Exchange Online

Microsoft Exchange Online is a cloud-based messaging platform that provides email, calendar, contacts and tasks functionality. The Exchange Admin Center (EAC) is used to manage Exchange Online settings and features. The new EAC replaces the Classic EAC and provides a more modern interface with additional features like personalized dashboards, improved mailbox and group management, migration capabilities, and support for Azure Cloud Shell. While most features have been migrated, some remain in other admin centers and the Microsoft 365 compliance and security centers.

Uploaded by

Abraham Sehi

Exchange Online
Article • 02/22/2023

Exchange Online is part of the Microsoft 365 and Office 365 suite of products.

End users: see Office help and training
Assign admin permissions
Learn about the Exchange admin center

Microsoft Exchange Online is a cloud-based messaging platform that delivers email,
calendar, contacts, and tasks. Users with an Exchange Online license connect to
Exchange Online through email and calendar clients such as Outlook desktop, Outlook on
the web, and the Outlook mobile app to access email and collaboration functionality,
including shared mailboxes, shared calendars, and global address lists.

You get Exchange Online when you sign up for Microsoft 365 for business and Microsoft
365 for enterprise subscriptions.

You can also buy standalone Exchange Online plans
(https://www.microsoft.com/en-us/microsoft-365/exchange/compare-microsoft-exchange-online-plans)
for your organization.

Manage Exchange Online
As an administrator for your organization, you manage your organization's Exchange
Online service in the Exchange admin center (EAC). Use the Microsoft 365 admin center
for simple email and user management tasks. Use the EAC in Exchange Online for more
complex tasks. Learn more at Exchange admin center in Exchange Online.

Here's how you get there:

1. Sign in to Microsoft 365 or Office 365 using your work or school account, and
then choose the Admin tile.
2. In the Microsoft 365 admin center, choose Admin centers > Exchange.

The Exchange admin center is also available directly at
https://admin.exchange.microsoft.com.

Not all settings will be available if you are using Azure AD groups to manage role
assignments.
To help you administer Exchange Online, assign users to the Exchange administrator
role.

Tip

When you assign someone to the Exchange administrator role, we recommend also
assigning them to the Service Support administrator role. This way they can see
important information in the Microsoft 365 admin center, such as the health of the
Exchange Online service, and change and release notifications.
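The following script is an added example, not code from the Microsoft article: it uses the Microsoft Graph PowerShell SDK to list everyone who holds the Exchange Administrator role and flag holders who do not also have the Service Support Administrator role recommended in the tip above. It assumes the Microsoft.Graph module is installed and that the signed-in account can read directory role membership; the scope names are the standard Graph permissions for that, and the function names are mine.

```powershell
# Added example (not from the Microsoft article). Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to read directory role membership.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" | Out-Null

function Get-ActivatedRole {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Get-MgDirectoryRole only lists roles that have been activated in the
    # tenant; a role nobody has ever been assigned returns nothing here.
    Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $DisplayName }
}

function Get-ExchangeAdminCoverage {
    $exchangeRole = Get-ActivatedRole -DisplayName "Exchange Administrator"
    $supportRole  = Get-ActivatedRole -DisplayName "Service Support Administrator"
    if (-not $exchangeRole) { return @() }

    # Ids of everything directly assigned the Service Support Administrator role.
    $supportIds = @()
    if ($supportRole) {
        $supportIds = @(Get-MgDirectoryRoleMember -DirectoryRoleId $supportRole.Id).Id
    }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $exchangeRole.Id) {
        # Only active assignments are returned; PIM-eligible (not yet activated)
        # assignments do not show up. Group-based assignments appear as group
        # objects, which the article notes limits what the EAC will show.
        [pscustomobject]@{
            Id                    = $member.Id
            DisplayName           = $member.AdditionalProperties["displayName"]
            ObjectType            = $member.AdditionalProperties["@odata.type"]
            HasServiceSupportRole = $supportIds -contains $member.Id
        }
    }
}

# Report Exchange admins who are missing the recommended companion role.
Get-ExchangeAdminCoverage |
    Where-Object { -not $_.HasServiceSupportRole } |
    Format-Table DisplayName, ObjectType, Id -AutoSize
```

Run this periodically rather than once: admins who were added through a group or through Privileged Identity Management will not appear as direct members, so an empty report does not by itself prove every Exchange administrator has the companion role.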

Help for Microsoft 365 admins

We're consolidating our content on the Office help and training site. See the
following:

Microsoft 365 admin center help: how to get started with the Microsoft 365 admin
center, reset passwords, and more.
Manage email and calendars: how to set up email, fix problems, and import email.
Exchange admin center in Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center is
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if you are not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

The new Exchange admin center (EAC) is a modern, web-based management console for
managing Exchange that is designed to provide an experience more in line with the
overall Microsoft 365 admin experience. It replaces the Exchange Control Panel (ECP) to
manage email settings for your organization.

Experience the new Exchange admin center

Try the new Exchange admin center using the URL
https://admin.exchange.microsoft.com and sign in using your credentials. You can also
continue to access the Classic Exchange admin center using its own URL and sign in
using your credentials.

To experience some of the new Exchange admin center features, see the following:

Personalized dashboard, reports, and insights

The new EAC offers actionable insights and includes reports for mail flow,
migration, and priority monitoring.

New navigation panel

The new EAC includes a left navigation panel to make it easier to find features.

Azure Cloud Shell support

Cloud Shell is a browser-accessible shell that provides a command-line experience
built with Azure management tasks in mind. It enables admins to choose a shell
experience that best suits their working style.

Improved mailbox management

Recipient management is one of the most crucial tasks that admins perform. The
new EAC now includes easier mailbox management.

Improved support for groups

The new EAC enables you to create and manage four types of groups: Microsoft
365 Groups, Distribution lists, Mail-enabled security groups, and Dynamic
distribution lists.

Migration capabilities

The new EAC supports various kinds of migrations, including cross-tenant
migrations for merger and acquisition (M&A) scenarios, and automated Google
Workspace (formerly G Suite) migrations.

For more information on new EAC and Classic EAC

See the following articles:

To understand the differences between Classic and new EAC, see Classic and New
Exchange admin center differences.
To explore features in new EAC, see New Exchange admin center.
To explore features in Classic EAC, see Classic Exchange admin center.
To get an update on the journey of the new EAC, see What's new in Exchange
admin center.

Supported browsers
See the following articles:

Microsoft 365 and Office resources: lists supported browsers for Microsoft 365,
Office 365, and the Exchange admin center.
Supported Browsers for Outlook on the web.

Related articles
Are you using Exchange Server? See Exchange admin center in Exchange Server.

Are you using standalone Exchange Online Protection (EOP)? See Exchange admin
center in Exchange Online Protection.
Differences between the Classic Exchange admin center (Classic EAC) and the new Exchange admin center (new EAC) in Exchange Online
Article • 05/26/2023

The following are the differences between the Classic Exchange admin center (Classic
EAC) and the new Exchange admin center (new EAC).

User mailbox and Shared mailbox

In Classic EAC, they are available as separate tabs, Mailboxes and Shared.

In new EAC, they're merged together under Mailboxes. In Mailboxes page, you can
select Filter > User mailbox/Shared mailbox to view them. You can also sort them
by clicking Recipient type.

For more information, see Manage user mailboxes.

Compliance Management tab

In Classic EAC, it is available.

In new EAC, it is not available and is now a part of the Microsoft Purview compliance
portal.

Note

The UI support for auditing and add-ins in the Exchange Admin Center (EAC)
will be discontinued. Both tasks remain possible through Exchange Online
PowerShell cmdlets. For detailed instructions on auditing, refer to
Auditing reports in the Exchange admin center in Exchange Online.
Similarly, for add-ins, see Add-ins for Outlook in Exchange Online for
information on the cmdlet alternatives.
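As an added example of the cmdlet route the note refers to (this is my script, not code from the Microsoft article), the following pulls recent Exchange administrator cmdlet activity out of the unified audit log with the Exchange Online PowerShell module and flattens the JSON payload so the target object and parameters are readable. It assumes the ExchangeOnlineManagement module is installed, that audit logging is enabled for the tenant, and that the signed-in account is permitted to search the audit log; the list of operations to watch is my choice of cmdlets that commonly matter in an incident (mailbox forwarding and permission changes, transport rules).

```powershell
# Added example (not from the Microsoft article). Requires the
# ExchangeOnlineManagement module and audit-log search rights.
Connect-ExchangeOnline -ShowBanner:$false

function Get-RecentExchangeAdminActivity {
    param(
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date),
        # Assumed watch list: cmdlets that change who receives or can read mail.
        [string[]]$Operations = @("Set-Mailbox", "Add-MailboxPermission",
                                  "Add-RecipientPermission",
                                  "New-TransportRule", "Set-TransportRule")
    )
    # One call returns at most 5000 records, so page through a named session
    # until an empty page comes back.
    $sessionId = "exo-admin-audit-" + [guid]::NewGuid()
    $all = @()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                    -RecordType ExchangeAdmin -Operations $Operations `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet `
                    -ResultSize 5000)
        $all += $page
    } while ($page.Count -gt 0)

    foreach ($entry in $all) {
        # AuditData is a JSON string; Parameters is a list of Name/Value pairs
        # holding the arguments the admin passed to the cmdlet.
        $data = $entry.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $entry.CreationDate
            Actor      = $entry.UserIds
            Cmdlet     = $entry.Operations
            Target     = $data.ObjectId
            Parameters = ($data.Parameters |
                          ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        }
    }
}

# Review the last 24 hours of admin changes, oldest first.
Get-RecentExchangeAdminActivity | Sort-Object When | Format-Table -AutoSize -Wrap
```

A Set-Mailbox entry whose parameters include ForwardingSmtpAddress or DeliverToMailboxAndForward, or an Add-MailboxPermission with FullAccess granted to an unexpected user, is the kind of change worth following up from this output.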

Protection tab
In Classic EAC, it is available.

In new EAC, it is not available and is now a part of the Microsoft 365 security center.

Unified Messaging tab

In Classic EAC, it is available.
In new EAC, Exchange Online Unified Messaging is retired and replaced by Cloud
Voicemail. For more information, see Plan Cloud Voicemail service and Retiring
Unified Messaging in Exchange Online.

Migration
In Classic EAC, it is under Recipients.
In new EAC, it is available as a separate tab in the feature pane.

Cross Tenant Migration

In Classic EAC, it is not available.
In new EAC, it is a new addition to the types of migration and is available under
Migration.

Permissions tab
In Classic EAC, it is available.
In new EAC, it is now known as Roles and is available in the feature pane.

View Alerts
In Classic EAC, it is not available.
In new EAC, it is a new addition and is available under Mail flow.

For more information, see Exchange admin center.

What's new when upgrading from Classic Exchange admin center (Classic EAC) to new Exchange admin center (new EAC)?
1. Personalized Dashboard: The admin can now customize the dashboard by
choosing from a wide variety of cards using + Add Card option. It allows the
admin to quickly view reports that are of more importance to them.
2. Training & Guide: You can select Training for admins for a video tutorial and
Documentation to learn about the new Exchange admin center.
3. Reports: You can view the reports on mail flow and migration batches.
4. Insights: You can use the recommendations to discover trends and/or insights, and
take actions to fix issues related to mailbox and mail flow.
5. Support Assistant: You can get help from Microsoft 365 Support Assistant. For
more information, see Contact Support.
6. Cloud Shell: You can select the Cloud Shell icon to access a browser-based
command-line experience built with Azure management tasks. It also securely
authenticates automatically for instant access to your resources through Azure
PowerShell cmdlets. For more information, see Azure Cloud Shell.
7. Give feedback: You can select the Give feedback icon to provide your feedback
and let us know what you think. You can also share your email address for us to
reach out to you for more information.

For more information, see What's new in Exchange admin center.

Related articles
Microsoft Purview compliance portal

Microsoft 365 security center

About the Microsoft Support and Recovery Assistant


New Exchange admin center in Exchange Online
Article • 01/27/2023

The new Exchange admin center is simple and accessible, and it enables you to perform
tasks like restoring mailboxes, migrating data, and much more.

Get to the new Exchange admin center
You must have Microsoft 365 admin permissions to access the new Exchange admin
center. For more information, see Permissions in Exchange Online.

1. Sign in to Microsoft 365 or Office 365 using your work or school account.

2. In the left navigation pane, navigate to Admin centers > Exchange.

You can also get to the new Exchange admin center directly by using the URL
https://admin.exchange.microsoft.com and signing in using your credentials.

Note

Use a private browsing session (not a regular session) when you open the
Exchange admin center through the direct URL. Otherwise the browser silently
reuses whichever account you are already signed in with, which may be a
non-admin account or an account in a different tenant. To open an InPrivate
window in Microsoft Edge or an incognito window in Google Chrome, press
CTRL+SHIFT+N. To open an InPrivate window in Microsoft Edge Legacy or
Internet Explorer, or a Private Browsing window in Mozilla Firefox, press
CTRL+SHIFT+P.
New Exchange admin center features
Here's what the new Exchange admin center looks like.

Home page
You can personalize your home page by selecting a theme, setting your language, and
timezone from the Settings bubble.

1. To personalize your dashboard, click + Add card on top of the homepage and drag
any card onto the dashboard to the location you want.

2. To learn about the new updates in the new Exchange admin center, click What's
New?.

3. To sign out of the new Exchange admin center and sign in as a different user, click
My account tile. You can also sign in with another account.

4. To learn about the new Exchange admin center, in Training & guide, select
Training for admins for a video tutorial and Documentation.

5. To get help from the Microsoft 365 Support assistant, click the Support assistant icon.

6. To give feedback to help improve the new Exchange admin center, click the Give
feedback icon. You don't have to provide your email address, but you can select the
You can contact me about this feedback checkbox and enter it to help the team
resolve your concerns faster.
Feature pane
Here are the features available in the left-hand navigation (area: what you do here).

Recipients: View and manage your mailboxes (both user and shared mailboxes), groups,
resource mailboxes, and contacts.

Mail flow: Trace messages, create rules, manage remote domains and accepted domains,
add connectors, and manage alerts and alert policies.

Roles: Manage administrator roles.

Migration: Migrate mailboxes in batches.

Reports: View reports on mail flow and migration batches.

Insights: Use the recommendations to discover trends and/or insights, and take actions to
fix issues related to mailbox and mail flow.

Organization: Manage organization sharing and apps for Outlook.

Public folders: Manage public folders and public folder mailboxes.

Note

You can also access the Classic Exchange admin center and the Microsoft 365 admin
center by selecting them at the bottom of the left navigation panel.
Tabs
The tabs are your second level of navigation. Each of the feature areas contains various
tabs, each representing a complete feature.

Toolbar
When you click most tabs, you'll see a toolbar. The toolbar has icons that perform a
specific action.

List view
When you select a tab, in most cases you'll see a list view. The list view in the new
Exchange admin center is designed to remove limitations that existed in the Classic
Exchange admin center and Exchange Control Panel.

Details pane
When you select an item from the list view, information about that object is displayed in
the details pane.

To bulk edit several items: Select the objects you want to bulk edit, and use the options
in the toolbar.

Related articles
Exchange Online
Exchange admin center in Exchange Online

What's new in Exchange admin center

Differences between the Classic Exchange admin center (Classic EAC) and the new
Exchange admin center (new EAC)
Classic Exchange admin center in Exchange Online
Article • 01/27/2023

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
and better. Personalize your dashboard, manage cross tenant migration, experience
the improved Groups feature, and more. Try it now!

Get to the Classic Exchange admin center
You must have Microsoft 365 admin permissions to access the Classic Exchange admin
center. For more information, see Permissions in Exchange Online.

1. Sign in to Microsoft 365 or Office 365 using your work or school account, and
then choose the Admin tile.

2. In the Microsoft 365 admin center, choose Admin centers > Exchange.

You can also get to the Classic Exchange admin center directly by using a URL. To do
this, go to https://outlook.office365.com/ecp and sign in using your credentials.

Note
Use a private browsing session (not a regular session) when you open the
Exchange admin center through the direct URL. Otherwise the browser silently
reuses whichever account you are already signed in with, which may be a
non-admin account or an account in a different tenant. To open an InPrivate
window in Microsoft Edge or an incognito window in Google Chrome, press
CTRL+SHIFT+N. To open an InPrivate window in Microsoft Edge Legacy or
Internet Explorer, or a Private Browsing window in Mozilla Firefox, press
CTRL+SHIFT+P.

Classic Exchange admin center features

Here's what the Classic Exchange admin center looks like.

Feature pane
Here are the features you'll find in the left-hand navigation.

Area: what you do here

Dashboard: An overview of the admin center.

Recipients: View and manage your mailboxes, groups, resource mailboxes, contacts, shared
mailboxes, and mailbox migrations.

Permissions: Manage administrator roles, user roles, and Outlook on the web (formerly known
as Outlook Web App) policies.

Compliance management: Manage In-Place eDiscovery & Hold, auditing, data loss prevention (DLP),
retention policies, retention tags, and journal rules.

Organization: Manage organization sharing and apps for Outlook.

Protection: Manage malware filters, connection filters, content filters, outbound spam, and
quarantine for your organization.

Mail flow: Manage rules, message tracing, accepted domains, remote domains, and
connectors.

Mobile: Manage the mobile devices that you allow to connect to your organization. You
can manage mobile device access and mobile device mailbox policies.

Public folders: Manage public folders and public folder mailboxes.

Unified messaging: Manage Unified Messaging (UM) dial plans and UM IP gateways.

Tabs
The tabs are your second level of navigation. Each of the feature areas contains various
tabs, each representing a complete feature.

Toolbar
When you click most tabs, you'll see a toolbar. The toolbar has icons that perform a
specific action.

List view
When you select a tab, in most cases you'll see a list view. The list view in the Classic
Exchange admin center is designed to remove limitations that existed in Exchange
Control Panel.

In Exchange Online, the viewable limit from within the Classic Exchange admin center list
view is approximately 10,000 objects. In addition, paging is included so you can page to
the results. In the Recipients list view, you can also configure page size and export the
data to a CSV file.

Details pane
When you select an item from the list view, information about that object is displayed in
the details pane.

To bulk edit several items: press the CTRL key, select the objects you want to bulk edit,
and use the options in the details pane.

Centers, Me tile, and Help
The Centers tile allows you to change from one admin center to another. The Me tile
allows you to sign out of the Classic Exchange admin center and sign in as a different
user. From the Help drop-down menu, you can perform the following actions:

Help: Click to view the online help content.

Disable Help bubble: The Help bubble displays contextual help for fields when you
create or edit an object. You can turn off the Help bubble or turn it on if it has
been disabled.

Related articles
Exchange Online

Exchange admin center in Exchange Online

What's new in Exchange admin center


What's new in the Exchange admin center in Exchange Online
Article • 02/22/2023

We're continuously adding new features to the Exchange admin center (EAC); fixing
issues as we learn about them and making changes based on your feedback. On this
page, you can find highlights of all the recent changes we've made. Some features get
rolled out at different times to our customers, so if you are not seeing a new feature yet,
keep checking back.

The Exchange admin center now uses a new portal at
https://admin.exchange.microsoft.com. The new EAC is a modern, web-based
management console for managing Exchange, designed to provide an experience that is
more aligned with the overall Microsoft 365 admin experience.

For now, it is possible to switch back to the existing EAC (often called the "classic" EAC).
However, the classic EAC will be fully deprecated by September 2022.

September 2021
Here are some of the changes and new features we introduced in the modern EAC in
September 2021.

New EAC is now Generally Available in GCC-H

The new Exchange admin center (EAC) is a modern, accessible, web-based management
portal for managing Exchange Online based on the Microsoft 365 admin center
experience. The new EAC was made generally available to our worldwide (WW) users in
April 2021 and our GCC customers in June 2021. Today, we are excited to announce that
the new EAC is now generally available for our GCC-H customers. The EAC URL for
GCC-H customers is https://admin.exchange.office365.us

Announcement of ECP Deprecation

With the new EAC providing most admin capabilities, we are now at the next stage of
our journey, and we have announced the retirement of the classic EAC in our WW
deployment. The classic EAC will be fully deprecated by September 2022.

Important
This change is for Worldwide (WW) only. It does not affect GCC, GCC-High, DoD, or
other Sovereign Clouds.

The Classic EAC deprecation timeline is planned as follows:

You can read more about the Classic EAC deprecation here: Deprecation of the classic
Exchange admin center in WW service - Microsoft Tech Community

August 2021
Here are some of the changes and new features we introduced in the modern EAC in
August 2021.

Customizable Settings: Normal/Compact list view

In our efforts to provide customizable settings to admins, the new EAC has introduced a
feature, 'Settings', located in the left navigation panel.

Currently, it has one customizable setting for admins; 'List view preference'. This setting
allows users to select the normal view or compact view as the preferred list view for the
entire EAC portal. Once the user selects either of the views, it is applied to all the list
pages in the new EAC.
Hide from GAL feature in resources
The Hide from GAL [Global Address List] feature in resources is now available. Click on
any of the resource mailboxes, and this feature setting can be found under General
settings.

July 2021
Here are some of the changes and new features we introduced in the modern EAC in
July 2021.

Dynamic distribution list (DDL) created through PowerShell can now be seen in new EAC

Admins have always been able to create a dynamic distribution list from PowerShell.
A DDL created that way, with whatever recipient filter the admin gave it, can now be
viewed in the new EAC.
Reflection of the created DDL in new EAC:

The recipient filter is read-only in the new EAC. To change the membership rule, the
admin has to edit the filter in PowerShell.

Hide from GAL feature in mailbox & groups

Hide from GAL (Global Address List) was a long-awaited feature and is now live for use.

User and Shared Mailboxes: Click any user or shared mailbox for which you want
to check the 'Hide from GAL' setting, click 'Account', and then click 'Manage
contact information' to edit the setting.
Groups: Hide from GAL is available for all four types of groups: Microsoft 365
Groups, Distribution lists, Mail-enabled security groups, and Dynamic distribution
lists. The setting is available under the Settings tab of the group.
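The two July 2021 items above both come down to attributes you set from Exchange Online PowerShell: a dynamic distribution list's recipient filter (read-only in the new EAC) and the HiddenFromAddressListsEnabled flag behind Hide from GAL. The following is an added example of my own, not code from the Microsoft article: it creates or updates a DDL with a custom OPATH filter that also excludes recipients hidden from the GAL, previews who the filter currently selects, and hides a single mailbox. The group name, department value and mailbox address are assumptions for illustration; the module is ExchangeOnlineManagement.

```powershell
# Added example (not from the Microsoft article). Requires the
# ExchangeOnlineManagement module and recipient-management rights.
Connect-ExchangeOnline -ShowBanner:$false

# Assumed values for illustration.
$ddlName = "Finance-All"
# OPATH filter: only real user mailboxes in Finance that are not hidden from
# the GAL. HiddenFromAddressListsEnabled is the attribute the EAC's
# "Hide from GAL" switch sets.
$filter  = "(RecipientTypeDetails -eq 'UserMailbox') -and " +
           "(Department -eq 'Finance') -and " +
           "(HiddenFromAddressListsEnabled -eq `$false)"

function Set-FilteredDdl {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$RecipientFilter)
    $existing = Get-DynamicDistributionGroup -Identity $Name -ErrorAction SilentlyContinue
    if ($existing) {
        # The filter cannot be edited in the new EAC, so updates go through here.
        Set-DynamicDistributionGroup -Identity $Name -RecipientFilter $RecipientFilter
    } else {
        New-DynamicDistributionGroup -Name $Name -RecipientFilter $RecipientFilter | Out-Null
    }
    Get-DynamicDistributionGroup -Identity $Name
}

function Get-DdlPreviewMembers {
    param([Parameter(Mandatory)][string]$Name)
    # Membership is derived from the filter, not stored as a member list, so
    # preview it from the filter Exchange actually saved (which also carries
    # the system exclusions Exchange appends) rather than the text you typed.
    $ddl = Get-DynamicDistributionGroup -Identity $Name
    Get-Recipient -RecipientPreviewFilter $ddl.RecipientFilter -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails, Department
}

function Hide-MailboxFromGal {
    param([Parameter(Mandatory)][string]$Identity)
    # Same change as Account > Manage contact information > Hide from GAL in
    # the new EAC; the mailbox drops out of the DDL above on the next preview.
    Set-Mailbox -Identity $Identity -HiddenFromAddressListsEnabled $true
    Get-Mailbox -Identity $Identity | Select-Object Name, HiddenFromAddressListsEnabled
}

Set-FilteredDdl -Name $ddlName -RecipientFilter $filter | Select-Object Name, RecipientFilter
Hide-MailboxFromGal -Identity "contractor@contoso.com"   # assumed address
Get-DdlPreviewMembers -Name $ddlName | Format-Table -AutoSize
```

Always run the preview after changing a filter: a filter that is too broad turns a departmental list into an organisation-wide one, and nothing in the EAC will warn you, because the new EAC only displays the filter.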

June 2021
Here are some of the changes and new features we introduced in the modern EAC in
June 2021.

New EAC is now Generally Available in GCC

The new Exchange admin center (EAC), https://admin.exchange.microsoft.com, is a
modern, accessible, web-based management portal for managing Exchange Online
based on the Microsoft 365 admin center experience. The new EAC was made generally
available to our WW users in April 2021. Today, we are excited to announce that the new
EAC is generally available for our GCC customers.

The GCC customers now have access to a new dashboard, new usability features, and
several intelligent reports to help them be more productive in their work.

UX Enhancement in new EAC: Coherence with Microsoft 365 admin center
To provide a more coherent experience, the new EAC team made efforts to enhance the
UX to become close to the Microsoft 365 admin center experience. The command bars
and the detail panels now have similar control and navigation experiences in both the
portals.

May 2021
Here are some of the changes and new features we introduced in the modern EAC in
May 2021.

Custom Attributes in Mailboxes

The new EAC now includes 15 extension attributes that you can use to add information
about a recipient, such as an employee ID, organizational unit (OU), or some other
custom value for which there isn't an existing attribute. You can use the EAC to manage
the attributes, and you don't need to build custom controls or write scripts to populate
and display these attributes.
Missing "Member of" attribute in mailboxes view

New EAC now offers a view of the Groups that a particular mailbox is a part of.

Easier role group creation for new tenants

Our new customers were facing an issue while creating a new role group. They
ended up with a warning that they first had to run
Enable-OrganizationCustomization in PowerShell. This issue has now been fixed,
and all our users can create role groups without any extra step.

April 2021

New EAC is now Generally Available in Worldwide (WW)
The new Exchange admin center (EAC) is a modern, accessible, web-based
management portal for managing Exchange Online based on the Microsoft 365 admin
center experience. Since entering Public Preview in June 2020, over half a million admins
worldwide have used it.
Today, we are excited to announce that the new EAC is generally available for customers
in 10 languages. With this announcement, we are also releasing a new dashboard, new
usability features, and several intelligent reports to help admins be more productive in
their work.

Here are some highlights:

Personalized Dashboard, Reports, Insights. The new EAC offers actionable
insights and includes mail flow, migration, and priority monitoring reports.

Azure Cloud Shell. Cloud Shell is a browser-accessible shell that provides a
command-line experience built with Azure management tasks in mind. It enables
admins to choose a shell experience that best suits their work style.

You can read more about it here: Announcing General Availability of the new Exchange
admin center - Microsoft Tech Community

February 2021
Here are some of the changes and new features we introduced in the modern EAC in
February 2021.

Three more reasons to love the modern Exchange admin center (EAC)
Exchange admin center, the digital workspace for IT admins, is where work gets done.
The new EAC portal (https://admin.exchange.microsoft.com ) now brings together
more features, such as Rules, Organization, and Public Folders. Also new to the modern
EAC are the Another User feature (which has been a major Help desk admin demand)
and support for flow for all of our delegated admins.
One portal to meet all Exchange IT admin needs
Having access to the tools we need without context switching is essential. The power of
new features we've introduced in the modern EAC is tremendous and exciting.

1. Rules, Organization, and Public Folders

Rules, Organization, and Public Folders from the classic EAC are now available in the
modern EAC. Admins can take actions on messages that flow through their Exchange
Online organization through Rules. They can set up organization relationships to share
calendar information with external business partners through Organization sharing. In
addition, admins can collect, organize, and share information with other people in their
workgroup or organization through Public Folders.

Note

Permissions granted via Azure Privileged Identity Management won't work for
Rules, Organization, or Public Folders in the modern EAC.

2. Another user

The new, modern EAC now has a View another mailbox option, which adjusts Inbox
rules and out-of-office messages on behalf of a user, without requiring that user to
grant full admin access to their mailboxes.

3. Delegated admin support
A delegated admin now has access to the modern EAC portal. Currently, admins need to
sign in to https://partner.microsoft.com , where they will be directed to the classic EAC
portal, and from there they can access the modern EAC.

December 2020
Here are some of the changes and new features we introduced in the modern EAC in
December 2020.

Groups - creation and management
Admins can now create and manage four kinds of groups from the modern EAC:
Microsoft 365 Groups, distribution lists, mail-enabled security groups, and dynamic
distribution lists. The groups experience has now reached parity with that of the classic
EAC. The new group type that we recently introduced in the modern EAC is dynamic
distribution lists.

The pivot experience (different pivots for different group types) makes groups
management even easier.

Dynamic distribution lists
Dynamic distribution lists are mail-enabled Active Directory group objects, created to
expedite the mass sending of email messages and other information within an Exchange
organization.

The membership list for dynamic distribution groups is calculated each time a message
is sent to the group, based on the filters and conditions that are defined.
Delivery management setting
This setting allows admins to manage who can send email to any group. The user can
define these settings once the group is created. This setting is available in all group
types.

Message approval setting
Admins can use this setting to configure whether or not messages sent to a particular
group need to be approved by a moderator. This setting also allows admins to define
who the group moderators are, and it allows admins to define any message senders
who do not require message approval. This setting is available in distribution groups,
dynamic distribution groups, and mail-enabled security groups.

Membership approval setting in mail-enabled security groups
For mail-enabled security groups, there is now a check box called owner approval is
required. After this check box is selected, the owner of the mail-enabled security group
needs to manually add or remove group members from that group.

Membership approval setting in distribution groups
Admins can now manage the membership approval settings during or after the creation
of a distribution group. It allows admins to configure the moderation settings for who
can join the group, and for who can remove members from a group.
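The Delivery management, Message approval and Membership approval settings described above map onto parameters of Set-DistributionGroup in Exchange Online PowerShell. The following is an added example of my own, not code from the Microsoft article: it applies a conservative set of those settings to a distribution group in one call and reads them back for verification. The group name, moderator and bypass addresses are assumptions for illustration; the module is ExchangeOnlineManagement.

```powershell
# Added example (not from the Microsoft article). Requires the
# ExchangeOnlineManagement module and rights to modify distribution groups.
Connect-ExchangeOnline -ShowBanner:$false

function Set-GroupGuardrails {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string[]]$Moderators        = @(),
        [string[]]$BypassModeration  = @(),
        [string[]]$AllowedSenders    = @()
    )
    $params = @{ Identity = $Group }

    # Delivery management: reject mail from unauthenticated (external) senders,
    # and optionally restrict delivery to a named set of senders or members.
    $params.RequireSenderAuthenticationEnabled = $true
    if ($AllowedSenders.Count -gt 0) {
        $params.AcceptMessagesOnlyFromSendersOrMembers = $AllowedSenders
    }

    # Message approval: when moderators are given, every message is held for
    # their approval unless the sender is on the bypass list.
    if ($Moderators.Count -gt 0) {
        $params.ModerationEnabled            = $true
        $params.ModeratedBy                  = $Moderators
        $params.SendModerationNotifications  = "Internal"
        if ($BypassModeration.Count -gt 0) {
            $params.BypassModerationFromSendersOrMembers = $BypassModeration
        }
    }

    # Membership approval (distribution groups): an owner must approve join
    # requests, while members may leave on their own.
    $params.MemberJoinRestriction   = "ApprovalRequired"
    $params.MemberDepartRestriction = "Open"

    Set-DistributionGroup @params

    # Read the settings back so the change, not the intent, is what gets recorded.
    Get-DistributionGroup -Identity $Group |
        Select-Object Name, RequireSenderAuthenticationEnabled,
                      AcceptMessagesOnlyFromSendersOrMembers,
                      ModerationEnabled, ModeratedBy,
                      BypassModerationFromSendersOrMembers,
                      MemberJoinRestriction, MemberDepartRestriction
}

# Assumed group and addresses.
Set-GroupGuardrails -Group "all-staff" `
    -Moderators "comms.lead@contoso.com" `
    -BypassModeration "ceo@contoso.com" | Format-List
```

For mail-enabled security groups the join restriction is governed by the owner-approval checkbox described above rather than being freely settable, so this function targets ordinary distribution groups; run it against a security group only after checking which MemberJoinRestriction values that group type accepts in your tenant.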

September 2020
Here are some of the changes and new features we introduced in the modern EAC in
September 2020.

Group creation and management

Admins can now create groups from the modern EAC. Currently, they can create and
manage three types of groups: Microsoft 365 Groups, distribution groups, and
mail-enabled security groups.

Microsoft 365 groups - Microsoft 365 groups are the recommended group type.
They allow for effective collaboration by providing group members a shared email
and a shared workplace.
Distribution groups - These are the most commonly used group type, and they
allow you to send email to all members of the distribution list.
Mail-enabled security groups - These groups give members access to various
resources like OneDrive, SharePoint, and various admin roles.

Normal/Compact list views in groups

Administrators can now choose to view the list of groups in their organization in either
normal or compact list view. The compact list option allows administrators to view more
entries on a single page.

Naming policy for groups

Administrators now have command over the group naming policy. They can now add
prefixes and suffixes for future groups that will be created, and they can block specific
words from being used in group names and aliases.

Upgrade distribution groups

Administrators can now upgrade their distribution groups into the recommended
Microsoft 365 Groups (previously Microsoft 365 Groups) with a few clicks, as shown
below:
Opt-in/out
End-users now have a single-click opt-in toggle button, available in both the classic
Exchange admin center and in the new EAC. This button provides easy navigation
between the two portals, allowing users to switch to and explore the new portal
seamlessly.

Support Assistant

The admins can now get their queries resolved without going anywhere else. The
support assistant feature allows users to resolve the queries without leaving the EAC
window. In case the user is not satisfied with the provided solution, the user can even
raise a ticket and register their issues.

Educational navigation video

An educational video is now available on the first tile, Training and Guide, in the new
EAC portal. The video walks users through the basic navigation of the new portal. You
can also access the video here.
Recipients - documentation updated
As part of Microsoft's efforts to help users familiarize themselves with the new Exchange
admin center (EAC) portal, the Exchange Online documentation has been updated for
the highest-trafficked articles under Recipients.

July 2020
Here are some of the changes and new features we introduced in the modern EAC in
July 2020.

Mail flow Reports

Exchange admins can now use the existing dashboard to choose from a new variety of
mail flow cards that personalize their experience for ease of use and better productivity.
To access this dashboard, go to the Exchange admin center and select Add Card (+) to
see the new cards.

Discover and understand some more trends related to mail flow in your Microsoft 365
or Office 365 organization. The following reports were already available in the Security
& Compliance Center but are now available in the EAC for added convenience.

Top domain mail-flow status report: To identify and troubleshoot domains with mail flow
issues. Learn more.

Queued messages report: To check those messages that are queued for more than 1
hour and were sent through connectors from your Microsoft cloud org. Learn more.

SMTP AUTH clients report: To check for unusual activity and TLS used by clients or
devices using SMTP AUTH. SMTP AUTH client submission protocol only offers basic
authentication and is a less-secure protocol used by devices, such as printers, to send
email messages. Learn more.
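The SMTP AUTH clients report shows activity, but it is easier to interpret when you know which mailboxes are actually allowed to use SMTP AUTH. The following inventory script is an added example written for this page, not code from the Microsoft documentation; it uses the organization-wide and per-mailbox SmtpClientAuthenticationDisabled settings, and the mailbox address in the trailing comment is a placeholder.

```powershell
# Added example, not from the Microsoft documentation: find where SMTP AUTH
# client submission is still permitted so that the report's activity can be
# compared against an expected allow list of devices.
Connect-ExchangeOnline

# Organization-wide switch: $true means SMTP AUTH is disabled for everyone
# unless it is re-enabled on a specific mailbox.
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Per-mailbox override: $true = disabled, $false = enabled, $null = inherit
# the organization setting.
$cas = Get-CASMailbox -ResultSize Unlimited |
    Select-Object Identity, PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# A mailbox can authenticate with SMTP AUTH when it is explicitly enabled, or
# when it inherits and the organization has not disabled the protocol.
$smtpAuthEnabled = $cas | Where-Object {
    $_.SmtpClientAuthenticationDisabled -eq $false -or
    ($null -eq $_.SmtpClientAuthenticationDisabled -and -not $orgDisabled)
}

"Organization-wide SMTP AUTH disabled: $orgDisabled"
"Mailboxes that can use SMTP AUTH: $(@($smtpAuthEnabled).Count)"
$smtpAuthEnabled | Sort-Object PrimarySmtpAddress | Format-Table -AutoSize

# Recommended end state: disable SMTP AUTH org-wide and re-enable it only on
# the few service mailboxes (printers, scanners) that genuinely need it.
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity 'scanner@contoso.example' -SmtpClientAuthenticationDisabled $false
```

Run the inventory before and after the org-wide change; any mailbox that still appears in the enabled list afterwards has an explicit per-mailbox override and should be justified by a known device.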
June 2020
Here are some of the changes and new features we introduced in the modern EAC in
June 2020.

Manager and directs

Microsoft 365 administrators can now add Manager and Direct reports for individual
mailboxes. Admins can manage this organizational information in the Accounts tab in
the Detail panel.

Custom attributes
Admins can include 15 extension attributes that they can use to add information about a
recipient, such as an employee ID, organizational unit (OU), or some other custom value
for which there isn't an existing attribute.
Google Workspace (formerly G Suite) automation
Admins can migrate batches of users from Google Workspace to Microsoft 365. In order
to move the mailboxes from Google Workspace to Microsoft 365, there is a series of
steps that admins need to perform in Google Workspace in order to establish the
connection between the two environments. The new EAC aims to help the admins
automate those steps to make the process easier and more convenient.

May 2020
Here are some of the changes and new features we introduced in the modern EAC in
May 2020.

Delete shared mailbox

In the modern EAC, Microsoft 365 administrators can now delete an already existing
shared mailbox. Admins can also select multiple shared mailboxes and choose the
Delete button in the command bar to bulk delete them.

Set default message size restriction

Message size limits control the size of messages that a user can send and receive. By
default, when a mailbox is created, there isn't a size limit for sent and received
messages. However, admins can use this control to set a default limit. This limit will be
applied to any new mailboxes created in the Exchange environment.

Export to .csv
Admins can now click on the Export button in the command bar to prepare a .csv file
that lists all of the mailboxes residing in Exchange Online.
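Both of the May 2020 items above, the default message size limit and the mailbox export, have Exchange Online PowerShell equivalents. The following is an added example written for this page, not code from the Microsoft documentation. It assumes that the default limit for new mailboxes corresponds to the MaxSendSize and MaxReceiveSize values on the tenant's mailbox plans; the size values and output path are constructed for illustration.

```powershell
# Added example, not from the Microsoft documentation: set the send/receive
# size limits that new mailboxes inherit, then export the mailbox inventory to
# a .csv file. Assumption: the EAC's "default limit for new mailboxes" maps to
# MaxSendSize/MaxReceiveSize on the mailbox plans.
Connect-ExchangeOnline

# Every mailbox plan in the tenant; new mailboxes are stamped from one of them.
Get-MailboxPlan | ForEach-Object {
    Set-MailboxPlan -Identity $_.Identity -MaxSendSize 35MB -MaxReceiveSize 36MB
}

# Existing mailboxes keep the limits they already have; apply the same values
# explicitly where needed (here: all user mailboxes).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -MaxSendSize 35MB -MaxReceiveSize 36MB

# Export: one row per mailbox with the properties an auditor usually asks for.
# -NoTypeInformation keeps the first line of the .csv a plain header row.
$columns = 'DisplayName', 'PrimarySmtpAddress', 'RecipientTypeDetails',
           'MaxSendSize', 'MaxReceiveSize', 'WhenCreated'
Get-Mailbox -ResultSize Unlimited |
    Select-Object -Property $columns |
    Export-Csv -Path '.\exo-mailboxes.csv' -NoTypeInformation -Encoding UTF8
```

Keeping the receive limit slightly above the send limit, as in the example, avoids internal mail being rejected because of encoding overhead added in transit; the exported .csv gives you a record of which mailboxes still carry older, larger limits.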
April 2020
Here are some of the changes and new features we introduced in the modern EAC in
April 2020.

Contacts
Admins now have a new experience when managing contacts for people outside the
organization. Admins can create and manage mail contacts and mail users with external
email addresses.

Column chooser
Admins can now customize the columns that appear in the EAC.
People picker for remote migration
A common request from our customers was to bring back the people picker for a
remote migration scenario. This helps admins to move the selected mailboxes to
Exchange Online.

Personalized Dashboard and Reports

Exchange admins can now use a dashboard to choose from a wide variety of cards that
personalize their experience for ease of use and better productivity. To access the
dashboard, go to the Exchange admin center and select Add Card (+) to see the new
cards:

Migration report: Learn about the status of the migration batches in your
Exchange environment.
Mail flow reports: Discover and understand trends related to mail flow in your
Microsoft 365 or Office 365 organization. These reports were already available in
the Security & Compliance Center, but are now available in the EAC for added
convenience.
Auto-forwarded messages: Monitor for potential data leaks when people in
your organization automatically forward email messages to an external domain,
such as a personal email address. Learn more.
Inbound & outbound messages details: Monitor message volume and TLS
encryption for each connector. Learn more.
Non-accepted domain: Display messages from your on-premises organization
where the sender's email domain isn't configured as an accepted domain in
Microsoft 365 or Office 365. Learn more.
Non-delivery report: Display the most commonly encountered error codes in
non-delivery reports (also known as NDRs or bounce messages) for your
message senders. Learn more.
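The "Auto-forwarded messages" card above reports on traffic after the fact. The configuration that produces that traffic can be enumerated directly, which is useful for confirming what the card shows. The following is an added example written for this page, not code from the Microsoft documentation; it checks the two forwarding mechanisms in Exchange Online (mailbox-level forwarding and Inbox rules) and treats any domain that is not an accepted domain of the tenant as external.

```powershell
# Added example, not from the Microsoft documentation: enumerate mailbox-level
# forwarding and Inbox rules that forward or redirect, and flag targets outside
# the tenant's accepted domains.
Connect-ExchangeOnline

# Accepted domains are internal; anything else is treated as external.
$internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })

function Test-External([string]$recipient) {
    # Inbox rule targets look like '"Name" [SMTP:user@domain]'; mailbox
    # forwarding addresses look like 'smtp:user@domain'. Extract either form.
    if ($recipient -match '(?i)smtp:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $recipient }
    if ($addr -notmatch '@') { return $false }   # EX:/legacy DN = internal recipient
    $domain = $addr.Split('@')[-1].ToLower()
    return -not ($internal -contains $domain)
}

$allMailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding, set by an admin (ForwardingAddress) or by the
#    user in Outlook on the web (ForwardingSmtpAddress).
$mailboxForwards = $allMailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress,
        DeliverToMailboxAndForward,
        @{ n = 'External'; e = { Test-External "$($_.ForwardingSmtpAddress)" } }

# 2. Inbox rules that forward or redirect. Review these regularly: they are the
#    usual way mail quietly leaves a compromised mailbox.
$ruleForwards = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                ForEach-Object { "$_" }
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = ($targets -join '; ')
                External = @($targets | Where-Object { Test-External $_ }).Count -gt 0
            }
        }
}

"Mailboxes with forwarding configured:"
$mailboxForwards | Format-Table -AutoSize
"Inbox rules that forward or redirect (External = leaves the tenant):"
$ruleForwards | Sort-Object External -Descending | Format-Table -AutoSize
```

The script walks every mailbox, so on a large tenant run it on a schedule and keep the output: a new row with External set to True is the event worth alerting on, and comparing runs shows when a rule appeared.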

Recoverable Items
Admins now have a new experience for finding recoverable items. With this feature,
items that were deleted from a user's mailbox can be recovered back to the inbox.
March 2020
Here are some of the changes and new features we introduced in the modern EAC in
March 2020.

Recipients
In the modern EAC, the user and shared mailbox management experiences are now
merged, and the mailbox list and properties are available on the same page. The option
to filter mailboxes based on type can be found on the top right.

Resources experience has been simplified for managing room and resource mailboxes.

Migration
Migration is now a first-class citizen under the Modern EAC and is no longer buried
inside the Recipient tab as it was in the classic EAC. The major feature additions to the
migration flow are:

The Exchange and Google Workspace migrations are now simple, wizard-based
experiences.
The Google Workspace migration supports migrating Calendar and Contact data
along with emails.
For Google Workspace migration, the 2 GB per mailbox per day restriction has
been removed.

Mail flow
The Mail flow Experience, which was a part of the Security and compliance portal, is now
returning to EAC. As a part of the experience, we have added the following features:

Accepted domains
Remote domains
Connectors
Want to access more features?
As the modern experience is being developed, we are providing deep links from the new
portal for users to move to the old portal for completing their work.

To access familiar features that were in the classic Exchange admin center, click on the
"More features" tab on the left nav and select the feature to open it in a new tab.

What's next?
We are working hard to create modern experiences for Exchange admins. Here are some
features that are coming soon:

Parity Experience with the classic EAC
    Groups
    Permissions
    Organization
    Public Folders

New Value additions for customers
    Cloud shell
    Tenant switcher
    Search

Check out our Ignite blog entry where we detail the changes to the Exchange admin
center, and other Exchange Online improvements that we announced at Microsoft Ignite
2019.

Feedback and wishlist

Our goal is to deliver the features that IT admins need, so please share your feedback
and wishlist with us through the "Give Feedback" button on the new portal.
Permissions in Exchange Online
Article • 02/22/2023

Exchange Online in Microsoft 365 and Office 365 includes a large set of predefined
permissions, based on the Role Based Access Control (RBAC) permissions model, which
you can use right away to easily grant permissions to your administrators and users. You
can use the permissions features in Exchange Online so that you can get your new
organization up and running quickly.

RBAC is also the permissions model that's used in Microsoft Exchange Server. Most of
the links in this topic refer to topics that reference Exchange Server. The concepts in
those topics also apply to Exchange Online.

For information about permissions across Microsoft 365 or Office 365, see About admin
roles

Note

Several RBAC features and concepts aren't discussed in this topic because they're
advanced features. If the functionality discussed in this topic doesn't meet your
needs, and you want to further customize your permissions model, see
Understanding Role Based Access Control.

Role-based permissions
In Exchange Online, the permissions that you grant to administrators and users are
based on management roles. A management role defines the set of tasks that an
administrator or user can perform. For example, a management role called Mail
Recipients defines the tasks that someone can perform on a set of mailboxes, contacts,
and distribution groups. When a management role is assigned to an administrator or
user, that person is granted the permissions provided by the management role.

Administrative roles and end-user roles are the two types of management roles.
Following is a brief description of each type:

Administrative roles: These roles contain permissions that can be assigned to
administrators or specialist users using role groups that manage a part of the
Exchange Online organization, such as recipients or compliance management.
End-user roles: These roles, which are assigned using role assignment policies,
enable users to manage aspects of their own mailbox and distribution groups that
they own. End-user roles begin with the prefix My.

Management roles give permissions to perform tasks to administrators and users by
making cmdlets available to those who are assigned the roles. Because the Exchange
admin center (EAC) and Exchange Online PowerShell use cmdlets to manage Exchange
Online, granting access to a cmdlet gives the administrator or user permission to
perform the task in each of the Exchange Online management interfaces.

Exchange Online includes role groups that you can use to grant permissions. For more
information, see the next section.

Note

Some management roles may be available only to on-premises Exchange Server
installations and won't be available in Exchange Online.

Role groups and role assignment policies

Management roles grant permissions to perform tasks in Exchange Online, but you need
an easy way to assign them to administrators and users. Exchange Online provides you
with the following to help you make assignments:

Role groups: Role groups enable you to grant permissions to administrators and
specialist users.

Role assignment policies: Role assignment policies enable you to grant
permissions to end users to change settings on their own mailbox or distribution
groups that they own.

The following sections provide more information about role groups and role assignment
policies.

Role groups
Every administrator who manages Exchange Online must be assigned at least one or
more roles. Administrators might have more than one role because they may perform
job functions that span multiple areas in Exchange Online.

To make it easier to assign multiple roles to an administrator, Exchange Online includes
role groups. When a role is assigned to a role group, the permissions granted by the
role are granted to all the members of the role group. This enables you to assign many
roles to many role group members at once. Role groups typically encompass broader
management areas, such as recipient management. They're used only with
administrative roles, and not end-user roles. Role group members can be Exchange
Online users and other role groups.

Note

It's possible to assign a role directly to a user without using a role group. However,
that method of role assignment is an advanced procedure and isn't covered in this
topic. We recommend that you use role groups to manage permissions.

The following figure shows the relationship between users, role groups, and roles.

Exchange Online includes several built-in role groups, each one providing permissions
to manage specific areas in Exchange Online. Some role groups may overlap with other
role groups. The following table lists each role group with a description of its use.

Role group: Compliance Management
Description: Members can configure and manage compliance settings within Exchange in
accordance with their policies.
Default roles assigned: Audit Logs, Compliance Admin, Data Loss Prevention, Information
Rights Management, Journaling, Message Tracking, Retention Management, Transport Rules,
View-Only Audit Logs, View-Only Configuration, View-Only Recipients

Role group: Discovery Management
Description: Members can perform searches of mailboxes in the Exchange Online
organization for data that meets specific criteria and can also configure legal holds on
mailboxes.
Default roles assigned: Legal Hold, Mailbox Search

Role group: ExchangeServiceAdmins_<unique value>
Description: Membership in this role group is synchronized across services and is
managed centrally. You can't manage this role group in Exchange Online. This role group
doesn't have any roles assigned to it. However, it's a member of the Organization
Management role group (as Exchange Service Administrator) and inherits the permissions
provided by that role group. You can add members to this role group by adding users to
the Azure AD Exchange admin role in the Microsoft 365 admin center.
Default roles assigned: n/a

Role group: Help Desk
Description: Members can view and manage the configuration for individual recipients
and view recipients in an Exchange organization. Members of this role group can only
manage the configuration each user can manage on their own mailbox.
Default roles assigned: Reset Password, User Options, View-Only Recipients

Role group: HelpdeskAdmins_<unique value>
Description: Membership in this role group is synchronized across services and is
managed centrally. You can't manage this role group in Exchange Online. This role group
doesn't have any roles assigned to it. However, it's a member of the View-Only
Organization Management role group (as Helpdesk Administrator) and inherits the
permissions provided by that role group. You can add members to this role group by
adding users to the Azure AD Helpdesk admin role in the Microsoft 365 admin center.
Default roles assigned: n/a

Role group: Hygiene Management
Description: Members can manage Exchange anti-spam features, grant permissions for
antivirus products to integrate with Exchange, and manage mail flow rules.
Default roles assigned: Transport Hygiene, View-Only Configuration, View-Only Recipients

Role group: Organization Management
Description: Members have administrative access to the entire Exchange Online
organization and can perform almost any task in Exchange Online. By default, the
following management roles are not assigned to any role group, including Organization
Management: Address Lists, Mailbox Import Export. By default, the Mailbox Search role is
only assigned to the Discovery Management role group. Important: Because the
Organization Management role group is a powerful role, only users that perform
organizational-level administrative tasks that can potentially impact the entire
Exchange Online organization should be members of this role group.
Default roles assigned: Audit Logs, Compliance Admin, Data Loss Prevention, Distribution
Groups, E-Mail Address Policies, Federated Sharing, Information Rights Management,
Journaling, Legal Hold, Mail Enabled Public Folders, Mail Recipient Creation, Mail
Recipients, Mail Tips, Message Tracking, Migration, Move Mailboxes, Org Custom Apps, Org
Marketplace Apps, Organization Client Access, Organization Configuration, Organization
Transport Settings, Public Folders, Recipient Policies, Remote and Accepted Domains,
Reset Password, Retention Management, Role Management, Security Admin, Security Group
Creation and Membership, Security Reader, Team Mailboxes, Transport Hygiene, Transport
Rules, UM Mailboxes, UM Prompts, Unified Messaging, User Options, View-Only Audit Logs,
View-Only Configuration, View-Only Recipients

Role group: Recipient Management
Description: Members have administrative access to create or modify Exchange Online
recipients within the Exchange Online organization.
Default roles assigned: Distribution Groups, Mail Recipient Creation, Mail Recipients,
Message Tracking, Migration, Move Mailboxes, Recipient Policies, Reset Password, Team
Mailboxes

Role group: Records Management
Description: Members can configure compliance features, such as retention policy tags,
message classifications, and mail flow rules (also known as transport rules).
Default roles assigned: Audit Logs, Journaling, Message Tracking, Retention Management,
Transport Rules

Role group: Security Administrator
Description: Membership in this role group is synchronized across services and is
managed centrally. You can't manage this role group in Exchange Online. You can add
members to this role group by adding users to the Azure AD Security admin role in the
Microsoft 365 admin center.
Default roles assigned: Security Admin

Role group: Security Reader
Description: Membership in this role group is synchronized across services and is
managed centrally. You can't manage this role group in Exchange Online. You can add
members to this role group by adding users to the Azure AD Security reader role in the
Microsoft 365 admin center.
Default roles assigned: Security Reader

Role group: TenantAdmins_<unique value>
Description: Membership in this role group is synchronized across services and is
managed centrally. You can't manage this role group in Exchange Online. This role group
doesn't have any roles assigned to it. However, it's a member of the Organization
Management role group (as Company Administrator) and inherits the permissions provided
by that role group. You can add members to this role group by adding users to the Azure
AD Global admin role in the Microsoft 365 admin center.
Default roles assigned: n/a

Role group: UM Management
Description: Members can manage Exchange Unified Messaging (UM) settings and features.
Default roles assigned: UM Mailboxes, UM Prompts, Unified Messaging

Role group: View-Only Organization Management
Description: Members can view the properties of any object in the Exchange Online
organization.
Default roles assigned: View-Only Configuration, View-Only Recipients

If you work in a small organization that has only a few administrators, you might need to
add those administrators to the Organization Management role group only, and you
may never need to use the other role groups. If you work in a larger organization, you
might have administrators who perform specific tasks administering Exchange Online,
such as recipient configuration. In those cases, you might add one administrator to the
Recipient Management role group, and another administrator to the Organization
Management role group. Those administrators can then manage their specific areas of
Exchange Online, but they won't have permissions to manage areas they're not
responsible for.

If the built-in role groups in Exchange Online don't match the job function of your
administrators, you can create role groups and add roles to them. For more information,
see the Work with role groups section later in this topic.
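Because role groups can nest and several of them overlap, the practical review question is "who currently holds which roles, and which role grants the cmdlet I care about?". The following is an added example written for this page, not code from the Microsoft documentation; it uses Get-RoleGroup, Get-RoleGroupMember and Get-ManagementRole, and the cmdlet name it looks up is chosen for illustration.

```powershell
# Added example, not from the Microsoft documentation: list role group
# membership for review, then resolve which roles (and role groups) grant a
# given cmdlet.
Connect-ExchangeOnline

# 1. Membership of every role group, flattened to one row per member. A member
#    can itself be a role group; this listing shows it but does not recurse.
$membership = foreach ($rg in Get-RoleGroup) {
    $rgRoles = @($rg.Roles | ForEach-Object { "$_" })
    foreach ($m in Get-RoleGroupMember -Identity $rg.Identity) {
        [pscustomobject]@{
            RoleGroup  = $rg.Name
            Member     = $m.Name
            MemberType = $m.RecipientType
            Roles      = ($rgRoles -join ', ')
        }
    }
}
$membership | Sort-Object RoleGroup, Member | Format-Table RoleGroup, Member, MemberType -AutoSize

# 2. The broadest role groups deserve the closest review; show only their members.
$broad = 'Organization Management', 'Security Administrator', 'Discovery Management'
$membership | Where-Object { $_.RoleGroup -in $broad } | Format-Table RoleGroup, Member -AutoSize

# 3. Which roles contain a given cmdlet, and which role groups carry those roles?
#    Example question: who can create Inbox rules in other users' mailboxes?
$cmdlet = 'New-InboxRule'
$roles  = @(Get-ManagementRole -Cmdlet $cmdlet | ForEach-Object { $_.Name })
"Roles containing ${cmdlet}: $($roles -join ', ')"
Get-RoleGroup | ForEach-Object {
    $hits = @($_.Roles | ForEach-Object { "$_" } | Where-Object { $_ -in $roles })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{ RoleGroup = $_.Name; MatchingRoles = ($hits -join ', ') }
    }
} | Format-Table -AutoSize
```

Step 3 is the one to reach for when a procedure's documentation names a cmdlet but not a role group: the role list it prints is exactly the set you must match in one of the caller's role groups.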
Role assignment policies
Exchange Online provides role assignment policies so that you can control what settings
your users can configure on their own mailboxes and on distribution groups they own.
These settings include their display name, contact information, voice mail settings, and
distribution group membership.

Your Exchange Online organization can have multiple role assignment policies that
provide different levels of permissions for the different types of users in your
organizations. Some users can be allowed to change their address or create distribution
groups, while others can't, depending on the role assignment policy associated with
their mailbox. Role assignment policies are added directly to mailboxes, and each
mailbox can only be associated with one role assignment policy at a time.

Of the role assignment policies in your organization, one is marked as default. The
default role assignment policy is associated with new mailboxes that aren't explicitly
assigned a specific role assignment policy when they're created. The default role
assignment policy should contain the permissions that should be applied to the majority
of your mailboxes.

Permissions are added to role assignment policies using end-user roles. End-user roles
begin with My and grant permissions for users to manage only their mailbox or
distribution groups they own. They can't be used to manage any other mailbox. Only
end-user roles can be assigned to role assignment policies.

When an end-user role is assigned to a role assignment policy, all of the mailboxes
associated with that role assignment policy receive the permissions granted by the role.
This enables you to add or remove permissions to sets of users without having to
configure individual mailboxes. The following figure shows:

End-user roles are assigned to role assignment policies. Role assignment policies
can share the same end-user roles. For details about the end-user roles that are
available in Exchange Online, see Role assignment policies in Exchange Online.

Role assignment policies are associated with mailboxes. Each mailbox can only be
associated with one role assignment policy.

After a mailbox is associated with a role assignment policy, the end-user roles are
applied to that mailbox. The permissions granted by the roles are granted to the
user of the mailbox.
The Default Role Assignment Policy role assignment policy is included with Exchange
Online. As the name implies, it's the default role assignment policy. If you want to
change the permissions provided by this role assignment policy, or if you want to create
role assignment policies, see Work with role assignment policies later in this topic.

Microsoft 365 or Office 365 permissions in Exchange Online
When you create a user in Microsoft 365 or Office 365, you can choose whether to
assign various administrative roles, such as Global administrator, Service administrator,
Password administrator, and so on, to the user. Some, but not all, Microsoft 365 and
Office 365 roles grant the user administrative permissions in Exchange Online.

Note

The user that was used to create your Microsoft 365 or Office 365 organization is
automatically assigned to the Global administrator Microsoft 365 or Office 365 role.

The following table lists the Microsoft 365 or Office 365 roles and the Exchange Online
role group they correspond to.

Microsoft 365 or Office 365 role: Global administrator
Exchange Online role group: Organization Management. Note: The Global administrator role
and the Organization Management role group are tied together using a special Company
Administrator role group. The Company Administrator role group is managed internally by
Exchange Online and can't be modified directly.

Microsoft 365 or Office 365 role: Billing administrator
Exchange Online role group: No corresponding Exchange Online role group.

Microsoft 365 or Office 365 role: Password administrator
Exchange Online role group: Help Desk administrator.

Microsoft 365 or Office 365 role: Service administrator
Exchange Online role group: No corresponding Exchange Online role group.

Microsoft 365 or Office 365 role: User management administrator
Exchange Online role group: No corresponding Exchange Online role group.

For a description of the Exchange Online role groups, see the table "Built-in role groups"
in Role groups.

In Microsoft 365 or Office 365, when you add a user to either the Global administrator
or Password administrator roles, the user is granted the rights provided by the
respective Exchange Online role group. Other Microsoft 365 or Office 365 roles don't
have a corresponding Exchange Online role group and won't grant administrative
permissions in Exchange Online. For more information about assigning a Microsoft 365
or Office 365 role to a user, see Assign admin roles.

Users can be granted administrative rights in Exchange Online without adding them to
Microsoft 365 or Office 365 roles. This is done by adding the user as a member of an
Exchange Online role group. When a user is added directly to an Exchange Online role
group, they'll receive the permissions granted by that role group in Exchange Online.
However, they won't be granted any permissions to other Microsoft 365 or Office 365
components. They'll have administrative permissions only in Exchange Online. Users can
be added to any of the role groups listed in the "Built-in role groups table" in Role
groups with the exception of the Company Administrator and Help Desk Administrators
role groups. For more information about adding a user directly to an Exchange Online
role group, see Work with role groups.
Work with role groups
To manage your permissions using role groups in Exchange Online, we recommend that
you use the EAC. When you use the EAC to manage role groups, you can add and
remove roles and members, create role groups, and copy role groups with a few clicks
of your mouse. The EAC provides simple dialog boxes, such as the Add role group
dialog box, shown in the following figure, to perform these tasks.

Exchange Online includes several role groups that separate permissions into specific
administrative areas. If these existing role groups provide the permissions your
administrators need to manage your Exchange Online organization, you need only add
your administrators as members of the appropriate role groups. After you add
administrators to a role group, they can administer the features that relate to that role
group. To add or remove members to or from a role group, open the role group in the
EAC, and then add or remove members from the membership list. For a list of built-in
role groups, see the table "Built-in role groups" in Role groups.

Important

If an administrator is a member of more than one role group, Exchange Online
grants the administrator all of the permissions provided by the role groups he or
she is a member of.
If none of the role groups included with Exchange Online have the permissions you
need, you can use the EAC to create a role group and add the roles that have the
permissions you need. For your new role group, you will:

1. Choose a name for your role group.

2. Select the roles you want to add to the role group.

3. Add members to the role group.

4. Save the role group.

After you create the role group, you manage it like any other role group.

If there's an existing role group that has some, but not all, of the permissions you need,
you can copy it and then make changes to create a role group. You can copy an existing
role group and make changes to it, without affecting the original role group. As part of
copying the role group, you can add a new name and description, add and remove roles
to and from the new role group, and add new members. When you create or copy a role
group, you use the same dialog box that's shown in the preceding figure.

Existing role groups can also be modified. You can add and remove roles from existing
role groups, and add and remove members from it at the same time, using an EAC
dialog box similar to the one in the preceding figure. By adding and removing roles to
and from role groups, you turn on and off administrative features for members of that
role group.

Note

Although you can change which roles are assigned to built-in role groups, we
recommend that you copy built-in role groups, modify the role group copy, and
then add members to the role group copy. The Company Administrator and Help
Desk administrator role groups can't be copied or changed.
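The copy-then-trim approach recommended in the note above can be scripted, which also leaves a reviewable record of exactly which roles the new group carries. The following is an added example written for this page, not code from the Microsoft documentation; the new role group name, its description and the member address are constructed placeholders, and the roles removed from the copy are chosen for illustration.

```powershell
# Added example, not from the Microsoft documentation: create a least-privilege
# role group by copying the roles of a built-in group and dropping the ones a
# first-line team does not need (steps 1 to 4 above in a single command).
Connect-ExchangeOnline

# Source: the built-in Recipient Management role group.
$source  = Get-RoleGroup -Identity 'Recipient Management'
$exclude = 'Migration', 'Move Mailboxes', 'Mail Recipient Creation'   # illustrative
$roles   = @($source.Roles | ForEach-Object { "$_" } | Where-Object { $_ -notin $exclude })

# Name, roles, members, save. The built-in group is left untouched.
New-RoleGroup -Name 'Recipient Editors' `
    -Description 'Edit existing recipients; cannot create, move or migrate mailboxes' `
    -Roles $roles `
    -Members 'helpdesk-lead@contoso.example'

# Confirm what was created.
Get-RoleGroup -Identity 'Recipient Editors' | Format-List Name, Roles, ManagedBy
Get-RoleGroupMember -Identity 'Recipient Editors'

# Later changes: adding or removing a role toggles that feature for every member
# of the group at once. Each role is an individual management role assignment.
New-ManagementRoleAssignment -SecurityGroup 'Recipient Editors' -Role 'Message Tracking'
Get-ManagementRoleAssignment -RoleAssignee 'Recipient Editors' -Role 'Team Mailboxes' |
    Remove-ManagementRoleAssignment -Confirm:$false

# What the group can do now, as role assignments rather than a role name list.
Get-ManagementRoleAssignment -RoleAssignee 'Recipient Editors' |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope -AutoSize
```

The final Get-ManagementRoleAssignment output is what to file with the change request: it records the role set, the assignee type and the write scope, which is the information an auditor needs to confirm the group does not exceed its intended reach.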

Work with role assignment policies

To manage the permissions that you grant end users to manage their own mailbox in
Exchange Online, we recommend that you use the EAC. When you use the EAC to
manage end-user permissions, you can add roles, remove roles, and create role
assignment policies with a few clicks of your mouse. The EAC provides simple dialog
boxes, such as the role assignment policy dialog box, shown in the following figure, to
perform these tasks.
Exchange Online includes a role assignment policy named Default Role Assignment
Policy. This role assignment policy enables users whose mailboxes are associated with it
to do the following:

Join or leave distribution groups that allow members to manage their own
membership.
View and modify basic mailbox settings on their own mailbox, such as Inbox rules,
spelling behavior, junk mail settings, and Microsoft ActiveSync devices.
Modify their contact information, such as work address and phone number, mobile
phone number, and pager number.
Create, modify, or view text message settings.
View or modify voice mail settings.
View and modify their marketplace apps.
Create team mailboxes and connect them to Microsoft SharePoint lists.
Create, modify, or view email subscription settings, such as message format and
protocol defaults.

If you want to add or remove permissions from the Default Role Assignment Policy or
any other role assignment policy, you can use the EAC. The dialog box you use is similar
to the one in the preceding figure. When you open the role assignment policy in the
EAC, select the check box next to the roles you want to assign to it or clear the check
box next to the roles you want to remove. The change you make to the role assignment
policy is applied to every mailbox associated with it.

If you want to assign different end-user permissions to the various types of users in your
organization, you can create role assignment policies. When you create a role
assignment policy, you see a dialog box similar to the one in the preceding figure. You
can specify a new name for the role assignment policy, and then select the roles you
want to assign to the role assignment policy. After you create a role assignment policy,
you can associate it with mailboxes using the EAC.

If you want to change which role assignment policy is the default, you must use
Exchange Online PowerShell. When you change the default role assignment policy, any
mailboxes that are created will be associated with the new default role assignment
policy if one wasn't explicitly specified. The role assignment policy associated with
existing mailboxes doesn't change when you select a new default role assignment
policy.

Note

If you select a check box for a role that has child roles, the check boxes for the child
roles are also selected. If you clear the check box for a role with child roles, the
check boxes for the child roles are also cleared.

For detailed role assignment policy procedures, see Role assignment policies in
Exchange Online.

Permissions documentation
The following table contains links to topics that will help you learn about and manage
permissions in Exchange Online.
Topic: Description

Understanding Role Based Access Control: Learn about each of the components that make up RBAC and how you can create advanced permissions models if role groups and management roles aren't enough.

Manage role groups in Exchange Online: Configure permissions for Exchange Online administrators and specialist users using role groups, including adding and removing members to and from role groups.

Role assignment policies in Exchange Online: Configure which features end users have access to on their mailboxes using role assignment policies; view, create, modify, and remove role assignment policies; specify the default role assignment policy; and apply role assignment policies to mailboxes.

Feature permissions in Exchange Online: Learn more about the permissions required to manage Exchange Online features and services.
Feature permissions in Exchange Online
Article • 02/22/2023

The permissions required to perform tasks to manage Microsoft Exchange Online vary
depending on the procedure being performed or the cmdlet you want to run.

For information about Exchange Online Protection (EOP) permissions, see Feature
Permissions in EOP.

To find out what permissions you need to perform the procedure or run the cmdlet, do
the following:

1. In the table below, find the feature that is most related to the procedure you want
to perform or the cmdlet you want to run.

2. Next, look at the permissions required for the feature. You must be assigned one
of those role groups, an equivalent custom role group, or an equivalent
management role. You can also click on a role group to see its management roles.
If a feature lists more than one role group, you only need to be assigned one of
the role groups to use the feature. For more information about role groups and
management roles, see Understanding Role Based Access Control.

3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups
or management roles assigned to you to see if you have the permissions that are
necessary to manage the feature.

Note

You must be assigned the Role Management management role to run the
Get-ManagementRoleAssignment cmdlet. If you don't have permissions to
run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to
you.

If you want to delegate the ability to manage a feature to another user, see Delegate
role assignments.
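The following script is an added example and is not part of the original article. It chains the two lookups the procedure above describes: Get-ManagementRole answers which roles contain a given cmdlet (and, optionally, specific parameters of it), and Get-ManagementRoleAssignment with the GetEffectiveUsers switch expands role group membership, including nested role groups, so you can tell whether a named user actually ends up with one of those roles and under which write scope. It assumes an existing Connect-ExchangeOnline session whose account holds the Role Management role; the cmdlet, parameter and user values are placeholders, and the user match compares the expanded EffectiveUserName with the user's Name property.

```powershell
# Added example, not from the original article. Assumes an existing
# Connect-ExchangeOnline session whose account holds the Role Management role.
# Usage: .\Test-CmdletPermission.ps1 -Cmdlet Set-Mailbox -CmdletParameters ForwardingSmtpAddress -User 'Julia'
param(
    [Parameter(Mandatory)] [string] $Cmdlet,   # e.g. Set-Mailbox
    [string[]] $CmdletParameters,              # optional, e.g. ForwardingSmtpAddress
    [string]   $User                           # optional: name, alias or UPN to check
)

# 1. Which management roles contain this cmdlet (and these parameters, if given)?
#    Checking parameters matters: a role can expose Set-Mailbox without every parameter.
$roleQuery = @{ Cmdlet = $Cmdlet }
if ($CmdletParameters) { $roleQuery.CmdletParameters = $CmdletParameters }
$roles = @(Get-ManagementRole @roleQuery)
if ($roles.Count -eq 0) {
    throw "No management role contains $Cmdlet with parameters: $($CmdletParameters -join ', ')"
}
"Roles that grant $Cmdlet $($CmdletParameters -join ', '):"
$roles | ForEach-Object { "  $($_.Name)" }

# 2. Regular (non-delegating) assignments of those roles. -GetEffectiveUsers expands
#    role groups, nested ones included, into the users who actually hold the role.
$assignments = foreach ($r in $roles) {
    Get-ManagementRoleAssignment -Role $r.Name -Delegating $false -GetEffectiveUsers
}
"Assignees (role groups, policies or users) holding one of these roles:"
$assignments | ForEach-Object { $_.RoleAssigneeName } | Sort-Object -Unique |
    ForEach-Object { "  $_" }

# 3. Does the named user end up with the permission, through which assignee, and
#    with which write scope? (Assumption: EffectiveUserName equals the user's Name.)
if ($User) {
    $target = Get-User -Identity $User -ErrorAction Stop
    $hits = @($assignments | Where-Object { $_.EffectiveUserName -eq $target.Name })
    if ($hits.Count -gt 0) {
        "$($target.Name) can run $Cmdlet via:"
        $hits | Select-Object Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
            Format-Table -AutoSize
    } else {
        "$($target.Name) holds no role that grants $Cmdlet."
    }
}
```

Step 3 is the part worth keeping in an access review: the output shows not just that a user can run the cmdlet but the scope attached to the assignment that grants it, which is what separates "can change one office's mailboxes" from "can change every mailbox in the tenant".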

Exchange Online permissions


You can use the features in the following table to manage your Exchange Online
organization and recipients. Users who are assigned the View-Only Organization
Management role group can view the configuration of the features in the following
table. For more information about these role groups, see Role groups.

Feature: Permissions required

Anti-malware: Organization Management; Hygiene Management

Anti-spam: Organization Management; Hygiene Management

Arbitration: Organization Management

Client Access user settings: Organization Management

Data loss prevention (DLP): Organization Management; Compliance Management

Discovery mailboxes - Create: Organization Management; Recipient Management

Distribution groups: Organization Management; Recipient Management

Domains: Organization Management

Microsoft 365 or Office 365 connectors: Organization Management

In-Place eDiscovery: Discovery Management
Note: By default, the Discovery Management role group doesn't have any members. No users, including admins, have the required permissions to search mailboxes. For more information, see Assign eDiscovery permissions in Exchange.

In-Place Hold: Discovery Management; Organization Management
Notes:
To create a query-based In-Place Hold, a user requires both the Mailbox Search and Legal Hold roles to be assigned via membership in a role group that has both roles assigned. To create an In-Place Hold without using a query, which places all mailbox items on hold, you must have the Legal Hold role assigned. The Discovery Management role group is assigned both roles.
The Organization Management role group is assigned the Legal Hold role. Members of the Organization Management role group can place an In-Place Hold on all items in a mailbox, but can't create a query-based In-Place Hold.

Journal archiving: Organization Management; Recipient Management

Journaling: Organization Management; Records Management

Linked user: Organization Management; Recipient Management

Mail flow: Organization Management

Mail flow rules: Organization Management

Mailbox settings: Organization Management; Recipient Management

Message Encryption: Organization Management; Compliance Management; Records Management

Message trace: Organization Management; Compliance Management; Help Desk

Messaging records management: Compliance Management; Organization Management; Records Management

Mobile devices: Organization Management; Recipient Management

Organization configuration: Organization Management

Outlook on the web mailbox policies: Organization Management; Recipient Management

Permissions and delegation: Organization Management

Public folders: Organization Management; Public Folder Management. Mail-enabled public folders require Recipient Management.

POP3 and IMAP4 permissions: Organization Management

Quarantine: Organization Management; Hygiene Management

Recipients: Organization Management; Recipient Management

Retention policies: Organization Management; Recipient Management; Records Management

Role assignments: Organization Management

Supervision: Organization Management

Unified Messaging: Organization Management; Unified Messaging Management

View-only administrator audit logging: Organization Management; Records Management

View reports:
Organization Management: Users have access to mailbox reports and mail protection reports.
View-Only Organization Management: Users have access to mailbox reports.
View-Only Recipients: Users have access to mail protection reports.
Compliance Management: Users have access to mail protection reports and data loss prevention (DLP) reports (if their subscription has DLP capabilities).

Note

To find the permissions that are required to run any Exchange Online cmdlet, see
Find the permissions required to run any Exchange cmdlet.
Manage role groups in Exchange Online
Article • 02/22/2023

A role group is a special kind of universal security group (USG) that's used in the Role
Based Access Control (RBAC) permissions model in Exchange Online. Management role
groups simplify the assignment and maintenance of permissions to users in Exchange
Online. The members of the role group are assigned the same set of roles, and you add
and remove permissions from users by adding them to or removing them from the role
group. For more information about role groups in Exchange Online, see Permissions in
Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 to 10 minutes

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To open Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

The procedures in this topic require the Role Management RBAC role in Exchange
Online. Typically, you get this permission via membership in the Organization
Management role group (the Microsoft 365 or Office 365 Global administrator
role).

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at:
Exchange Online, or Exchange Online Protection.

View role groups

Use the new EAC to view role groups


1. In the new EAC, go to Roles > Admin roles. All of the role groups in your
organization are listed here.
2. Select a role group. The details pane shows the Name, Description, Managed by,
Write scope, Assigned, and Permissions of the role group.

Use the Classic EAC to view role groups


1. In the Classic EAC, go to Permissions > Admin Roles. All of the role groups in your
organization are listed here.

2. Select a role group. The details pane shows the Name, Description, Assigned
roles, Members, Managed by, and Write scope of the role group. You can also see
this information by clicking Edit .

Use Exchange Online PowerShell to view role groups


To view a role group, use the following syntax:

PowerShell

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

PowerShell

Get-RoleGroup

This example returns detailed information for the role group named Recipient
Administrators.

PowerShell

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use
the DistinguishedName (DN) value for Julia, which you can find by running the
command: Get-User -Identity Julia | Format-List DistinguishedName .

PowerShell

Get-RoleGroup -Filter "Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'"

For detailed syntax and parameter information, see Get-RoleGroup.
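The commands above answer questions about one role group or one user at a time. The following script is an added example (not part of the original article) that turns them into the inventory a privilege review needs: every role group with its assigned roles, the write scope of those assignments, its delegates, and its members with nested role groups expanded, followed by the groups that deserve a second look because they hold a sensitive role organization-wide and have no delegate. It assumes an existing Connect-ExchangeOnline session holding the Role Management role; the watch list of role names is a hypothetical starting point (all five are built-in Exchange Online roles) and should be adjusted to your own policy.

```powershell
# Added example, not from the original article. Assumes a Connect-ExchangeOnline
# session holding the Role Management role.

# Hypothetical watch list of built-in roles; adjust to your own policy.
$watchRoles = @('Role Management', 'Mailbox Search', 'Mailbox Import Export',
                'Legal Hold', 'ApplicationImpersonation')

function Expand-RoleGroupMembers {
    # Returns the non-role-group members of a role group, descending into member
    # role groups. $Seen guards against cycles (A contains B contains A).
    param(
        [string] $Identity,
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    foreach ($m in Get-RoleGroupMember -Identity $Identity) {
        if ($m.RecipientTypeDetails -eq 'RoleGroup') {
            if ($Seen.Add($m.Name)) { Expand-RoleGroupMembers -Identity $m.Name -Seen $Seen }
        } else {
            $m   # a user or a mail-enabled USG (USG membership is not expanded here)
        }
    }
}

$report = foreach ($rg in Get-RoleGroup) {
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    [void] $seen.Add($rg.Name)
    $members = @(Expand-RoleGroupMembers -Identity $rg.Name -Seen $seen)

    # Roles and scopes come from the group's regular (non-delegating) assignments,
    # the same objects the scope procedures later in this article operate on.
    $assign = @(Get-ManagementRoleAssignment -RoleAssignee $rg.Name -Delegating $false)
    $roles  = @($assign | ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)
    $scopes = @($assign | ForEach-Object {
        if ($_.CustomRecipientWriteScope) { "$($_.CustomRecipientWriteScope)" } else { "$($_.RecipientWriteScope)" }
    } | Sort-Object -Unique)

    [pscustomobject] @{
        RoleGroup   = $rg.Name
        RoleCount   = $roles.Count
        Watched     = ($roles | Where-Object { $watchRoles -contains $_ }) -join '; '
        OrgWide     = [bool] ($scopes -contains 'Organization')
        WriteScopes = $scopes -join '; '
        Delegates   = ($rg.ManagedBy | ForEach-Object { "$_" }) -join '; '
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

# Overview, groups holding a watched role first.
$report | Sort-Object @{ Expression = { $_.Watched -ne '' }; Descending = $true }, RoleGroup |
    Format-Table RoleGroup, RoleCount, MemberCount, Watched, OrgWide, WriteScopes -AutoSize

# Groups that hold a watched role with Organization-wide reach and have no delegate:
# broad power, and only Role Management holders can change who is in them.
$report | Where-Object { $_.Watched -and $_.OrgWide -and -not $_.Delegates } |
    Select-Object RoleGroup, Watched, Members | Format-List
```

Members of type mail-enabled universal security group are listed by name but not expanded; if your role groups contain USGs, resolve their membership separately, because that is where hidden administrators tend to accumulate.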

Create role groups


When you create a new role group, you need to configure all of the settings yourself
(during the creation of the group or after). To start with the configuration of an existing
role group and modify it, see Copy existing role groups.

Use the new EAC to create role groups


1. In the new EAC, go to Roles > Admin roles and then click Add role group.

2. In the Add role group window, under Set up the basics section, configure the
following settings and click Next:

Name: Enter a unique name for the role group.

Description: Enter an optional description for the role group.

Write scope: The default value is Default, but you can also select a custom
recipient write scope from the drop-down list.

3. In Add permissions section, select the roles and click Next. Roles define the scope
of the tasks that the members assigned to this role group have permission to
manage.

4. In Assign admins section, select the users to assign to this role group and click
Next. They'll have permissions to manage the roles that you assigned.

5. In Review role group and finish section, verify all the details, and then click Add
role group.

6. Click Done.

Use the Classic EAC to create role groups


1. In the Classic EAC, go to Permissions > Admin Roles and then click Add .

2. In the New role group window that appears, configure the following settings:

Name: Enter a unique name for the role group.

Description: Enter an optional description for the role group.


Write scope: The default value is Default, but you can also select a custom
recipient write scope that you've already created.

Roles: Click Add to select the roles that you want to be assigned to the
role group in the new window that appears.

Members: Click Add to select the members that you want to add to the
role group in the new window that appears. You can select users, mail-
enabled universal security groups (USGs), or other role groups (security
principals).

When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to create a role group


To create a new role group, use the following syntax:

PowerShell

New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"

The Roles parameter specifies the management roles to assign to the role group by
using the following syntax "Role1","Role1",..."RoleN" . You can see the available
roles by using the Get-ManagementRole cmdlet.
The Members parameter specifies the members of the role group by using the
following syntax: "Member1","Member2",..."MemberN" . You can specify users, mail-
enabled universal security groups (USGs), or other role groups (security principals).
The ManagedBy parameter specifies the delegates who can modify and remove the
role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN" .
Note that this setting isn't available in the EAC.
The CustomRecipientWriteScope parameter specifies the existing custom recipient
write scope to apply to the role group. You can see the available custom recipient
write scopes by using the Get-ManagementScope cmdlet.

This example creates a new role group named "Limited Recipient Management" with the
following settings:

The Mail Recipients and Mail Enabled Public Folders roles are assigned to the role
group.
The users Kim and Martin are added as members. Because no custom recipient
write scope was specified, Kim and Martin can manage any recipient in the
organization.

PowerShell

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin"

This is the same example with a custom recipient write scope, which means Kim and
Martin can only manage recipients that are included in the Seattle Recipients scope
(recipients who have their City property set to the value Seattle).

PowerShell

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-RoleGroup.

Copy existing role groups


If an existing role group is close in terms of the permissions and settings that you want
to assign to users, you can copy the existing role group and modify the copy to suit
your needs.

Use the new EAC to copy a role group


Note: You can't use the new EAC to copy a role group if you've used Exchange Online
PowerShell to configure multiple scopes or exclusive scopes on the role group. To copy
role groups that have these settings, you need to use Exchange Online PowerShell.

1. In the new EAC, go to Roles > Admin roles.

2. Select the role group that you want to copy and then click Copy role group.

3. In the Copy role group window, under Set up the basics section, configure the
following settings and click Next:

Name: The default value is "Copy of <Role Group Name>", but you can enter a
unique name for the role group.
Description: The existing description is present, but you can change it.
Write scope: The existing write scope is selected, but you can select Default
or a custom recipient write scope from the drop-down list.
4. In Edit permissions section, modify the roles and click Next. Roles define the scope
of the tasks that the members assigned to this role group have permission to
manage.

5. In Assign admins section, modify the role group membership and click Next.
They'll have permissions to manage the roles that you assigned.

6. In Review role group and finish section, verify all the details, and then click Copy
role group.

7. Click Done.

Use the Classic EAC to copy a role group


Note: You can't use the Classic EAC to copy a role group if you've used Exchange Online
PowerShell to configure multiple scopes or exclusive scopes on the role group. To copy
role groups that have these settings, you need to use Exchange Online PowerShell.

1. In the Classic EAC, go to Permissions > Admin Roles.

2. Select the role group that you want to copy and then click Copy .

3. In the New role group window that appears, configure the following settings:

Name: The default value is "Copy of <Role Group Name>", but you can enter a
unique name for the role group.

Description: The existing description is present, but you can change it.

Write scope: The existing write scope is selected, but you can select Default
or another custom recipient write scope that you've already created.

Roles: Click Add or Remove to modify the roles that are assigned to the
role group.

Members: Click Add or Remove to modify the role group membership.

When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to copy a role group


1. Store the role group that you want to copy in a variable using the following syntax:

PowerShell

$RoleGroup = Get-RoleGroup "<Existing Role Group Name>"


2. Create the new role group using the following syntax:

PowerShell

New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>] [-ManagedBy <Managers>] [-CustomRecipientWriteScope "<Existing Custom Recipient Write Scope Name>"]

The Members parameter specifies the members of the role group by using
the following syntax: "Member1","Member2",..."MemberN" . You can specify
users, mail-enabled universal security groups (USGs), or other role groups
(security principals).
The ManagedBy parameter specifies the delegates who can modify and
remove the role group by using the following syntax:
"Delegate1","Delegate2",..."DelegateN" . Note that this setting isn't available

in the EAC.
The CustomRecipientWriteScope parameter specifies the existing custom
recipient write scope to apply to the role group. You can see the available
custom recipient write scopes by using the Get-ManagementScope cmdlet.

This example copies the Organization Management role group to the new role group
named "Limited Organization Management". The role group members are Isabelle,
Carter, and Lukas and the role group delegates are Jenny and Katie.

PowerShell

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas" -ManagedBy "Jenny","Katie"

This example copies the Organization Management role group to the new role group
called Vancouver Organization Management with the Vancouver Users recipient custom
recipient write scope.

PowerShell

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users"

For detailed syntax and parameter information, see New-RoleGroup.


Modify role groups

Use the new EAC to modify role groups


1. In the new EAC, go to Roles > Admin roles, select the role group you want to
modify, and then edit the following in the details pane:

In General section, click Edit basics to change the name and description.
In Assigned section, add/delete users from this role group.
In Permissions section, add/remove roles assigned to the role group.

2. When you're finished, click Save.

Use the Classic EAC to modify role groups


1. In the Classic EAC, go to Permissions > Admin Roles, select the role group you
want to modify, and then click Edit .

The same options are available when you modify role groups as when you Use the
Classic EAC to create role groups. You can:

Change the name and description.


Change the write scope (if you've created custom recipient write scopes).
Add and remove management roles (create or remove role assignments).
Add and remove members.

Notes:

You can't use the Classic EAC to modify the write scope, roles, and members of a
role group if you've used Exchange Online PowerShell to configure multiple scopes
or exclusive scopes on the role group. To modify the settings of these role groups,
you need to use Exchange Online PowerShell.
Some role groups (for example, the Organization Management role group) restrict
the roles that you can remove from the group.
You can't add or remove delegates of a role group in the Classic EAC. You can only
use Exchange Online PowerShell.

Use Exchange Online PowerShell to add roles to role groups (create role assignments)

To add roles to role groups in Exchange Online PowerShell, you create management role
assignments by using the following syntax:
PowerShell

New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]

The role assignment name is created automatically if you don't specify one.
If you don't use the RecipientRelativeWriteScope parameter, the implicit read scope
and implicit write scope of the role is applied to the role assignment.
If a predefined scope meets your business requirements, you can use the
RecipientRelativeWriteScope parameter to apply the scope to the role assignment.
To apply a custom recipient write scope, use the CustomRecipientWriteScope
parameter.

This example assigns the Transport Rules management role to the Seattle Compliance
role group.

PowerShell

New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

This example assigns the Message Tracking role to the Enterprise Support role group
and applies the Organization predefined scope.

PowerShell

New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

This example assigns the Message Tracking role to the Seattle Recipient Admins role
group and applies the Seattle Recipients scope.

PowerShell

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use Exchange Online PowerShell to remove roles from role groups (remove role assignments)

To remove roles from role groups in Exchange Online PowerShell, you remove
management role assignments by using the following syntax:

PowerShell

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment

To remove regular role assignments that grant permissions to users, use the value
$false for the Delegating parameter.
To remove delegating role assignments that allow the role to be assigned to others,
use the value $true for the Delegating parameter.

This example removes the Distribution Groups role from the Seattle Recipient
Administrators role group.

PowerShell

Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Administrators" -Role "Distribution Groups" -Delegating $false | Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.

Use Exchange Online PowerShell to modify the scope of role assignments in role groups

The write scope of a role assignment in a role group defines the objects that the
members of the role group can operate on (for example, all users, or only the users
whose City property has the value Vancouver). You can modify the write scope of the
roles assigned to a role group to:

The implicit scope from the roles themselves. This means you didn't specify any
custom scopes when you created the role group, or you set the value of all role
assignments in an existing role group to the value $null .
The same custom scope for all role assignments.
Different custom scopes for each individual role assignment.

To set the scope on all of the role assignments on a role group at the same time, use the
following syntax:

PowerShell

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Set-ManagementRoleAssignment [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for all role assignments on the Sales Recipient
Management role group to Direct Sales Employees.

PowerShell

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"

To change the scope on an individual role assignment between a role group and a
management role, do the following steps:

1. Replace <Role Group Name> with the name of the role group and run the
following command to find the names of all the role assignments on the role
group:

PowerShell

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-List Name

2. Find the name of the role assignment you want to change. Use the name of the
role assignment in the next step.

3. To set the scope on the individual role assignment, use the following syntax:

PowerShell

Set-ManagementRoleAssignment -Identity "<Role Assignment Name>" [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for the role assignment named Mail
Recipients_Sales Recipient Management to All Sales Employees.

PowerShell

Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"

For detailed syntax and parameter information, see Set-ManagementRoleAssignment.
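The custom scopes used throughout this section ("Seattle Recipients", "Direct Sales Employees") have to exist before they can be applied, and the article does not show how they're built. The following added example (not part of the original article) goes one step beyond the text: it creates the custom recipient write scope with New-ManagementScope, previews which recipients the filter actually matches, assigns a role to a role group under that scope, and then verifies that no assignment on the group escaped the scope. It assumes an existing Connect-ExchangeOnline session holding the Role Management role and that the role group already exists; the scope name, role group name and City value are the article's own hypothetical ones.

```powershell
# Added example, not from the original article. Assumes a Connect-ExchangeOnline
# session holding the Role Management role, and that the role group already exists.
$scopeName = 'Seattle Recipients'        # hypothetical, as in the article
$groupName = 'Seattle Recipient Admins'  # hypothetical, as in the article
$filter    = "City -eq 'Seattle'"        # OPATH filter; same syntax Get-Recipient -Filter uses

# 1. Create the custom recipient write scope if it doesn't exist yet.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter | Out-Null
}

# 2. Preview the blast radius: which recipients will members be able to modify?
$inScope = @(Get-Recipient -Filter $filter -ResultSize Unlimited)
"Scope '$scopeName' currently covers $($inScope.Count) recipient(s)."
if ($inScope.Count -eq 0) {
    Write-Warning "Filter matches nothing; check the City values before relying on this scope."
}

# 3. Assign the role to the role group, limited to the scope.
New-ManagementRoleAssignment -SecurityGroup $groupName -Role 'Mail Recipients' `
    -CustomRecipientWriteScope $scopeName | Out-Null

# 4. Verify: every regular assignment on the group must carry this custom scope.
#    An assignment without it (for example one added later in the EAC with the
#    Default write scope) falls back to the role's implicit scope, which for
#    Mail Recipients is the whole organization.
$all     = @(Get-ManagementRoleAssignment -RoleAssignee $groupName -Delegating $false)
$escaped = @($all | Where-Object { "$($_.CustomRecipientWriteScope)" -ne $scopeName })
if ($escaped.Count -gt 0) {
    Write-Warning "Assignments on '$groupName' that are not limited to '$scopeName':"
    $escaped | Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
} else {
    "All $($all.Count) assignment(s) on '$groupName' are limited to '$scopeName'."
}
```

Step 4 is the check worth automating: a role group is only as narrow as its widest assignment, so re-run it whenever a role is added to the group, not just when the scope is created.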

Use Exchange Online PowerShell to modify the list of delegates in role groups

Role group delegates define who is allowed to modify and delete the role group. You
can't manage role group delegates in the EAC.

To modify the list of delegates in a role group, use the following syntax:

PowerShell

Set-RoleGroup -Identity "<Role Group Name>" -ManagedBy <Delegates>

To replace the existing list of delegates with the values you specify, use the
following syntax: "Delegate1","Delegate2",..."DelegateN" .

To selectively modify the existing list of delegates, use the following syntax:
@{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...} .

This example replaces all current delegates of the Help Desk role group with the
specified users.

PowerShell

Set-RoleGroup -Identity "Help Desk" -ManagedBy "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of delegates
on the Help Desk role group.

PowerShell

Set-RoleGroup -Identity "Help Desk" -ManagedBy @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Set-RoleGroup.


Use Exchange Online PowerShell to modify the
list of members in role groups
The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or
remove individual members one at a time. The Update-RoleGroupMember cmdlet
can replace or modify the existing list of members.

The members of a role group can be users, mail-enabled universal security groups
(USGs), or other role groups (security principals).

To modify the members of a role group, use the following syntax:

PowerShell

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members> [-BypassSecurityGroupManagerCheck]

To replace the existing list of members with the values you specify, use the
following syntax: "Member1","Member2",..."MemberN" .
To selectively modify the existing list of members, use the following syntax:
@{Add="Member1","Member2"...; Remove="Member3","Member4"...} .

This example replaces all current members of the Help Desk role group with the
specified users.

PowerShell

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of members
on the Help Desk role group.

PowerShell

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.

Remove role groups


You can't remove built-in role groups, but you can remove custom role groups that
you've created.

Notes:

When you remove a role group, the management role assignments between the
role group and the management roles are deleted. Any management roles that are
assigned to the role group aren't deleted.
If a user depends on the role group for access to a feature, the user will no longer
have access to the feature after you delete the role group.

Use the new EAC to remove a role group


1. In the new EAC, go to Roles > Admin roles.
2. Select the role group and click Delete.
3. Click Confirm in the confirmation window.

Use the Classic EAC to remove a role group


1. In the Classic EAC, go to Permissions > Admin Roles.
2. Select the role group you want to remove and then click Delete.
3. Click Yes in the confirmation window that appears.

Use Exchange Online PowerShell to remove a role group


To remove a custom role group, use the following syntax:

PowerShell

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

PowerShell

Remove-RoleGroup -Identity "Training Administrators"

This example removes the Vancouver Recipient Administrators role group. Because the
user running the command isn't defined in the ManagedBy property of the role group,
the BypassSecurityGroupManagerCheck switch is required in the command. The user
that's running the command is assigned the Role Management role, which enables the
user to bypass the security group manager check.

PowerShell

Remove-RoleGroup -Identity "Vancouver Recipient Administrators" -BypassSecurityGroupManagerCheck

For detailed syntax and parameter information, see Remove-RoleGroup.


Role assignment policies in Exchange
Online
Article • 02/22/2023

A role assignment policy is a collection of one or more end-user roles that enable users
to manage their mailbox settings and distribution groups in Exchange Online. End-users
roles are part of the role based access control (RBAC) permissions model in Exchange
Online. You can assign different role assignment policies to different users to allow or
prevent specific self-management features in Exchange Online. For more information,
see Role assignment policies.

In Exchange Online, a default role assignment policy named Default Role Assignment
Policy is specified by the mailbox plan that's assigned to users when their account is
licensed. For more information about mailbox plans, see Mailbox plans in Exchange
Online.

Note

Currently User roles and Outlook Web App policies are not available in new
Exchange admin center.

Role assignment policies are how end-user roles (as opposed to management roles) are
assigned to users in Exchange Online. There are several ways you can use role
assignment policies to assign permissions to users:

New users:

Change the end-user roles that are assigned to the default role assignment
policy.

Create a custom role assignment policy and set it as the default. Note that this
method only affects mailboxes that you create without specifying a role
assignment policy or assigning a license (the license specifies the mailbox plan,
which specifies the role assignment policy).

Specify a custom role assignment policy in the mailbox plan. For more
information, see Use Exchange Online PowerShell to modify mailbox plans.

Existing users:
Assign a different license to the user. This will apply the settings of the different
mailbox plan, which specifies the role assignment policy to apply.

Manually assign a custom role assignment policy to mailboxes.
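The following script is an added example (not part of the original article) that carries the options above through end to end, and also serves the earlier discussion of changing the default role assignment policy in Exchange Online PowerShell: it derives a tightened policy from the current default (MyContactInformation replaced by its MyAddressInformation child role, MyDistributionGroups removed), makes it the default for new unlicensed mailboxes, points the mailbox plans at it so newly licensed users get it too, and then explicitly switches existing mailboxes, which the default change alone never touches. It assumes an existing Connect-ExchangeOnline session holding the Role Management role; the policy name and description are hypothetical.

```powershell
# Added example, not from the original article. Assumes a Connect-ExchangeOnline
# session holding the Role Management role. The policy name is hypothetical.
$policyName = 'Restricted Self-Service'

# 1. Start from the role set of the current default policy, read through its role
#    assignments (the same objects this article uses for role groups).
$default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
$roles = @(Get-ManagementRoleAssignment -RoleAssignee $default.Name -Delegating $false |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)

# 2. Tighten it: drop the broad roles and keep only the child role that's wanted.
#    MyBaseOptions must stay, or users lose the Options page in Outlook on the web.
$roles = @($roles | Where-Object { $_ -notin @('MyContactInformation', 'MyDistributionGroups') })
if ('MyAddressInformation' -notin $roles) { $roles += 'MyAddressInformation' }
if ('MyBaseOptions' -notin $roles)       { $roles += 'MyBaseOptions' }

# 3. Create the policy with exactly that role set.
New-RoleAssignmentPolicy -Name $policyName -Roles $roles `
    -Description 'Self-service limited to address edits; no distribution group ownership' | Out-Null

# 4. Make it the default. This affects only mailboxes created later without an
#    explicit policy or license; nothing existing changes.
Set-RoleAssignmentPolicy -Identity $policyName -IsDefault

# 5. Point every mailbox plan at it, so newly licensed users get it as well.
Get-MailboxPlan | Set-MailboxPlan -RoleAssignmentPolicy $policyName

# 6. Existing mailboxes keep their old policy; switch them explicitly.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { "$($_.RoleAssignmentPolicy)" -ne $policyName } |
    Set-Mailbox -RoleAssignmentPolicy $policyName

# 7. Verify the policy's roles and that no user mailbox is left on another policy.
Get-ManagementRoleAssignment -RoleAssignee $policyName -Delegating $false |
    Select-Object Role, RecipientWriteScope | Format-Table -AutoSize
$stragglers = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { "$($_.RoleAssignmentPolicy)" -ne $policyName })
"Mailboxes not on '$policyName': $($stragglers.Count)"
```

Steps 6 and 7 each enumerate every user mailbox, which is slow in a large tenant; in that case run step 6 in batches and treat step 7 as the scheduled check that catches mailboxes later assigned a different policy by hand.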

The available end-user roles that you can assign to mailbox plans are described in the
following table:

Role (assigned to the Default Role Assignment Policy by default?): Description

My Custom Apps (Yes): Install custom apps.

My Marketplace Apps (Yes): Install marketplace apps.

My ReadWriteMailbox Apps (Yes): Install apps with ReadWriteMailbox permissions.

MyBaseOptions (Yes): Required for users to access options in Outlook on the web from their own mailbox.

MyContactInformation (Yes): Edit their address and telephone number in the global address list (GAL). This role contains the following child roles:
MyAddressInformation: Change all elements of their mailing address, work telephone number, and fax number.
MyMobileInformation: Change their mobile phone and pager numbers.
MyPersonalInformation: Change their home telephone number and web page.
If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one or more of the child roles. For instructions, see the Add or remove roles from a role assignment policy section in this topic.

MyDistributionGroupMembership (Yes): Join or leave existing distribution groups (if the group is configured to let members join or leave the group).

MyDistributionGroups (Yes): Create new distribution groups, delete groups they own, modify groups they own, and manage group membership for groups they own.

MyMailboxDelegation (No): Allows users to grant send on behalf of permissions to other users on their mailbox. Messages clearly show the sender in the From field (<Sender> on behalf of <Mailbox>), but replies are delivered to the mailbox, not the sender.

MyMailSubscriptions (Yes): Connected accounts were removed from Outlook on the web in November 2018. For more information, see Connected accounts are no longer supported in Outlook on the web.

MyProfileInformation (Yes): Edit their first name, middle initial, last name, and display name in the GAL. This role contains the following child roles:
MyDisplayName: Change their display name.
MyName: Change their first name, middle initial, last name and Notes property.
If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one of the child roles. For instructions, see the Add or remove roles from a role assignment policy section in this topic.

MyRetentionPolicies (Yes): Allows users to add personal tags that aren't


part of their assigned retention policy.*

MyTeamMailboxes Yes Site mailboxes were discontinued in favor of


Microsoft 365 groups in September 2017. For
more information, see Use Microsoft 365
Groups instead of Site Mailboxes .
Role Assigned to Description
Default
Role
Assignment
Policy by
default?

MyTextMessaging Yes Enable text message notifications for


meetings and new email messages.*

MyVoiceMail Yes Update their voice mail settings.*

*
This feature isn't available in all regions or organizations.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes.

The procedures in this topic require the Role Management RBAC role in Exchange
Online. Typically, you get this permission via membership in the Organization
Management role group (the Microsoft 365 or Office 365 Global administrator
role). For more information, see Manage role groups in Exchange Online.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

Changes to permissions take effect after the user logs out and logs in again.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

View roles assigned to a role assignment policy

Use the EAC to view roles assigned to a role assignment policy

1. In the EAC, go to Permissions > User roles, and select the role assignment policy.
2. The roles that are assigned to the policy are displayed in the details pane. You can also click Edit to see the roles, including the available roles that aren't assigned to the policy.

Use Exchange Online PowerShell to view roles assigned to a role assignment policy

To view the roles assigned to a role assignment policy, use the following syntax:

PowerShell

Get-ManagementRoleAssignment -RoleAssignee "<RoleAssignmentPolicyName>" | Format-Table Name,Role -Auto

This example returns the roles that are assigned to the policy named Default Role
Assignment Policy.

PowerShell

Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | Format-Table Name,Role -Auto

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.

Note: To return a list of all available end-user roles, run the following command:

PowerShell

Get-ManagementRole | Where {$_.IsEndUserRole -eq $true} | Format-Table Name,Parent

Add or remove roles from a role assignment policy

Use the EAC to add or remove roles from a role assignment policy

1. In the EAC, go to Permissions > User roles, select the role assignment policy, and then click Edit.

2. In the policy properties window that opens, do one of the following steps:
To add a role, select the check box next to the role.

To remove a role that's already assigned, clear the check box.

If you select a check box for a role that has child roles, the check boxes for the
child roles are also selected. If you clear the check box of the parent role, the check
boxes for the child roles are also cleared. You can select a child role by clearing the
check box of the parent role and then selecting the individual child role.

3. When you're finished, click Save.

Use Exchange Online PowerShell to add roles to a role assignment policy

Adding a role to a role assignment policy creates a new role assignment with a unique
name that's a combination of the names of the role and the role assignment policy.

To add roles to a role assignment policy, use the following syntax:

PowerShell

New-ManagementRoleAssignment -Role <RoleName> -Policy "<RoleAssignmentPolicyName>"

This example adds the role MyMailboxDelegation to the role assignment policy named
Default Role Assignment Policy.

PowerShell

New-ManagementRoleAssignment -Role MyMailboxDelegation -Policy "Default Role Assignment Policy"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use Exchange Online PowerShell to remove roles from a role assignment policy

1. Use the procedure from the Use Exchange Online PowerShell to view roles
assigned to a role assignment policy section earlier in this topic to find the name
of the role assignment for the role that you want to remove (it's a combination of
the names of the role and the role assignment policy).

2. To remove the role from the role assignment policy, use this syntax:
PowerShell

Remove-ManagementRoleAssignment -Identity "<RoleAssignmentName>"

This example removes the MyDistributionGroups role from the role assignment
policy named Default Role Assignment Policy.

PowerShell

Remove-ManagementRoleAssignment -Identity "MyDistributionGroups-Default Role Assignment Policy"

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.
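The table earlier in this topic suggests replacing the MyContactInformation parent role with a subset of its child roles when the parent grants too much. The following script is an added example (not from the Microsoft documentation) that does exactly that for one custom policy, looking up the assignment name instead of guessing it and verifying the end state; the policy name Contoso Contractors and the choice of child roles are assumptions.

```powershell
# Added example, not from the Microsoft documentation: replace the broad
# MyContactInformation parent role in a custom role assignment policy with
# only the child roles users actually need. The policy name and the chosen
# child roles are assumptions. Run after Connect-ExchangeOnline.
$PolicyName = 'Contoso Contractors'
$ParentRole = 'MyContactInformation'
$ChildRoles = @('MyAddressInformation', 'MyMobileInformation')  # MyPersonalInformation deliberately left out

# Sanity check: every role we intend to assign must exist and be an end-user
# role, since role assignment policies only carry end-user roles.
$endUserRoles = Get-ManagementRole | Where-Object { $_.IsEndUserRole -eq $true } |
    ForEach-Object { [string]$_.Name }
foreach ($role in $ChildRoles) {
    if ($endUserRoles -notcontains $role) {
        throw "Role '$role' is not an available end-user role in this tenant."
    }
}

# Current assignments for the policy. The assignment name is "<Role>-<Policy>",
# but looking it up avoids guessing and also works for renamed assignments.
$assignments   = Get-ManagementRoleAssignment -RoleAssignee $PolicyName
$parent        = $assignments | Where-Object { [string]$_.Role -eq $ParentRole }
$assignedRoles = $assignments | ForEach-Object { [string]$_.Role }

# 1. Add the child roles first so users never lose self-service entirely,
#    skipping any that are already assigned directly.
foreach ($role in $ChildRoles) {
    if ($assignedRoles -notcontains $role) {
        New-ManagementRoleAssignment -Role $role -Policy $PolicyName | Out-Null
    }
}

# 2. Remove the parent role assignment(s) from the policy.
foreach ($a in $parent) {
    Remove-ManagementRoleAssignment -Identity $a.Name -Confirm:$false
}

# 3. Verify: child roles present, parent role gone. Users pick up the change
#    the next time they sign in.
$after   = Get-ManagementRoleAssignment -RoleAssignee $PolicyName | ForEach-Object { [string]$_.Role }
$missing = $ChildRoles | Where-Object { $after -notcontains $_ }
if ($missing -or ($after -contains $ParentRole)) {
    throw "Policy '$PolicyName' is not in the expected state: $($after -join ', ')"
}
Get-ManagementRoleAssignment -RoleAssignee $PolicyName | Format-Table Name, Role -AutoSize
```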

Create role assignment policies

Use the EAC to create role assignment policies


1. In the EAC, go to Permissions > User roles and click New.

2. In the new role assignment policy window that opens, configure the following
settings:

Name: Enter a descriptive name.

Description: Enter an optional description.

Select the roles that you want to assign to the policy.

3. When you're finished, click Save.

Use Exchange Online PowerShell to create role assignment policies

To create a role assignment policy, use the following syntax:

PowerShell

New-RoleAssignmentPolicy -Name <UniqueName> [-Description "<Descriptive Text>"] [-Roles "<EndUserRole1>","<EndUserRole2>"...] [-IsDefault]

This example creates a new role assignment policy named Contoso Contractors that includes the specified end-user roles.

PowerShell

New-RoleAssignmentPolicy -Name "Contoso Contractors" -Description "Limited self-management capabilities for contingent staff." -Roles "MyBaseOptions","MyContactInformation","MyProfileInformation"

For detailed syntax and parameter information, see New-RoleAssignmentPolicy.

Modify role assignment policies


You can use the EAC or Exchange Online PowerShell to add or remove roles from a role assignment policy, as described in the Add or remove roles from a role assignment policy section earlier in this topic.

You can only use Exchange Online PowerShell to specify the default role assignment
policy that's applied to new mailboxes that aren't assigned a license or a role
assignment policy when they're created.

Otherwise, all you can do in the EAC or Exchange Online PowerShell is modify the name
and description of the role assignment policy.

Use Exchange Online PowerShell to specify the default role assignment policy

To specify the default role assignment policy, use the following syntax:

PowerShell

Set-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>" -IsDefault

This example configures Contoso Users as the default role assignment policy.

PowerShell

Set-RoleAssignmentPolicy -Identity "Contoso Users" -IsDefault

Note: The IsDefault switch is also available on the New-RoleAssignmentPolicy cmdlet.

For detailed syntax and parameter information, see Set-RoleAssignmentPolicy.


Remove role assignment policies
You can't remove the role assignment policy that's currently specified as the default. You
first need to specify another role assignment policy as the default before you can delete
the policy.

You can't remove a role assignment policy that's assigned to mailboxes. Use the
procedures described in the Use Exchange Online PowerShell to modify role assignment
policy assignments on mailboxes section to replace the role assignment policy that's
assigned to mailboxes.

Use the EAC to remove role assignment policies


1. In the EAC, go to Permissions > User roles, select the policy that you want to delete, and then click Delete.

2. In the warning dialog box that appears, click Yes.

Use Exchange Online PowerShell to remove role assignment policies

To remove a role assignment policy, use the following syntax:

PowerShell

Remove-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>"

This example removes the role assignment policy named Contoso Managers.

PowerShell

Remove-RoleAssignmentPolicy -Identity "Contoso Managers"

For detailed syntax and parameter information, see Remove-RoleAssignmentPolicy.

View role assignment policy assignments on mailboxes

Use the EAC to view role assignment policy assignments on mailboxes

1. In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit.

2. In the mailbox properties window that opens, click Mailbox features. The role
assignment policy is shown in the Role assignment policy field.

3. When you're finished, click Save.

Use Exchange Online PowerShell to view role assignment policy assignments on mailboxes

To see the role assignment policy assignment on a specific mailbox, use the following
syntax:

PowerShell

Get-Mailbox -Identity <MailboxIdentity> | Format-List RoleAssignmentPolicy

This example returns the role assignment policy for the mailbox named Pedro Pizarro.

PowerShell

Get-Mailbox -Identity "Pedro Pizarro" | Format-List RoleAssignmentPolicy

To return all mailboxes that have a specific role assignment policy assigned, use the
following syntax:

PowerShell

$<VariableName> = Get-Mailbox -ResultSize unlimited

PowerShell

$<VariableName> | where {$_.RoleAssignmentPolicy -eq '<RoleAssignmentPolicyName>'}

This example returns all mailboxes that have the role assignment policy named Contoso
Managers assigned.

PowerShell

$Mgrs = Get-Mailbox -ResultSize unlimited

PowerShell
$Mgrs | where {$_.RoleAssignmentPolicy -eq 'Contoso Managers'}

Modify role assignment policy assignments on mailboxes

A mailbox can have only one role assignment policy assigned. The role assignment
policy that you assign to the mailbox will replace the existing role assignment policy
that's assigned.

Use the EAC to modify role assignment policy assignments on mailboxes

In the EAC, go to Recipients > Mailboxes, and do one of the following steps:

Individual mailboxes: Select the mailbox > click Edit > click Mailbox features in
the window that opens > click the dropdown next to Role assignment policy >
select a new role assignment policy > click Save.

Multiple mailboxes: Select multiple mailboxes of the same type (for example,
User) by selecting a mailbox, holding down the Shift key, and select another
mailbox farther down in the list or by holding down the CTRL key as you select
each mailbox. In the details pane (that's now titled Bulk Edit): click More options >
click Update under Role Assignment Policy > select the role assignment policy in
the window that appears > click Save.

Use Exchange Online PowerShell to modify role assignment policy assignments on mailboxes

To change the role assignment policy assignment on a specific mailbox, use this syntax:

PowerShell

Set-Mailbox -Identity <MailboxIdentity> -RoleAssignmentPolicy "<RoleAssignmentPolicyName>"

This example applies the role assignment policy named Contoso Managers to the
mailbox named Pedro Pizarro.

PowerShell

Set-Mailbox -Identity "Pedro Pizarro" -RoleAssignmentPolicy "Contoso Managers"

To change the assignment for all mailboxes that have a specific role assignment policy
assigned, use the following syntax:

PowerShell

$<VariableName> = Get-Mailbox -ResultSize unlimited

PowerShell

$<VariableName> | where {$_.RoleAssignmentPolicy -eq '<CurrentRoleAssignmentPolicyName>'} | Set-Mailbox -RoleAssignmentPolicy '<NewRoleAssignmentPolicyName>'

This example changes the role assignment policy from Default Role Assignment Policy
to Contoso Staff for all mailboxes that currently have Default Role Assignment Policy
assigned.

PowerShell

$Users = Get-Mailbox -ResultSize unlimited

PowerShell

$Users | where {$_.RoleAssignmentPolicy -eq 'Default Role Assignment Policy'} | Set-Mailbox -RoleAssignmentPolicy 'Contoso Staff'

Role Based Access Control for
Applications in Exchange Online
Article • 07/25/2023

This article will guide you through using granular and scalable, resource-scoped access
control: Role Based Access Control (RBAC) for Applications in Exchange Online.

Overview
RBAC for Applications in Exchange Online allows admins to grant permissions to an
application that's independently accessing data in Exchange Online. This grant can be
paired with a scope of access (resource scope) to specify which mailboxes an app can
access. This feature extends the current RBAC model in Exchange Online and it replaces
Application Access Policies.

At the core of this system is the management role assignment configuration, which
expresses an admin's intent to allow a principal to access data. In this case, allowing an
app to perform some role against a set of target resources. For example an admin might
configure a room booking system with access to calendar data only in specific regions
using a Management Scope. See the diagram below illustrating the role assignment
model:

Configuration Instructions
The following steps will guide you to create these Application RBAC assignments:

1. Create a new resource scope (optional)
2. Create a pointer to an Azure AD Service Principal
3. Select the appropriate application role
4. Create a New Role assignment
5. Test the New Service principal

Requirements
The Organization Management role group has the delegating role assignment for the
new Application RBAC roles. You need to be a member of the Organization
Management role group to assign these permissions. Alternatively, you can use
Exchange Online RBAC to grant delegating assignments to these application roles as
you see fit. In Azure AD, you need the Global Administrator or Exchange Administrator
roles to assign these permissions.

Define Resource Scope

Management Scopes: An Exchange entity that represents a set of mailboxes using a filter expression on the properties of those mailboxes.
Admin Units: An Azure AD resource that can be a container for other Azure AD resources and that contains only users, groups, or devices. To know more, see Administrative unit and Create and delete Administrative unit.

Management Scopes
Management scopes allow an admin to scope a set of mailboxes based on the
properties of these objects. Refer to the Management Scope documentation for add,
remove, set. Here's a list of the filterable properties in a Management Scope.

Note

While there is a property called Administrative Units, we recommend you use the
native Admin Units parameter on a role assignment to avoid creating a scope as an
intermediary pointer object.

Service Principals
Service Principals represent an instance of an application within your tenant. You should
consider the Service Principal in Exchange to be a pointer to an existing Service Principal
in Azure AD. Service Principals can't be created directly using Exchange Online tools.
Azure AD tools are used to manage Service Principal registrations within tenants.
Exchange prevents the creation of an invalid pointer and reflects any deletions of
Service Principals in Azure AD automatically.

New Service Principal

PowerShell

New-ServicePrincipal -AppId <Client Application ID in AAD> -ObjectId <Service principal object ID in AAD> -DisplayName <name>

The following screenshot will help you find these IDs in Azure AD:

Note

Don't use the IDs from the App Registrations page, as it shows different values. The
red outlined "Application ID" is the AppID and the "Object ID" is the ServiceID.

You can use another approach to find these IDs using Get-AzureADServicePrincipal.

Remove Service Principal

PowerShell

Remove-ServicePrincipal -Identity <ObjectID, AppID, or DisplayName>

Set Service Principal

PowerShell

Set-ServicePrincipal -Identity <ObjectID, AppID, or DisplayName> -DisplayName <Updated name>

Application Roles
Application roles are a special type of management role in Exchange Online, which is only assignable to an Application. These roles can be enumerated using Get-ManagementRole.

Role Assignments
Management role assignments tie together a principal, role, and custom resource scope
of access. This assignment acts as the permissions assignment for a service principal
performing a role across a scope.

New Role Assignment

PowerShell

New-ManagementRoleAssignment [[-Name] <String>] -Role <RoleIdParameter> -App <ObjectID, AppID, or DisplayName> -CustomResourceScope <Management Scope> (or -RecipientAdministrativeUnitScope)

Set Role Assignment

PowerShell

Set-ManagementRoleAssignment [-Identity] <RoleAssignmentIdParameter> -CustomResourceScope <Management Scope> (or -RecipientAdministrativeUnitScope)

Remove Role Assignment

To remove a role assignment, see Remove-ManagementRoleAssignment.

Testing Authorization
A test cmdlet can be used to simulate the behavior enabled by RBAC assignments for a
particular service principal.
Note

This method excludes permissions that might be granted separately in Azure AD.

When testing authorization, you can include the optional Resource parameter to evaluate which scoped permissions apply to that target mailbox. InScope is True when the permission applies to that mailbox for that service principal, and False when the service principal has the permission but not over that particular mailbox. Omitting the Resource parameter results in "Not Run".

Test results always include the allowed resource scope for a particular assigned
permission.

Test Service Principal Access

PowerShell

Test-ServicePrincipalAuthorization -Identity <ObjectID, AppID, or DisplayName> [-Resource] <target mailbox>

Examples
After using Connect-ExchangeOnline in PowerShell, follow these steps:

Example One: Configuring calendar read access for Canadian employees using a management scope

PowerShell

New-ServicePrincipal -AppId 71487acd-ec93-476d-bd0e-6c8b31831053 -ObjectId 6233fba6-0198-4277-892f-9275bf728bcc -DisplayName "example"

DisplayName ObjectId                             AppId
----------- --------                             -----
example     6233fba6-0198-4277-892f-9275bf728bcc 71487acd-ec93-476d-bd0e-6c8b3183105

PowerShell

New-ManagementScope -Name "Canadian employees" -RecipientRestrictionFilter "CustomAttribute1 -eq '012332'"

Name               ScopeRestrictionType Exclusive RecipientRoot RecipientFilter
----               -------------------- --------- ------------- ---------------
Canadian employees RecipientScope       False                   CustomAttribute1 -eq '012332'

PowerShell

New-ManagementRoleAssignment -App 6233fba6-0198-4277-892f-9275bf728bcc -Role "Application Calendars.Read" -CustomResourceScope "Canadian Employees"

Name                    Role              RoleAssigneeName  RoleAssigneeType AssignmentMethod
----                    ----              ----------------  ---------------- ----------------
Application Calendar... Application Ca... 6233fba6-0198-... ServicePrincipal Direct

Example Two: Configuring Mail.Read for all Europe Admin Unit mailboxes

PowerShell

New-ServicePrincipal -AppId eb19847b-5563-42ea-b719-ea47cb0cf4b3 -ObjectId 59b7c6cb-58d3-4ee8-a409-8c1f9dbb5d36 -DisplayName "example"

DisplayName ObjectId                             AppId
----------- --------                             -----
example     59b7c6cb-58d3-4ee8-a409-8c1f9dbb5d36 eb19847b-5563-42ea-b719-ea47cb0cf4b3

PowerShell

New-ManagementRoleAssignment -App 59b7c6cb-58d3-4ee8-a409-8c1f9dbb5d36 -Role "Application Mail.Read" -RecipientAdministrativeUnitScope 4d819ce9-9257-44d7-af20-68a49e6697f4

Name                    Role              RoleAssigneeName  RoleAssigneeType AssignmentMethod
----                    ----              ----------------  ---------------- ----------------
Application Mail.Rea... Application Ma... 59b7c6cb-58d3-... ServicePrincipal Direct

Example Three: Testing permissions assigned to a service principal

PowerShell

Test-ServicePrincipalAuthorization -Resource b -Identity "DemoB" | Format-Table

RoleName                   GrantedPermissions AllowedResourceScope ScopeType            InScope
--------                   ------------------ -------------------- ---------            -------
Application Mail.Read      Mail.Read          Scope-MESGaDN        CustomRecipientScope False
Application Calendars.Read Calendars.Read     Scope-DL1            CustomRecipientScope False
Application Contacts.Read  Contacts.Read      Scope-MESGa          CustomRecipientScope False

Limitations
Applications can't become a member of a Role Group.
Application roles can only be assigned to Service Principals.
Application roles can't be copied or derived.
Exclusive management scopes don't restrict app access.
Changes to app permissions are subject to cache maintenance that varies between
30 minutes and 2 hours depending on the app's recent usage. When testing
configurations, the test command bypasses this cache. An app with no inbound
calls to APIs will have its cache reset in 30 minutes, whereas an actively used app
will keep its cache alive for up to 2 hours.

Supported Protocols
MS Graph
EWS

Supported Application Roles

| Name | Protocol | Permissions List | Description |
|---|---|---|---|
| Application Mail.Read | MS Graph | Mail.Read | Allows the app to read email in all mailboxes without a signed-in user. |
| Application Mail.ReadBasic | MS Graph | Mail.ReadBasic | Allows the app to read email except the body, previewBody, attachments, and any extended properties in all mailboxes without a signed-in user. |
| Application Mail.ReadWrite | MS Graph | Mail.ReadWrite | Allows the app to create, read, update, and delete email in all mailboxes without a signed-in user. Doesn't include permission to send mail. |
| Application Mail.Send | MS Graph | Mail.Send | Allows the app to send mail as any user without a signed-in user. |
| Application MailboxSettings.Read | MS Graph | MailboxSettings.Read | Allows the app to read user's mailbox settings in all mailboxes without a signed-in user. |
| Application MailboxSettings.ReadWrite | MS Graph | MailboxSettings.ReadWrite | Allows the app to create, read, update, and delete user's mailbox settings in all mailboxes without a signed-in user. |
| Application Calendars.Read | MS Graph | Calendars.Read | Allows the app to read events of all calendars without a signed-in user. |
| Application Calendars.ReadWrite | MS Graph | Calendars.ReadWrite | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
| Application Contacts.Read | MS Graph | Contacts.Read | Allows the app to read all contacts in all mailboxes without a signed-in user. |
| Application Contacts.ReadWrite | MS Graph | Contacts.ReadWrite | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
| Application Mail Full Access | MS Graph | Mail.ReadWrite, Mail.Send | Allows the app to create, read, update, and delete email in all mailboxes and send mail as any user without a signed-in user. |
| Application Exchange Full Access | MS Graph | Mail.ReadWrite, Mail.Send, MailboxSettings.ReadWrite, Calendars.ReadWrite, Contacts.ReadWrite | Without a signed-in user: Allows the app to create, read, update, and delete email in all mailboxes and send mail as any user. Allows the app to create, read, update, and delete user's mailbox settings in all mailboxes. Allows the app to create, read, update, and delete events of all calendars. Allows the app to create, read, update, and delete all contacts in all mailboxes. |
| Application EWS.AccessAsApp | EWS | EWS.AccessAsApp | Allows the app to use Exchange Web Services with full access to all mailboxes. |

You might notice that these roles represent Microsoft Graph permissions that you can consent to elsewhere in the Azure Identity platform. These permissions have the same effect as those Graph permissions, except that these role assignments allow for granular, resource-scoped access.

FAQ
Why does my application still have access to mailboxes that aren't
granted using RBAC?

You need to ensure that you've removed the tenant-wide unscoped permissions you
assigned in Azure AD. The permissions assigned using RBAC act in addition to grants
you make in Azure AD. Azure AD permissions can only be constrained using Application
Access Policies.

How can I view and modify all application permissions in one interface?

To ensure admins have a consolidated view of app permissions, we will be surfacing
these permissions granted in Exchange Online in an Azure AD admin experience. This
feature is upcoming, stay tuned.

How to migrate from Application Access Policies to RBAC for Applications?

With Application Access Policies, you have a service principal, permissions consent in
Azure, and a policy associated with a service principal in Exchange Online. While you can
restructure your scoping mechanism in any way that works well for you by using
Exchange Management Scopes or Administrative Units, here's some guidance on
reusing groups in an App Access Policy as the scope for your RBAC for Applications
grant. This process will not result in any interruption of use for your app.

Migration steps:

1. Create a new management scope, which points to the scoping group from the
Application Access Policy
2. Create the service principal pointer object
3. Assign the needed permissions to the service principal in Exchange Online with the
management scope restriction
4. Remove consent to permission in Azure
5. Remove the Application Access Policy

When creating the management scope in step #1, you'll use a recipient filter with the
filter parameter MemberOfGroup . Here's an example: "MemberOfGroup -eq
'CN=mesga20220818210551,OU=Fabrikam346.onmicrosoft.com,OU=Microsoft
Exchange Hosted Organizations,DC=NAMPR00A001,DC=prod,DC=outlook,DC=com'"

Note
This filter parameter uses the distinguished name of the group, which you can find
using Get-Group cmdlets.

Limitations:

Nested group members are considered out of scope. Only direct group
membership results in the member being considered in scope for the
authorization.
Microsoft 365 Groups, Mail-Enabled Security Groups, and Distribution Lists are
supported.
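The following script is an added example (not Microsoft's own code) that carries the migration steps above through in Exchange Online PowerShell and uses Test-ServicePrincipalAuthorization to confirm the new grant is in effect before the old policy is removed; the IDs, group name, role and probe mailbox are placeholders, and the Get-ApplicationAccessPolicy property names it relies on are assumptions.

```powershell
# Added example, not from the Microsoft documentation: migrate one Application
# Access Policy to an RBAC for Applications assignment scoped to the same group
# (steps 1, 2, 3 and 5 above). Step 4, removing the tenant-wide consent, is done
# with Azure AD tooling, so this script only proceeds to step 5 once you confirm
# it. Every ID and name below is a placeholder. Run after Connect-ExchangeOnline.
$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder: client (application) ID
$SpObjectId   = '11111111-1111-1111-1111-111111111111'   # placeholder: service principal object ID (not the app registration's)
$GroupName    = 'App-Scope-Group'                        # placeholder: the group the existing policy scopes to
$Role         = 'Application Mail.Read'                  # the application role to grant
$ProbeMailbox = 'member@contoso.example'                 # placeholder: a DIRECT member of the group
$ScopeName    = "RBAC scope - $GroupName"
$ConsentRemovedInAzureAD = $false                        # set to $true only after step 4 is done

# Step 1: management scope built from the group's distinguished name. Only direct
# members are in scope; nested group members are not.
$groupDn = (Get-Group -Identity $GroupName).DistinguishedName
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'" | Out-Null
}

# Step 2: Exchange-side pointer to the Azure AD service principal (idempotent).
if (-not (Get-ServicePrincipal -Identity $SpObjectId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName "Migrated app $AppId" | Out-Null
}

# Step 3: grant the role, restricted to the scope.
New-ManagementRoleAssignment -App $SpObjectId -Role $Role -CustomResourceScope $ScopeName | Out-Null

# Verify before removing anything. The test cmdlet bypasses the permission cache
# and reports only the RBAC grant, not Azure AD consents. InScope must be True
# for a mailbox that is a direct member of the group.
$check = Test-ServicePrincipalAuthorization -Identity $SpObjectId -Resource $ProbeMailbox |
    Where-Object { $_.RoleName -eq $Role }
if (-not $check -or "$($check.InScope)" -ne 'True') {
    throw "RBAC grant for '$Role' is not effective on $ProbeMailbox; Application Access Policy left in place."
}

# Step 5: remove the old policy, but only after the tenant-wide consent is gone
# (step 4). Application Access Policies are the only thing constraining Azure AD
# consents, so removing the policy first would leave that consent unscoped.
# The AppId and Identity property names of the policy object are assumptions.
if ($ConsentRemovedInAzureAD) {
    Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
        ForEach-Object { Remove-ApplicationAccessPolicy -Identity $_.Identity -Confirm:$false }
} else {
    Write-Warning "RBAC grant verified. Remove the Azure AD consent (step 4), set `$ConsentRemovedInAzureAD = `$true and re-run to remove the Application Access Policy."
}
```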

How does RBAC for Applications work alongside Application Access Policies?

Compatibility with App Access Policy

RBAC for Applications replaces Application Access Policies.

The Authorization interoperability can be described as follows:

Application Access Policies constrain ONLY the permissions assigned in Azure AD.

RBAC for Applications offers an alternate expression of authorization with an associated resource scope.

An app can have both Azure AD consented permissions and RBAC assignments.
We expect this case when an app has tenant wide Mail.Read and scoped Mail.Send,
for example.

Permission consents are additive.

Example One: consents from 2 systems

An app has Mail.Read in Azure AD
This app is scoped to mail-enabled security group 1 using an Application Access Policy
The same app has Calendar.Read consented for Management Scope 1 in RBAC for Applications
Mailbox A is in mail-enabled security group 1
Mailbox B is in scope for Management Scope 1

MS Graph access to an endpoint requiring both Mail.Read and Calendar.Read for App 1:

Targeting Mailbox A: fails
Targeting Mailbox B: fails

This endpoint needs both Mail.Read and Calendar.Read. While the app has these
permissions individually against two separate mailboxes, it does not have both
permissions against one mailbox.

Example Two: assigning the same permission twice

An app has Mail.Read in Azure AD
This app is scoped to mail-enabled security group 1 using an Application Access policy
The same app has Mail.Read consented for Management Scope 1 using RBAC for Applications
Mailbox A is in mail-enabled security group 1
Management Scope 1 allows access to every mailbox except Mailbox A (according to some filter like 'Alias -ne mbxa')

MS Graph access to an endpoint requiring Mail.Read for App 1:

Targeting Mailbox A: allow
Targeting Mailbox B: allow

While the Mail.Read from Azure AD only allows access to Mailbox A, the RBAC
assignment allows access to everything except A. In effect, this allows access to
everything because "A and Not A" means everything.

While we've outlined these edge cases for completeness, we don't expect Application
Access Policies to be typically used with RBAC for Applications. Tenant-wide permissions
should be assigned in Azure AD while resource-scoped permissions should be granted
using RBAC for Applications.

How many applications are supported by RBAC for Applications?

You can have up to 10,000 applications per tenant using RBAC for Applications. Please
let us know if this limit poses a problem for you. We've built RBAC for Applications in a
highly scalable way to accommodate the needs of our largest customers.

Feedback on this feature

Feedback on this feature can be shared with exoapprbacpreview@microsoft.com.
Recipients in Exchange Online
Article • 02/22/2023

A recipient is any mail-enabled object in Exchange Online that can receive email
messages. Exchange Online includes several recipient types. Each recipient type is
identified in the Exchange admin center (EAC) and has a unique value in the
RecipientTypeDetails property in Exchange Online PowerShell.

Note

In Exchange Online, the new EAC enhances the admin experience with a different
look and feel. The Mailboxes and Shared mailboxes tabs under Recipients in the
Classic EAC are now merged into a single Mailboxes tab under Recipients in the
new EAC. On the Mailboxes tab, you can view shared mailboxes and user mailboxes
under one list view. For more information, see Exchange admin center in Exchange
Online.

The following table describes the different types of recipients in Exchange Online and
provides links to articles that explain how to manage and configure them.

Recipient type: Description

Users

User mailbox: A mailbox that's assigned to an individual user in your Exchange Online
organization. A mailbox contains the user's email messages, calendar items, contacts,
tasks, and other important business data. See Create user mailboxes in Exchange Online.

Shared mailbox: A mailbox that's designed for access by multiple users. Shared mailboxes
do not require licenses in Exchange Online. See Shared mailboxes in Exchange Online.

Mail contact: A mail contact contains information about a person who's outside of your
Exchange Online organization. A mail contact has an external email address, but the mail
contact is visible in your organization's shared address book (also known as the global
address list or GAL) and other address lists. See Manage mail contacts.

Mail user: A mail user (also known as a mail-enabled user) is similar to a mail contact in
that it represents a user with an external email address and is visible in your
organization's shared address book and other address lists. However, a mail user also has
a user account in your organization, and you can assign permissions to the mail user.
Mail users do not require licenses in Exchange Online. See Manage mail users.

Resources

Room mailbox: A type of resource mailbox that's assigned to a meeting location, such as a
conference room, auditorium, or training room. Room mailboxes can be included as
resources in meeting requests. See Manage resource mailboxes.

Equipment mailbox: A type of resource mailbox that's assigned to a resource that's not
location-specific, such as a portable computer, projector, microphone, or a company car.
Equipment mailboxes can be included as resources in meeting requests. See Manage
resource mailboxes.

Groups

Distribution group: Distribution groups (also known as distribution lists) provide a single
point of contact for delivering email to the members of the group. See Create and manage
distribution groups.

Mail-enabled security group: Like a distribution group, a mail-enabled security group
provides a single point of contact for delivering email to the members of the group.
However, a mail-enabled security group is also a security principal, which means you can
assign permissions to the group that affect all group members who are also security
principals (user mailboxes, mail users, other mail-enabled security groups, etc.). See
Manage mail-enabled security groups.

Dynamic distribution group: A dynamic distribution group uses recipient filters and
conditions to periodically calculate the membership of the group. See Manage dynamic
distribution groups.

Collaboration

Microsoft 365 group: Microsoft 365 groups (formerly known as Office 365 groups) are used
for collaboration between teams, both inside and outside your company, by providing
group email and a shared workspace for conversations, files, and calendars. For email,
the benefit of a Microsoft 365 group over traditional groups is that the email history of
the group is preserved: if a new user joins an old Microsoft 365 group, the entire email
history of the group is available to them. See Create and manage groups.

Mail-enabled public folder: A public folder is designed for shared access to collect,
organize, and share information. See Public folders in Microsoft 365, Office 365, and
Exchange Online.

See also
Manage permissions for recipients
Plus Addressing
To find information about message and recipient limits in Exchange Online, check
out the new article at Exchange Online Limits.
Message and recipient limits in
Exchange Online
Article • 02/22/2023

The content in this topic has been moved to another topic. Check out the new topic at
Exchange Online Limits.
Create user mailboxes in Exchange
Online
Article • 02/22/2023

You have to use the Microsoft 365 admin center or Exchange Online PowerShell to
create an Exchange Online user mailbox. You can't create new user mailboxes using the
new Exchange admin center (EAC). However, after Exchange Online mailboxes are
created, you can manage them using the new EAC. For more information on adding
users in Microsoft 365 admin center, see Add users and assign licenses.

Note

After you create a new mailbox using Exchange Online PowerShell, you have to
assign it an Exchange Online license or it will be disabled when the 30-day grace
period ends.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.

You need permissions before you can perform this procedure or procedures. To
see what permissions you need, see the "Recipients" entry in the Feature
permissions in Exchange Online article.

It's a good idea to use strong passwords that are at least eight characters long, and
combine uppercase and lowercase letters, numbers, and symbols.

To learn how to use Windows PowerShell to connect to Exchange Online, see
Connect to Exchange Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.
Use the Microsoft 365 admin center to create a
new mailbox
You can use the Microsoft 365 admin center to create a new user account. When you
assign the user account a license for Exchange Online, a mailbox is automatically created
for the user. To create new user accounts in the Microsoft 365 admin center, see Add
users individually or in bulk.

Use Exchange Online PowerShell to create a new mailbox

This example creates an Exchange Online mailbox and user account for Holly Holt. The
optional parameter ResetPasswordOnNextLogon requires the user to reset their password
the first time they sign in to Microsoft 365 or Office 365. The password in the example
is a placeholder: when you script this, take the password from a secure prompt (for
example, Read-Host -AsSecureString) rather than writing it as a literal, which leaves it
in the script file and in the PowerShell command history.

PowerShell

New-Mailbox -Alias hollyh -Name hollyh -FirstName Holly -LastName Holt -DisplayName "Holly Holt" -MicrosoftOnlineServicesID hollyh@corp.contoso.com -Password (ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force) -ResetPasswordOnNextLogon $true

After you create a mailbox by running the previous command, a user account is also
created. You have to activate this user account by assigning a license. To assign a license
in the Microsoft 365 admin center, see Add users individually or in bulk.
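The same creation step as an added example that is not part of the Microsoft article: it takes the initial password from a secure prompt instead of a string literal, refuses to create a duplicate recipient, and reads the mailbox back so the licensing state can be confirmed. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) and the Recipients role; the user, alias and domain are placeholders.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline
# has already been run. The user details are placeholders.

$upn = 'hollyh@corp.contoso.com'

# Prompt for the initial password; a literal in a script ends up in the file,
# in the PowerShell history and in any log that captured the command line.
$initialPassword = Read-Host -Prompt "Initial password for $upn" -AsSecureString

# Refuse to create a mailbox whose address is already owned by another
# recipient (mailbox, mail user, contact or group).
if (Get-Recipient -Identity $upn -ErrorAction SilentlyContinue) {
    throw "A recipient with address $upn already exists; not creating a duplicate."
}

New-Mailbox -Alias 'hollyh' -Name 'hollyh' -FirstName 'Holly' -LastName 'Holt' `
    -DisplayName 'Holly Holt' -MicrosoftOnlineServicesID $upn `
    -Password $initialPassword -ResetPasswordOnNextLogon $true | Out-Null

# Read the result back. SkuAssigned is not True until a license is assigned in
# the Microsoft 365 admin center; without one the mailbox is disabled when the
# 30-day grace period described in the Note above ends.
$mbx = Get-Mailbox -Identity $upn
$mbx | Format-List DisplayName, PrimarySmtpAddress, RecipientTypeDetails,
                   WhenMailboxCreated, SkuAssigned

if ($mbx.SkuAssigned -ne $true) {
    Write-Warning "$upn has no Exchange Online license yet; assign one within 30 days."
}
```

The Get-Recipient check is deliberately broader than Get-Mailbox: an address held by a mail contact or distribution group also blocks creation, and finding that out before New-Mailbox runs is cheaper than cleaning up afterwards.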
Delete or restore user mailboxes in
Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if not already doing so.

While most of the features have been migrated to the new EAC, some have been
migrated to other admin centers and the remaining ones will soon be migrated to the
new EAC. Find features that are not yet in the new EAC at Other Features, or use
Global Search to navigate across the new EAC.

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

There are several things you should consider before you decide to delete a user mailbox.
There are different kinds of deletions that you can do on a user mailbox and some of
them won't allow you to restore or recover the mailbox. This article walks you through
the deleted mailbox scenarios, and how to delete, recover or permanently remove a
mailbox from Exchange Online.

Note

You can't use the EAC to delete or restore user mailboxes.

Soft-deleted user mailboxes

A soft-deleted user mailbox is a mailbox that was deleted by using the Microsoft 365
admin center or the Remove-Mailbox cmdlet in Exchange Online PowerShell, and whose
associated Azure Active Directory (Azure AD) user has been in the Azure AD recycle bin
for less than 30 days. A user mailbox is soft-deleted in the following cases:

The mailbox's associated Azure AD user account is soft-deleted (the Azure AD user
object is out of scope or in the recycle bin container).

The mailbox's associated Azure AD user account has been hard-deleted, but a
Litigation Hold or an eDiscovery hold was placed on the Exchange Online mailbox
before it was deleted.

The mailbox's associated Azure AD user account has been purged within the last 30
days. Thirty days is how long Exchange Online keeps the mailbox in a soft-deleted
state before it's permanently purged and unrecoverable.

Note

If you run the Azure cmdlet Remove-MsolUser with the -RemoveFromRecycleBin
parameter in order to remove a user from the Azure AD recycle bin, it will always
put an existing Exchange Online mailbox associated with the Azure AD user in a
soft-deleted state, as long as the user's license was not removed. However, if you
remove the user's license prior to removing the user from the recycle bin, the user
will not go into a soft-deleted user mailbox state.

If in the 30-day time period a new Azure AD user is synchronized from the original on-
premises recipient account with the same ExchangeGuid or ArchiveGuid, this will result
in an ExchangeGuid validation conflict error.

Check out Overview of inactive mailboxes for more info about creating an inactive
mailbox by placing a Litigation Hold on a mailbox before deleting it.

Hard-deleted user mailboxes

A hard-deleted user mailbox is a mailbox that has been deleted in the following cases:

The user mailbox has been soft-deleted for more than 30 days, and the associated
Azure AD user has been hard-deleted. Check out the Remove-MsolUser cmdlet.
All mailbox content such as emails, contacts, and files will be permanently deleted.

The user mailbox's associated user account has been hard-deleted in Azure AD.
The user mailbox is now soft-deleted in Exchange Online and stays in the soft
deleted state for 30 days. If in the 30 days time period a new Azure AD user is
synchronized from the original on-premises recipient account with the same
ExchangeGuid or ArchiveGuid, and that new account is licensed for Exchange
Online, this results in a hard deletion of the original user mailbox. All mailbox
content such as emails, contacts, and files will be permanently deleted.

The soft deleted mailbox has been deleted using the Remove-Mailbox cmdlet with
the PermanentlyDelete parameter in Exchange Online PowerShell.

The scenarios above assume that the user mailbox isn't in any hold state, such as
Litigation hold or eDiscovery hold. If there is any type of hold on a user mailbox, the
mailbox can't be removed from Exchange Online. For all mail user recipient types,
Litigation hold and eDiscovery hold are ignored and have no effect on the mail user's
hard-delete or soft-delete behavior. A mail user object can't be deleted if a journal
mailbox is associated with it; you can disable journaling on the mail user by using the
Disable-JournalArchiving cmdlet.

Delete a user mailbox

Use the Microsoft 365 admin center to delete a user account

When you delete a user account, the corresponding Exchange Online mailbox is deleted
and removed from the list of mailboxes in the EAC. After the user account is deleted, it's
listed on the Deleted Users page in the Microsoft 365 admin center. It can be recovered
within 30 days after being deleted. After 30 days, the user account and mailbox are
permanently deleted and not recoverable.

To delete a Microsoft 365 or Office 365 work or school account, see Delete or restore
users.

Use Windows PowerShell to permanently delete a user mailbox

This example permanently deletes the user account for Walter Harp by purging it from the
Azure AD recycle bin. The -RemoveFromRecycleBin parameter acts on an account that has
already been deleted; the purge is irreversible, and the associated mailbox follows the
rule in the Note above (it stays soft-deleted only if the user's license was still
assigned). The cmdlet requires the MSOnline module and takes the account's user
principal name, not its display name:

PowerShell

Remove-MsolUser -UserPrincipalName <UserPrincipalName> -RemoveFromRecycleBin

For more details, check out Remove-MsolUser.

Use Exchange Online PowerShell to delete a mailbox

You need permissions before you can perform this procedure or procedures. To
see what permissions you need, see the "Recipients" entry in the Feature
permissions in Exchange Online article.

To learn how to use Windows PowerShell to connect to Exchange Online, see
Connect to Exchange Online PowerShell.

When you delete an Exchange Online mailbox using Exchange Online PowerShell, the
corresponding Microsoft 365 or Office 365 user is deleted and removed from the list of
users in the Microsoft 365 admin center. The user will still be recoverable for 30 days.
After the 30 days time limit, the user is permanently deleted.

This example deletes an Exchange Online mailbox and the corresponding user account
for Walter Harp.

PowerShell

Remove-Mailbox -Identity "Walter Harp"
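The checks below are an added example, not part of the Microsoft article. Before a mailbox is deleted they report the hold state that, as the "Hard-deleted user mailboxes" section explains, stops the mailbox from being removed; afterwards they list the soft-deleted mailboxes together with the days left in the 30-day window in which Undo-SoftDeletedMailbox still works. An Exchange Online PowerShell session is assumed; the identity is a placeholder.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline.
$identity = 'walterh@contoso.com'   # placeholder

$mbx = Get-Mailbox -Identity $identity

# Any hold keeps the mailbox in Exchange Online (as an inactive mailbox) even
# after the user object is gone, so Remove-Mailbox will not free it.
[pscustomobject]@{
    Mailbox        = $mbx.PrimarySmtpAddress
    LitigationHold = $mbx.LitigationHoldEnabled
    InPlaceHolds   = ($mbx.InPlaceHolds -join ', ')
    RetentionHold  = $mbx.RetentionHoldEnabled
} | Format-List

if ($mbx.LitigationHoldEnabled -or $mbx.InPlaceHolds.Count -gt 0) {
    Write-Warning "$identity is on hold: deleting it creates an inactive mailbox rather than removing the data."
}

# Uncomment to delete once the output above is what you expect. This removes
# the Azure AD user as well; the mailbox stays recoverable for 30 days.
# Remove-Mailbox -Identity $identity

# Soft-deleted mailboxes and how many days remain before the 30-day purge.
Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, ExchangeGuid, WhenSoftDeleted,
        @{ Name = 'DaysUntilPurge'
           Expression = { [math]::Max(0, 30 - ((Get-Date) - $_.WhenSoftDeleted).Days) } } |
    Sort-Object DaysUntilPurge |
    Format-Table -AutoSize
```

The ExchangeGuid column is the value the hybrid restore procedure later in this article asks for, so the same listing serves as step 2 of that procedure.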

Restore a user mailbox

When you delete a mailbox, Exchange Online retains the mailbox and all its contents
until the deleted mailbox retention period expires, which is 30 days. After 30 days, the
mailbox is permanently deleted and can't be recovered. The method for restoring a
mailbox depends on whether the mailbox was deleted by deleting the user account or
removing the Exchange Online license.

To help understand the current status of a deleted mailbox

Note

This feature requires a Microsoft 365 administrator account. This feature isn't
available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or
Microsoft 365 Germany.

To help you understand the current status of a recently deleted mailbox, we provide
automated diagnostics in the Microsoft 365 admin center. To launch the diagnostics,
select the Run Tests: Deleted Mailbox button in the online version of this article.

Note

We strongly recommend restoring the mailbox from the same source (Azure AD or
Exchange Online) from where the user or mailbox was deleted. Failing to do so will
result in a failed restore operation.

Use the Microsoft 365 admin center to restore a user account

If the mailbox was deleted by deleting the corresponding user account, you can restore
the mailbox by restoring the user account in the Microsoft 365 admin center.

To restore a user account, see Delete or restore users.

Use Exchange Online PowerShell to restore a user account

You can recover soft-deleted mailboxes using the Undo-SoftDeletedMailbox cmdlet. The
example below restores the mailbox for Allie Bellew and sets a new password. As with
New-Mailbox, supply the password from a secure prompt in scripts rather than as a
literal.

1. Connect to Exchange Online PowerShell

2. Run the Undo-SoftDeletedMailbox cmdlet.

PowerShell

Undo-SoftDeletedMailbox allieb@contoso.com -WindowsLiveID allieb@contoso.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force)

License removal
When an Exchange Online license is removed from a user, Exchange Online data
associated with that account is held for 30 days. After the 30-day grace period, the data
is deleted and can't be recovered. If you add the license back to the user during the
grace period, this will restore access, and the mailbox will become fully active.

Note

If the Microsoft 365 or Office 365 or Exchange Online license is removed from a
user, the user's mailbox is no longer searchable by using an eDiscovery tool such as
Content Search or eDiscovery (Premium). For more information, see the "Searching
disconnected or de-licensed mailboxes" section in Feature reference for Content
search.

Restoring a user in a hybrid deployment

For user mailboxes in a hybrid scenario, if the mailbox has been soft-deleted and the
Azure AD user that was associated with the mailbox has been hard-deleted from Azure
AD, you can use New-MailboxRestoreRequest to recover the mailbox. Read Configure
Microsoft 365 Groups with on-premises Exchange hybrid for more info. The procedures
in this section explain how to restore the mailbox for a soft-deleted user.

1. Connect to Exchange Online PowerShell

2. Run the following cmdlet to identify the soft-deleted mailbox that you want to
restore.

PowerShell

Get-Mailbox -SoftDeletedMailbox | Select-Object Name,ExchangeGuid

For the soft-deleted mailbox that you want to restore, note its GUID value (you use
the value in Step 4).

3. Create a target mailbox for the restored mailbox. For more information, see Create
user mailboxes in Exchange Online. After you create the target mailbox, run the
following command to get the GUID value of the target mailbox that you'll need in
the next step.

PowerShell

Get-Mailbox -Identity <NameOrAliasOfNewTargetMailbox> | Format-List ExchangeGuid

4. Replace <SoftDeletedMailboxGUID> with the GUID value from Step 2, and
<NewTargetMailboxGUID> with the GUID value from Step 3, and run the following
cmdlet to restore the mailbox:

PowerShell

New-MailboxRestoreRequest -SourceMailbox <SoftDeletedMailboxGUID> -TargetMailbox <NewTargetMailboxGUID>

For other mailbox restoring scenarios related to hybrid infrastructures, refer to Common
mailbox recovery scenarios for hybrid environments.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Restoring disconnected on-premises mailboxes to Exchange Online

If you need to restore a disconnected on-premises mailbox to an Exchange Online
mailbox, follow the steps in this section.

1. Open the Exchange Management Shell or Connect to Exchange servers using
remote PowerShell.

2. Run the following command to show the required MailboxGuid value of the
disconnected mailbox:

PowerShell

Get-MailboxDatabase | Get-MailboxStatistics | where {$_.DisconnectReason -eq "Disabled"} | Format-Table DisplayName,MailboxGuid,LegacyDN,Database

3. Run the following command to show the required GUID value of the mailbox
database that holds the disconnected mailbox:

PowerShell

Get-MailboxDatabase | Format-List Identity,GUID

4. Connect to Exchange Online PowerShell

5. Replace <MailboxIdentity> with the name, alias, or email address of the target
Exchange Online mailbox, and then run one of the following commands:

Restore to Exchange Online mailbox: Run the following command to show the required
ExchangeGuid value:

PowerShell

Get-Mailbox -Identity "<MailboxIdentity>" | Format-List Name,ExchangeGuid,LegacyExchangeDN

Restore to Exchange Online archive mailbox: Run the following command to show the
required ArchiveGuid value. The archive's GUID is a property of the primary mailbox
object, so no archive-specific switch is needed (Get-Mailbox has no TargetIsArchive
parameter; that parameter belongs to New-MailboxRestoreRequest in step 6):

Note

Restoring into a large archive is not supported.

PowerShell

Get-Mailbox -Identity "<MailboxIdentity>" | Format-List Name,LegacyExchangeDN,ExchangeGuid,ArchiveGuid

6. Now that you have all the required details, run one of the following commands to
start the restore request. In both commands, use the following values:

RemoteHostName is the FQDN of the Exchange server (for example, mail.contoso.com).

RemoteCredential is the credentials of an on-premises Exchange administrator account.

RemoteDatabaseGuid is the GUID value of the mailbox database from step 3.

SourceStoreMailbox is the MailboxGuid value of the disconnected mailbox from step 2.

Restore to Exchange Online mailbox: TargetMailbox is the ExchangeGuid value of the
target Exchange Online mailbox from step 5.

PowerShell

New-MailboxRestoreRequest -RemoteRestoreType DisconnectedMailbox -RemoteHostName <ServerFQDN> -RemoteCredential (Get-Credential) -RemoteDatabaseGuid <GUID> -SourceStoreMailbox <MailboxGUID> -TargetMailbox <ExchangeGUID>

Restore to Exchange Online archive mailbox: TargetMailbox is the ArchiveGuid value of
the target Exchange Online archive mailbox from step 5.

Note

Restoring into a large archive is not supported.

PowerShell

New-MailboxRestoreRequest -RemoteRestoreType DisconnectedMailbox -TargetIsArchive -RemoteHostName <ServerFQDN> -RemoteCredential (Get-Credential) -RemoteDatabaseGuid <GUID> -SourceStoreMailbox <MailboxGuid> -TargetMailbox <ArchiveGuid>

7. To check the status of the restore request, do the following steps:

a. Run the following command to get the Identity value of the mailbox restore
request:

PowerShell

Get-MailboxRestoreRequest

b. Replace <MailboxRestoreRequestIdentity> with the Identity value of the mailbox
restore request from the previous step, and run the following command:

PowerShell

Get-MailboxRestoreRequestStatistics -Identity <MailboxRestoreRequestIdentity> -IncludeReport

After the PercentComplete value of the restore request has reached 100, you have
successfully restored the disconnected on-premises mailbox to an Exchange Online
mailbox.
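The two restore procedures above (the hybrid soft-deleted restore and the disconnected on-premises restore), as an added example that is not part of the Microsoft article: each is wrapped in a function with the GUID lookups, a guard against the wrong kind of source or target, and a shared completion check that surfaces the failure report. It assumes an Exchange Online PowerShell session for the cloud steps and that the on-premises MailboxGuid and database GUID were collected in the Exchange Management Shell as in steps 2 and 3. All names and GUIDs are placeholders, and the AllowLegacyDNMismatch switch is my addition to the article's command: a newly created target mailbox has a different LegacyExchangeDN from the source, and the request is rejected without it.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline.

function Wait-MailboxRestoreRequest {
    # Poll a restore request until it reaches a final state; on anything other
    # than success dump the report that -IncludeReport returns.
    param([Parameter(Mandatory)] $Request, [int] $PollSeconds = 60)
    $final = 'Completed', 'CompletedWithWarning', 'Failed', 'Suspended', 'AutoSuspended'
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats = Get-MailboxRestoreRequestStatistics -Identity $Request.Identity
        Write-Host ("{0}: {1} ({2}% complete)" -f $stats.Name, $stats.Status, $stats.PercentComplete)
    } while ($stats.Status -notin $final)

    if ($stats.Status -notin 'Completed', 'CompletedWithWarning') {
        Get-MailboxRestoreRequestStatistics -Identity $Request.Identity -IncludeReport |
            Select-Object -ExpandProperty Report
        throw "Restore request $($Request.Identity) ended with status $($stats.Status)."
    }
    return $stats
}

# Hybrid scenario: soft-deleted cloud mailbox whose Azure AD user was hard-deleted,
# restored into a newly created target mailbox.
function Restore-SoftDeletedMailboxToTarget {
    param(
        [Parameter(Mandatory)][string] $SoftDeletedDisplayName,
        [Parameter(Mandatory)][string] $TargetMailbox
    )
    $source = @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
        Where-Object { $_.DisplayName -eq $SoftDeletedDisplayName })
    if ($source.Count -ne 1) {
        throw "Expected one soft-deleted mailbox named '$SoftDeletedDisplayName', found $($source.Count)."
    }
    $target = Get-Mailbox -Identity $TargetMailbox
    if ($target.ExchangeGuid -eq $source[0].ExchangeGuid) {
        # Same ExchangeGuid means the target is the original object; that case is
        # Undo-SoftDeletedMailbox, not a restore request.
        throw "Target has the same ExchangeGuid as the source; use Undo-SoftDeletedMailbox instead."
    }
    # AllowLegacyDNMismatch is not in the article's command (see the lead-in).
    $req = New-MailboxRestoreRequest -SourceMailbox $source[0].ExchangeGuid `
        -TargetMailbox $target.ExchangeGuid -AllowLegacyDNMismatch
    Wait-MailboxRestoreRequest -Request $req
}

# On-premises scenario: disconnected (disabled) mailbox on an Exchange server,
# restored into a cloud mailbox or its archive.
function Restore-DisconnectedOnPremMailbox {
    param(
        [Parameter(Mandatory)][string] $ServerFqdn,          # RemoteHostName, e.g. mail.contoso.com
        [Parameter(Mandatory)][guid]   $RemoteDatabaseGuid,  # mailbox database GUID from step 3
        [Parameter(Mandatory)][guid]   $SourceMailboxGuid,   # MailboxGuid from step 2
        [Parameter(Mandatory)][string] $TargetMailbox,
        [switch] $ToArchive
    )
    $target = Get-Mailbox -Identity $TargetMailbox
    $params = @{
        RemoteRestoreType  = 'DisconnectedMailbox'
        RemoteHostName     = $ServerFqdn
        RemoteCredential   = (Get-Credential -Message "On-premises Exchange admin for $ServerFqdn")
        RemoteDatabaseGuid = $RemoteDatabaseGuid
        SourceStoreMailbox = $SourceMailboxGuid
    }
    if ($ToArchive) {
        # An ArchiveGuid of all zeros means no archive is enabled on the target.
        if (-not $target.ArchiveGuid -or $target.ArchiveGuid -eq [guid]::Empty) {
            throw "$TargetMailbox has no archive mailbox; enable one before using -ToArchive."
        }
        $params.TargetIsArchive = $true
        $params.TargetMailbox   = $target.ArchiveGuid
    } else {
        $params.TargetMailbox = $target.ExchangeGuid
    }
    $req = New-MailboxRestoreRequest @params
    Wait-MailboxRestoreRequest -Request $req
}

# Usage (placeholders):
# Restore-SoftDeletedMailboxToTarget -SoftDeletedDisplayName 'Walter Harp' -TargetMailbox 'walterh2@contoso.com'
# Restore-DisconnectedOnPremMailbox -ServerFqdn 'mail.contoso.com' -RemoteDatabaseGuid '<GUID>' `
#     -SourceMailboxGuid '<MailboxGuid>' -TargetMailbox 'walterh@contoso.com' -ToArchive
```

The on-premises credential is requested interactively at call time rather than taken as a parameter, so it never sits in a variable or a script. Suspended and AutoSuspended are treated as final because the request will not progress without an administrator acting on it.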
Plus Addressing in Exchange Online
Article • 01/26/2023

As of May 2022, plus addressing (also known as subaddressing) is enabled by default in
Exchange Online. Subaddressing is an industry-defined way to support dynamic,
disposable recipient (not sender) email addresses for mailboxes.

An SMTP email address uses the basic syntax: <local-part>@<domain> . For example,
sean@contoso.com.

Plus addressing uses the syntax: <local-part>+<tag>@<domain> . For example,
sean+newsletter@contoso.com.

The original email address must be valid. The +tag value that you add is arbitrary,
although regular character restrictions for SMTP email addresses apply (for example, no
spaces). For more information about using plus addresses, see the Using plus addresses
section.

Plus addressing can be used in any email client that sends emails and you can receive
emails addressed to you using plus addresses as you would normal emails.

If you create a mailbox with an address that contains a + in Exchange Online, Exchange
Online will try to resolve the full email address (for example,
sean+newsletter@contoso.com) to a known mailbox. If the first resolution attempt fails,
Exchange Online does a second attempt to resolve the email address without the plus
sign and tag (for example, sean@contoso.com).

If inbound internet email for your on-premises organization is routed through Exchange
Online, your on-premises mailboxes can also use plus addresses if those mailbox
addresses are known in Exchange Online. If the on-premises mailbox addresses are
unknown to Exchange Online, plus addressing won't work and message delivery will be
affected.

Disable plus addressing in Exchange Online

Use the new Exchange admin center to disable plus addressing

1. In the new Exchange admin center at https://admin.exchange.microsoft.com , go
to Settings > Mail flow.
2. Select Turn off plus addressing for your organization, and then select Save.

Use Exchange Online PowerShell to disable plus addressing
1. Connect to Exchange Online PowerShell.

2. The command uses the following syntax:

PowerShell

Set-OrganizationConfig -DisablePlusAddressInRecipients <$true | $false>

To disable plus addressing in your organization, run the following command:

PowerShell

Set-OrganizationConfig -DisablePlusAddressInRecipients $true

Using plus addresses

You can create new plus addresses by adding a new tag. You can use plus addresses as
unique addresses for services that you sign up for. You cannot, however, send from plus
addresses.

Note

Some web forms don't support plus signs in email addresses.

If you need to unsubscribe from an email list subscription service, some
subscription services require that you use the original email address that you
subscribed with. You can't unsubscribe by sending an email from a plus address.

Because plus addresses are not aliases configured on the mailbox, they don't resolve to
a user's name in Outlook clients: the plus address is shown as-is in the To or Cc field,
which makes messages sent to a plus address easy to identify. For the same reason, there
might be scenarios where you can't use a plus address for a Microsoft service that needs
to be associated with your mailbox.

To automatically identify and filter messages that are sent to plus addresses, use Inbox
rules to act on those messages. Using the condition Recipient address includes, you can
specify an action for messages sent to a particular plus address. For example, you can
move messages sent to a plus address to a folder.
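Two of the behaviours described in this article, as an added example that is not part of the Microsoft article: a function that splits a plus address into the base address Exchange Online falls back to on its second resolution attempt and the tag (useful when correlating message trace recipients with mailboxes), a check of the tenant setting, and the Inbox rule from the paragraph above created with PowerShell. An Exchange Online PowerShell session is assumed for the last two commands; all addresses and the folder name are placeholders.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline
# for the last two commands; addresses are placeholders.

function Get-PlusAddressParts {
    # Split <local-part>+<tag>@<domain> into the base address and the tag.
    # A "+" only counts as a separator in the local part; everything after the
    # first "+" up to "@" is the tag, so a tag may itself contain "+".
    param([Parameter(Mandatory)][string] $Address)
    if ($Address -match '^(?<local>[^+@]+)\+(?<tag>[^@]+)@(?<domain>[^@\s]+)$') {
        return [pscustomobject]@{
            Address = $Address
            Base    = '{0}@{1}' -f $Matches.local, $Matches.domain
            Tag     = $Matches.tag
        }
    }
    # Not a plus address: the base is the address itself and there is no tag.
    [pscustomobject]@{ Address = $Address; Base = $Address; Tag = $null }
}

# Constructed sample addresses, e.g. recipients taken from a message trace.
'sean+newsletter@contoso.com', 'sean@contoso.com', 'sean+shop+2023@contoso.com' |
    ForEach-Object { Get-PlusAddressParts -Address $_ } |
    Format-Table -AutoSize

# Tenant setting: $false means plus addressing is on (the default since May 2022).
(Get-OrganizationConfig).DisablePlusAddressInRecipients

# The Inbox rule the article describes ("Recipient address includes"), created
# with PowerShell. The target folder must already exist in the mailbox.
New-InboxRule -Mailbox 'sean@contoso.com' -Name 'File newsletter plus address' `
    -RecipientAddressContainsWords 'sean+newsletter@contoso.com' `
    -MoveToFolder 'sean@contoso.com:\Newsletters'
```

Normalising with the function first matters for any allow or block list keyed on the exact recipient address: sean+anything@contoso.com is delivered to sean@contoso.com, so a rule that only matches the base address sees the tagged message too.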
Manage user mailboxes in Exchange
Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if not already doing so.

While most of the features have been migrated to the new EAC, some have been
migrated to other admin centers and the remaining ones will soon be migrated to the
new EAC. Find features that are not yet in the new EAC at Other Features, or use
Global Search to navigate across the new EAC.

After you create a user mailbox, you can make changes and set additional properties by
using the new Exchange admin center (EAC) or Exchange Online PowerShell.

What do you need to know before you begin?

Estimated time to complete each user mailbox task: 2 to 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" section in the
Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new EAC to configure user mailbox properties

1. In the new EAC, go to Recipients > Mailboxes.

The User mailboxes and Shared mailboxes tabs (of the Classic EAC) under Recipients are
now merged into a single Mailboxes tab. When you click the Mailboxes tab, you can view
the shared and user mailboxes in one list view. Above the list, the following options are
provided:

- Add a shared mailbox: Use this option to create a new shared mailbox. The new EAC
  lets you create only shared mailboxes. To create a user mailbox, use the Microsoft
  365 admin center or Exchange Online PowerShell. After an Exchange Online mailbox is
  created, you can manage it in the new EAC.
- Set default message size restrictions: Use this option to set a maximum size for
  messages that can be sent and received by the mailboxes in your organization. These
  settings are applied by default to the mailboxes you create.
- Refresh: Use this option to refresh the mailbox list.
- Export: Use this option to download a .csv file with details of all the mailboxes.
- Search: Use this option to search for any mailbox by entering a suitable keyword.
- Filter: Use this option to create custom filters or to apply pre-defined filters.
- Normal list and Compact list: The default view that you see when you open Mailboxes
  is the normal list view. In the Compact list view, more rows fit on the screen with
  less spacing between them.

When you select a mailbox by clicking the radio button next to its display name, more
options appear above the list. If you can't see all of them, click the more options
(...) menu.

- Hide from address list: Select this option to prevent the recipient from appearing in
  the address book and other address lists that are defined in your Exchange
  organization. After you select this option, users can still send messages to the
  recipient by using the email address.
- Edit contact information: Select this option to edit the contact information.
- Manage mailbox delegation: Select this option to assign permissions to other users
  (also called delegates) to allow them to sign in to the user's mailbox or send
  messages on behalf of the user. For more information, see the "Mailbox permissions"
  section later in this topic.
- Recover deleted items: Administrators can search for and recover deleted email
  messages in a user's mailbox. This includes items that are permanently deleted
  (purged) by a person by using the Recover Deleted Items feature in Outlook or
  Outlook on the web (formerly known as Outlook Web App), or items deleted by an
  automated process, such as the retention policy assigned to user mailboxes. In these
  situations, the purged items can't be recovered by a user, but administrators can
  recover purged messages if the deleted item retention period for the item hasn't
  expired. Administrators can search for deleted items by time, subject line, or item
  type.
- Convert to shared mailbox: Select this option to convert a mailbox from regular to
  shared.
- Edit email address: Select this option to change the user's email information.
- Refresh: Select this option to refresh the Mailboxes list.

2. In the list of user mailboxes, click the mailbox that you want to change the
properties for. A display pane is shown for the selected user mailbox.

3. On this page, you can change the Mailbox and Account settings.

4. Use the Mailbox settings to change any of the following properties:

- Email addresses
- Mailbox permissions
- Mail flow settings
- Mailbox policies
- More actions
- Automatic replies
- Email apps
- Mailbox usage

5. Use the Account settings to edit the contact/organization information.

Email Addresses
Use the Email Addresses section to view or change the email addresses associated with
the user mailbox.

By clicking the Manage email address types link, you can view all the email addresses
associated with the user mailbox. The primary SMTP address (also known as the default
reply address) is displayed in bold text in the address list.

Add email address type: Click Add email address type to add a new email address
for this mailbox. Select one of following address types:

SMTP: This is the default address type. Click this button and then type the new
SMTP address in the Email address*: box.

Enter a custom address type: Click this button and type one of the supported
non-SMTP email address types in the Email address*: box.

Note

With the exception of X.400 addresses, Exchange doesn't validate custom
addresses for proper formatting. You must make sure that the custom address
you specify complies with the format requirements for that address type.

Make this the reply address: In Exchange Online, you can select this check box to
make the new email address the primary SMTP address for the mailbox. This check
box isn't available in the EAC in Exchange Server.

Mail flow settings

Use the Mail flow settings section for default message size and delivery settings.

By clicking the Manage mail flow settings link, you can set the following options:

Email forwarding: Click the Edit button and turn the Email forwarding option to
ON/OFF. Email forwarding lets you set up a mailbox to forward email messages
sent to that mailbox to another user's mailbox in or outside of your organization.
Message size restriction: These settings control the size of messages that the user
can send and receive. Click the Edit button and set a maximum size for messages
sent and received by this mailbox.
Message delivery restriction: Message delivery restrictions are useful to control
who can send messages to users in your organization. For example, you can
configure a mailbox to accept or reject messages sent by specific users, or to
accept messages only from users in your Exchange organization. Click the Edit
button and set the message delivery restrictions.

Mailbox permissions
Use the Mailbox permissions section to assign permissions to other users (also called
delegates) to allow them to sign in to the user's mailbox or send messages on behalf of
the user. By clicking the Mailbox permissions link, you can assign the following
permissions:

Send As: This permission allows users other than the mailbox owner to use the
mailbox to send messages. After this permission is assigned to a delegate, any
message that a delegate sends from this mailbox will appear as if it was sent by the
mailbox owner. However, this permission doesn't allow a delegate to sign in to the
user's mailbox.
Send on behalf: This permission also allows a delegate to use this mailbox to send
messages. However, after this permission is assigned to a delegate, the From:
address in any message sent by the delegate indicates that the message was sent
by the delegate on behalf of the mailbox owner.
Read and manage: This permission allows a delegate to sign in to the user's
mailbox and view the contents of the mailbox. However, after this permission is
assigned to a delegate, the delegate can't send messages from the mailbox. To
allow a delegate to send email from the user's mailbox, you still have to assign the
delegate the Send As or the Send on Behalf Of permission.

To assign permissions to delegates, click on the Edit button next to the appropriate
permission. By clicking Add permissions, you can view a list of all recipients in your
Exchange organization that can be assigned the permission. Select the recipients you
want, add them to the list, and then click Save. You can also search for a specific
recipient by typing the recipient's name in the search box.
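The settings from the "Mail flow settings" and "Mailbox permissions" sections above, reviewed for every user mailbox at once instead of one mailbox at a time in the EAC, as an added example that is not part of the Microsoft article. It reports forwarding (the Email forwarding option) and the three delegation rights (Read and manage is FullAccess in PowerShell, Send As, and Send on behalf), and ends with commented-out commands that grant the narrowest equivalent. An Exchange Online PowerShell session is assumed; the addresses in the comments are placeholders.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline.

$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

# Forwarding. ForwardingAddress is an internal recipient set by an admin;
# ForwardingSmtpAddress is any SMTP address and can also be set by the user in
# Outlook on the web. Both are what the EAC shows as "Email forwarding".
$forwarding = $mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward

# Delegation: Read and manage = FullAccess, Send As, Send on behalf.
$delegation = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\*' -and
                       $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Right = 'FullAccess'; Delegate = $_.User }
        }
    Get-RecipientPermission -Identity $mbx.Identity |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Right = 'SendAs'; Delegate = $_.Trustee }
        }
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Right = 'SendOnBehalf'; Delegate = $delegate }
    }
}

"Mailboxes with forwarding configured: $(@($forwarding).Count)"
$forwarding | Format-Table -AutoSize
"Delegation entries: $(@($delegation).Count)"
$delegation | Sort-Object Mailbox, Right | Format-Table -AutoSize

# Granting the least that is needed (placeholders): FullAccess without
# auto-mapping the mailbox into the delegate's Outlook profile, and Send on
# behalf rather than Send As where the delegate need not appear as the owner.
# Add-MailboxPermission -Identity 'owner@contoso.com' -User 'delegate@contoso.com' -AccessRights FullAccess -AutoMapping $false
# Set-Mailbox -Identity 'owner@contoso.com' -GrantSendOnBehalfTo @{Add = 'delegate@contoso.com'}
```

Get-RecipientPermission is called once per mailbox, so on a large tenant the delegation pass is the slow part; the forwarding pass is a single Get-Mailbox and can be run on its own.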

Mailbox policies
Use the Mailbox policies section to apply default mailbox policies for the organization.
Click Manage mailbox policies to view or change the following mailbox policies:

Sharing policy: This box shows the sharing policy applied to the mailbox. A sharing
policy controls how users in your organization can share calendar and contact
information with users outside your Exchange organization. The default sharing
policy is assigned to mailboxes when they are created. To change the sharing
policy that's assigned to the user, select a different one from the drop-down list.
Role assignment policy: This box shows the role assignment policy assigned to the
mailbox. The role assignment policy specifies the role-based access control (RBAC)
roles that are assigned to the user and control what specific mailbox and
distribution group configuration settings users can modify. To change the role
assignment policy that's assigned to the user, select a different one from the drop-
down list.
Retention policy: This box shows the retention policy assigned to the mailbox. A
retention policy is a group of retention tags that are applied to the user's mailbox.
They allow you to control how long to keep items in users' mailboxes and define
what action to take on items that have reached a certain age. A retention policy
isn't assigned to mailboxes when they are created. To assign a retention policy to
the user, select one from the drop-down list.
Address book policy: This box shows the address book policy applied to the
mailbox. An address book policy allows you to segment users into specific groups
to provide customized views of the address book. To apply or change the address
book policy applied to the mailbox, select one from the drop-down list.

More actions
Use the More actions section to make the following changes:

Convert to shared mailbox: Use this option to convert a mailbox from regular to
shared.

Manage litigation hold: This feature is disabled by default. Litigation hold
preserves deleted mailbox items and records changes made to mailbox items.
Deleted items and all instances of changed items are returned in a discovery
search. Turn ON the Litigation hold option to put the mailbox on litigation hold. If
the mailbox is on litigation hold, turn OFF the Litigation hold option to remove the
litigation hold. Mailboxes on litigation hold are inactive mailboxes and can't be
deleted. To delete the mailbox, remove the litigation hold. If the mailbox is on
litigation hold, click Litigation hold to view and change the following litigation
hold settings:

Date hold created: This read-only box indicates the date and time when the
mailbox was put on litigation hold. It is NULL by default.

Hold started by: This read-only box indicates the user who put the mailbox on
litigation hold.

Hold duration (days). Leave blank for no limit: Enter the hold duration in
days.

Note (visible to the user): Use this box to notify the user about the litigation
hold, explain why the mailbox is on litigation hold, or provide additional
guidance to the user, such as informing them that the litigation hold won't
affect their day-to-day use of email.

Web page with more information for the user: Use this box to provide a URL to
a website that provides information or guidance about the litigation hold on the
mailbox.

Note

The text from these boxes appears in the user's mailbox only if they are
using Outlook 2010 or later versions. It doesn't appear in Outlook on the
web or other email clients. To view the text from the Note and URL boxes in
Outlook, click the File tab, and on the Info page, under Account Settings,
you'll see the litigation hold comment.

Manage mailbox archive: Use this option to enable or disable the archive mailbox.

Set recipient limit: This setting controls the maximum number of recipients the
user can send a message to. Specify the maximum number of recipients in the
Maximum recipients text box. In Exchange Online, the limit is 500 recipients.

Recover deleted items: Administrators can search for and recover deleted email
messages in a user's mailbox. This includes items that are permanently deleted
(purged) by a person by using the Recover Deleted Items feature in Outlook or
Outlook on the web (formerly known as Outlook Web App), or items deleted by an
automated process, such as the retention policy assigned to user mailboxes. In
these situations, the purged items can't be recovered by a user. But administrators
can recover purged messages if the deleted item retention period for the item
hasn't expired. Administrators can search for deleted items based on Time or
Subject Line or Item type.

Custom attributes: Custom attributes are extension attributes that you can use to
add information about a recipient for which there isn't an existing attribute. You
can add a maximum of 15 custom attributes to a mailbox. Click Add custom
attribute to add custom attributes.

Automatic replies
Use these settings to create automatic reply (Out of Office) messages. By clicking
Manage automatic replies, you can turn ON the Automatic replies option.

Specify the following information:

Reply to all senders inside the organizations from this mailbox - Enter the
automatic reply message in this text box.

Note

This field cannot be empty if automatic reply is on.

Send automatic replies to senders outside the organizations from this mailbox -
Enable this check box to send automatic replies to senders outside the
organizations from this mailbox. On enabling this check box, you can choose
between the options, Only reply to senders in the mailbox's contact list or Reply
to all senders. Enter the automatic reply message in the Reply to all senders
outside the organizations from this mailbox text box.

Email apps
Use this section to manage the default settings for Outlook on the web, IMAP, POP3,
and MAPI. By clicking Manage email apps settings, you can set the default settings for
the following:

Outlook on the web
Outlook desktop (MAPI)
Exchange web services
Mobile (Exchange ActiveSync)
IMAP
POP

Note

All these fields are enabled by default.

Mailbox Usage
The Mailbox Usage section displays the last time that the user signed in to their
mailbox, the total size of the mailbox, and the percentage of the total mailbox quota
that has been used. You can't change the Mailbox usage values in this display pane;
this information is read-only for admins.

Use the Classic EAC to change user mailbox properties
1. In the Classic EAC, go to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to change the
properties for, and then click Edit.

3. On the mailbox properties page, you can change any of the following properties.

General
Mailbox Usage
Contact Information
Organization
Email Address
Mailbox Features
Member Of
MailTip
Mailbox Delegation

General
Use the General section to view or change basic information about the user.

First name, Initials, Last name

* Name: This is the name that's listed in Active Directory. If you change this name,
it can't exceed 64 characters.

* Display name: This name appears in your organization's address book, on the To:
and From: lines in email, and in the Mailbox list. This name can't contain empty
spaces before or after the display name.

* Alias: This specifies the email alias for the user. The user's alias is the portion of
the email address on the left side of the at (@) symbol. It must be unique in the
forest.

* User ID: This is the name that the user uses to sign in to their mailbox and to log
on to the domain. Typically the user logon name consists of the user's alias on the
left side of the @ symbol, and the domain name in which the user account resides
on the right side of the @ symbol.

Hide from address lists: Select this check box to prevent the recipient from
appearing in the address book and other address lists that are defined in your
Exchange organization. After you select this check box, users can still send
messages to the recipient by using the email address.

Click More options to view or change these additional properties:

Custom attributes: This section displays the custom attributes defined for the user
mailbox. To specify custom attribute values, click Edit. You can specify up to 15
custom attributes for the recipient.

Mailbox Usage
Use the Mailbox Usage section to view or change the mailbox storage quota and
deleted item retention settings for the mailbox. These settings are configured by default
when the mailbox is created. They use the values that are configured for the mailbox
database and apply to all mailboxes in that database. You can customize these settings
for each mailbox instead of using the mailbox database defaults.

Last logon: This read-only box displays the last time that the user signed in to their
mailbox.
Mailbox usage: This area shows the total size of the mailbox and the percentage of
the total mailbox quota that has been used.

Note

To obtain the information that's displayed in the previous two boxes, the EAC
queries the mailbox database that hosts the mailbox. If the EAC is unable to
communicate with the Exchange store that contains the mailbox database, these
boxes will be blank. A warning message is displayed if the user hasn't signed in to
the mailbox for the first time.

Contact Information
Use the Contact Information section to view or change the user's contact information.
The information on this page is displayed in the address book. Click More options to
display additional boxes.

Tip

You can use the State/Province box to create recipient conditions for dynamic
distribution groups, email address policies, or address lists.

Mailbox users can use Outlook or Outlook on the web (formerly known as Outlook Web
App) to view and change their own contact information. But they can't change the
information in the Notes and Web page boxes.

Organization
Use the Organization section to record detailed information about the user's role in the
organization. This information is displayed in the address book. Also, you can create a
virtual organization chart that is accessible from email clients such as Outlook.

Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user
works. You can use this box to create recipient conditions for dynamic distribution
groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works.
You can use this box to create recipient conditions for dynamic distribution groups,
email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and
then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a
specific manager. If you've specified a manager for the user, that user appears as a
direct report in the details of the manager's mailbox. For example, Kari manages
Chris and Kate, so Kari's mailbox is specified in the Manager box of Chris's mailbox
and Kate's mailbox, and Chris and Kate appear in the Direct reports box in the
properties of Kari's mailbox.

Email Address
Use the Email Address section to add, view or change the email addresses associated
with the user mailbox. This includes the user's primary SMTP address and any associated
proxy addresses. The primary SMTP address (also known as the default reply address) is
displayed in bold text in the address list, with the uppercase SMTP value in the Type
column.

Add:

1. Click Add email address type to add a new email address for this mailbox.
Select one of following address types:

SMTP: This is the default address type. Click this button and then type the
new SMTP address in the * Email address box.

Custom address type: Click this button and type one of the supported
non-SMTP email address types in the * Email address box.

Note

With the exception of X.400 addresses, Exchange doesn't validate
custom addresses for proper formatting. You must make sure that the
custom address you specify complies with the format requirements
for that address type.

Make this the reply address: In Exchange Online, you can select this check
box to make the new email address the primary SMTP address for the
mailbox. This check box isn't available in the EAC in Exchange Server.

2. Click OK.

3. Click Save.

Remove:

1. Click Remove corresponding to the email address that you want to remove
from the mailbox.

2. Click Save.

Mailbox Features
Use the Mailbox Features section to view or change the following mailbox features and
settings:

Sharing policy: This box shows the sharing policy applied to the mailbox. A sharing
policy controls how users in your organization can share calendar and contact
information with users outside your Exchange organization. The default sharing
policy is assigned to mailboxes when they are created. To change the sharing
policy that's assigned to the user, select a different one from the drop-down list.

Role assignment policy: This box shows the role assignment policy assigned to the
mailbox. The role assignment policy specifies the role-based access control (RBAC)
roles that are assigned to the user and control what specific mailbox and
distribution group configuration settings users can modify. To change the role
assignment policy that's assigned to the user, select a different one from the drop-
down list.

Retention policy: This box shows the retention policy assigned to the mailbox. A
retention policy is a group of retention tags that are applied to the user's mailbox.
They allow you to control how long to keep items in users' mailboxes and define
what action to take on items that have reached a certain age. A retention policy
isn't assigned to mailboxes when they are created. To assign a retention policy to
the user, select one from the drop-down list.

Address book policy: This box shows the address book policy applied to the
mailbox. An address book policy allows you to segment users into specific groups
to provide customized views of the address book. To apply or change the address
book policy applied to the mailbox, select one from the drop-down list.
Mobile Devices: Use this section to view and change the settings for Exchange
ActiveSync, which is enabled by default. Exchange ActiveSync enables access to an
Exchange mailbox from a mobile device. Click Disable Exchange ActiveSync to
disable this feature for the mailbox.

Outlook on the web: This feature is enabled by default. Outlook on the web
enables access to an Exchange mailbox from a web browser. Click Disable to
disable Outlook on the web for the mailbox. Click Edit details to add or change an
Outlook on the web mailbox policy for the mailbox.

IMAP: This feature is enabled by default. Click Disable to disable IMAP for the
mailbox.

POP3: This feature is enabled by default. Click Disable to disable POP3 for the
mailbox.

MAPI: This feature is enabled by default. MAPI enables access to an Exchange
mailbox from a MAPI client such as Outlook. Click Disable to disable MAPI for the
mailbox.

Litigation hold: This feature is disabled by default. Litigation hold preserves
deleted mailbox items and records changes made to mailbox items. Deleted items
and all instances of changed items are returned in a discovery search. Click Enable
to put the mailbox on litigation hold. If the mailbox is on litigation hold, click
Disable to remove the litigation hold. Mailboxes on litigation hold are inactive
mailboxes and can't be deleted. To delete the mailbox, remove the litigation hold.
If the mailbox is on litigation hold, click Edit details to view and change the
following litigation hold settings:

Hold date: This read-only box indicates the date and time when the mailbox
was put on litigation hold.

Put on hold by: This read-only box indicates the user who put the mailbox on
litigation hold.

Note: Use this box to notify the user about the litigation hold, explain why the
mailbox is on litigation hold, or provide additional guidance to the user, such as
informing them that the litigation hold won't affect their day-to-day use of
email.

URL: Use this box to provide a URL to a website that provides information or
guidance about the litigation hold on the mailbox.

Note

The text from these boxes appears in the user's mailbox only if they are
using Outlook 2010 or later versions. It doesn't appear in Outlook on the
web or other email clients. To view the text from the Note and URL boxes in
Outlook, click the File tab, and on the Info page, under Account Settings,
you'll see the litigation hold comment.

Archiving: If an archive mailbox doesn't exist for the user, this feature is disabled.
To enable an archive mailbox, click Enable. If the user has an archive mailbox, the
size of the archive mailbox and usage statistics are displayed. Click Edit details to
view and change the following archive mailbox settings:

Status: This read-only box indicates whether an archive mailbox exists.

Database: This read-only box shows the name of the mailbox database that
hosts the archive mailbox. This box isn't available in Exchange Online.

Name: Type the name of the archive mailbox in this box. This name is displayed
under the folder list in Outlook or Outlook on the web.

Archive quota (GB): This box shows the total size of the archive mailbox.

Issue warning at (GB): This box shows the maximum storage limit for the
archive mailbox before a warning is issued to the user. If the archive mailbox
size reaches or exceeds the value specified, Exchange sends a warning message
to the user.

Note

The archive quota and the issue warning quota for the archive mailbox
can't be changed in Exchange Online.

Delivery Options: Use this section to forward email messages sent to the user to
another recipient and to set the maximum number of recipients that the user can
send a message to. Click View details to view and change these settings.

Forwarding address: Select the Enable forwarding check box and then click
Browse to display the Select Mail User and Mailbox page. Use this page to
select a recipient to whom you want to forward all email messages that are sent
to this mailbox.
Deliver message to both forwarding address and mailbox: Select this check
box so that messages will be delivered to both the forwarding address and the
user's mailbox.
Recipient limit: This setting controls the maximum number of recipients the
user can send a message to. Select the Maximum recipients check box to limit
the number of recipients allowed in the To:, Cc:, and Bcc: boxes of an email
message and then specify the maximum number of recipients. In Exchange
Online, the limit is 500 recipients.

Message Size Restrictions: These settings control the size of messages that the
user can send and receive. Click View details to view maximum size for sent and
received messages.

Note

These settings can't be changed in Exchange Online.

Message Delivery Restrictions: These settings control who can send email
messages to this user. Click View details to view and change these restrictions.

Accept messages from: Use this section to specify who can send messages to
this user.

All senders: Select this option to specify that the user can accept messages from
all senders. This includes both senders in your Exchange organization and
external senders. This option is selected by default. This option includes external
users only if you clear the Require that all senders are authenticated check box.
If you select this check box, messages from external users will be rejected.

Only senders in the following list: Select this option to specify that the user can
accept messages only from a specified set of senders in your Exchange
organization. Click Add to display the Select Recipients page, which displays
a list of all recipients in your Exchange organization. Select the recipients you
want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking
Search.

Require that all senders are authenticated: Select this option to prevent
anonymous users from sending messages to the user.

Reject messages from: Use this section to block people from sending messages
to this user.

No senders: Select this option to specify that the mailbox won't reject messages
from any senders in the Exchange organization. This option is selected by
default.

Senders in the following list: Select this option to specify that the mailbox will
reject messages from a specified set of senders in your Exchange organization.
Click Add to display the Select Recipients page, which displays a list of all
recipients in your Exchange organization. Select the recipients you want, add
them to the list, and then click OK. You can also search for a specific recipient by
typing the recipient's name in the search box and then clicking Search.

Member Of
Use the Member Of section to view a list of the distribution groups or security groups
to which this user belongs. You can't change membership information on this page.
Note that the user may match the criteria for one or more dynamic distribution groups
in your organization. However, dynamic distribution groups aren't displayed on this
page because their membership is calculated each time they are used.

MailTip
Use the MailTip section to add a MailTip to alert users of potential issues if they send a
message to this recipient. A MailTip is text that is displayed in the InfoBar when this
recipient is added to the To, Cc, or Bcc boxes of a new email message.

Note

MailTips can include HTML tags, but scripts aren't allowed. The length of a custom
MailTip can't exceed 175 displayed characters. HTML tags aren't counted in the
limit.

Mailbox Delegation
Use the Mailbox Delegation section to assign permissions to other users (also called
delegates) to allow them to sign in to the user's mailbox or send messages on behalf of
the user. You can assign the following permissions:

Send As: This permission allows users other than the mailbox owner to use the
mailbox to send messages. After this permission is assigned to a delegate, any
message that a delegate sends from this mailbox will appear as if it was sent by the
mailbox owner. However, this permission doesn't allow a delegate to sign in to the
user's mailbox.

Send on Behalf Of: This permission also allows a delegate to use this mailbox to
send messages. However, after this permission is assigned to a delegate, the From:
address in any message sent by the delegate indicates that the message was sent
by the delegate on behalf of the mailbox owner.
Full Access: This permission allows a delegate to sign in to the user's mailbox and
view the contents of the mailbox. However, after this permission is assigned to a
delegate, the delegate can't send messages from the mailbox. To allow a delegate
to send email from the user's mailbox, you still have to assign the delegate the
Send As or the Send on Behalf Of permission.

To assign permissions to delegates, click Add under the appropriate permission to
display a page that displays a list of all recipients in your Exchange organization that can
be assigned the permission. Select the recipients you want, add them to the list, and
then click OK. You can also search for a specific recipient by typing the recipient's name
in the search box and then clicking Search.

Use Exchange Online PowerShell to change user mailbox properties
Use the Get-Mailbox and Set-Mailbox cmdlets to view and change properties for user
mailboxes. One advantage of using Exchange Online PowerShell is the ability to change
the properties for multiple mailboxes. For information about what parameters
correspond to mailbox properties, see the following topics:

Get-Mailbox

Set-Mailbox

Here are some examples of using Exchange Online PowerShell to change user mailbox
properties.

This example shows how to forward Pat Coleman's email messages to Sunil Koduri's
(sunilk@contoso.com) mailbox.

PowerShell

Set-Mailbox -Identity patc -DeliverToMailboxAndForward $true -ForwardingAddress sunilk@contoso.com

This example uses the Get-Mailbox command to find all user mailboxes in the
organization, and then uses the Set-Mailbox command to set the recipient limit to 500
recipients allowed in the To:, Cc:, and Bcc: boxes of an email message.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Set-Mailbox -RecipientLimits 500

This example uses the Get-Mailbox command to find all the mailboxes in the Marketing
organizational unit, and then uses the Set-Mailbox command to configure these
mailboxes. The custom warning, prohibit send, and prohibit send and receive limits are
set to 200 megabytes (MB), 250 MB, and 280 MB respectively, and the mailbox
database's default limits are ignored. This command can be used to configure a specific
set of mailboxes to have larger or smaller limits than other mailboxes in the
organization.

PowerShell

Get-Mailbox -OrganizationalUnit "Marketing" | Set-Mailbox -IssueWarningQuota 209715200 -ProhibitSendQuota 262144000 -ProhibitSendReceiveQuota 293601280 -UseDatabaseQuotaDefaults $false

This example uses the Get-Mailbox cmdlet to find all users in the Customer Service
department, and then uses the Set-Mailbox cmdlet to change the maximum message
size for sending messages to 2 MB.

PowerShell

Get-Mailbox -Filter "Department -eq 'Customer Service'" | Set-Mailbox -MaxSendSize 2097152

This example sets the MailTip translation in French and Chinese.

PowerShell

Set-Mailbox john@contoso.com -MailTipTranslations ("FR: C'est la langue française", "CHT: 這是漢語語言")
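The Get-Mailbox / Set-Mailbox pattern above also works in the other direction, for review. The following script is an added example, not code from this article: it reports mailboxes with forwarding configured (the setting the first example enables), lists the Full Access, Send As and Send on Behalf delegates on a mailbox (the permissions the Mailbox permissions section assigns in the EAC), and clears forwarding with -WhatIf support. It assumes an existing Exchange Online PowerShell session; ForwardingSmtpAddress, GrantSendOnBehalfTo, Get-MailboxPermission and Get-RecipientPermission are Exchange Online parameters and cmdlets not shown on this page.

```powershell
# Added example (not from the Microsoft article). Assumes an Exchange Online
# PowerShell session already exists (Connect-ExchangeOnline) and that the
# account holds the Recipients permissions the article refers to.

function Get-MailboxForwardingReport {
    <#
    .SYNOPSIS
    Lists every mailbox that forwards mail somewhere, which is what the
    Set-Mailbox -ForwardingAddress example in the article turns on.
    #>
    [CmdletBinding()]
    param()

    # Server-side OPATH filter: only mailboxes with either forwarding property set.
    # ForwardingAddress points at an internal recipient; ForwardingSmtpAddress
    # (a Set-Mailbox parameter not shown in the article) holds an external address.
    $filter = 'ForwardingAddress -ne $null -or ForwardingSmtpAddress -ne $null'

    Get-Mailbox -ResultSize Unlimited -Filter $filter | ForEach-Object {
        [pscustomobject]@{
            Mailbox                    = $_.PrimarySmtpAddress
            ForwardingAddress          = $_.ForwardingAddress
            ForwardingSmtpAddress      = $_.ForwardingSmtpAddress
            DeliverToMailboxAndForward = $_.DeliverToMailboxAndForward
            # An external SMTP target means copies of mail leave the organization.
            LeavesOrganization         = ($null -ne $_.ForwardingSmtpAddress)
        }
    }
}

function Get-MailboxDelegateReport {
    <#
    .SYNOPSIS
    Lists Full Access, Send As and Send on Behalf delegates on one mailbox.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Identity
    )
    process {
        # Full Access: explicit, non-inherited, non-deny grants to someone other
        # than the mailbox owner itself (NT AUTHORITY\SELF) or an orphaned SID.
        Get-MailboxPermission -Identity $Identity | Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
        } | ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Delegate = $_.User; Right = 'FullAccess' }
        }

        # Send As is a recipient permission in Exchange Online, not a mailbox permission.
        Get-RecipientPermission -Identity $Identity | Where-Object {
            $_.AccessRights -contains 'SendAs' -and
            $_.Trustee -notlike 'NT AUTHORITY\*' -and $_.Trustee -ne 'NULL SID'
        } | ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Delegate = $_.Trustee; Right = 'SendAs' }
        }

        # Send on Behalf is stored on the mailbox object itself.
        (Get-Mailbox -Identity $Identity).GrantSendOnBehalfTo | ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Delegate = $_; Right = 'SendOnBehalf' }
        }
    }
}

function Remove-MailboxForwarding {
    <#
    .SYNOPSIS
    Clears forwarding on a mailbox. Supports -WhatIf so the change can be
    previewed before it is applied.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Identity
    )
    process {
        if ($PSCmdlet.ShouldProcess($Identity, 'Clear ForwardingAddress and ForwardingSmtpAddress')) {
            Set-Mailbox -Identity $Identity -ForwardingAddress $null `
                -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
        }
    }
}

# Example run: review forwarding, then the delegates on the mailboxes that forward.
# $fwd = Get-MailboxForwardingReport
# $fwd | Format-Table
# $fwd.Mailbox | Get-MailboxDelegateReport | Format-Table
# Preview a cleanup without changing anything:
# $fwd.Mailbox | Remove-MailboxForwarding -WhatIf
```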

Bulk edit user mailboxes

You can use the EAC to change the properties for multiple user mailboxes. When you
select two or more user mailboxes from the mailbox list in the EAC, the properties that
can be bulk edited are displayed in the Details pane. When you change one of these
properties, the change is applied to all selected mailboxes.

Here's a list of the user mailbox properties and features that can be bulk edited. Note
that not all properties in each area are available to be changed.

Contact Information: Change shared properties such as street, postal code, and
city name.
Organization: Change shared properties such as department name, company
name, and the manager that the selected users report to.
Custom attributes: Change or add values for custom attributes 1 - 15.
Mailbox quota: Change the mailbox quota values and the retention period for
deleted items. This isn't available in Exchange Online.
Email connectivity: Enable or disable Outlook on the web, POP3, IMAP, MAPI, and
Exchange ActiveSync.
Archive: Enable or disable the archive mailbox.
Retention policy, role assignment policy, and sharing policy: Update the settings
for each of these mailbox features.
Move mailboxes to another database: Move the selected mailboxes to a different
database.
Delegate permissions: Assign permissions to users or groups that allow them to
open or send messages from other mailboxes. You can assign Full, Send As and
Send on Behalf permissions to users or groups. Check out Manage permissions for
recipients for more details.

Note

The estimated time to complete this task is 2 minutes, but may take longer if you
change multiple properties or features.

Use the EAC to bulk edit user mailboxes

1. In the EAC, go to Recipients > Mailboxes.

2. In the list of mailboxes, select two or more mailboxes.

Tip

You can select multiple adjacent mailboxes by holding down the Shift key and
clicking the first mailbox, and then clicking the last mailbox you want to edit.
You can also select multiple non-adjacent mailboxes by holding down the Ctrl
key and clicking each mailbox that you want to edit.

3. In the Details pane, under Bulk Edit, select the mailbox properties or feature that
you want to edit.

4. Make the changes on the properties page and then save your changes.

Add or remove email addresses for a mailbox in Exchange Online
Article • 02/22/2023

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

You can configure more than one email address for the same mailbox. The additional
addresses are called proxy addresses. A proxy address lets a user receive email that's
sent to a different email address. Any email message sent to the user's proxy address is
delivered to their primary email address, which is also known as the primary SMTP
address or the default reply address.

Important

If you're using Microsoft 365 or Office 365 for business, you should add or remove
email addresses for user mailboxes in the Add another email alias for a user

For additional management tasks related to managing recipients, see the "Recipients
documentation" table in Recipients in Exchange Online.

What do you need to know before you begin?

Estimated time to complete each procedure: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the
Feature permissions in Exchange Online article.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

The procedures in this article show how to add or remove email addresses for a user
mailbox. You can use similar procedures to add or remove email addresses for other
recipient types.

Note

You can use similar procedures to add or remove email addresses that use plus
addressing. For more information about plus addressing, see Plus Addressing.

Add an email address to a user mailbox

Use the new Exchange admin center (EAC) to add an email address
1. In the new EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to add an email
address to. A display pane is shown for the selected user mailbox.

3. Under Mailbox settings > Email addresses, click the Manage email address types
link.

4. The Manage email address types display pane is shown. You can view all the email
addresses associated with this user mailbox. Each email address type has one
default reply address. The default reply address is displayed in bold.

Note

On the Email Address page, the primary SMTP address is displayed in bold
text in the address list, with the uppercase SMTP value in the Type column.

5. Click Add email address type, and then click SMTP to add an SMTP email
address to this mailbox.

SMTP is the default email address type. You can also add custom addresses to a
mailbox. For more information, see "Change user mailbox properties" in the
Manage user mailboxes topic.

6. Type the new SMTP address in the Email address:* box, and then click OK.

The new address is displayed in the list of email addresses for the selected
mailbox.

You can select the Make this the reply address check box if you want to make this
address the reply address.

7. Click Save to save the change.

Use the Classic EAC to add an email address

1. In the Classic EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to add an email
address to, and then click Edit.

3. On the mailbox properties page, click Email Address.

Note

On the Email Address page, the primary SMTP address is displayed in bold
text in the address list, with the uppercase SMTP value in the Type column.

4. Click Add, and then click SMTP to add an SMTP email address to this mailbox.

SMTP is the default email address type. You can also add custom addresses to a
mailbox. For more information, see "Change user mailbox properties" in the
Manage user mailboxes topic.

5. Type the new SMTP address in the Email address box, and then click OK.

The new address is displayed in the list of email addresses for the selected
mailbox.

6. Click Save to save the change.

Use Exchange Online PowerShell to add an email address


The email addresses associated with a mailbox are contained in the EmailAddresses
property for the mailbox. Because it can contain more than one email address, the
EmailAddresses property is known as a multivalued property. The following examples
show different ways to modify a multivalued property.

This example shows how to add an SMTP address to the mailbox of Dan Jump.

PowerShell

Set-Mailbox "Dan Jump" -EmailAddresses @{add="dan.jump@northamerica.contoso.com"}

This example shows how to add multiple SMTP addresses to a mailbox.

PowerShell

Set-Mailbox "Dan Jump" -EmailAddresses @{add="dan.jump@northamerica.contoso.com","danj@tailspintoys.com"}

For more information about how to use this method of adding and removing values for
multivalued properties, see Modifying Multivalued Properties.

This example shows another way to add email addresses to a mailbox by specifying all
addresses associated with the mailbox. In this example, danj@tailspintoys.com is the
new email address that you want to add. The other two email addresses are existing
addresses. The address with the case-sensitive qualifier SMTP is the primary SMTP
address. You have to include all email addresses for the mailbox when you use this
command syntax. If you don't, the addresses specified in the command will overwrite
the existing addresses.

PowerShell

Set-Mailbox "Dan Jump" -EmailAddresses SMTP:dan.jump@contoso.com,dan.jump@northamerica.contoso.com,danj@tailspintoys.com

Important

Do not make frequent and multiple changes using the EmailAddresses parameter.
Otherwise, the changes might be lost due to a race condition within the Exchange
Online sync infrastructure. As described in the previous example, we recommend
adding multiple EmailAddresses values in one command. Do not use multiple
successive commands to add one value per command.

For detailed syntax and parameter information, see Set-Mailbox.

Remove an email address from a user mailbox

Use the new EAC to remove an email address


1. In the new EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to remove an email
address from. A display pane is shown for the selected user mailbox.

3. Under Mailbox settings > Email addresses, click the Manage email address types
link.

4. In the list of email addresses, select the address you want to remove, and then click
the Remove icon.

5. Click Save to save the change.

Use the Classic EAC to remove an email address


1. In the Classic EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to remove an email
address from, and then click Edit .

3. On the mailbox properties page, click Email Address.

4. In the list of email addresses, select the address you want to remove, and then click
Remove .

5. Click Save to save the change.

Use Exchange Online PowerShell to remove an email address

This example shows how to remove an email address from the mailbox of Janet Schorr.

PowerShell

Set-Mailbox "Janet Schorr" -EmailAddresses @{remove="janets@corp.contoso.com"}

This example shows how to remove multiple addresses from a mailbox.

PowerShell

Set-Mailbox "Janet Schorr" -EmailAddresses @{remove="janet.schorr@corp.contoso.com","janets@tailspintoys.com"}

For more information about how to use this method of adding and removing values for
multivalued properties, see Modifying Multivalued Properties.

You can also remove an email address by omitting it from the command to set email
addresses for a mailbox. For example, let's say Janet Schorr's mailbox has three email
addresses: janets@contoso.com (the primary SMTP address), janets@corp.contoso.com,
and janets@tailspintoys.com. To remove the address janets@corp.contoso.com, you
would run the following command.

PowerShell

Set-Mailbox "Janet Schorr" -EmailAddresses SMTP:janets@contoso.com,janets@tailspintoys.com

Because janets@corp.contoso.com was omitted in the previous command, it's removed
from the mailbox.

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to add email addresses to multiple mailboxes

You can add a new email address to multiple mailboxes at one time by using Exchange
Online PowerShell and a comma separated values (CSV) file.

This example imports data from C:\Users\Administrator\Desktop\AddEmailAddress.csv,
which has the following format.

Console

Mailbox,NewEmailAddress
Dan Jump,danj@northamerica.contoso.com
David Pelton,davidp@northamerica.contoso.com
Kim Akers,kima@northamerica.contoso.com
Janet Schorr,janets@northamerica.contoso.com
Jeffrey Zeng,jeffreyz@northamerica.contoso.com
Spencer Low,spencerl@northamerica.contoso.com
Toni Poe,tonip@northamerica.contoso.com
...

Run the following command to use the data in the CSV file to add the email address to
each mailbox specified in the CSV file.

PowerShell

Import-CSV "C:\Users\Administrator\Desktop\AddEmailAddress.csv" | ForEach {Set-Mailbox $_.Mailbox -EmailAddresses @{add=$_.NewEmailAddress}}

Note

The column names in the first row of this CSV file (Mailbox,NewEmailAddress) are
arbitrary. Whatever you use for column names, make sure you use the same
column names in the Exchange Online PowerShell command.
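The one-liner above applies the CSV as-is: a row whose address belongs to a domain the tenant does not accept, or that is already assigned to another recipient, simply fails on that row, and if the same mailbox appears on several rows it receives one Set-Mailbox call per row, which is exactly the pattern the race-condition warning earlier in this article advises against. The following script is an added example, not code from the Microsoft article: it groups the rows per mailbox so each mailbox gets a single call, checks each address against the accepted domains and existing recipients first, and reads the mailbox back afterwards to confirm the addresses are present. It assumes an open Exchange Online PowerShell session; the CSV path and the function names are this example's own.

```powershell
# Added example (not from the Microsoft article): bulk-add SMTP proxy addresses
# from a CSV with pre-checks, one Set-Mailbox call per mailbox.
# Assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline)
# and a CSV with the same Mailbox,NewEmailAddress columns as the article.
# The path below is a constructed sample, not a value from the article.
$csvPath = 'C:\Temp\AddEmailAddress.csv'

# Domains the tenant accepts mail for; Exchange rejects addresses outside them,
# but checking up front turns a per-row error into a readable report.
$acceptedDomains = (Get-AcceptedDomain).DomainName |
    ForEach-Object { $_.ToString().ToLowerInvariant() }

function Test-ProxyAddressFree {
    # True when no recipient in the tenant already owns the address.
    # Get-Recipient resolves any proxy address, not only the primary one.
    param([Parameter(Mandatory)][string]$Address)
    $owner = Get-Recipient -Identity $Address -ErrorAction SilentlyContinue
    return ($null -eq $owner)
}

function Add-ProxyAddressesFromCsv {
    param([Parameter(Mandatory)][string]$Path)
    $rows = Import-Csv -Path $Path
    # Group rows by mailbox so each mailbox gets exactly one Set-Mailbox call,
    # which is what the article's race-condition warning asks for.
    foreach ($group in ($rows | Group-Object -Property Mailbox)) {
        $mailbox = $group.Name
        $toAdd = New-Object System.Collections.Generic.List[string]
        foreach ($row in $group.Group) {
            $addr = $row.NewEmailAddress.Trim()
            $domain = ($addr -split '@')[-1].ToLowerInvariant()
            if ($domain -notin $acceptedDomains) {
                [pscustomobject]@{ Mailbox = $mailbox; Address = $addr; Result = 'Skipped: domain not accepted' }
            }
            elseif (-not (Test-ProxyAddressFree -Address $addr)) {
                [pscustomobject]@{ Mailbox = $mailbox; Address = $addr; Result = 'Skipped: address already in use' }
            }
            else {
                $toAdd.Add($addr)
            }
        }
        if ($toAdd.Count -eq 0) { continue }
        Set-Mailbox -Identity $mailbox -EmailAddresses @{ add = $toAdd.ToArray() }

        # Read back and confirm every requested address is now on the mailbox.
        # Entries look like "SMTP:user@domain"; strip the type prefix before comparing.
        $current = (Get-Mailbox -Identity $mailbox).EmailAddresses |
            ForEach-Object { ($_ -split ':', 2)[-1].ToLowerInvariant() }
        foreach ($addr in $toAdd) {
            $result = 'Not found after update'
            if ($current -contains $addr.ToLowerInvariant()) { $result = 'Added' }
            [pscustomobject]@{ Mailbox = $mailbox; Address = $addr; Result = $result }
        }
    }
}

Add-ProxyAddressesFromCsv -Path $csvPath | Format-Table -AutoSize
```

The report lists every row with its outcome, so a skipped address (unaccepted domain, or already owned by another recipient) is visible instead of being buried in a stream of per-row errors.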

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Change how long permanently deleted items are kept for an Exchange Online mailbox
Article • 02/22/2023

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

If you've permanently deleted an item in Microsoft Outlook or Outlook on the web
(formerly known as Outlook Web App), the item is moved to a folder (Recoverable
Items > Deletions) and kept there for 14 days, by default. You can change how long
items are kept, up to a maximum of 30 days.

Note

You must use Exchange Online PowerShell to make the change. Unfortunately, you
can't currently do this directly in Outlook or Outlook on the web.

What do you need to know before you begin?


Estimated time to complete each procedure: 3 minutes.

If you want to place a mailbox on In-Place Hold and Litigation Hold so the
retention limit is ignored, make sure the mailbox has an Exchange Online (Plan 2)
user license.

You need permissions before you can do this procedure or procedures. To see
what permissions you need, see the "Recipients" section in the Feature permissions
in Exchange Online article.

You can use Exchange Online PowerShell to perform this procedure. To learn how
to use Windows PowerShell to connect to Exchange Online, see Connect to
Exchange Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Change how long permanently deleted items are kept

In these examples, we increase the retention period to 30 days, the maximum for
Exchange Online mailboxes. But you can set the number to whatever you like, up to that
limit.

Example 1: Set Emily Maier's mailbox to keep deleted items for 30 days. In Exchange
Online PowerShell, run the following command.

PowerShell

Set-Mailbox -Identity "Emily Maier" -RetainDeletedItemsFor 30

Example 2: Set all user mailboxes in the organization to keep deleted items for 30 days.
In Exchange Online PowerShell, run the following command.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Set-Mailbox -RetainDeletedItemsFor 30

Need more details about using these commands? See Exchange Online PowerShell Help
article Set-Mailbox.

Note

These commands only apply to existing mailboxes and will not affect new
mailboxes that you create in the future. To change this setting on all new
mailboxes, use a mailbox plan that has a new retention policy that applies to new
mailboxes. See Mailbox plans and Set-MailboxPlan for more information.

Tip

To keep deleted items for longer than 30 days, place the mailbox on In-Place Hold
or Litigation Hold. This works because when a mailbox is placed on hold, deleted
items are kept and retention settings for deleted items are ignored. See In-Place
Hold and Litigation Hold.

Check to be sure the value is changed


To check for one mailbox, run the following command:

PowerShell

Get-Mailbox <Name> | Format-List RetainDeletedItemsFor

Or to check for all mailboxes, run the following command:

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Format-List Name,RetainDeletedItemsFor
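The two checks above print the value for each mailbox and leave it to the reader to spot the ones still at the 14-day default. The script below is an added example, not code from the Microsoft article: it turns the check into a report of every user mailbox against a target retention, marks mailboxes that are on Litigation Hold or In-Place Hold (where, as the tip above says, the deleted-item retention setting is ignored), and with the -Fix switch raises any mailbox below the target and reads the value back to confirm the change. It assumes an open Exchange Online PowerShell session; the function name and its parameters are this example's own.

```powershell
# Added example (not from the Microsoft article): audit deleted-item retention on
# all user mailboxes and, with -Fix, raise any mailbox below the target to it.
# Assumes an active Exchange Online PowerShell session. The function name and
# parameters are this example's own, not cmdlets from the article.
function Get-DeletedItemRetentionReport {
    param(
        # Target retention in days; 30 is the Exchange Online maximum noted above
        [ValidateRange(0, 30)][int]$MinimumDays = 30,
        [switch]$Fix
    )
    $mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
    foreach ($mbx in $mailboxes) {
        # RetainDeletedItemsFor comes back as a timespan such as 14.00:00:00;
        # parsing its string form works for both live and deserialized objects.
        $days = [TimeSpan]::Parse($mbx.RetainDeletedItemsFor.ToString()).Days

        # On hold, the retention window is ignored and deleted items are kept regardless.
        $onHold = [bool]$mbx.LitigationHoldEnabled -or (@($mbx.InPlaceHolds).Count -gt 0)

        $status = if ($days -ge $MinimumDays) { 'OK' } else { 'BelowTarget' }
        if ($Fix -and $status -eq 'BelowTarget') {
            Set-Mailbox -Identity $mbx.Identity -RetainDeletedItemsFor $MinimumDays
            # Read the value back rather than trusting that the call took effect
            $after = Get-Mailbox -Identity $mbx.Identity
            $days = [TimeSpan]::Parse($after.RetainDeletedItemsFor.ToString()).Days
            $status = if ($days -ge $MinimumDays) { 'Fixed' } else { 'FixFailed' }
        }

        [pscustomobject]@{
            Mailbox       = $mbx.PrimarySmtpAddress
            RetentionDays = $days
            OnHold        = $onHold
            Status        = $status
        }
    }
}

# Report only; add -Fix to change mailboxes that are below the target
Get-DeletedItemRetentionReport -MinimumDays 30 | Sort-Object Status | Format-Table -AutoSize
```

Run it without -Fix first to see what would change; the OnHold column tells you which mailboxes would keep their deleted items anyway, and as the note above says, a new mailbox plan is still needed for mailboxes created later.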

More about deleted items and retention time


When a user permanently deletes a mailbox item (such as an email message, a contact,
a calendar appointment, or a task) in Microsoft Outlook and Outlook on the web, the
item is moved to the Recoverable Items folder, and into a subfolder named Deletions.

A mailbox item is deleted and moved to the Recoverable Items folder when a user does
one of the following:

Deletes an item from the Deleted Items folder

Empties the Deleted Items folder

Permanently deletes an item by selecting it and pressing Shift+Delete

How long deleted items are kept in the Deletions folder depends on the deleted item
retention period that is set for the mailbox. An Exchange Online mailbox keeps deleted
items for 14 days, by default. Use Exchange Online PowerShell, as shown above, to
change this setting, to increase the period up to a maximum of 30 days.

Users can recover, or purge, deleted items before the retention time for a deleted item
expires. To do so, they use the Recover Deleted Items feature in Outlook or Outlook on
the web. See the following articles for Outlook for Windows or for Outlook on the web.

Additional help:

If a user purges a deleted item, you can recover it before the deleted item
retention period expires. For details, see Recover deleted messages in a user's
mailbox.

To learn more about deleted item retention, the Recoverable Items folder, In-Place
Hold, and Litigation Hold, see Recoverable Items folder in Exchange Online.
Configure email forwarding for a mailbox in Exchange Online
Article • 02/22/2023

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

Email forwarding lets you set up a mailbox to forward email messages sent to that
mailbox to another user's mailbox in or outside of your organization.

) Important

If you're using Microsoft 365 or Office 365 for business, you should configure email
forwarding in the Configure email forwarding

Use the new Exchange admin center (EAC) to configure email forwarding

You can use the new Exchange admin center (EAC) to set up email forwarding to a single
internal recipient, a single external recipient (using a mail contact), or multiple recipients
(using a distribution group).

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the Feature
permissions in Exchange Online article.

1. In the new EAC, go to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to configure mail
forwarding for. A display pane is shown for the selected user mailbox.

3. Under Mailbox settings > Mail flow settings, click the Manage mail flow settings
link.

4. In the Manage mail flow settings display pane, you will see the Email forwarding
option. Click the Edit button next to this option to view or change the setting for
forwarding email messages.

5. The Manage email forwarding display pane is shown. By default the Forward all
emails sent to this mailbox setting is OFF. Turn it ON.

6. Under Forwarding address text box, enter the forwarding email address. The text
box allows a search option for searching email addresses by partially entering the
keyword.

7. You can turn ON the Keep a copy of forwarded email in this mailbox option if you
wish to keep a copy of the forwarded email.

8. Click Save to save your changes. Click Close to exit from the Manage mail flow
settings display pane.

Use the Classic Exchange admin center to configure email forwarding

You can use the Classic Exchange admin center (EAC) to set up email forwarding to a
single internal recipient, a single external recipient (using a mail contact), or multiple
recipients (using a distribution group).

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the Feature
permissions in Exchange Online article.

1. In the EAC, go to Recipients > Mailboxes.

2. In the list of user mailboxes, click or tap the mailbox that you want to configure
mail forwarding for, and then click or tap Edit .

3. On the mailbox properties page, click Mailbox Features.

4. Under Mail Flow, select View details to view or change the setting for forwarding
email messages.

On this page, you can set the maximum number of recipients that the user can
send a message to. For on-premises Exchange organizations, the recipient limit is
unlimited. For Exchange Online organizations, the limit is 500 recipients.

5. Check the Enable forwarding check box, and then click or tap Browse.

6. On the Select Recipient page, select a user you want to forward all email to. Select
the Deliver message to both forwarding address and mailbox check box if you
want both the recipient and the forwarding email address to get copies of the
emails sent. Click or tap OK, and then click or tap Save.

What if you want to forward mail to an address outside your organization? Or forward
mail to multiple recipients? You can do that, too!

External addresses: Create a mail contact and then, in the steps above, select the
mail contact on the Select Recipient page. Need to know how to create a mail
contact? Check out Manage mail contacts.

Multiple recipients: Create a distribution group, add recipients to it, and then in
the steps above, select the distribution group on the Select Recipient page. Need to
know how to create a distribution group? Check out Create and manage distribution
groups.

How do you know this worked?


To verify that you've successfully configured email forwarding, do one of the following:

1. In the EAC, go to Recipients > Mailboxes.

2. In the list of user mailboxes, click or tap the mailbox that you configured email
forwarding for, and then click Edit .

3. On the mailbox properties page, click or tap Mailbox Features.

4. Under Mail Flow, click or tap View details to view the mail forwarding settings.

Additional information

This article is for admins. If you want to forward your own email to another recipient,
check out the following articles:

Forward email to another email account


Manage email messages by using rules

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange
Online or Exchange Online Protection.

Configure message delivery restrictions for a mailbox in Exchange Online
Article • 02/22/2023

You can use the new EAC, the classic EAC or Exchange Online PowerShell to place
restrictions on whether messages are delivered to individual recipients. Message
delivery restrictions are useful to control who can send messages to users in your
organization. For example, you can configure a mailbox to accept or reject messages
sent by specific users or to accept messages only from users in your Exchange
organization.

Important

Message delivery restrictions do not impact mailbox permissions. A user with Full
Access permissions on a mailbox will still be able to update the contents in that
mailbox, such as by copying messages into the mailbox, even if that user has been
restricted.

The message delivery restrictions covered in this topic apply to all recipient types. To
learn more about the different recipient types, see Recipients in Exchange Online.

For additional management tasks related to recipients, see the following topics:

Manage user mailboxes

Create and manage distribution groups

Manage dynamic distribution groups

Manage mail users

Manage mail contacts

What do you need to know before you begin?


Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the
Feature permissions in Exchange Online topic.
For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new EAC to configure message delivery restrictions

1. In the new EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to configure message
delivery restrictions for. A display pane is shown for the selected user mailbox.

3. Under Mailbox settings > Mail flow settings, click the Manage mail flow settings
link.

4. In the Manage mail flow settings display pane, you will see the Message Delivery
Restrictions option. Click the Edit button next to this option. The Message delivery
restrictions display pane is shown.

Accept messages from: Use this section to specify who can send messages to this
user.

All senders: This option specifies that the user can accept messages from all
senders. This includes both senders in your Exchange organization and external
senders. This is the default option. It includes external users only if you clear the
Check if all senders are authenticated check box. If you select this check box,
messages from external users will be rejected.

Selected senders: This specifies that the user can choose from a list of senders.
Click Add sender to display the list of all recipients in your Exchange
organization. You can also search for a specific recipient by typing the
recipient's name in the search box. Select the desired recipients, and then click
Confirm.

Check if all senders are authenticated: This option prevents anonymous users
from sending messages to the user. This includes external users that are outside
of your Exchange organization.

Block messages from: Use this section to block people from sending messages to
this user.

None: This option specifies that the mailbox won't reject messages from any
senders in the Exchange organization. This is the default option.

Selected senders: This specifies that the user can choose from a list of senders.
Click Add sender to display the list of all recipients in your Exchange
organization. You can also search for a specific recipient by typing the
recipient's name in the search box. Select the desired recipients, and then click
Confirm.

5. Click Save to save your changes. Click Close to exit from the Manage mail flow
settings display pane.

Use the Classic EAC to configure message delivery restrictions

1. In the Classic EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to configure message
delivery restrictions for, and then click Edit .

3. On the mailbox properties page, click Mailbox Features.

4. Under Message Delivery Restrictions, click View details to view and change the
following delivery restrictions:

Accept messages from: Use this section to specify who can send messages to
this user.

All senders: This option specifies that the user can accept messages from all
senders. This includes both senders in your Exchange organization and
external senders. This is the default option. It includes external users only if
you clear the Require that all senders are authenticated check box. If you
select this check box, messages from external users will be rejected.

Only senders in the following list: This option specifies that the user can
accept messages only from a specified set of senders in your Exchange
organization. Click Add to display a list of all recipients in your Exchange
organization. Select the recipients you want, add them to the list, and then
click OK. You can also search for a specific recipient by typing the recipient's
name in the search box and then clicking Search.

Require that all senders are authenticated: This option prevents anonymous
users from sending messages to the user. This includes external users that are
outside of your Exchange organization.

Reject messages from: Use this section to block people from sending
messages to this user.

No senders: This option specifies that the mailbox won't reject messages
from any senders in the Exchange organization. This is the default option.

Senders in the following list: This option specifies that the mailbox will reject
messages from a specified set of senders in your Exchange organization. Click
Add to display a list of all recipients in your Exchange organization. Select
the recipients you want, add them to the list, and then click OK. You can also
search for a specific recipient by typing the recipient's name in the search box
and then clicking Search.

5. Click OK to close the Message Delivery Restrictions page, and then click Save to
save your changes.

How do you know this worked?

To verify that you've successfully configured message delivery restrictions for a user
mailbox, do one the following:

1. In the EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to verify the message
delivery restrictions for, and then click Edit .

3. On the mailbox properties page, click Mailbox Features.

4. Under Message Delivery Restrictions, click View details to verify the delivery
restrictions for the mailbox.

Use Exchange Online PowerShell to configure message delivery restrictions

The following examples show how to use Exchange Online PowerShell to configure
message delivery restrictions for a mailbox. For other recipient types, use the
corresponding Set- cmdlet with the same parameters.

This example configures the mailbox of Robin Wood to accept messages only from the
users Lori Penor, Jeff Phillips, and members of the distribution group Legal Team 1.

PowerShell

Set-Mailbox -Identity "Robin Wood" -AcceptMessagesOnlyFrom "Lori Penor","Jeff Phillips" -AcceptMessagesOnlyFromDLMembers "Legal Team 1"

Note

If you're configuring a mailbox to accept messages only from individual senders,
you have to use the AcceptMessagesOnlyFrom parameter. If you're configuring a
mailbox to accept messages only from senders that are members of a specific
distribution group, use the AcceptMessagesOnlyFromDLMembers parameter.

This example adds the user named David Pelton to the list of users whose messages will
be accepted by the mailbox of Robin Wood.

PowerShell

Set-Mailbox -Identity "Robin Wood" -AcceptMessagesOnlyFrom @{add="David Pelton"}

This example configures the mailbox of Robin Wood to require all senders to be
authenticated. This means the mailbox will only accept messages sent by other users in
your Exchange organization.

PowerShell

Set-Mailbox -Identity "Robin Wood" -RequireSenderAuthenticationEnabled $true

This example configures the mailbox of Robin Wood to reject messages from the users
Joe Healy, Terry Adams, and members of the distribution group Legal Team 2.

PowerShell

Set-Mailbox -Identity "Robin Wood" -RejectMessagesFrom "Joe Healy","Terry Adams" -RejectMessagesFromDLMembers "Legal Team 2"

This example configures the mailbox of Robin Wood to also reject messages sent by
members of the group Legal Team 3.

PowerShell

Set-Mailbox -Identity "Robin Wood" -RejectMessagesFromDLMembers @{add="Legal Team 3"}

Note

If you're configuring a mailbox to reject messages from individual senders, you
have to use the RejectMessagesFrom parameter. If you're configuring a mailbox to
reject messages from senders that are members of a specific distribution group,
use the RejectMessagesFromDLMembers parameter.

For detailed syntax and parameter information related to configuring delivery
restrictions for different types of recipients, see the following topics:

Set-DistributionGroup

Set-DynamicDistributionGroup

Set-Mailbox

Set-MailContact

Set-MailUser

How do you know this worked?

To verify that you've successfully configured message delivery restrictions for a user
mailbox using PowerShell, run the following command in Exchange Online PowerShell.

PowerShell

Get-Mailbox <identity> | Format-List AcceptMessagesOnlyFrom,AcceptMessagesOnlyFromDLMembers,RejectMessagesFrom,RejectMessagesFromDLMembers,RequireSenderAuthenticationEnabled
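The Format-List check above shows the restriction lists as stored on the mailbox: individual senders as recipient references and distribution groups by name, so the effective set of allowed or blocked senders is only visible after expanding the groups. The script below is an added example, not code from the Microsoft article: it reads the five properties listed above, resolves each individual entry to its SMTP address, expands every group in the DLMembers lists with Get-DistributionGroupMember, and then applies the article's first Set-Mailbox example and prints what it resolves to. It assumes an open Exchange Online PowerShell session; the function names are this example's own.

```powershell
# Added example (not from the Microsoft article): read back a mailbox's delivery
# restrictions and expand the distribution groups in the *DLMembers lists, so the
# report shows the effective set of allowed and blocked senders. Assumes an
# active Exchange Online PowerShell session; the function names are this example's own.
function Get-DeliveryRestrictionReport {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity

    # Resolve the recipient references stored on the mailbox to SMTP addresses
    function Resolve-Senders([object[]]$Refs) {
        foreach ($r in @($Refs)) {
            if (-not $r) { continue }   # empty property yields a single $null
            $rcpt = Get-Recipient -Identity $r.ToString() -ErrorAction SilentlyContinue
            if ($rcpt) { $rcpt.PrimarySmtpAddress.ToString() } else { "$r (unresolved)" }
        }
    }

    # Expand each distribution group to the addresses of its current members
    function Expand-Groups([object[]]$Groups) {
        foreach ($g in @($Groups)) {
            if (-not $g) { continue }
            Get-DistributionGroupMember -Identity $g.ToString() -ResultSize Unlimited |
                ForEach-Object { $_.PrimarySmtpAddress.ToString() }
        }
    }

    [pscustomobject]@{
        Mailbox                     = $mbx.PrimarySmtpAddress
        RequireSenderAuthentication = $mbx.RequireSenderAuthenticationEnabled
        AcceptOnlyFrom              = @(Resolve-Senders $mbx.AcceptMessagesOnlyFrom)
        AcceptOnlyFromGroupMembers  = @(Expand-Groups $mbx.AcceptMessagesOnlyFromDLMembers)
        RejectFrom                  = @(Resolve-Senders $mbx.RejectMessagesFrom)
        RejectFromGroupMembers      = @(Expand-Groups $mbx.RejectMessagesFromDLMembers)
    }
}

# Apply the article's first example, then show the effective sender lists
Set-Mailbox -Identity "Robin Wood" -AcceptMessagesOnlyFrom "Lori Penor","Jeff Phillips" -AcceptMessagesOnlyFromDLMembers "Legal Team 1"
Get-DeliveryRestrictionReport -Identity "Robin Wood" | Format-List
```

Group membership is expanded at the time the report runs, so rerun it after group changes; an empty AcceptOnlyFrom list together with RequireSenderAuthentication set to False means the mailbox accepts mail from any sender.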
Convert a mailbox in Exchange Online
Article • 03/21/2023

You can use the new Exchange admin center (EAC) for the following types of mailbox
conversions:

User mailbox to shared mailbox.

Shared mailbox to user mailbox.

Other types of mailbox conversions require Exchange Online PowerShell:

User mailbox to resource (room or equipment) mailbox

Shared mailbox to user mailbox (also available in the new EAC)

Shared mailbox to resource mailbox

Resource mailbox to user mailbox

Resource mailbox to shared mailbox

What do you need to know before you begin?


Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the
Feature permissions in Exchange Online topic.

If your organization uses a hybrid Exchange environment, you need to manage
your mailboxes using on-premises Exchange management tools.

To convert a mailbox in a hybrid environment that was provisioned in Exchange
Online but not migrated, you need to convert the remote mailbox object using
the Exchange Management Shell in on-premises Exchange:

PowerShell

Set-RemoteMailbox <MailboxIdentity> -Type <Regular | Shared | Room | Equipment>

If the mailbox was previously migrated to Exchange Online, you also need to
update the mailbox object in Exchange Online. For more information, see:

Use the new Exchange admin center to convert a mailbox

Use Exchange Online PowerShell to convert a mailbox

If you're converting a user mailbox to a shared mailbox, you should do one of the
following steps:

Remove any mobile devices from the mailbox before the conversion.

Block mobile access to the mailbox after the conversion. For more information,
see Remove a former employee.

This step is required because mobile functionality won't work properly after the
mailbox is converted to a shared mailbox.

To prevent access to the converted mailbox, you might need to reset the password.

Delegated Access Permission (DAP) partners with Administer On Behalf Of (AOBO)
permissions can't use the procedures in this topic to convert customer mailboxes.
Only members of the Organization Management role group in Exchange Online
(global admins) can convert mailboxes.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new Exchange admin center to convert a mailbox

1. In the EAC, go to Recipients > Mailboxes.

The Mailboxes page is displayed.

You can filter for display of only user mailboxes or shared mailboxes by clicking
Filter.

2. Select the user mailbox or a shared mailbox that you want to convert into its other
type, and click on the display name.

3. From the More actions pane, click Convert to regular mailbox or Convert to
shared mailbox.

The mailbox conversion wizard is displayed.

4. Click Confirm.

The mailbox is converted from its present type to its other type, and the
notification message Mailbox converted successfully is displayed.

Use Exchange Online PowerShell to convert a mailbox

To convert a mailbox, use the following syntax:

PowerShell

Set-Mailbox -Identity <MailboxIdentity> -Type <Regular | Room | Equipment | Shared>

This example converts the shared mailbox named MarketingDept1 to a user mailbox.

PowerShell

Set-Mailbox -Identity MarketingDept1 -Type Regular

For detailed syntax and parameter information, see Set-Mailbox.

How do you know this worked?


To verify that you have successfully converted the mailbox, replace <MailboxIdentity>
with the alias or email address of the mailbox, and run the following command in
Exchange Online PowerShell:

PowerShell

Get-Mailbox -Identity <MailboxIdentity> | Format-List RecipientTypeDetails

The value for RecipientTypeDetails should be UserMailbox.

For detailed syntax and parameter information, see Get-Mailbox.
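The check above reads RecipientTypeDetails back after the conversion; the expected value depends on the -Type you passed (UserMailbox for Regular, as in the example, and the corresponding shared, room or equipment values for the other types). The function below is an added example, not code from the Microsoft article: it wraps Set-Mailbox -Type with that read-back so a single call converts the mailbox and reports whether the resulting type is the one requested, and it skips the Set-Mailbox call when the mailbox is already of that type. It assumes an open Exchange Online PowerShell session against a non-hybrid tenant (in a hybrid environment the Set-RemoteMailbox step described earlier applies instead); the function name and the mapping table are this example's own.

```powershell
# Added example (not from the Microsoft article): convert a mailbox and verify the
# result by reading RecipientTypeDetails back, as the check above describes.
# Assumes an active Exchange Online PowerShell session (not a hybrid tenant, where
# Set-RemoteMailbox applies instead). The function name is this example's own.
function Convert-MailboxType {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Regular', 'Shared', 'Room', 'Equipment')][string]$Type
    )
    # RecipientTypeDetails value that each -Type value produces
    $expected = @{
        Regular   = 'UserMailbox'
        Shared    = 'SharedMailbox'
        Room      = 'RoomMailbox'
        Equipment = 'EquipmentMailbox'
    }

    $before = (Get-Mailbox -Identity $Identity).RecipientTypeDetails.ToString()
    if ($before -eq $expected[$Type]) {
        # Nothing to do; report it rather than issuing a no-op Set-Mailbox
        return [pscustomobject]@{ Mailbox = $Identity; Before = $before; After = $before; Changed = $false; Verified = $true }
    }

    Set-Mailbox -Identity $Identity -Type $Type

    # Read the type back instead of assuming the conversion succeeded
    $after = (Get-Mailbox -Identity $Identity).RecipientTypeDetails.ToString()
    [pscustomobject]@{
        Mailbox  = $Identity
        Before   = $before
        After    = $after
        Changed  = $true
        Verified = ($after -eq $expected[$Type])
    }
}

# Same conversion as the article's example, with the read-back check
Convert-MailboxType -Identity MarketingDept1 -Type Regular
```

A Verified value of False means the mailbox type did not change to what was requested and the result should be inspected before any follow-up steps (for example, the mobile-device steps listed earlier for user-to-shared conversions) are taken.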


Enable or disable Exchange ActiveSync
for a mailbox in Exchange Online
Article • 02/22/2023

You can use the EAC or Exchange Online PowerShell to enable or disable Microsoft
Exchange ActiveSync for a user mailbox. Exchange ActiveSync is a client protocol that
lets users synchronize a mobile device with their Exchange mailbox. Exchange
ActiveSync is enabled by default when a user mailbox is created. To learn more, see
Exchange ActiveSync in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mobile devices" entry in
the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new Exchange admin center to enable or disable Exchange ActiveSync

1. In the new EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to enable or disable
Exchange ActiveSync for. A display pane is shown for the selected user mailbox.

3. Under Mailbox settings > Email apps, click the Manage email apps settings link.

4. In the Manage settings for email apps display pane, do one of the following.

To disable Exchange ActiveSync, for the Mobile (Exchange ActiveSync)
option, when the button is Enabled, set to Disabled.

To enable Exchange ActiveSync, for the Mobile (Exchange ActiveSync)
option, when the button is Disabled, set to Enabled.

5. Click Save to save your change. A message Email app settings updated
successfully is displayed. Click Close to exit.

Use the Classic EAC to enable or disable Exchange ActiveSync

1. In the Classic EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to enable or disable
Exchange ActiveSync for, and then click Edit .

3. On the mailbox properties page, click Mailbox Features.

4. Under Mobile Devices, do one of the following:

To disable Exchange ActiveSync click Disable Exchange ActiveSync.

A warning appears asking if you're sure you want to disable Exchange
ActiveSync. Click Yes.

To enable Exchange ActiveSync, click Enable Exchange ActiveSync.

5. Click Save to save your change.

Note

You can enable and disable Exchange ActiveSync for multiple user mailboxes by
using the EAC bulk edit feature. For more information about how to do this, see the
"Bulk edit user mailboxes" section in Manage user mailboxes.

How do you know it worked?

To verify that you've successfully enabled or disabled Exchange ActiveSync for a user
mailbox, do the following:

In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.

On the mailbox properties page, click Mailbox Features.

Under Mobile Devices, verify whether Exchange ActiveSync is enabled or disabled.

Use Exchange Online PowerShell to enable or disable Exchange ActiveSync

This example disables Exchange ActiveSync for the mailbox of Yan Li.

PowerShell

Set-CASMailbox -Identity "Yan Li" -ActiveSyncEnabled $false

This example enables Exchange ActiveSync for the mailbox of Elly Nkya.

PowerShell

Set-CASMailbox -Identity "Elly Nkya" -ActiveSyncEnabled $true

For detailed syntax and parameter information, see Set-CASMailbox.

How do you know this worked?

To verify that you've successfully enabled or disabled Exchange ActiveSync for a user
mailbox using PowerShell, run the following command in Exchange Online PowerShell:

PowerShell

Get-CASMailbox -Identity <MailboxIdentity>

If Exchange ActiveSync is enabled, the value for the ActiveSyncEnabled property is
True. If Exchange ActiveSync is disabled, the value is False.

Enable or disable MAPI for a mailbox in Exchange Online
Article • 02/22/2023

You can use the Exchange admin center or Exchange Online PowerShell to enable or
disable MAPI for a user mailbox. When MAPI is enabled, a user's mailbox can be
accessed by Outlook or other MAPI email clients. When MAPI is disabled, it can't be
accessed by Outlook or other MAPI clients. However, the mailbox will continue to
receive email messages, and, assuming that the mailbox is enabled to support access by
those clients, a user can access the mailbox to send and receive email by using Outlook
on the web (formerly known as Outlook Web App), a POP email client, or an IMAP client.

Note

Support for Outlook on the web and MAPI, POP3, and IMAP4 email clients is
enabled by default when a user mailbox is created.

For additional management tasks related to managing email client access to a mailbox,
see the following topics:

Enable or disable Outlook on the web for a mailbox

Enable or Disable POP3 or IMAP4 access for a user

What do you need to know before you begin?


Estimated time to complete: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Client Access user
settings" entry in the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new Exchange admin center to enable or disable MAPI

1. In the new EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to enable or disable
MAPI for. A display pane is shown for the selected user mailbox.

3. Under Mailbox settings > Email apps, click the Manage email apps settings link.

4. In the Manage settings for email apps display pane, do one of the following.

To disable MAPI, for the Outlook desktop (MAPI) option, when the button is
Enabled, set to Disabled.

To enable MAPI, for the Outlook desktop (MAPI) option, when the button is
Disabled, set to Enabled.

5. Click Save to save your change. A message Email app settings updated
successfully is displayed. Click Close to exit.

Use the Classic EAC to enable or disable MAPI


1. In the Classic EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to enable or disable
MAPI for, and then click Edit.

3. On the mailbox properties page, click Mailbox Features.

4. Under Email Connectivity, do one of the following.

To disable MAPI, under MAPI: Enabled, click Disable.

A warning appears asking if you're sure you want to disable MAPI. Click Yes.

To enable MAPI, under MAPI: Disabled, click Enable.

5. Click Save to save your change.

How do you know this worked?

To verify that you've successfully enabled or disabled MAPI for a user mailbox, do the
following:

In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.

On the mailbox properties page, click Mailbox Features.

Under Email Connectivity, verify whether MAPI is enabled or disabled.

Use Exchange Online PowerShell to enable or disable MAPI

This example disables MAPI for the mailbox of Ken Sanchez.

PowerShell

Set-CASMailbox -Identity "Ken Sanchez" -MAPIEnabled $false

This example enables MAPI for the mailbox of Esther Valle.

PowerShell

Set-CASMailbox -Identity "Esther Valle" -MAPIEnabled $true

For detailed syntax and parameter information, see Set-CASMailbox.

How do you know this worked?

To verify that you've successfully enabled or disabled MAPI for a user mailbox, run the
following command in Exchange Online PowerShell.

PowerShell

Get-CASMailbox -Identity <MailboxIdentity>


Enable or disable Outlook on the web for a mailbox in Exchange Online
Article • 02/22/2023

You can use the EAC or Exchange Online PowerShell to enable or disable Outlook on the
web (formerly known as Outlook Web App) for a user mailbox. When Outlook on the
web is enabled, a user can use Outlook on the web to send and receive email. When
Outlook on the web is disabled, the mailbox will continue to receive email messages,
and a user can access it to send and receive email by using a MAPI client, such as
Microsoft Outlook, or with a POP or IMAP email client, assuming that the mailbox is
enabled to support access by those clients.

Note

Support for Outlook on the web and MAPI, POP3, and IMAP4 email clients is
enabled by default when a user mailbox is created.

Tip

Outlook on the web is required for the Share to Outlook feature to work in
Microsoft Teams.

For additional management tasks related to managing email client access to a mailbox,
see the following articles:

Enable or disable MAPI for a mailbox

Enable or Disable POP3 or IMAP4 access for a user

Disabling access to Outlook on the web will also limit the use of the new Outlook for
Windows.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Client Access user
settings" entry in the Feature permissions in Exchange Online article.
For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new EAC to enable or disable Outlook on the web

1. In the new EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to enable or disable
Outlook on the web for. A display pane is shown for the selected user mailbox.

3. Under Mailbox settings > Email apps, click the Manage email apps settings link.

4. In the Manage settings for email apps display pane, do one of the following.

To disable Outlook on the web, for the Outlook on the web option, when the
button is Enabled, set to Disabled.

To enable Outlook on the web, for the Outlook on the web option, when the
button is Disabled, set to Enabled.

5. Click Save to save your change. A message Email app settings updated
successfully is displayed. Click Close to exit.

Use the Classic EAC to enable or disable Outlook on the web

1. In the Classic EAC, navigate to Recipients > Mailboxes.

2. In the list of user mailboxes, click the mailbox that you want to enable or disable
Outlook on the web for, and then click Edit.

3. On the mailbox properties page, click Mailbox Features.

4. Under Email Connectivity, do one of the following:

To disable Outlook on the web, under Outlook Web App: Enabled, click Disable.

A warning appears asking if you're sure you want to disable Outlook on the web.
Click Yes.

To enable Outlook on the web, under Outlook Web App: Disabled, click Enable.

5. Click Save to save your changes.

Note

You can enable and disable Outlook on the web for multiple user mailboxes by
using the EAC bulk edit feature. For more information about how to do this, see the
"Bulk edit user mailboxes" section in Manage user mailboxes.

How do you know it worked?

To verify that you've successfully enabled or disabled Outlook on the web for a user
mailbox, do the following:

In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.

On the mailbox properties page, click Mailbox Features.

Under Email Connectivity, verify whether Outlook on the web is enabled or disabled.

Use Exchange Online PowerShell to enable or disable Outlook on the web

This example disables Outlook on the web for the mailbox of Yan Li.

PowerShell

Set-CASMailbox -Identity "Yan Li" -OWAEnabled $false

This example enables Outlook on the web for the mailbox of Elly Nkya.

PowerShell

Set-CASMailbox -Identity "Elly Nkya" -OWAEnabled $true

For detailed syntax and parameter information, see Set-CASMailbox.

How do you know this worked?


To verify that you've successfully enabled or disabled Outlook on the web for a user
mailbox, run the following command in Exchange Online PowerShell.

PowerShell

Get-CASMailbox -Identity <MailboxIdentity>

If Outlook on the web is enabled, the value for the OWAEnabled property is True.
If Outlook on the web is disabled, the value is False.

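The three articles above (Exchange ActiveSync, MAPI, and Outlook on the web) each toggle one Set-CASMailbox switch on one mailbox. The following script is an added example, not code from the Microsoft documentation: it reports all five client-access protocol flags that Get-CASMailbox exposes for a list of mailboxes, applies a change with a -WhatIf dry run, and then reads the value back to confirm the change took effect. The mailbox names are constructed sample values, and the script assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

```powershell
# Added example, not code from the Microsoft documentation page.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

# Constructed sample input: the mailboxes to review. Replace with your own identities.
$mailboxes = @("Yan Li", "Elly Nkya", "Ken Sanchez")

# One row per mailbox with every client-access protocol flag covered by the
# articles above (plus POP3 and IMAP4, which live on the same Get-CASMailbox object).
function Get-ClientAccessReport {
    param([string[]]$Identity)
    foreach ($id in $Identity) {
        $cas = Get-CASMailbox -Identity $id -ErrorAction Stop
        [pscustomobject]@{
            Mailbox           = $cas.PrimarySmtpAddress
            ActiveSyncEnabled = $cas.ActiveSyncEnabled
            MAPIEnabled       = $cas.MAPIEnabled
            OWAEnabled        = $cas.OWAEnabled
            PopEnabled        = $cas.PopEnabled
            ImapEnabled       = $cas.ImapEnabled
        }
    }
}

# Enable or disable one protocol for several mailboxes. Because the function supports
# ShouldProcess, calling it with -WhatIf turns the inner Set-CASMailbox into a dry run too.
function Set-ClientAccessProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Identity,
        [ValidateSet("ActiveSyncEnabled", "MAPIEnabled", "OWAEnabled", "PopEnabled", "ImapEnabled")]
        [string]$Protocol,
        [bool]$Enabled
    )
    foreach ($id in $Identity) {
        # Build the parameter set dynamically so one function covers all five switches.
        $params = @{ Identity = $id; $Protocol = $Enabled }
        Set-CASMailbox @params
        if (-not $WhatIfPreference) {
            # Read the value back rather than trusting that the call took effect.
            $actual = (Get-CASMailbox -Identity $id).$Protocol
            if ($actual -ne $Enabled) {
                Write-Warning "$($id): $Protocol is $actual, expected $Enabled"
            }
        }
    }
}

# Usage: report, dry-run the change, apply it, then report again.
Get-ClientAccessReport -Identity $mailboxes | Format-Table -AutoSize
Set-ClientAccessProtocol -Identity $mailboxes -Protocol ActiveSyncEnabled -Enabled $false -WhatIf
Set-ClientAccessProtocol -Identity $mailboxes -Protocol ActiveSyncEnabled -Enabled $false
Get-ClientAccessReport -Identity $mailboxes | Format-Table -AutoSize
```

The read-back after each Set-CASMailbox is the same check the "How do you know this worked?" sections describe, done in code so that a mailbox whose change did not apply is flagged instead of silently skipped.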
Mailbox plans in Exchange Online
Article • 02/22/2023

A mailbox plan is a template that automatically configures mailbox properties in
Exchange Online. Mailbox plans correspond to Microsoft 365 and Office 365 license
types. When you assign a license to a new user, the corresponding mailbox plan is used
to configure the settings on the new mailbox that's created. If you change the license
that's assigned to an existing user, the settings in the mailbox plan that's associated with
the new license are applied to the user's existing mailbox.

The following table describes the mailbox plans that you're likely to see in Exchange
Online.

Subscription or license                      Mailbox plan display name
Exchange Online Kiosk                        ExchangeOnlineDeskless
Microsoft 365 or Office 365 Enterprise F3    ExchangeOnlineDeskless
Microsoft 365 Business Basic                 ExchangeOnline
Microsoft 365 or Office 365 Enterprise E1    ExchangeOnline
Exchange Online Plan 1                       ExchangeOnline
Microsoft 365 or Office 365 Enterprise E3    ExchangeOnlineEnterprise
Microsoft 365 or Office 365 Enterprise E5    ExchangeOnlineEnterprise
Exchange Online Plan 2                       ExchangeOnlineEnterprise

Notes:

The availability of a mailbox plan in your organization is determined by your
selection when you enroll in Microsoft 365 or Office 365. A subscription might
contain multiple mailbox plans. A mailbox plan might not be available to you
based on your subscription or the age of your organization.

The name value of the mailbox plan is appended with -<GUID> (for example,
ExchangeOnlineEnterprise-44107b46-a8c4-4573-a7ba-bb004fde4d58).

For every mailbox plan (returned by the Get-MailboxPlan cmdlet), there's a
corresponding Client Access services (CAS) mailbox plan (returned by the
Get-CasMailboxPlan cmdlet). The names and display names of the mailbox plans and CAS
mailbox plans are identical, and the relationship between them is unbreakable (both the
mailbox plan and the corresponding CAS mailbox plan are assigned to the mailbox
when you license the user; you can't assign just the mailbox plan or just the CAS mailbox
plan separately).

The modifiable settings that are available in mailbox plans by using the Set-MailboxPlan
cmdlet are described in the following table:

Setting: IssueWarningQuota
Default value: Varies by license.
Description: The user receives a warning message when their mailbox reaches the
specified size. For more information, see Capacity alerts.

Setting: MaxReceiveSize
Default value: Varies by license.
Description: The maximum total message size that can be received by the mailbox. This
value is roughly 33% larger than the actual message size to account for Base64
encoding. For more information, see Exchange Online limits.

Setting: MaxSendSize
Default value: Varies by license.
Description: The maximum total message size that can be sent from the mailbox. This
value is roughly 33% larger than the actual message size to account for Base64
encoding. For more information, see Exchange Online limits.

Setting: ProhibitSendQuota
Default value: Varies by license.
Description: The user receives a warning message and they can't send messages when
their mailbox reaches the specified size (which must be greater than the
IssueWarningQuota value). For more information, see Capacity alerts.

Setting: ProhibitSendReceiveQuota
Default value: Varies by license.
Description: The user receives a warning message and they can't send or receive
messages when their mailbox reaches the specified size (which must be greater than the
ProhibitSendQuota value). For more information, see Capacity alerts.

Setting: RetainDeletedItemsFor
Default value: 14.00:00:00 (14 days)
Description: Depending on your subscription, you can change this value up to 30 days.
For more information, see Change how long permanently deleted items are kept for an
Exchange Online mailbox.

Setting: RetentionPolicy
Default value: Default MRM Policy
Description: Note: The value for this property must either be null (blank) or match the
name of the Exchange retention policy that is configured as default for the tenant;
otherwise the experience may be inconsistent when creating new mailboxes, enabling
disabled mailboxes, and changing licenses. If a mailbox is assigned an Exchange
retention policy that is not the default, the RetentionPolicy value of the mailbox will be
overwritten when changing licenses and will need to be manually reset to the original
value. For more information about retention policies, see Retention tags and retention
policies in Exchange Online.

Setting: RoleAssignmentPolicy
Default value: Default Role Assignment Policy
Description: Grants users permissions to their own mailbox and distribution groups.
For more information, see Role assignment policies.

The modifiable settings that are available in CAS mailbox plans by using the
Set-CasMailboxPlan cmdlet are described in the following table:

Setting: ActiveSyncEnabled
Default value: True
Description: Enables or disables Exchange ActiveSync (EAS) access to the mailbox.

Setting: ImapEnabled
Default value: Varies by license.
Description: Enables or disables IMAP4 access to the mailbox.

Setting: OwaMailboxPolicy
Default value: OwaMailboxPolicy-Default
Description: Configures the user's settings in Outlook on the web (formerly known as
Outlook Web App). For more information about Outlook on the web mailbox policies,
see Outlook on the web mailbox policies in Exchange Online.

Setting: PopEnabled
Default value: True
Description: Enables or disables POP3 access to the mailbox.

Modifying the settings of a mailbox plan won't update the settings of an existing
mailbox that already has the mailbox plan applied. To modify these settings on an
existing mailbox, you can:

Modify the corresponding mailbox settings directly in the Exchange admin center
(EAC) or in Exchange Online PowerShell (the Set-Mailbox and Set-CasMailbox
cmdlets).
Assign a different license to the user. The mailbox plan that corresponds to the
new license will be applied to the existing mailbox (the settings in the mailbox plan
will be applied to the existing mailbox).

What do you need to know before you begin?


Estimated time to complete each procedure: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mailbox settings" entry in
the Feature permissions in Exchange Online topic.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Tip

Having problems? Ask for help in the Exchange Online forum.

Use Exchange Online PowerShell to view mailbox plans

These examples return a summary list of all mailbox plans:

PowerShell

Get-MailboxPlan | Format-Table Name,DisplayName

PowerShell

Get-CasMailboxPlan | Format-Table Name,DisplayName

These examples return the modifiable property values in all mailbox plans:

PowerShell

Get-MailboxPlan | Format-List DisplayName,IsDefault,Max*Size,IssueWarningQuota,Prohibit*Quota,RetainDeletedItemsFor,RetentionPolicy,RoleAssignmentPolicy

PowerShell

Get-CasMailboxPlan | Format-List DisplayName,ActiveSyncEnabled,ImapEnabled,PopEnabled,OwaMailboxPolicy

These examples return detailed information for the mailbox plan named
ExchangeOnlineEnterprise.

PowerShell

Get-MailboxPlan -Identity ExchangeOnlineEnterprise | Format-List

PowerShell

Get-CasMailboxPlan -Identity ExchangeOnlineEnterprise | Format-List

This example returns the mailbox plan that's assigned to the user named Suk-Jae Yoo.

PowerShell

Get-Mailbox -Identity "Suk-Jae Yoo" | Format-List MailboxPlan

To return all mailboxes that had a specific mailbox plan applied, do the following steps:

1. Run the following command to find the distinguished name of the mailbox plan:

PowerShell

Get-MailboxPlan | Format-List DisplayName,DistinguishedName

2. Use the following syntax to return the mailboxes that have the mailbox plan
assigned:

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "MailboxPlan -eq '<MailboxPlanDistinguishedName>'"

This example returns the mailboxes that have the ExchangeOnline mailbox plan
applied.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "MailboxPlan -eq 'CN=ExchangeOnline-93f46670-2ae7-4591-baa4-ee153e090945,OU=constoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR22B009,DC=PROD,DC=OUTLOOK,DC=COM'"

For detailed syntax and parameter information, see Get-MailboxPlan and
Get-CasMailboxPlan.

Use Exchange Online PowerShell to specify the default mailbox plan

The default mailbox plan is used as the default template for new user mailboxes that
you create without a license (because the license specifies the mailbox plan). For shared
mailboxes, and resource mailboxes without a license, the ExchangeOnline mailbox plan
is assigned, regardless of the default. For more information, see Exchange Online limits.

To specify the default mailbox plan, use the following syntax:

PowerShell

Set-MailboxPlan -Identity <MailboxPlanIdentity> -IsDefault

This example specifies the ExchangeOnline mailbox plan as the default.

PowerShell

Set-MailboxPlan -Identity ExchangeOnline -IsDefault

For detailed syntax and parameter information, see Set-MailboxPlan.

Use Exchange Online PowerShell to modify mailbox plans

To modify a mailbox plan, use the following syntax:

PowerShell

Set-MailboxPlan -Identity <MailboxPlanIdentity> [-MaxReceiveSize <Size>] [-MaxSendSize <Size>] [-IssueWarningQuota <Size>] [-ProhibitSendQuota <Size>] [-ProhibitSendReceiveQuota <Size>] [-RetainDeletedItemsFor <TimeSpan>] [-RetentionPolicy <RetentionPolicyIdentity>] [-RoleAssignmentPolicy <RoleAssignmentPolicyIdentity>]

PowerShell

Set-CASMailboxPlan -Identity <MailboxPlanIdentity> [-ActiveSyncEnabled <$true | $false>] [-ImapEnabled <$true | $false>] [-PopEnabled <$true | $false>] [-OwaMailboxPolicy <PolicyIdentity>]

This example modifies the mailbox plan named ExchangeOnlineEnterprise to use the
retention policy named Contoso Retention Policy.

PowerShell

Set-MailboxPlan -Identity ExchangeOnlineEnterprise -RetentionPolicy "Contoso Retention Policy"

This example disables Exchange ActiveSync, POP3, and IMAP4 access to mailboxes in all
CAS mailbox plans.

PowerShell

Get-CASMailboxPlan | Set-CASMailboxPlan -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false

For detailed syntax and parameter information, see Set-MailboxPlan and
Set-CasMailboxPlan.

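A change made with Set-CASMailboxPlan is not pushed to mailboxes that already have that plan (see the note after the settings tables above), so after editing a plan the existing mailboxes keep their old client-access values. The following script is an added example, not code from the Microsoft documentation: it lists the mailboxes on each plan with the same MailboxPlan distinguished-name filter shown above, compares their Get-CASMailbox values with the CAS mailbox plan, and optionally reapplies the plan values with Set-CASMailbox. It assumes an existing Exchange Online PowerShell session and that an OwaMailboxPolicy value on a mailbox and on a plan can be compared by their string (name) form.

```powershell
# Added example, not code from the Microsoft documentation page.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

function Get-CasPlanDrift {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Limit the check to one plan by display name (for example, ExchangeOnlineEnterprise).
        [string]$PlanName,
        # Write the plan's values back to each drifted mailbox. Combine with -WhatIf for a dry run.
        [switch]$Remediate
    )
    # The CAS mailbox plan settings listed in the table above.
    $settings = @("ActiveSyncEnabled", "ImapEnabled", "PopEnabled", "OwaMailboxPolicy")

    $plans = Get-MailboxPlan
    if ($PlanName) { $plans = @($plans | Where-Object { $_.DisplayName -eq $PlanName }) }

    foreach ($plan in $plans) {
        # A mailbox plan and its CAS mailbox plan share the same name, so look it up by that name.
        $casPlan = Get-CASMailboxPlan -Identity $plan.Name

        # Same distinguished-name filter the article uses to list the mailboxes on a plan.
        $members = Get-Mailbox -ResultSize Unlimited -Filter "MailboxPlan -eq '$($plan.DistinguishedName)'"

        foreach ($mbx in $members) {
            $cas = Get-CASMailbox -Identity $mbx.PrimarySmtpAddress.ToString()
            $fix = @{}
            foreach ($s in $settings) {
                # Assumption: the string form is comparable for both the booleans and the
                # OwaMailboxPolicy identity (both render as their name).
                if ([string]$cas.$s -ne [string]$casPlan.$s) {
                    [pscustomobject]@{
                        Mailbox  = $mbx.PrimarySmtpAddress
                        Plan     = $plan.DisplayName
                        Setting  = $s
                        Actual   = $cas.$s
                        Expected = $casPlan.$s
                    }
                    # Keep booleans as booleans: casting the string "False" to [bool] gives $true.
                    if ($s -eq "OwaMailboxPolicy") { $fix[$s] = [string]$casPlan.$s }
                    else { $fix[$s] = [bool]$casPlan.$s }
                }
            }
            if ($Remediate -and $fix.Count -gt 0 -and
                $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Reapply CAS mailbox plan $($plan.DisplayName)")) {
                Set-CASMailbox -Identity $mbx.PrimarySmtpAddress.ToString() @fix
            }
        }
    }
}

# Usage: report drift for every plan, dry-run remediation for one plan, then apply it.
Get-CasPlanDrift | Format-Table -AutoSize
Get-CasPlanDrift -PlanName ExchangeOnlineEnterprise -Remediate -WhatIf
Get-CasPlanDrift -PlanName ExchangeOnlineEnterprise -Remediate
```

Run the report form first and review the Actual/Expected rows: a mailbox that was deliberately changed with Set-CASMailbox (for example, to disable ActiveSync for one user) shows up as drift too, and remediation would undo that per-mailbox exception.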
Automatically save sent items in delegator's mailbox in Exchange Online
Article • 02/22/2023

Mailboxes in Microsoft 365 or Office 365 can be set up so that someone (such as an
executive assistant) can access the mailbox of another person (such as a manager) and
send mail as them. These people are often called the delegate and the delegator,
respectively. We'll call them "assistant" and "manager" for simplicity's sake. When an
assistant is granted access to a manager's mailbox, it's called delegated access.

People often set up delegated access and send permissions to allow an assistant to
manage a manager's calendar where they need to send and respond to meeting
requests. By default, when an assistant sends mail as, or on behalf of, a manager, the
sent message is stored in the assistant's Sent Items folder. You can use this article to
change this behavior so that the sent message is stored in both the assistant and
manager's Sent Items folders.

Let's take a look at a quick example of how this would work in real life:

Mary is the Vice President of Global Sales. She has an extremely busy schedule and
has Rob, her executive assistant, to help manage her calendar.

To help Mary, Rob's been granted delegated access to Mary's mailbox and to send
messages on her behalf. This allows him to see what's on her calendar; schedule,
accept, and decline meeting requests; and respond to messages.

Messages that Rob sends on behalf of Mary are stored in his Sent Items folder.
Mary wants a copy, so Rob manually copies messages he's sent on her behalf from
his Sent Items folder to her Sent Items folder.

Rob wonders if there's a better way to handle Sent Items, so he asks his IT Help
Desk. He learns Mary's mailbox can be set up to store messages he sends on her
behalf in both his Sent Items and her Sent Items automatically. This is exactly what
he wants, so he asks the Help Desk to set it up.

Send As...Send on behalf...what do they mean and which should I choose?

When you set up someone as a delegate on a manager's mailbox, you can choose
whether they "Send as" the manager, or "Send on behalf" of them. The difference is
subtle, but can be important in some organizations:

Send As When someone has "Send as" permissions on a mailbox, messages they
send from that mailbox will show only the mailbox owner's name in the From: field
of the message. In the example above, if Rob has "Send as" permissions on Mary's
mailbox, messages he sends from her mailbox will show From: Mary to recipients.

Send on behalf When someone has "Send on behalf" permissions on a mailbox,
messages they send from the owner's mailbox will show that the message was sent
by someone on behalf of the mailbox owner. In the example above, if Rob has
"Send on behalf" permissions on Mary's mailbox, messages he sends from her
mailbox will show From: Rob on behalf of Mary to recipients.

The send permissions that someone has on another user's mailbox are important when
thinking about how sent items should be handled. This is because you can decide, for
each level of permissions, whether messages should be stored in just the assistant's Sent
Items folder or in both the assistant and manager's Sent Items folders. Microsoft 365
and Office 365 default to storing sent items for messages sent with "Send as" and "Send
on behalf" permissions in the assistant's Sent Items only. You can change that default
behavior using the steps below.

Tip

Managers might have multiple assistants with different levels of permissions. In the
example above, while Rob may be able to send messages on behalf of Mary, she
could have another assistant that can Send as Mary. If this was the case, Mary's IT
department could do the steps for both "Send as" and "Send on behalf"
permissions.

How do I set up a mailbox to save messages "Sent as" a manager when they're sent by an assistant?

When you do these steps, any messages sent as the manager whose mailbox you're
configuring will be saved to the manager's Sent Items folder. To set this up, just follow
the steps below. You'll need to use Windows PowerShell to complete the steps; if you
haven't used it before, go to Connect to Exchange Online PowerShell for instructions on
how to get connected. There's a great video too!

1. Connect to Exchange Online PowerShell.

2. Get the email address of the manager.

3. Use the following syntax in the Exchange Online PowerShell window:

PowerShell

Set-Mailbox <manager's email address> -MessageCopyForSentAsEnabled $true

For example, if Mary's email address is mary@contoso.com, her IT department would
run the following command:

PowerShell

Set-Mailbox mary@contoso.com -MessageCopyForSentAsEnabled $true

That's it! The manager will now automatically get a copy of any messages sent by an
assistant, in their Sent Items folder.

Tip

You can turn this off by going through the steps above and replacing $true with
$false in the Set-Mailbox command. For example, to turn it off for Mary, they'd run
the command: Set-Mailbox -Identity mary@contoso.com -MessageCopyForSentAsEnabled $false

How do I set up a mailbox to save messages "Sent on behalf" of a manager when they're sent by an assistant?

When you do these steps, any messages sent on behalf of the manager whose mailbox
you're configuring will be saved to the manager's Sent Items folder. To set this up, just
follow the steps below. You'll need to use Windows PowerShell to complete the steps; if
you haven't used it before, go to Connect to Exchange Online PowerShell for
instructions on how to get connected. There's a great video too!

1. Connect to Exchange Online PowerShell.

2. Get the email address of the manager.

3. Use the following syntax in Exchange Online PowerShell:

PowerShell

Set-Mailbox <manager's email address> -MessageCopyForSendOnBehalfEnabled $true

For example, if Mary's email address is mary@contoso.com, her IT department would
run the following command:

PowerShell

Set-Mailbox mary@contoso.com -MessageCopyForSendOnBehalfEnabled $true

That's it! The manager will now automatically get a copy of any messages sent by an
assistant, in their Sent Items folder.

Tip

You can turn this off by going through the steps above and replacing $true with
$false in the Set-Mailbox command. For example, to turn it off for Mary, they'd run
the command: Set-Mailbox mary@contoso.com -MessageCopyForSendOnBehalfEnabled $false

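The two procedures above set MessageCopyForSentAsEnabled or MessageCopyForSendOnBehalfEnabled on one manager mailbox at a time. The following script is an added example, not code from the Microsoft documentation: it finds every user mailbox that has "Send as" trustees (through Get-RecipientPermission) or "Send on behalf" delegates (the mailbox's GrantSendOnBehalfTo list), shows the current state of both copy settings, and turns on only the setting that matches the delegation in place and is still off, with a -WhatIf dry run first. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

```powershell
# Added example, not code from the Microsoft documentation page.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

# Returns one object per user mailbox that someone else is allowed to send from.
function Get-DelegatedMailbox {
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    foreach ($mbx in $mailboxes) {
        $id = $mbx.PrimarySmtpAddress.ToString()
        # "Send as" is a recipient permission; ignore the owner's own SELF entry and any Deny entries.
        $sendAs = @(Get-RecipientPermission -Identity $id -AccessRights SendAs |
            Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" -and $_.AccessControlType -eq "Allow" })
        # "Send on behalf" is a property of the mailbox itself.
        $onBehalf = @($mbx.GrantSendOnBehalfTo)
        if ($sendAs.Count -gt 0 -or $onBehalf.Count -gt 0) {
            [pscustomobject]@{
                Manager                           = $mbx.PrimarySmtpAddress
                SendAsTrustees                    = @($sendAs | ForEach-Object { $_.Trustee })
                SendOnBehalfDelegates             = $onBehalf
                MessageCopyForSentAsEnabled       = $mbx.MessageCopyForSentAsEnabled
                MessageCopyForSendOnBehalfEnabled = $mbx.MessageCopyForSendOnBehalfEnabled
            }
        }
    }
}

# Turns on the copy setting that matches each delegation type, only where it is still off.
function Enable-DelegateSentItemsCopy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)][object]$Delegation)
    process {
        $params = @{}
        if ($Delegation.SendAsTrustees.Count -gt 0 -and -not $Delegation.MessageCopyForSentAsEnabled) {
            $params.MessageCopyForSentAsEnabled = $true
        }
        if ($Delegation.SendOnBehalfDelegates.Count -gt 0 -and -not $Delegation.MessageCopyForSendOnBehalfEnabled) {
            $params.MessageCopyForSendOnBehalfEnabled = $true
        }
        if ($params.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($Delegation.Manager, "Set " + ($params.Keys -join ", "))) {
            Set-Mailbox -Identity $Delegation.Manager.ToString() @params
        }
    }
}

# Usage: review the delegations first, then dry-run, then apply.
$delegated = Get-DelegatedMailbox
$delegated | Format-Table Manager, SendAsTrustees, SendOnBehalfDelegates -AutoSize
$delegated | Enable-DelegateSentItemsCopy -WhatIf
$delegated | Enable-DelegateSentItemsCopy
```

Get-RecipientPermission is called once per mailbox, so in a large tenant the inventory step is slow; the inventory itself is worth keeping, since it is also the list of mailboxes whose outbound mail can be sent by someone other than the owner.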
Clutter notifications in Outlook in Exchange Online
Article • 02/22/2023

Tip

Focused Inbox is replacing Clutter. Learn more here: Update on Focused Inbox
and our plans for Clutter.

Clutter is a feature in Microsoft 365 and Office 365 that helps users focus on the most
important messages in their Inbox by moving lower priority messages into a new Clutter
folder.

Clutter Notifications

Clutter is enabled by users in their Microsoft 365 or Office 365 Settings options. This
article contains information for Microsoft 365 or Office 365 administrators about
notifications from Clutter to end-users.

These notifications are an integral part of the Clutter feature and therefore can't be
suspended by administrators. Clutter is a user election, similar to someone opting to use
Conversation view, and the notifications help the user understand the state of Clutter
across all clients. There is no central reporting available at this time. For information on
how to change the branding of the notifications see Change the branding of Clutter
notifications.

Note

For information on how end users can enable and begin using Clutter, see Use
Clutter to sort low priority messages in Outlook on the web.

Invitation to use Clutter

Before users enable Clutter, they may receive a Clutter invitation in their Inbox. The
invitation lets the user know that the feature is available and covers the benefits of using
Clutter.

Clutter is always running in the background, as Exchange looks at a user's mailbox and
tries to train itself to identify low-priority messages. The invitation that a user receives
provides a link to turn Clutter "on" (or enable Clutter), meaning the user now allows
Clutter to automatically move low-priority messages from their Inbox to a dedicated
folder.

To determine whether or not a user receives an invitation to enable Clutter, there are
several criteria, including:

Has Exchange looked at enough information in a user's mailbox to determine the
parameters for Clutter?

Sufficient email: Does the user receive at least 3 clutter messages and at least 3
non-clutter messages?

Watermark current: Is the state of training reflective of the user's current state?

Supported classification version: Is the version for which training is complete still
supported?

True positive rate: Are at least 85% of true clutter messages classified as clutter?

False positive rate: Are less than 20% of messages classified as clutter actually non-
clutter?

An example of the invitation notification is as follows:

Around the time that an invitation is sent, a new folder called Clutter is created and
added to their Favorites. The same invitation message will appear as the first message
inside the Clutter folder.

Cleaning up
To make sure the user understands that the new feature is on, Clutter will send another
notification to their Inbox, describing how Clutter works and how to correct Clutter
when it incorrectly moves a message to the Clutter folder. Clutter is a "learning" feature,
which means that after the user provides information to Clutter by manually moving
low-priority messages to the Clutter folder, Clutter will be able to identify similar
messages and move them automatically.

If the user finds that Clutter isn't what they need, this notification also provides a link for
turning Clutter off. In newer clients, there are specific controls for Clutter, but these
are unavailable in older clients.

Hard at work
During the first three weeks of Clutter usage, the following notification is sent
periodically for two reasons. First, it reminds the user to inspect the Clutter folder and
make sure that Clutter is filtering messages correctly. Second, this notification provides a
way for the user to provide feedback on Clutter. Additionally, there are links that provide
more information about the feature and that turn Clutter off.

Change the branding of Clutter notifications in Exchange Online
Article • 02/22/2023

Tip

Focused Inbox is going to replace Clutter. Learn more: Update on Focused Inbox
and our plans for Clutter.

The Clutter feature uses Inbox notifications to invite users and to send status messages.
The default branding used for these notifications is Outlook, but you can modify the
branding for your organization.

Change the branding of Clutter notifications (new EAC)

This article describes how to change the branding of Clutter notifications to match that
of your school, business, or organization.

Note

For more information about the types of Clutter notifications that end users in your
organization receive, see Clutter notifications in Outlook.

To begin, you will need to sign in to Microsoft 365 or Office 365 with your work or
school account.

1. Once signed in to Microsoft 365 or Office 365, go to the Microsoft 365 admin
center.

2. Click to expand Users, then select Active Users.

3. Select Add to add a user. The Create a new user account dialog will open.

4. In the Create a new user account dialog, enter a Display name and a username.
The display name will appear in the Sender field for all Clutter notifications sent to
your users. A new temporary password is generated for the new user account. Click
Create to create the account.

5. Go to the new Exchange admin center (EAC).

6. Click Recipients, and then click Mailboxes.

7. Select the user you just created. A details pane will be shown.

8. Under Mailbox settings > Email addresses, click Manage email address types.

9. In the Manage email address types display pane, click Add email address type
to add an email address to the new user account.

10. In the new email address dialog, select SMTP as the email address type, and then,
in the Email address:* box, type the following:
7a694ec2-b7c9-41eb-b562-08fd2b277ae0@[your default domain], where [your default
domain] is the domain that your organization uses. For most organizations, this would
be [your domain name].onmicrosoft.com. When finished, click OK.

11. Back in the Manage email address types dialog, click Save to associate the new
email address with the user account. All Clutter notifications sent to end users in
your organization will now originate from this account.

Change the branding of Clutter notifications (Classic EAC)

This article describes how to change the branding of Clutter notifications to match that
of your school, business, or organization.

Note

For more information about the types of Clutter notifications that end users in your
organization receive, see Clutter notifications in Outlook.

To begin, you will need to sign in to Microsoft 365 or Office 365 with your work or
school account.

1. Once signed in to Microsoft 365 or Office 365, go to the Microsoft 365 admin
center.

2. Click to expand Users, then select Active Users.

3. Select Add to add a user. The Create a new user account dialog will open.
4. In the Create a new user account dialog, enter a Display name and a username.
The display name will appear in the Sender field for all Clutter notifications sent to
your users. A new temporary password is generated for the new user account. Click
Create to create the account.

5. Go to the Exchange admin center.

6. Click recipients, and then click mailboxes.

7. Select the user you just created, and then click the pencil icon to edit the account,
as shown in the following example.

8. In the user account dialog, click Email address, and then click Add to add an
email address to the new user account.
9. In the new email address dialog, select SMTP as the email address type, and then,
in the Email address box, type the following:
7a694ec2-b7c9-41eb-b562-08fd2b277ae0@[your default domain], where [your default domain]
is the domain that your organization uses. For most organizations, this would be
[your domain name].onmicrosoft.com.

When finished, click OK.


10. Back in the user account dialog, click save to associate the new email address with
the user account. All Clutter notifications sent to end users in your organization will
now originate from this account.

Change the branding of Clutter notifications using PowerShell

You can also create a new shared mailbox as the branding mailbox using PowerShell.
Follow these steps.

1. Connect to Exchange PowerShell.

2. Type the following commands:

PowerShell

# Create the shared mailbox that will appear as the sender of Clutter notifications.
New-Mailbox -Shared -Name branding@contoso.com -DisplayName "Branding Clutter Mailbox" -Alias branding
# Keep branding@contoso.com as the primary (SMTP:) address and add the fixed Clutter
# notification address from the steps above, using your organization's default domain.
Set-Mailbox -Identity branding -EmailAddresses SMTP:branding@contoso.com,smtp:7a694ec2-b7c9-41eb-b562-08fd2b277ae0@contoso.onmicrosoft.com
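The same branding setup as a script that resolves the tenant's default domain itself, refuses to proceed if the notification address already belongs to another recipient, and verifies the result. This is an added example, not code from the Microsoft article; it assumes an existing Exchange Online PowerShell session, and the alias and display name are constructed sample values.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the Microsoft article. Assumes an existing Exchange
# Online PowerShell session and that the tenant's default accepted domain is
# what the article calls "[your default domain]". Alias and display name below
# are constructed sample values.

# The fixed local part of the Clutter notification address, as given in the article.
$ClutterLocalPart = '7a694ec2-b7c9-41eb-b562-08fd2b277ae0'
$Alias            = 'branding'
$DisplayName      = 'Branding Clutter Mailbox'   # shown to users as the notification sender

# Resolve the default accepted domain rather than typing it by hand.
$DefaultDomain = (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName
if (-not $DefaultDomain) { throw 'No default accepted domain found in this tenant.' }
$ClutterAddress = "$ClutterLocalPart@$DefaultDomain"

# Refuse to continue if that address already belongs to some other recipient;
# a proxy address can exist only once in the organization.
$owner = Get-Recipient -Identity $ClutterAddress -ErrorAction SilentlyContinue
if ($owner -and $owner.Alias -ne $Alias) {
    throw "$ClutterAddress is already assigned to $($owner.PrimarySmtpAddress); remove it there first."
}

# Create the shared branding mailbox only if it does not exist yet.
$mailbox = Get-Mailbox -Identity $Alias -ErrorAction SilentlyContinue
if (-not $mailbox) {
    $mailbox = New-Mailbox -Shared -Name $Alias -Alias $Alias -DisplayName $DisplayName
}

# Add the notification address as a secondary proxy address (lowercase smtp:).
# The hashtable form appends without touching the existing primary address.
$current = @($mailbox.EmailAddresses | ForEach-Object { "$_" })
if ($current -notcontains "smtp:$ClutterAddress") {
    Set-Mailbox -Identity $Alias -EmailAddresses @{ add = "smtp:$ClutterAddress" }
}

# Verify: the address must now resolve to the branding mailbox.
$check = Get-Mailbox -Identity $Alias
$after = @($check.EmailAddresses | ForEach-Object { "$_" })
if ($after -contains "smtp:$ClutterAddress") {
    "Clutter notifications will show sender '$($check.DisplayName)' and originate from $ClutterAddress"
} else {
    Write-Warning "Address $ClutterAddress was not attached to $Alias."
}
```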
Enable or disable single item recovery for a mailbox in Exchange Online
Article • 02/22/2023

You can use Exchange Online PowerShell to enable or disable single item recovery on a
mailbox. In Exchange Online, single item recovery is enabled by default when a new
mailbox is created. In Exchange Server, single item recovery is disabled when a mailbox
is created. If single item recovery is enabled, messages that are permanently deleted
(purged) by the user are retained in the Recoverable Items folder of the mailbox until
the deleted item retention period expires. This lets an administrator recover messages
purged by the user before the deleted item retention period expires.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Retention policies" entry
in the Feature permissions in Exchange Online topic.

You can't use the Exchange admin center (EAC) to enable or disable single item
recovery.

In Exchange Online, the deleted item retention period is set to 14 days, by default.
You can change this setting to a maximum of 30 days. For details, see Change how
long permanently deleted items are kept for an Exchange Online mailbox.

In Exchange Server, the mailbox uses the deleted item retention settings of the
mailbox database, by default. The deleted item retention period for a mailbox
database is set to 14 days, but you can override the default by configuring this
setting on a per-mailbox basis. For details, see Change how long permanently
deleted items are kept for an Exchange Online mailbox.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange
Online or Exchange Online Protection.
Use Exchange Online PowerShell to enable single item recovery
This example enables single item recovery for the mailbox of April Summers.

PowerShell

Set-Mailbox -Identity "April Summers" -SingleItemRecoveryEnabled $true

This example enables single item recovery for the mailbox of Pilar Pinilla and sets the
number of days that deleted items are retained to 30 days.

PowerShell

Set-Mailbox -Identity "Pilar Pinilla" -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

This example enables single item recovery for all user mailboxes in the organization.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Set-Mailbox -SingleItemRecoveryEnabled $true

This example enables single item recovery for all user mailboxes in the organization and
sets the number of days that deleted items are retained to 30 days.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Set-Mailbox -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to disable single item recovery

You might need to disable single item recovery for a user's mailbox. For example, before
you can permanently delete content from a mailbox, you have to disable single item
recovery.
This example disables single item recovery for the mailbox of Ayla Kol.

PowerShell

Set-Mailbox -Identity "Ayla Kol" -SingleItemRecoveryEnabled $false

How do you know this worked?


To verify that you've enabled single item recovery for a mailbox and display the value for
how long deleted items will be retained (in days), run the following command.

PowerShell

Get-Mailbox <Name> | Format-List SingleItemRecoveryEnabled,RetainDeletedItemsFor

You can use this same command to verify that single item recovery is disabled for a
mailbox.
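The verification above checks one mailbox at a time. The following added example (not code from the Microsoft article) turns it into an audit of every user mailbox, reporting where single item recovery is disabled or the retention period is shorter than expected, with an optional remediation that honours -WhatIf. It assumes an existing Exchange Online PowerShell session with the "Retention policies" permissions named above.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the Microsoft article. Assumes an existing
# Exchange Online PowerShell session (Connect-ExchangeOnline).

function Get-SingleItemRecoveryGaps {
    # Lists user mailboxes where single item recovery is off or where purged
    # items are kept for fewer days than the organization expects.
    [CmdletBinding()]
    param(
        # 30 days is the Exchange Online maximum stated in the article.
        [ValidateRange(0, 30)][int] $ExpectedRetentionDays = 30
    )
    # The -Filter is evaluated server-side, so only user mailboxes cross the wire.
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
        ForEach-Object {
            # RetainDeletedItemsFor is a time span ("14.00:00:00"); compare whole days.
            $days    = [TimeSpan]::Parse("$($_.RetainDeletedItemsFor)").Days
            $reasons = @()
            if (-not $_.SingleItemRecoveryEnabled) { $reasons += 'SingleItemRecoveryDisabled' }
            if ($days -lt $ExpectedRetentionDays)   { $reasons += "RetainsOnly${days}Days" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox                   = $_.PrimarySmtpAddress
                    SingleItemRecoveryEnabled = $_.SingleItemRecoveryEnabled
                    RetainDeletedItemsFor     = $_.RetainDeletedItemsFor
                    # A hold keeps Recoverable Items regardless, so flag it for context.
                    LitigationHoldEnabled     = $_.LitigationHoldEnabled
                    Reasons                   = $reasons -join ';'
                }
            }
        }
}

function Repair-SingleItemRecoveryGaps {
    # Applies the fix the article shows (Set-Mailbox -SingleItemRecoveryEnabled $true
    # -RetainDeletedItemsFor N) to every mailbox the audit reported.
    # Supports -WhatIf so the change list can be reviewed before anything is written.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 30)][int] $ExpectedRetentionDays = 30)

    Get-SingleItemRecoveryGaps -ExpectedRetentionDays $ExpectedRetentionDays |
        ForEach-Object {
            $action = "Enable single item recovery and retain deleted items for $ExpectedRetentionDays days"
            if ($PSCmdlet.ShouldProcess($_.Mailbox, $action)) {
                Set-Mailbox -Identity $_.Mailbox -SingleItemRecoveryEnabled $true `
                    -RetainDeletedItemsFor $ExpectedRetentionDays
            }
        }
}

# Report first, preview the changes, then run without -WhatIf to apply them.
Get-SingleItemRecoveryGaps | Format-Table -AutoSize
Repair-SingleItemRecoveryGaps -WhatIf
```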

More information
To learn more about single item recovery, see Recoverable Items folder in
Exchange Online. To recover messages purged by the user before the deleted item
retention period expires, see Recover deleted messages in a user's mailbox.

If a mailbox is placed on In-Place Hold or Litigation Hold, messages in the
Recoverable Items folder are retained until the hold duration expires. If the hold
duration is unlimited, then items are retained until the hold is removed or the hold
duration is changed.
Recover deleted messages in a user's mailbox in Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

(This article is intended for Exchange administrators.)

Administrators can search for and recover deleted email messages in a user's mailbox.
This includes items that are permanently deleted (purged) by a person (by using the
Recover Deleted Items feature in Outlook or Outlook on the web (formerly known as
Outlook Web App)), or items deleted by an automated process, such as the retention
policy assigned to user mailboxes. In these situations, the purged items can't be
recovered by a user. But administrators can recover purged messages if the deleted item
retention period for the item hasn't expired.

Note

In addition to using this procedure to search for and recover deleted items (which
are moved to the Recoverable Items\Purges folder if either single item recovery or
litigation hold is enabled), you can also use this procedure to search for items
residing in other folders in the mailbox and to delete items from the source
mailbox (also known as search and destroy).
What do you need to know before you begin?
Estimated time to complete: 15-30 minutes.

Procedures in this article require specific permissions. See each procedure for its
permissions information.

Single item recovery must be enabled for a mailbox before the item you want to
recover is deleted. In Exchange Online, single item recovery is enabled by default
when a new mailbox is created. In Exchange Server, single item recovery is disabled
when a mailbox is created. For more information, see Enable or disable single item
recovery for a mailbox.

To search for and recover items, you must have the following information:

Source mailbox: This is the mailbox being searched.

Target mailbox: This is the discovery mailbox in which messages will be
recovered. Exchange Setup creates a default discovery mailbox. In Exchange
Online, a discovery mailbox is also created by default. If necessary, you can
create additional discovery mailboxes. For details, see Create a discovery
mailbox.

Search criteria: Criteria include sender or recipient, or keywords (words or
phrases) in the message.

This article focuses on using PowerShell to recover deleted items in a user's
mailbox. You can also use the GUI-based In-Place eDiscovery tool to find and
export deleted items to a PST file. The user will use this PST file to restore the
deleted messages to their mailbox. For detailed instructions, see Recover deleted
items in a user's mailbox - Admin Help.

Use new EAC for recovering deleted messages

1. In the new EAC, navigate to Recipients > Mailboxes.

2. Select the mailbox for which you want to recover deleted messages, and click on
the display name.

3. Under More actions, click Recover deleted items.

4. Enter values for one or more of the filter criteria from the drop-down lists.

5. Click Apply filter.


Using PowerShell to manage deleted items

Step 1: Connect to Exchange Online PowerShell


For instructions, see Connect to Exchange Online PowerShell.

Step 2: Search for and recover missing items


You need the Mailbox Import Export RBAC role before you can do this procedure or
procedures.

Note

You can use In-Place eDiscovery in the Exchange admin center (EAC) to search for
missing items. However, when using the EAC, you can't restrict the search to the
Recoverable Items folder. Messages matching your search parameters will be
returned even if they're not deleted. After they're recovered to the specified
discovery mailbox, you may need to review the search results and remove
unnecessary messages before recovering the remaining messages to the user's
mailbox or exporting them to a .pst file. For details about how to use the EAC to
perform an In-Place eDiscovery search, see Create an In-Place eDiscovery search.

Use the Exchange Online PowerShell to search for messages

PowerShell

Get-RecoverableItems -Identity laura@contoso.com -SubjectContains "FY17 Accounting" -FilterItemType IPM.Note -FilterStartTime "2/1/2018 12:00:00 AM" -FilterEndTime "2/5/2018 11:59:59 PM"

This example returns all of the available recoverable deleted messages with the specified
subject in the mailbox laura@contoso.com for the specified date/time range.

Tip

Use the Get-RecoverableItems cmdlet to create a search query to find an Outlook
item. Once you have a list of results you can use properties like last modified date,
item type, etc. to narrow the amount of items restored or to restore a specific item.

For detailed syntax and parameter information, see Get-RecoverableItems.

How do you know this worked?


To verify that you have successfully searched the messages you want to recover, log on
to the discovery mailbox you selected as the target mailbox and review the search
results.

Step 3: Restore recovered items


You need the Mailbox Import Export RBAC role before you can do this procedure or
procedures.

Note

You can't use the EAC to restore recovered items.

After messages have been recovered to a discovery mailbox, you can restore them to
the user's mailbox by using the Restore-RecoverableItems cmdlet.

Use Exchange Online PowerShell to restore messages

PowerShell

Restore-RecoverableItems -Identity "malik@contoso.com","lillian@contoso.com" -FilterItemType IPM.Note -SubjectContains "COGS FY17 Review" -FilterStartTime "3/15/2019 12:00:00 AM" -FilterEndTime "3/25/2019 11:59:59 PM" -MaxParallelSize 2

After using the Get-RecoverableItems cmdlet to verify the existence of the item, this
example restores the specified deleted items in the specified mailboxes:

Mailboxes: malik@contoso.com, lillian@contoso.com

Item type: Email message

Message subject: COGS FY17 Review

Location: Recoverable Items\Deletions

Date range: 3/15/2019 to 3/25/2019

Number of mailboxes processed simultaneously: 2


For detailed syntax and parameter information, see Restore-RecoverableItems.

How do you know this worked?


To verify that you have successfully recovered messages to the user's mailbox, have the
user review messages in the target folder you specified in the above command.
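Steps 2 and 3 above are one workflow: search, review what came back, then restore with the same filter. The following added example (not code from the Microsoft article) wraps that workflow so the restore runs with exactly the filter that was previewed and is refused when the match set is larger than expected, which guards against a broad subject match restoring far more than intended. It assumes an existing Exchange Online PowerShell session and the Mailbox Import Export role named above; the mailboxes, subject and dates in the sample call are constructed values mirroring the article's scenario.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the Microsoft article. Assumes an existing Exchange
# Online PowerShell session and the Mailbox Import Export RBAC role.

function Restore-PurgedMessagesSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]] $Mailbox,
        [Parameter(Mandatory)][string]   $SubjectContains,
        [Parameter(Mandatory)][datetime] $Start,
        [Parameter(Mandatory)][datetime] $End,
        # Guard rail: a broad subject match can pull back far more than intended.
        [int] $MaxItems = 50
    )
    # One filter, used for both the search and the restore, so what you preview
    # is exactly what gets moved back.
    $common = @{
        Identity        = $Mailbox
        SubjectContains = $SubjectContains
        FilterItemType  = 'IPM.Note'          # e-mail messages only, as in the article
        FilterStartTime = $Start
        FilterEndTime   = $End
    }

    # Step 1: search only. Nothing is moved yet.
    $found = @(Get-RecoverableItems @common)
    if ($found.Count -eq 0) { Write-Warning 'No matching recoverable items.'; return }

    # Step 2: show what was found so the result set can be sanity-checked
    # (narrow by LastModifiedTime or ItemClass if it is too broad).
    $found |
        Select-Object Subject, LastModifiedTime, ItemClass, OriginalFolderPath |
        Format-Table -AutoSize | Out-Host

    if ($found.Count -gt $MaxItems) {
        throw "Found $($found.Count) items, above the $MaxItems limit; narrow the subject or date range before restoring."
    }

    # Step 3: restore with the same filter; -WhatIf lets the operator preview first.
    # MaxParallelSize accepts 1-10, so one slot per mailbox up to that ceiling.
    $parallel = [Math]::Min(10, $Mailbox.Count)
    if ($PSCmdlet.ShouldProcess(($Mailbox -join ', '), "Restore $($found.Count) item(s) from Recoverable Items")) {
        Restore-RecoverableItems @common -MaxParallelSize $parallel
    }
}

# Constructed sample call mirroring the article's scenario; drop -WhatIf to restore.
Restore-PurgedMessagesSafely -Mailbox 'malik@contoso.com','lillian@contoso.com' `
    -SubjectContains 'COGS FY17 Review' -Start '3/15/2019' -End '3/25/2019 11:59:59 PM' -WhatIf
```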

More information
The ability to recover deleted items is enabled by single item recovery, which lets
an administrator recover a message that's been purged by a user or by retention
policy as long as the deleted item retention period hasn't expired for that item. To
learn more about single item recovery, see Recoverable Items folder in Exchange
Online.

An Exchange Online mailbox is configured to retain deleted items for 14 days, by
default. You can change this setting to a maximum of 30 days. For more
information, see Change how long permanently deleted items are kept for an
Exchange Online mailbox.

As previously explained, you can also use the In-Place eDiscovery tool to find and
export deleted items to a PST file. The user will use this PST file to restore the
deleted messages to their mailbox. For detailed instructions, see Recover deleted
items in a user's mailbox - Admin Help.

Users can recover a deleted item if it hasn't been purged and if the deleted item
retention period for that item hasn't expired. If users need to recover deleted items
from the Recoverable Items folder, point them to the following articles:

Recover deleted items in Outlook for Windows

Recover deleted email messages in Outlook on the web

In addition to using this procedure to search for and recover deleted items, you
can also use a similar procedure to search for items in user mailboxes and then
delete those items from the source mailbox. For more information, see Search for
and delete email messages.

Related article
Are you using Exchange Server? See Recover deleted messages in a user's mailbox in
Exchange Server.
Use Exchange Online PowerShell to display Microsoft 365 or Office 365 mailbox information
Article • 02/22/2023

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

Admins can learn how to use Exchange Online PowerShell to display information about
mailboxes in their Microsoft 365 or Office 365 organization.

To give you an idea of some of the things you can do with PowerShell in Microsoft 365
and Office 365, let's take a look at user mailboxes in Exchange Online PowerShell.

Before you begin


To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Display mailbox information with Exchange Online PowerShell

You can easily get information about a single user mailbox. For example, here's a
command that returns some information about Ken Myer's mailbox:

PowerShell

Get-Mailbox -Identity "Ken Myer"

This command will return something similar to this:

PowerShell

Name      Alias     ServerName    ProhibitSendQuota
----      -----     ----------    -----------------
kenmyer   kenmyer   bn1pr02mb038  49.5 GB (53,150,220,288 bytes)

You can see things like Ken's alias and his mailbox size quota. But there's a lot more
information that's associated with an Exchange Online mailbox than just the four
properties returned by the Get-Mailbox cmdlet.

Here's an example command that displays all the information for a specific mailbox:

PowerShell

Get-Mailbox -Identity "Ken Myer" | Format-List

The command instructs Exchange Online PowerShell to return all of the available
properties for the mailbox in a list. There are about 200 different properties and
property values. You can also use the Format-List and Format-Table cmdlets to return
only specific property values. For example, you can also view litigation hold-related
properties for Ken Myer with this command:

PowerShell

Get-Mailbox -Identity "Ken Myer" | Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration

You can also use wildcard characters when working with the Format-List cmdlet. For
example, all the litigation hold properties start with the letters lit . You can retrieve this
same information by using this command:

PowerShell

Get-Mailbox -Identity "Ken Myer" | Format-List DisplayName, Lit*

This command tells Get-Mailbox to retrieve the value of Ken's DisplayName property
along with the values of any properties that have names that begin with the letters lit .
Here's an example of what we get back:

PowerShell

DisplayName            : Ken Myer
LitigationHoldEnabled  : False
LitigationHoldDate     :
LitigationHoldOwner    :
LitigationHoldDuration : Unlimited

You can return information about multiple mailboxes by leaving out the Identity
parameter. This example returns the DisplayName and LitigationHoldEnabled
properties for all mailboxes:

PowerShell

Get-Mailbox -ResultSize unlimited | Format-Table DisplayName, LitigationHoldEnabled -Auto

In many cases, you only want to look at a subset of your mailboxes. For example,
suppose you are asked to come up with a list of all the mailboxes that have been
assigned a litigation hold. You can use the Where-Object cmdlet in conjunction with the
Get-Mailbox cmdlet. The Where-Object cmdlet needs a filter phrase to tell Exchange
Online PowerShell what set of mailboxes you are interested in.

In their simplest form, filter phrases use the syntax "<PropertyName> -<ComparisonOperator> <PropertyValue>".

Some commonly used comparison operators are:

eq (equals; not case-sensitive)

ne (does not equal; not case-sensitive)

gt (greater than)

lt (less than)

For a complete list of comparison operators, see Where-Object.

Values for <PropertyValue> depend on the property, and can be values like strings,
numbers, Boolean values ( $True or $False ), or no value ( $Null ). Text values with
spaces require quotation marks around the value. Numerical values, Boolean values, and
$Null don't require quotation marks around the value.

Returning to our example of all the mailboxes that have been assigned a litigation hold,
the filter phrase is "LitigationHoldEnabled -eq $True" :

The property name is LitigationHoldEnabled .

The comparison operator is eq .

The property value we're looking for is $True .

Once you have the filter phrase, you can construct the Where-Object portion of the
command using this syntax:

PowerShell

Get-Mailbox -ResultSize unlimited | Where-Object {$_.<Filter Phrase>}

Here's the command for our example:

PowerShell

Get-Mailbox -ResultSize unlimited | Where-Object {$_.LitigationHoldEnabled -eq $True}

For another example, suppose you'd like to make sure that all of your users have the
junk email rule enabled. Here's a quick command to find any users who don't have that
rule enabled:

PowerShell

Get-Mailbox -ResultSize unlimited | Get-MailboxJunkEmailConfiguration | Where-Object {$_.Enabled -eq $False}

This is just one example. If you want to display a set of mailboxes based on a setting and
can't filter on that setting in the Microsoft 365 admin center, do these steps:

1. Find the mailbox property that corresponds to the setting you're interested in by
running the command Get-Mailbox -Identity "<MailboxIdentity>" | Select-Object *
to list all the properties of a mailbox. <MailboxIdentity> is any unique identifier
for the mailbox (name, email address, alias, etc.).

2. Construct your Office 365 PowerShell command like this: Get-Mailbox -ResultSize
unlimited | Where-Object {$_.<PropertyName> -<ComparisonOperator> <PropertyValue>}
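The two checks the article walks through (litigation hold on the mailbox, junk e-mail rule on the mailbox's junk configuration) combined into one report of user mailboxes missing either protection. This is an added example, not code from the Microsoft article; it assumes an existing Exchange Online PowerShell session, and the CSV output path is a constructed default.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the Microsoft article. Assumes an existing Exchange
# Online PowerShell session; the CSV path is a constructed default.

function Get-MailboxProtectionReport {
    [CmdletBinding()]
    param([string] $CsvPath = (Join-Path $env:TEMP 'mailbox-protection.csv'))

    # RecipientTypeDetails is filterable, so let the service narrow the set
    # (server-side -Filter) instead of pulling every recipient and filtering locally.
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'")

    $rows = foreach ($m in $mailboxes) {
        # Junk rule state is not a Get-Mailbox property; it lives on a separate object.
        $junk = Get-MailboxJunkEmailConfiguration -Identity $m.Identity
        [pscustomobject]@{
            DisplayName            = $m.DisplayName
            PrimarySmtpAddress     = $m.PrimarySmtpAddress
            LitigationHoldEnabled  = [bool]$m.LitigationHoldEnabled
            LitigationHoldDuration = "$($m.LitigationHoldDuration)"
            JunkRuleEnabled        = [bool]$junk.Enabled
        }
    }

    # Where-Object is client-side: each clause is the article's
    # "<PropertyName> -<ComparisonOperator> <PropertyValue>" form, joined with -or.
    $report = @($rows | Where-Object { $_.LitigationHoldEnabled -eq $false -or $_.JunkRuleEnabled -eq $false })

    $report | Export-Csv -Path $CsvPath -NoTypeInformation
    Write-Verbose "$($report.Count) of $($mailboxes.Count) user mailboxes need attention; saved to $CsvPath" -Verbose
    $report
}

Get-MailboxProtectionReport |
    Format-Table DisplayName, PrimarySmtpAddress, LitigationHoldEnabled, JunkRuleEnabled -AutoSize
```

Get-MailboxJunkEmailConfiguration is called once per mailbox, so on a large tenant expect the report to take a while; run it from a scheduled session rather than interactively.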
Create and manage groups in the new Exchange admin center in Exchange Online
Article • 01/27/2023

Use the new Exchange admin center (EAC) to create, modify, export, or remove groups
in your Exchange Online organization.

There are four types of groups that can be used to distribute messages:

Microsoft 365 group (formerly known as Office 365 group) is used for
collaboration between teams, both inside and outside your company, by giving
them a group email and a shared workspace for conversations, files, and calendars.

Note

Microsoft 365 group is the recommended group as it provides the teams a
shared workspace to communicate, share files, appointments, emails, contacts
and other mailbox items.

Distribution list group is used for sending emails/notifications to a group of
people.

Dynamic distribution list group is used to expedite the mass sending of email
messages and other information within a Microsoft Exchange organization.

Mail-enabled security group is used for granting access to resources such as
OneDrive, SharePoint, and emailing notifications to those users.

For more information, see groups.

Create a group
1. Login to the new Exchange admin center , and navigate to Recipients > Groups.

The Groups page is displayed.

2. Click Add a group and follow the instructions in the details pane.

For more information, see Create a group.

On the Finish tab, under Review and finish adding group, verify all the details,
and then click Create group.

3. Click Close.

For more information, see Use groups to collaborate effectively.

Edit a group
1. From the list view, select the group that you want to edit, and click the selected
group name.

2. In the details pane, do the following:

In the General section, you can edit the Basic information and the Email address
of the group.

In the Members section, you can view, manage, and add Owners and Members
to the group.

In the Settings section, you can do the following:

a. For Microsoft 365 group, you can edit/check the confirmation boxes under
General settings, change the status in Privacy settings, and then click Save to
save the changes.

b. For Distribution list group and Mail-enabled security group, you can
edit/check the confirmation box to allow external senders to email this group
and then click Advanced Settings to edit/manage more settings in the
Exchange admin center.

In the Microsoft Teams section, you can manage your Teams settings in the
Microsoft Teams admin center.

Note

Microsoft Teams can be added to only a Microsoft 365 group. This option is
not available for the other groups. To create a team, all group owners must
have a license that includes Teams.

Export a group
You can export group details in a .csv file format.
1. Select the group from the list view that you want to export and click Export
groups.

The dialog box to confirm the export is displayed.

2. Click Continue.

The .csv format of the group details file is downloaded.

Naming policy
You can add prefixes and suffixes to your group names.

1. Click Add naming policy.

2. In the Edit group naming policy details pane, do the following:

In the Policy section, provide the details.

In Blocked words, add specific words that you want to block from being used
in group names and aliases.

3. Click Save.

Upgrade the Distribution list group

You can upgrade a Distribution list group to a Microsoft 365 group.

1. Select the group from the list view that you want to upgrade and click Upgrade
distribution group.

The dialog box to confirm the upgrade is displayed.

2. Click Upgrade.

Note

The upgrade is a permanent change and cannot be reversed.

Other actions
1. Click Refresh to update the list of groups page after adding a group or editing the
details of a group.
2. Click ... to perform the following actions:

Click Edit name and description to edit the group information.

Click Delete group to delete the selected group.

3. Select a group, click ... > Edit email address to edit Primary and Aliases email
address.

4. Click Filter to filter the groups based on the displayed options in the drop-down
list.

5. Enter information in the Search box to search a group, group email id, or other
details.

See one of the following topics for managing groups in the Classic Exchange admin
center:

Create and manage distribution groups

Manage mail-enabled security groups


Create and manage distribution list groups in Exchange Online
Article • 06/01/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

Use the Exchange admin center (EAC) or Exchange Online PowerShell to create, modify,
or remove distribution list groups in your Exchange Online organization.

You can use Exchange Online PowerShell to convert an existing distribution list group
into a shared mailbox. For information on how to do it, see Use the Exchange
Management Shell to convert a distribution list group into a shared mailbox.

There are two types of groups that can be used to distribute messages:

Mail-enabled universal distribution groups (also called distribution list groups) can
be used only to distribute messages.

Mail-enabled universal security groups (also called security groups) can be used to
distribute messages and to grant access permissions to resources. For more
information, see Manage mail-enabled security groups.

It's important to note the terminology differences between Active Directory and
Exchange Online. In Active Directory, a distribution list group refers to any group that
doesn't have a security context, whether it's mail-enabled or not. In contrast, in
Exchange Online, all mail-enabled groups are referred to as distribution list groups,
whether they have a security context or not.

What do you need to know before you begin?


Estimated time to complete: 2 to 5 minutes.

To open the Exchange admin center, see Exchange admin center in Exchange
Online.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need permissions before you can do this procedure or procedures. To see
what permissions you need, see the "Recipients" entry in the Feature permissions
in Exchange Online article.

If your organization has configured a group naming policy, it's applied only to
groups created by users. When you or other administrators use the EAC to create
distribution list groups, the group naming policy is ignored and isn't applied to the
group name. However, if you use Exchange Online PowerShell to create or rename
a distribution list group, the policy is applied unless you use the
IgnoreNamingPolicy parameter to override the group naming policy. For more
information, see:

Create a distribution group naming policy

Override the distribution group naming policy

Use the Exchange admin center to manage distribution list groups

Use the new EAC to create distribution list groups


1. In the new EAC , navigate to Recipients > Groups > Distribution list.

2. Click Add a group and follow the instructions in the details pane.

Under Choose a group type section, select Distribution and click Next.

Under Set up the basics section, enter the details and click Next.
3. In Assign owners section, click + Assign owners, select the group owner from the
list, and click Next.

4. Under Add members, click + Add members, select the group members from the
list, and click Next.

5. In Edit settings section, enter the group email address, select the following boxes
and then click Next:

Communication: Select the checkbox to allow people outside of the
organization to send email to this distribution list group.

Joining the group: Select who is allowed to join the group.

a. Open: Anyone can join this group without owner approval.

b. Closed: Only group owners can add members. All requests to join are
automatically denied.

c. Owner approval: Anyone can request to join this group and owners must
approve the request.

Leaving the group: Select who is allowed to leave the group.

a. Open: Anyone can leave this group without group owner approval.

b. Closed: Only group owners can remove members. All requests to leave are
automatically denied.

6. In Review and finish adding group section, verify all the details, click Create
group, and then click Close.

Use the new EAC to modify distribution list groups


1. In the new EAC, navigate to Recipients > Groups > Distribution list.

2. In the list of groups, click the distribution list group that you want to view or
change.

3. On the group's properties page, click one of the following sections to view or
change properties.

When you're finished, click Save.


Use the new EAC to convert distribution list groups into
shared mailboxes

Important

Prior to converting an existing distribution list group into a shared mailbox, replace
your existing distribution list group's address with another address so that this
distribution list group is free to be converted into a shared mailbox. An address
being used for a distribution list group cannot be converted into a shared mailbox.

Once you've freed the existing distribution list group from the email address that's to be
used for the shared mailbox, perform the following steps:

1. Create the shared mailbox.

2. Add users to the shared mailbox.

3. Assign Full Access and Send As permissions to members of a shared mailbox.

Create the shared mailbox

1. Go to Recipients > Shared > Add.

2. Fill in the required fields:

Display name: A display name based on your discretion

Email address: Specifically the email address that was freed from the
distribution list group.

3. Click Save to save your changes and create the shared mailbox.

Add users to the shared mailbox


1. Select the newly created shared mailbox. The details of this shared mailbox are
displayed.
2. Select Add members to this mailbox.
3. In the Search text box under the Search to add members pane, enter the names of
the persons who were part of the distribution list group that you had freed the
email address from.
4. Once their names appear under Members, check the checkbox corresponding to
the names of those persons you want to add as members of the shared mailbox.
5. Select Save.
Assign Full Access and Send As permissions to members of a
shared mailbox

1. Go to Recipients > Shared > Edit.

2. Click Mailbox delegation.

3. To grant Full Access and Send As permissions, click Add and then select the
users you want to grant permissions to.

Note

The Full Access permission allows a user to open the mailbox as well as create
and modify items in it. The Send As permission allows anyone other than the
mailbox owner to send email from this shared mailbox. Both permissions are
required for successful shared mailbox operation.

4. Click Save to save your changes.

Use the Exchange Management Shell to convert a distribution list group into a shared mailbox

This section describes the procedure of converting a distribution list group into a shared
mailbox using Exchange Management Shell. Prior to implementing this procedure,
ensure you have fulfilled the following prerequisites:

1. Exchange Management Shell is installed and ready to launch.

2. You have the LegacyExchangeDN of the distribution list group you're converting
into a shared mailbox by running the following command in your Exchange
Management Shell:

Get-DistributionGroup "DistributionGroupName" | Select LegacyExchangeDN

Once you've fulfilled these prerequisites, perform the following steps:

1. Delete the distribution list group and create a shared mailbox with the email
address that was freed from the distribution list group. Do this step by running the
following command:

PowerShell

New-Mailbox shareduser -Shared -UserPrincipalName name@domain.com


1. Replace the "mailboxname" with the SMTP mail address that was used by the
distribution list. For example, if the distribution list was orders@website.com,
replace the address in the command with the exact address you want your shared
mailbox to use so Microsoft knows where to send the emails.

2. Ensure that you add to the shared mailbox all the persons you intend to add as
members. For more information on how to add persons as members to the shared
mailbox, see Add users to the shared mailbox.

3. Convert the email address of the newly created shared mailbox into an x500 email
address by performing the following steps:
a. From the page displaying details of the newly created shared mailbox, click the
Email address tab.
b. Click Add, select Custom address, and then perform the following steps:

i. Enter the Distribution List’s LegacyExchangeDN.

Note

The value you enter should be similar to
/o=Organisation/ou=Administrative Group/cn=Recipients/cn=Username.

ii. Select x500 from the Email type dropdown list.

4. Select Save. The shared mailbox is created.

5. After adding the members to the newly created shared mailbox, assign the Full
Access and Send As permissions to these members by running the following
command.

PowerShell

Set-Mailbox -Identity <MailboxOrGroupIdentity> -GrantSendOnBehalfTo <Delegates> | Add-MailboxPermission -Identity <MailboxIdentity> -User <DelegateIdentity> -AccessRights FullAccess -InheritanceType All [-AutoMapping $false]

Use this command syntax in the following example:

PowerShell

Set-Mailbox -GrantSendAsTo MarketingSG | Add-MailboxPermission -User MarketingSG -AccessRights FullAccess -InheritanceType All

This example grants Full Access and Send As permissions for the security group
MarketingSG. Users who are members of the security group will be granted the
permissions to the mailbox.
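The whole conversion above, scripted end to end as an added example that is not part of the Microsoft article: it captures the LegacyExchangeDN and the members, removes the list, creates the shared mailbox on the freed address, adds the X500 proxy, and grants the permissions. It assumes an existing Connect-ExchangeOnline session; the list address and display name at the bottom are placeholders, and Send As is granted with Add-RecipientPermission, the Exchange Online cmdlet for that right on a mailbox.

```powershell
# Added example, not from the Microsoft article. Assumes an existing
# Connect-ExchangeOnline session whose account can manage recipients.
function Convert-DistributionListToSharedMailbox {
    param(
        [Parameter(Mandatory)][string]$ListIdentity,   # the distribution list to convert
        [Parameter(Mandatory)][string]$SharedName      # display name for the new mailbox
    )

    # 1. Capture what the shared mailbox must inherit before the list is deleted:
    #    its SMTP address, its LegacyExchangeDN (for the X500 proxy) and its members.
    $dl      = Get-DistributionGroup -Identity $ListIdentity -ErrorAction Stop
    $address = $dl.PrimarySmtpAddress.ToString()
    $x500    = 'X500:' + $dl.LegacyExchangeDN
    $members = Get-DistributionGroupMember -Identity $dl.Identity -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object { $_.PrimarySmtpAddress.ToString() }

    # 2. Free the address. New-Mailbox fails while the directory still resolves it,
    #    so poll until the old recipient is gone instead of assuming it is immediate.
    Remove-DistributionGroup -Identity $dl.Identity -Confirm:$false
    $deadline = (Get-Date).AddMinutes(5)
    while ((Get-Date) -lt $deadline -and (Get-Recipient -Identity $address -ErrorAction SilentlyContinue)) {
        Start-Sleep -Seconds 15
    }
    if (Get-Recipient -Identity $address -ErrorAction SilentlyContinue) {
        throw "Address $address is still in use; stopping before creating the mailbox."
    }

    # 3. Create the shared mailbox on the freed address.
    $mbx = New-Mailbox -Shared -Name $SharedName -DisplayName $SharedName -PrimarySmtpAddress $address

    # 4. Keep the list's LegacyExchangeDN as an X500 proxy address. Outlook resolves
    #    recipients of old messages by X500, so replies to mail that went to the list
    #    still reach the shared mailbox instead of bouncing.
    Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ Add = $x500 }

    # 5. Grant each former member Full Access and Send As. In Exchange Online, Send As
    #    on a mailbox is a recipient permission, so it is set with Add-RecipientPermission.
    foreach ($member in $members) {
        Add-MailboxPermission -Identity $mbx.Identity -User $member -AccessRights FullAccess `
            -InheritanceType All -AutoMapping $false | Out-Null
        Add-RecipientPermission -Identity $mbx.Identity -Trustee $member -AccessRights SendAs `
            -Confirm:$false | Out-Null
    }

    # 6. Report what was actually applied so the result can be checked against the list.
    $check      = Get-Mailbox -Identity $mbx.Identity
    $hasX500    = [bool]($check.EmailAddresses | Where-Object { $_.ToString() -ieq $x500 })
    $fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and $_.User -notlike 'NT AUTHORITY\*' }
    $sendAs     = Get-RecipientPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' }

    [pscustomobject]@{
        Mailbox         = $check.PrimarySmtpAddress
        ExpectedMembers = @($members).Count
        HasX500Proxy    = $hasX500
        FullAccessCount = @($fullAccess).Count
        SendAsCount     = @($sendAs).Count
    }
}

# Placeholder values; replace them with the list and name from your tenant.
Convert-DistributionListToSharedMailbox -ListIdentity 'orders@contoso.example' -SharedName 'Orders'
```

The returned counts should equal ExpectedMembers; a lower number means a member was skipped (for example, a mail contact that cannot hold Full Access).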

General
Use this section to view or change basic information about the group.

Name: This name appears in the address book, on the To line when email is sent to
this group, and in the Groups list. The display name is required and should be
user-friendly so people recognize what it is. It also has to be unique in your
domain.

Description: Use this box to describe the group so people know what the purpose
of the group is. This description appears in the address book and in the Details
pane in the new EAC.

Email options
Use this section to view or change the email addresses associated with the group. This
includes the group's primary SMTP addresses and any associated proxy addresses.
Under Edit email addresses page, change/edit the Primary email address, add/delete
Aliases, and then click Save changes.

You can also select the group and then click Edit email address from the toolbar to
change/edit the Primary email address, add/delete Aliases, and then click Save
changes.

Members
Use this section to change/edit the following:

Under Owners section, click View all and manage owners to add/remove group
owners from the drop-down list and then click Save changes. The distribution list
group must have at least one owner.

Under Members section, click View all and manage members to add/remove
group members from the drop-down list and then click Save changes. The
distribution list group must have at least one member.

Settings
Under General settings section, select the checkbox Allow external senders to email
this group if you want to allow the external users to send email to this group.

Delivery management

Use this section to manage who can send email to this group.

Sender options: By default, only people inside your organization can send
message to this group. You can also allow people outside the organization to send
message to this group.

Only allow messages from people inside my organization: Select this option to
allow only senders in your organization to send messages to the group. This
means that if someone outside your organization sends an email message to this
group, it is rejected. This is the default setting.

Allow messages from people inside and outside my organization: Select this
option to allow anyone to send messages to the group.

Specified senders: You can further limit who can send messages to the group by
allowing only specific senders to send messages to this group. Select/remove one
or more recipients/group from the drop-down list. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in
the list will be rejected.

Important

If you've configured the group to allow only senders inside your organization
to send messages to the group, email sent from a mail contact is rejected,
even if they're added to this list.

Manage delegates
Use this section to assign permissions to a user (called a delegate) to allow them to send
messages as the group or send messages on behalf of the group. You can assign the
following permissions:

Send As: This permission allows the delegate to send messages as the group. After
this permission is assigned, the delegate has the option to add the group to the
From line to indicate that the message was sent by the group.
Send on Behalf: This permission also allows a delegate to send messages on
behalf of the group. After this permission is assigned, the delegate has the option
to add the group to the From line. The message will appear to be sent by the
group and will say that it was sent by the delegate on behalf of the group.

To assign permissions to delegates in new EAC, add the delegates under the Edit
delegates page, select the Permission type from the drop-down list and click Save
changes.

Message approval

Use this section to set options for moderating the group. Moderators approve or reject
messages sent to the group before they reach the group members.

Require moderator approval for messages sent to this group: This check box isn't
selected by default. If you select this check box, incoming messages are reviewed
by the group moderators before delivery. Group moderators can approve or reject
incoming messages.

Group moderators: To add/remove group moderators, search/add users from the
drop-down list. If you've selected Require moderator approval for messages sent
to this group and you don't select a moderator, messages to the group are sent to
the group owners for approval.

Add senders who don't require message approval: To add/remove users that can
bypass moderation for this group, search/add users from the drop-down list.

Notify a sender if their message isn't approved: Use this section to set how users
are notified about message approval.

Only sender: This is the default setting. Notify all senders, inside and outside your
organization, when their message isn't approved.

Only senders in your organization: When you select this option, only users or
groups in your organization are notified when a message that they sent to the
group isn't approved by a moderator.

No notifications: When you select this option, notifications aren't sent to senders
whose messages aren't approved by the group moderators.

Membership approvals
Use this section to edit membership approvals and to specify if group owner approval is
needed for users to join or leave this group.

Joining the group: View or edit who is allowed to join the group.

1. Open: Anyone can join this group without owner approval.

2. Closed: Only group owners can add members. All requests to join are
automatically denied.

3. Owner approval: Anyone can request to join this group and owners must
approve the request.

Leaving the group: View or edit who is allowed to leave the group.

1. Open: Anyone can leave this group without group owner approval.

2. Closed: Only group owners can remove members. All requests to leave are
automatically denied.

Use the new EAC to remove distribution list groups


1. In the new EAC, go to Recipients > Groups.

2. In the list of groups, select the distribution list group that you want to remove, and
then click Delete group from the toolbar.

Use the new EAC to convert distribution list groups into shared mailboxes
You can convert an existing distribution list group into a shared mailbox. For information
on how to do it, see How to convert a distribution list to a shared mailbox.

Use the Classic EAC to create distribution list groups

You can now create a Microsoft 365 group instead of a distribution group, if you have a
Microsoft 365 or Office 365 for business plan or an Exchange Online plan. Microsoft 365
groups have the features of a distribution group and much more. With Microsoft 365
groups, you can send email to a group, share a common calendar, and have a library for
storing and working on group files and folders. Click New > Microsoft 365 group to
get started and see Learn about Microsoft 365 Groups.
If you have existing distribution groups that you want to migrate to Microsoft 365
groups, see Upgrade distribution lists to Microsoft 365 Groups in Outlook.

If you still want to create distribution list groups, use the following steps:

1. In the Classic EAC, go to Recipients > Groups.

2. Click New, and then select Distribution group.

3. In the New distribution group page that opens, configure the following settings.
Settings marked with an * are required.

*Display name: This name appears in your organization's address book, on
the To: line when email is sent to this group, and in the Groups list in the EAC.
The display name is required, must be unique, and should be user-friendly so
people recognize what it is.

*Alias: Use this box to type the name of the alias for the group. The alias can't
exceed 64 characters and must be unique. When a user types the alias in the
To line of an email message, it resolves to the group's display name.

*Email address: The email address consists of the alias on the left side of the
at (@) symbol, and a domain on the right side. By default, the value of Alias is
used for the alias value, but you can change it. For the domain value, click the
drop-down and select an accepted domain in your organization.

Notes: This description appears in the address book and in the Details pane
in the Classic EAC.

*Owners: A group owner can add members to the group, approve or reject
requests to join or leave the group, and approve or reject messages sent to
the group. By default, the person who creates a group is the owner. All
groups must have at least one owner.

To add owners, click Add. In the dialog that appears, find and select a
recipient or group, and then click add ->. Repeat this step as many times as
necessary. When you're finished, click OK.

To remove an owner, select the owner, and then click Remove.

Members: Add and remove group members and specify whether approval is
required for people to join or leave the group.

Use Add group owners as members to add or remove the owners as
members (this setting is selected by default).

To add members, click Add. In the dialog that appears, find and select a
recipient or group, and then click add ->. Repeat this step as many times as
necessary. When you're finished, click OK.

To remove a member, select the member, and then click Remove.

Choose whether owner approval is required to join the group: Specify
whether approval is required for people to join the group. Select one of the
following settings:

Open: Anyone can join this group without being approved by the group
owners. This is the default value.

Closed: Members can be added only by the group owners. All requests to
join will be rejected automatically.

Owner Approval: All requests are manually approved or rejected by the
group owners. If you select this option, the group owners will receive an
email message requesting approval to join the group.

Choose whether the group is open to leave: Specify whether approval is
required for people to leave the group. Select one of the following settings:

Open: Anyone can leave this group without being approved by the group
owners. This is the default value.

Closed: Members can be removed only by the group owners. All requests
to leave will be rejected automatically.

For more information about using Exchange Online PowerShell to create
distribution groups, see New-DistributionGroup.

4. When you're finished, click Save to create the distribution list group.

Note

By default, new distribution groups only accept messages from
authenticated (internal) senders, and messages from external senders
are rejected. To configure a distribution group to accept messages from
all senders, you need to modify the message delivery restriction
settings for the group.

You can create or mail-enable only universal distribution groups. To
convert a domain-local or a global group to a universal group, you can
use the Set-Group cmdlet using Exchange Online PowerShell. You may
have mail-enabled groups that were migrated from previous versions of
Exchange that are not universal groups. You can use the Classic EAC or
Exchange Online PowerShell to manage these groups.

Use the Classic EAC to modify distribution list groups


1. In the Classic EAC, go to Recipients > Groups.

2. In the list of groups, select the distribution list group that you want to modify, and
then click Edit.

3. On the distribution group properties page that opens, click one of the following
tabs to view or change properties.

4. When you're finished, click Save.

General
Use this tab to view or change basic information about the group.

Display name: This name appears in the address book, on the To line when email is
sent to this group, and in the Groups list. The display name is required and should
be user-friendly so people recognize what it is. It also has to be unique in your
domain.

If you've implemented a group naming policy, the display name has to conform to the
naming format defined by the policy.

Alias: This is the portion of the email address that appears to the left of the at (@)
symbol. If you change the alias, the primary SMTP address for the group will also
be changed, and contain the new alias. Also, the email address with the previous
alias will be kept as a proxy address for the group.

Email address: The email address consists of the alias on the left side of the at (@)
symbol, and a domain on the right side. By default, the value of Alias is used for
the alias value, but you can change it. For the domain value, click the drop-down
and select an accepted domain in your organization.

Notes: This description appears in the address book and in the Details pane in the
Classic EAC.
Hide this group from address lists: Select this check box if you don't want users to
see this group in the address book. To send email to this group, a sender has to
type the group's alias or email address on the To: or Cc: lines.

Ownership
Use this tab to assign group owners. The group owner can add members to the group,
approve or reject requests to join or leave the group, and approve or reject messages
sent to the group. By default, the person who creates a group is the owner. All groups
must have at least one owner.

To add owners, click Add. In the dialog that appears, find and select a recipient, and
then click add ->. Repeat this step as many times as necessary. When you're finished,
click OK.

To remove an owner, select the owner, and then click Remove.

Membership
Use this tab to add or remove group members. Group owners don't need to be
members of the group.

To add members, click Add. In the dialog that appears, find and select a recipient or
group, and then click add ->. Repeat this step as many times as necessary. When you're
finished, click OK.

To remove a member, select the member, and then click Remove.

Membership approval
Use this tab to specify whether approval is required for users to join or leave the group.

Choose whether owner approval is required to join the group: Select one of the
following settings:

Open: Anyone can join this group without being approved by the group
owners. This is the default value.

Closed: Members can be added only by the group owners. All requests to join
will be rejected automatically.

Owner Approval: All requests are manually approved or rejected by the group
owners. If you select this option, the group owners will receive an email
message requesting approval to join the group.

Choose whether the group is open to leave: Specify whether approval is required
for people to leave the group. Select one of the following settings:

Open: Anyone can leave this group without being approved by the group
owners. This is the default value.

Closed: Members can be removed only by the group owners. All requests to
leave will be rejected automatically.

Delivery management

Use this tab to manage who can send email to this group.

Only senders inside my organization: Only internal (authenticated) senders are
allowed to send messages to this group. Messages from external senders are
rejected. This is the default setting.

Senders inside and outside of my organization: Allow anyone to send messages
to the group.

You can configure the group to accept messages only from specific senders.

To add senders, click Add. In the dialog that appears, find and select a sender or
group, and then click add ->. Repeat this step as many times as necessary. When you're
finished, click OK.

To remove a sender from the list, select the sender, and then click Remove.

Important

Mail contacts are always considered external users. So, if you configure the group
to only accept messages from internal senders and you add mail contacts to the list
of allowed senders, messages from those mail contacts are still rejected.

Message approval
Use this tab to set options for moderating the group. Moderators approve or reject
messages sent to the group before they reach the group members.

Messages sent to this group need to be approved by a moderator: When you
enable moderation for the group, messages sent to the group require approval by
a specified moderator or a group owner before the message is delivered to the
group members. This setting is disabled by default.

Group moderators: To add moderators, click Add. In the dialog that appears,
find and select a recipient, and then click add ->. Repeat this step as many times as
necessary. When you're finished, click OK.

To remove a moderator, select the moderator, and then click Remove.

If you enable moderation for the group but don't specify any moderators, group owners
are responsible for approving messages that are sent to the group.

Senders who don't require message approval: Messages sent to the group by the
specified senders don't require approval from a moderator.

To add senders, click Add. In the dialog that appears, find and select a sender or
group, and then click add ->. Repeat this step as many times as necessary. When you're
finished, click OK.

To remove senders, select the senders, and then click Remove.

Select moderation notifications: Configure the sender notification options for
message approval:

Notify all senders when their messages aren't approved: Internal and external
senders are notified when their messages aren't approved. This is the default value.

Notify senders in your organization when their messages aren't approved:
Internal senders are notified when their messages aren't approved. External
senders aren't notified.

Don't notify anyone when a message isn't approved: No notification messages
are sent.

Email options
Use the Email addresses tab to view or change the email addresses associated with the
group. This includes the group's primary SMTP address and any associated proxy
addresses. The primary SMTP address (also known as the reply address) is displayed in
bold text in the address list, with the uppercase SMTP value in the Type column.

Add: Click Add. In the New email address page that appears, configure the
following settings:

Email address type: Verify SMTP is selected.

Email address: Enter the email address to add.

Make this the reply address

When you're finished, click OK.

Edit: Select the email address that you want to modify, and then click Edit. In
the Email address page that appears, configure the following settings:

Email address: Modify the existing email address.

Make this the reply address: This setting only appears if the email address you
selected isn't already the reply address.

When you're finished, click OK.

Remove: Select the email address that you want to remove, and then click Remove.
You can't remove the reply address.

MailTip
Use the MailTip tab to add an alert for potential issues before a user sends messages to
this recipient. The text is displayed in the InfoBar when this recipient is added to the To,
Cc, or Bcc lines of a new email message.

MailTips can include HTML tags, but scripts aren't allowed. The length of a custom
MailTip can't exceed 175 displayed characters. HTML tags aren't counted in the limit.

Group delegation
Use this section to assign permissions to a user (called a delegate) to allow them to send
messages as the group or send messages on behalf of the group. You can assign the
following permissions:

Send As: Allows the delegate to send messages as if they came directly from the
group. There's no indication that the message was sent by the delegate. After this
permission is assigned, the delegate has the option to add the group to the From:
line to indicate that the message was sent by the group.

Send on Behalf: Allows the delegate to send messages from the group. The From
address of these messages clearly shows that the message was sent by the
delegate ("<Delegate> on behalf of <Group>"). However, replies to these
messages are sent to the group, not to the delegate. After this permission is
assigned, the delegate has the option to add the group in the From: line.

To add delegates, click Add. In the dialog that appears, find and select a recipient or
group, and then click add ->. Repeat this step as many times as necessary. When you're
finished, click OK.

To remove a delegate from the list, select the delegate, and then click Remove.

Use the Classic EAC to remove distribution list groups


1. In the Classic EAC, go to Recipients > Groups.

2. In the list of groups, select the distribution list groups that you want to remove,
and then click Remove.

Use PowerShell to manage distribution list groups

Use Exchange Online PowerShell to create distribution list groups
This example creates a distribution list group with an alias itadmin and the name IT
Administrators. The distribution group is created in the default OU, and anyone can join
this group without approval by the group owners.

PowerShell

New-DistributionGroup -Name "IT Administrators" -Alias itadmin -MemberJoinRestriction open

For detailed syntax and parameter information, see New-DistributionGroup.

Use Exchange Online PowerShell to modify distribution list groups
Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and change
properties for distribution list groups. Advantages of using Exchange Online PowerShell
are the ability to change the properties that aren't available in the EAC and to change
properties for multiple groups. For information about which parameters correspond to
distribution list group properties, see the following articles:

Get-DistributionGroup
Set-DistributionGroup

Here are some examples of using Exchange Online PowerShell to change distribution
group properties.

This example changes the primary SMTP address (also called the reply address) for the
Seattle Employees distribution group from employees@contoso.com to
sea.employees@contoso.com. Also, the previous reply address will be kept as a proxy
address.

PowerShell

Set-DistributionGroup "Seattle Employees" -EmailAddresses SMTP:sea.employees@contoso.com,smtp:employees@contoso.com

This example enables moderation for the distribution group Customer Support and sets
the moderator to Amy. In addition, this moderated distribution group will notify senders
who send mail from within the organization if their messages aren't approved.

PowerShell

Set-DistributionGroup -Identity "Customer Support" -ModeratedBy "Amy" -ModerationEnabled $true -SendModerationNotifications 'Internal'

This example changes the user-created distribution group Dog Lovers to require the
group manager to approve users' requests to join the group. In addition, by using the
BypassSecurityGroupManagerCheck parameter, the group manager will not be notified
that a change was made to the distribution list group's settings.

PowerShell

Set-DistributionGroup -Identity "Dog Lovers" -MemberJoinRestriction 'ApprovalRequired' -BypassSecurityGroupManagerCheck

This example exports the members of a distribution group to a .csv file named
DLGroupMembers.csv.

PowerShell

$Groups = Get-DistributionGroup -ResultSize Unlimited

$Groups | ForEach-Object {
    $group = $_
    Get-DistributionGroupMember -Identity $group.Name -ResultSize Unlimited |
    ForEach-Object {
        New-Object -TypeName PSObject -Property @{
            Group = $group.DisplayName
            Member = $_.Name
            EmailAddress = $_.PrimarySMTPAddress
            RecipientType = $_.RecipientType
        }
    }
} | Export-CSV ".\DLGroupMembers.csv" -NoTypeInformation -Encoding UTF8

This example exports the members of a dynamic distribution group to a .csv file named
DDLGroupMembers.csv.

PowerShell

$Groups = Get-DynamicDistributionGroup -ResultSize Unlimited

$Groups | ForEach-Object {
    $group = $_
    Get-DynamicDistributionGroupMember -Identity $group.Name -ResultSize Unlimited |
    ForEach-Object {
        New-Object -TypeName PSObject -Property @{
            Group = $group.DisplayName
            Member = $_.Name
            EmailAddress = $_.PrimarySMTPAddress
            RecipientType = $_.RecipientType
        }
    }
} | Export-CSV ".\DDLGroupMembers.csv" -NoTypeInformation -Encoding UTF8
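The Delivery management, Message approval, Membership approvals and Manage delegates settings described in the EAC sections above are all exposed as Get-DistributionGroup properties, so they can be reviewed across every group at once. The following is an added example, not code from the Microsoft article: it reports those settings and flags groups that accept mail from anyone with no moderation; it assumes an existing Connect-ExchangeOnline session, and the CSV path is a placeholder.

```powershell
# Added example, not from the Microsoft article. Assumes an existing
# Connect-ExchangeOnline session; the CSV path is a placeholder.
function Get-DistributionGroupExposure {
    param([string]$OutputPath = '.\DLExposure.csv')

    $report = Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $g = $_
        # EAC section -> group property:
        #   Delivery management  -> RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromSendersOrMembers
        #   Message approval     -> ModerationEnabled, ModeratedBy, BypassModerationFromSendersOrMembers
        #   Membership approvals -> MemberJoinRestriction, MemberDepartRestriction
        #   Manage delegates     -> GrantSendOnBehalfTo
        $externalAllowed = -not $g.RequireSenderAuthenticationEnabled
        $restricted      = @($g.AcceptMessagesOnlyFromSendersOrMembers).Count -gt 0
        $moderated       = [bool]$g.ModerationEnabled
        $openJoin        = "$($g.MemberJoinRestriction)" -eq 'Open'

        # External senders can reach every member and nobody reviews the mail:
        # the combination that turns a list into a spam and phishing amplifier.
        $exposure = 'Low'
        if ($externalAllowed -or $openJoin) { $exposure = 'Medium' }
        if ($externalAllowed -and -not $restricted -and -not $moderated) { $exposure = 'High' }

        [pscustomobject]@{
            Group              = $g.DisplayName
            PrimarySmtpAddress = $g.PrimarySmtpAddress.ToString()
            ExternalSenders    = $externalAllowed
            RestrictedSenders  = $restricted
            Moderated          = $moderated
            Moderators         = (@($g.ModeratedBy) -join ';')
            BypassModeration   = (@($g.BypassModerationFromSendersOrMembers) -join ';')
            SendOnBehalf       = (@($g.GrantSendOnBehalfTo) -join ';')
            JoinRestriction    = "$($g.MemberJoinRestriction)"
            DepartRestriction  = "$($g.MemberDepartRestriction)"
            HiddenFromGAL      = [bool]$g.HiddenFromAddressListsEnabled
            Exposure           = $exposure
        }
    }

    $report | Sort-Object Group | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
    return $report
}

# Review the high-exposure groups, then switch them back to internal senders only,
# the equivalent of "Only allow messages from people inside my organization" in the EAC.
# -WhatIf shows the change without applying it; drop it once the list has been reviewed.
$exposed = Get-DistributionGroupExposure | Where-Object { $_.Exposure -eq 'High' }
$exposed | Format-Table Group, PrimarySmtpAddress, Moderated, JoinRestriction -AutoSize
foreach ($g in $exposed) {
    Set-DistributionGroup -Identity $g.PrimarySmtpAddress -RequireSenderAuthenticationEnabled $true -WhatIf
}
```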

How do you know these procedures worked?


To verify that you've successfully created, modified, or removed a distribution list group,
do any of the following steps:

In the new EAC, select the group to view the property or feature that you changed.
Depending on the property that you changed, it might be displayed in the details
pane for the selected group.

In the Classic EAC, go to Recipients > Groups. Verify that the group is listed (or not
listed). The Group Type is Distribution group. Select the group and click Edit to
verify the property settings.

In Exchange Online PowerShell, replace <GroupIdentity> with the name, alias, or
email address of the distribution list group, and run the following command to
verify the settings:

PowerShell

Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List


To view specific properties, run the following command:

PowerShell

Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List Name,PrimarySmtpAddress

To get a list of members in the group, replace <GroupIdentity> with the name,
alias, or email address of the distribution list group, and run the following
command:

PowerShell

Get-DistributionGroupMember -Identity "<GroupIdentity>"

For detailed syntax and parameter information, see Get-DistributionGroupMember.


Upgrade distribution lists to Microsoft
365 Groups
Article • 08/02/2023

Admins allow end users (owners) of distribution lists to upgrade their list to a Microsoft
365 Group. The end owners can't initiate this process; admins have complete control
and decide which distribution list needs to be upgraded.

Convert an existing distribution list to a Microsoft 365 Group
Admins can select the distribution list and trigger an email to the owner(s) of the eligible
distribution list from the Exchange admin center. Owners of the eligible distribution list
can upgrade it to a Microsoft 365 Group by selecting it in the email. It takes a maximum
of 5 to 10 minutes for the upgrade to complete. Both owners and admins can see the
upgraded distribution list in the Microsoft 365 Groups section once the upgrade is done.

To convert an existing distribution list to a Microsoft 365 Group, do the following:

1. In the Exchange Admin Center, go to Recipients > Group > Distribution List and
select the specific distribution list. Admins can now see the new option "Send
upgrade request". The email isn't sent at this stage.

2. If the distribution list is eligible for an upgrade, select the owners to send this
email. You can either choose all the owners or specific owners to send this email.

3. Select Send Request.

Note

You can upgrade only cloud-managed, simple, non-nested distribution lists to
Microsoft 365 groups. You can't upgrade distribution lists to Microsoft 365
groups.

If the distribution list isn't eligible for an upgrade, you get the following error message
for such distribution lists.

The end user gets the email. Once the user selects Upgrade in the email, the
distribution list is converted to a Microsoft 365 Group.

Distribution list has been upgraded to Microsoft 365 Group successfully.

Note

The email address of the distribution list will not change when users upgrade.

Create a distribution group naming
policy in Exchange Online
Article • 02/22/2023

A group naming policy lets you standardize and manage the names of distribution
groups created by users in your organization. You can add a specific prefix and suffix to
the name of a distribution group when it's created. And you can also block specific
words from being used. This helps you minimize the use of inappropriate words in
group names.

A group naming policy:

Enforces a consistent naming strategy for groups created by users.

Identifies distribution groups in the shared address book.

Suggests the function or membership of the group.

Identifies the type of users who are likely members of the group.

Identifies the geographic region the group is used in.

Blocks inappropriate words in group names.

How does a group naming policy work? When a user creates a group, they specify a
name in the Display Name field. After the group is created, Microsoft Exchange applies
the group naming policy by adding any prefix or suffix that you've defined in the group
naming policy. The full name is displayed in the distribution groups list in the Exchange
admin center (EAC), the shared address book, and the To:, Cc:, and From: fields in email
messages. If a user tries to use a word that you've blocked, they get an error message
when they try to save the new group and are asked to remove the blocked word and
save the group again.

Here are some examples of a group naming policy. In each, <Group Name> is a
descriptive name provided by the person who creates the group. Exchange adds the
prefixes and suffixes defined by the policy to the display name when the group is
created.

Text strings, with underscore characters, used for a single prefix (DG) and suffix
(Users):

DG_<Group Name>_Users

Multiple prefixes (DG and Contoso) and one suffix (Users), using text strings:

DG_Contoso_<Group Name>_Users

An attribute (Department) used for the prefix:

Department_<Group Name>

For example, say that your school populates the Department attribute for faculty
members. Here's an example of a group name created by a faculty member in the
Psychology department:

Psychology_Cognitive201

In this example, the underscore character (_) is provided as the only text string in a
second prefix to separate the department name from the group name.

What do you need to know before you begin?

Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the
Feature permissions in Exchange Online topic.

The maximum length for a group name is 64 characters. This includes the
combined number of characters in the prefix, the group name provided by the
user, and the suffix.

The group naming policy is applied only to groups created by users. When you or
other administrators use the EAC to create distribution groups, the group naming
policy is ignored and not applied to the group name.

Group names are created without spacing. We recommend that you use an
underscore character (_) or some other placeholder between text strings,
attributes, and the group name.

You can use Windows PowerShell to override the group naming policy when you
create and edit a distribution group. For more information, see Override the
distribution group naming policy.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new EAC to create a group naming policy

1. Go to the new Exchange admin center, and navigate to Recipients > Groups.

2. Click Add naming policy to add prefixes and suffixes to your group names.

3. In Edit group naming policy details pane, under Policy section, configure the
prefix by selecting either Attribute or Text in the drop-down menu.

4. Click Add prefix to add more prefixes.

5. For the suffix, in the drop-down menu, select either Attribute or Text, and
configure the suffix.

6. Click Add suffix to add more suffixes.

After you add a prefix and suffix, notice that a preview of the group naming policy
is displayed.

7. To delete a prefix or suffix from the policy, select X.

8. Under Blocked words section, add specific words that you want to block from
being used in group names and aliases.

9. When you are finished, click Save.

Use the Classic EAC to create a group naming policy

1. In the Classic EAC, select Groups > More > Configure group naming policy.

2. Under Group Naming Policy, configure the prefix by selecting either Attribute or
Text in the pull-down menu.

Attribute: Select the attribute and then click OK.

Text: Type the text string and click OK.

Notice that the text string that you typed or the attribute you selected is displayed
as a hyperlink. Click the hyperlink to change the text string or attribute.

3. Click Add to add more prefixes.

4. For the suffix, in the pull-down menu, select either Attribute or Text, and configure
the suffix.

5. Click Add to add more suffixes.

After you add a prefix or suffix, notice that a preview of the group naming policy is
displayed.

6. To delete a prefix or suffix from the policy, click Remove.

7. Click Blocked Words to add or remove blocked words.

To add a word to the list, type the word to block and click Add.

To remove a word from the list, select it and click Remove.

To edit an existing blocked word, select it and click Edit.

8. When you are finished, click Save.

How do you know this worked?

To verify that you've successfully created a group naming policy, do the following:

In the new EAC, select Recipients > Groups > Add naming policy.

In Edit group naming policy details pane, the group naming policy that you
defined is displayed under Preview policy section.

In the Classic EAC, select Groups > More > Configure group naming policy.

On the Group naming policy page, the group naming policy that you defined is
displayed under Preview of policy.

In Windows PowerShell, run the following command to display the group naming
policy.

PowerShell

Get-OrganizationConfig | Format-List DistributionGroupNamingPolicy
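As an added example (not code from the Microsoft article), the following script configures a naming policy like the ones described above with Set-OrganizationConfig, reads it back, and then audits the groups that already exist, because the policy is never applied retroactively to groups created before it was set or by administrators who used -IgnoreNamingPolicy. The policy string, blocked words and group names are constructed values; an active Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the Microsoft article.
# Assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline).

# Constructed example policy and blocked-word list. <GroupName> and <Department>
# are the literal placeholder tokens Exchange Online expects in the policy string.
$policy  = "DG_<Department>_<GroupName>_Users"
$blocked = @("CEO", "Payroll", "Confidential")

Set-OrganizationConfig -DistributionGroupNamingPolicy $policy `
                       -DistributionGroupNameBlockedWordsList $blocked

# Read the policy back (same check as the article's verification step).
$cfg = Get-OrganizationConfig
$cfg | Format-List DistributionGroupNamingPolicy, DistributionGroupNameBlockedWordsList

# Audit: the policy only shapes names at creation time. Groups created before it,
# or created by admins with -IgnoreNamingPolicy, keep their old names, so list any
# whose display name contains a blocked word or lacks the DG_ prefix / _Users suffix.
$words = $cfg.DistributionGroupNameBlockedWordsList
Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $name = $_.DisplayName
    # -match is case-insensitive, so "payroll" and "Payroll" both count as hits
    $hits = @($words | Where-Object { $name -match [regex]::Escape($_) })
    $conforms = $name -like "DG_*_Users"
    if ($hits.Count -gt 0 -or -not $conforms) {
        [pscustomobject]@{
            DisplayName   = $name
            BlockedWords  = ($hits -join ",")
            MatchesPolicy = $conforms
            WhenCreated   = $_.WhenCreated
        }
    }
} | Sort-Object WhenCreated | Format-Table -AutoSize
```

Groups flagged by the audit can then be renamed with Set-DistributionGroup (see the next article for the -IgnoreNamingPolicy behaviour when an administrator renames a group).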


Override the distribution group naming policy in Exchange Online
Article • 02/22/2023

The group naming policy for distribution groups is applied only to groups created by
users and to groups created by administrators using the new Exchange admin center
(new EAC). When you or other administrators use the classic Exchange admin center
(classic EAC) to create distribution groups, the group naming policy is ignored and not
applied to the group name.

However, if you use Exchange Online PowerShell to create or rename a distribution
group, the group naming policy is applied to groups created by administrators unless
you use the IgnoreNamingPolicy parameter to override the group naming policy.

What do you need to know before you begin?

Estimated time to complete: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the
Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to override the group naming policy when you create a new group

To override the group naming policy, run the following command.

PowerShell

New-DistributionGroup -Name <Group Name> -IgnoreNamingPolicy

For example, if the group naming policy for your organization is DG_<Group
Name>_Users, run the following command to create a group named All Administrators.

PowerShell

New-DistributionGroup -Name "All Administrators" -IgnoreNamingPolicy

When Microsoft Exchange creates this group, it uses All Administrators for both the
Name and DisplayName parameters.

Use Exchange Online PowerShell to override the group naming policy when you rename a group

To override the group naming policy when you rename an existing group with Exchange
Online PowerShell, run the following command.

PowerShell

Set-DistributionGroup -Identity <Old Group Name> -Name <New Group Name> -DisplayName <New Group Name> -IgnoreNamingPolicy

For example, let's say you created a group naming policy late one night and the next
morning you realized you misspelled the text string in the prefix. The next morning, you
see that a new group has already been created with the misspelled prefix. You can fix
the group naming policy in the EAC, but you have to use Exchange Online PowerShell to
rename the group with the misspelled name. Run the following command.

PowerShell

Set-DistributionGroup -Identity "Government_Contracts_NWRegion" -Name "Government_ContractEstimates_NWRegion" -DisplayName "Government_ContractEstimates_NWRegion" -IgnoreNamingPolicy

Important

Be sure to include the DisplayName parameter when you rename a group. If you
don't, the old name is still displayed in the shared address book on the To:, Cc:, and
From: lines in email messages.

How do you know this worked?

To verify that you've successfully created or renamed a distribution group that ignores
the group naming policy, run the following commands.

PowerShell

Get-DistributionGroup <Name> | Format-List DisplayName

PowerShell

Get-OrganizationConfig | Format-List DistributionGroupNamingPolicy

If the format of the display name for the group is different than the one enforced by
your organization's group naming policy, it worked.

Manage dynamic distribution groups in Exchange Online
Article • 02/22/2023

Note

A new version of this feature is currently being rolled out to customers. Modern
Dynamic Distribution Groups will be fully released by April 2022, replacing the
earlier method.

Dynamic distribution groups (DDGs) are mail-enabled Active Directory group objects
that are created to expedite the mass sending of email messages and other information
within a Microsoft Exchange organization.

DDGs in Exchange Online have been modernized to bring a more reliable, predictable,
and better performing experience. This change will reduce mail delivery latency, improve
service reliability, and allow you to see the members of a DDG before sending a
message.

The membership list is now stored for each DDG and is updated once every 24 hours.
You'll know exactly to whom the message is being sent, and it also addresses potential
compliance issues. By storing the calculated list of members on the DDG object,
messages can be delivered more quickly and our service will have greater reliability.

Important

Government cloud: If your tenant resides in a government cloud, including GCC,
GCC High, or DoD, Dynamic Distribution Groups function differently.

To learn more, see Using Dynamic Distribution groups in a government cloud.

Important changes in DDGs

As of April 2022, DDGs now perform differently than before. Review the changes in the
table below:

Mail delivery latency
Old behavior: Unpredictable. The time it takes to deliver mail to a DDG depends on how
complex the filters are on that DDG.
New behavior: Faster and more predictable overall. You should see delivery times more
in line with those for regular distribution groups.

Creation
Old behavior: DDGs could be used immediately after being created.
New behavior: It takes 2 hours for the initial membership list to be calculated and be
available for use.

Modification
Old behavior: DDGs could be used immediately after any changes were made.
New behavior: Users have to wait up to 2 hours for the membership list to be
recalculated and links updated.

Membership list "freshness"
Old behavior: The list of members was up to date in real time.
New behavior: The list of members for each DDG is refreshed every 24 hours.

Important

The list of DDG members might become stale. For example, if a user has left a
department that was used as a filter for the DDG, they might continue to
receive mail that's sent to the DDG for the next 24 hours until the membership
list is refreshed.

Mail flow rules (also known as transport rules) are also affected by this
behavior, because the membership list that the mail flow rules use is also
refreshed once every 24 hours.

A dynamic distribution group includes any recipient in Active Directory with
attribute values that match its filter. If a recipient's properties are modified to
match the filter, the recipient could inadvertently become a group member
and start receiving messages that are sent to the group. Well-defined,
consistent account provisioning processes will reduce the chances of this
issue occurring.

Dynamic distribution groups are not synced from Exchange Online to Azure
Active Directory or to your on-premises Active Directory. Therefore, features
such as Azure Conditional Access do not support being scoped to an
Exchange Online dynamic distribution group.

Before you begin

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the
Feature permissions in Exchange Online article.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Create a dynamic distribution group

In the new EAC

Use the new EAC to create a dynamic distribution group.

Important

It can take up to 2 hours for the initial membership list to be calculated and be
available for use.

1. In the new EAC, navigate to Recipients > Groups.

2. Select Add a group and follow the instructions in the details pane.

Under Choose a group type section, select Dynamic distribution group
and select Next.

Under Set up the basics section, enter the details and select Next.

3. In Assign Users section, select the group owner from the drop-down list.

4. Use the Members section to specify the types of recipients for the group and
set up rules that will determine membership. Select one of the following
boxes:

All recipient types: Choose this option to send messages that meet the
criteria defined for this group to all recipient types.

Only the following recipient types: Messages that meet the criteria
defined for this group will be sent to one or more of the following
recipient types:

Users with Exchange mailboxes: Select this check box if you want to
include users that have Exchange mailboxes. Users that have
Exchange mailboxes are those that have a user domain account and a
mailbox in the Exchange organization. Resource mailboxes are also
included.

Mail users with external email addresses: Select this check box if you
want to include users that have external email addresses. Users that
have external email accounts have user domain accounts in Active
Directory, but use email accounts that are external to the
organization. This enables them to be included in the global address
list (GAL) and added to distribution lists.

Resource mailboxes: Select this check box if you want to include
Exchange resource mailboxes. Resource mailboxes allow you to
administer company resources through a mailbox, such as a
conference room or a company vehicle.

Mail contacts with external email addresses: Select this check box if
you want to include contacts that have external email addresses.
Contacts that have external email addresses don't have user domain
accounts in Active Directory, but the external email address is
available in the GAL.

Mail-enabled groups: Select this check box if you want to include
security groups or distribution groups that have been mail-enabled.
Mail-enabled groups are similar to distribution groups. Email
messages that are sent to a mail-enabled group account will be
delivered to several recipients.

5. Select one of the following attributes from the drop-down list and provide a
value to define the criteria for membership in this group.

Attribute: State or province
Send message to a recipient if: The specified value matches the recipient's
State or province property.

Attribute: Company
Send message to a recipient if: The specified value matches the recipient's
Company property.

Attribute: Department
Send message to a recipient if: The specified value matches the recipient's
Department property.

Attribute: Custom attribute N (where N is a number from 1 to 15)
Send message to a recipient if: The specified value matches the recipient's
CustomAttributeN property.

Important

The values that you enter for the selected attribute must exactly match
those that appear in the recipient's properties. For example, if you enter
Washington for State or province, but the value for the recipient's
property is WA, the condition will not be met. Also, text-based values that
you specify aren't case-sensitive. For example, if you specify Contoso for
the Company attribute, messages will be sent to a recipient if this value is
contoso.

6. To add another rule to define the criteria for membership, select Add another
rule, when you've finished, select Next.

Important

If you add multiple rules to define membership, a recipient must meet
the criteria of each rule to receive a message sent to the group. In other
words, each rule is connected with the Boolean operator AND.

7. In Edit settings section, enter the group email address and select Next.

8. In Review and finish adding group section, verify all the details, select Create
group and then select Close.

Note

If you want to specify rules for attributes other than the ones available in the
new EAC, you must use Exchange Online PowerShell to create a dynamic
distribution group. Keep in mind that the filter and condition settings for
dynamic distribution groups that have custom recipient filters can be managed
only by using Exchange Online PowerShell. For an example of how to create a
dynamic distribution group with a custom query, see the next section on using
Exchange Online PowerShell to create a dynamic distribution group.

View members of a dynamic distribution group in Exchange Online
Article • 02/22/2023

Use Exchange Online PowerShell to view the list of recipients for a Dynamic Distribution
group (DDG). You can't view members of a dynamic distribution in the Exchange admin
center (EAC).

Do not use the old procedure for viewing members. The old procedure returns all users
that satisfy the DDG filters at the time you run the command. The calculated list of
members that are stored on the DDG object are not returned.

Important

If your tenant resides in a government cloud, including GCC, GCC High, or DoD,
Dynamic Distribution groups function differently.

See Using Dynamic Distribution groups in a government cloud for steps on how
to view members.

To view the members of a DDG, replace <DDGIdentity> with the name, alias, or email
address of the DDG and run the following command in Exchange Online PowerShell. The
command returns the calculated list of members that's stored on the dynamic
distribution group object.

PowerShell

Get-DynamicDistributionGroupMember -Identity <DDGIdentity>

For detailed parameter and syntax information, see
Get-DynamicDistributionGroupMember.

Refresh the membership of a DDG
If your DDG membership list isn't updated after the next 24-hour refresh interval, you
can force a membership refresh by replacing <DDGIdentity> with the name, alias, or
email address of the DDG and running the following command in Exchange Online
PowerShell:

PowerShell

Set-DynamicDistributionGroup -Identity <DDGIdentity> -ForceMembershipRefresh

For detailed syntax and parameter information, see Set-DynamicDistributionGroup.

Note

You can run the refresh command only after more than one hour has passed since
the last membership refresh.

Dynamic distribution groups are distribution groups whose membership is periodically
calculated based on specific recipient properties that are used as filters (precanned
filters or custom filters). For more information, see Manage dynamic distribution
groups.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Moderated recipients in Exchange Online
Article • 02/22/2023
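The following added example (not code from the Microsoft articles) ties together the custom-filter note from the previous article and the view/refresh procedures above: it creates a DDG with a custom RecipientFilter, then compares the stored membership list (what mail is actually delivered to) with a live evaluation of the same filter to find members that have gone stale before the next 24-hour refresh. The group name, department value and filter are constructed; an active Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the Microsoft articles.
# Assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline).
# The group name, department and filter below are constructed values.

$ddgName = "DDG-Psychology-Faculty"

# Custom filter: user mailboxes in one department. The EAC only offers
# State or province, Company, Department and CustomAttribute1-15, so a
# filter that also restricts the recipient type detail needs PowerShell.
$filter = "((RecipientTypeDetails -eq 'UserMailbox') -and (Department -eq 'Psychology'))"

if (-not (Get-DynamicDistributionGroup -Identity $ddgName -ErrorAction SilentlyContinue)) {
    New-DynamicDistributionGroup -Name $ddgName -RecipientFilter $filter | Out-Null
    Write-Host "Created $ddgName; the stored membership list can take up to 2 hours."
}

# Stored members: the calculated list kept on the DDG object. This is who
# receives mail sent to the group right now.
$stored = @(Get-DynamicDistributionGroupMember -Identity $ddgName -ResultSize Unlimited |
            Select-Object -ExpandProperty PrimarySmtpAddress)

# Live evaluation of the same filter: who matches the filter today. The
# article says not to use this to "view members", but as a reference point
# it shows how far the stored list has drifted.
$ddg  = Get-DynamicDistributionGroup -Identity $ddgName
$live = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited |
          Select-Object -ExpandProperty PrimarySmtpAddress)

$stale   = @($stored | Where-Object { $_ -notin $live })   # still delivered to, no longer match
$pending = @($live   | Where-Object { $_ -notin $stored }) # match, not yet delivered to

"Stored members: $($stored.Count)   Live matches: $($live.Count)"
"Stale (receive mail but no longer match the filter): $($stale -join ', ')"
"Pending (match the filter but do not receive mail yet): $($pending -join ', ')"

# If the drift matters now (for example someone who left the department is
# still receiving group mail), force a refresh. Exchange Online accepts this
# only if more than an hour has passed since the last refresh.
if ($stale.Count -gt 0) {
    Set-DynamicDistributionGroup -Identity $ddgName -ForceMembershipRefresh
}
```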

Sometimes it makes sense to have a second set of eyes on a message before the
message is delivered. As an Exchange Online admin, you can set this up. Requiring
approval before a message is delivered is called moderation, and the approver of the
message is called the moderator.

There are two basic ways to do moderated mail flow in Exchange Online:

Require the approval of a moderator for messages sent to a specific recipient:
You can configure groups for moderation in the Exchange admin center (EAC). For
other recipient types, you need to use Exchange Online PowerShell. For
instructions, see Configure moderated recipients in Exchange Online.

Require approval for messages that match specific criteria: You use mail flow
rules (also known as transport rules) to specify the message criteria (for example,
message content, the message sender, or message recipients) and who needs to
approve the message for delivery (which might include multiple levels of approval).
For instructions, see Use mail flow rules for message approval scenarios in Exchange
Online.

The rest of this article describes how moderation works in Exchange Online.

How the message approval process works

When you send a message to a moderated recipient in Outlook on the web (formerly
known as Outlook Web App), you're notified that your message might be delayed as
shown in the following screenshot:

The moderator receives an email notification to approve or reject the delivery of the
message. The text of the notification includes buttons to approve or reject the message,
and the attachment includes the original message to review.

Note

If an admin with the appropriate RBAC permissions joins a moderated distribution
group that's configured with auto-approval, no email notifications will be sent to
the moderator or to owners.

A message that's waiting for approval is temporarily stored in a system mailbox called
the arbitration mailbox. The original message is kept in the arbitration mailbox until a
moderator takes action on the message. The moderator can take one of the following
actions:

Approve: The message goes to the original intended recipients. The original
sender isn't notified.

Reject: A rejection message is sent to the sender. The moderator can add an
explanation as shown in the following screenshot:

Ignore or delete the approval message: An expiration message is sent to the
sender. In Exchange Online, the approval request expires after two days.

Note

The processing of expired moderated messages runs every seven days. This
means that a moderated message can expire at any time between two and
nine days.

The message flow and result of a moderator's actions are described in the following
diagram:

Moderated recipient FAQ

Q: What's the difference between a group moderator and a group owner?

A: The owner of a distribution group is responsible for managing the membership of the
group. For example, an IT admin might be the owner of the All Employees distribution
group, but the Human Resources manager might be set up as the moderator who's
responsible for approving messages that are sent to the group.

Also, messages that the owner sends to the distribution group do not need to be
approved by a moderator.

Q: What happens when the moderator sends a message to the distribution group?

A: The message goes directly to the group, bypassing the approval process.

Q: What happens when only a subset of recipients need approval?

A: Consider a message that's sent to 12 recipients, one of which is a moderated
distribution group. The message is automatically split into two copies. One message is
delivered immediately to the 11 recipients that don't require approval, and the second
message is submitted to the approval process for the moderated distribution group.

If a message is intended for more than one moderated recipient, a separate copy of the
message is automatically created for each moderated recipient and each copy goes
through the appropriate approval process.

Q: What if a distribution group contains moderated recipients that require approval?

A: A distribution group can include moderated recipients that also require approval. In
this case, after the message to the distribution group is approved, a separate approval
process occurs for each moderated recipient that's a member of the distribution group.
However, you can also enable the automatic approval of the distribution group
members after the message to the moderated distribution group is approved. To do
this, you use the BypassNestedModerationEnabled parameter on the
Set-DistributionGroup cmdlet.

Q: Is this process different if we have our own Exchange servers?

A: By default, one arbitration mailbox is used for each on-premises Exchange
organization. If you have your own Exchange servers and need more arbitration
mailboxes for load balancing, follow the instructions for adding arbitration mailboxes in
Reassign and remove arbitration mailboxes that are used for moderated recipients.
Arbitration mailboxes are system mailboxes and don't require an Exchange license.

Configure moderated recipients in Exchange Online
Article • 02/22/2023

In your Exchange Online organization, messages that are sent to moderated recipients
require the approval of a moderator before they're actually delivered. For more
information, see Moderated recipients in Exchange Online.

This article describes how to configure moderated groups in the Exchange admin center
(EAC) and all recipient types in Exchange Online PowerShell.

What do you need to know before you begin?


Estimated time to complete: 5 minutes

For more granular control over messages that need approval, you can use mail
flow rules (transport rules). For details, see Use mail flow rules for message
approval scenarios in Exchange Online.

The moderation parameters are available to modify the following types of
recipients using the corresponding cmdlets:

Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Mailbox
Set-MailContact
Set-MailPublicFolder
Set-MailUser
Set-UnifiedGroup

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Moderated Transport"
entry in the Feature permissions in Exchange Online topic.

You can use the EAC or PowerShell to configure groups for moderation. All other
recipient types can only be configured for moderation using PowerShell. To open
the EAC, see Exchange admin center in Exchange Online. To connect to Exchange
Online PowerShell, see Connect to Exchange Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to configure a moderated distribution group

Note

You can configure moderation for Microsoft 365 Groups only in Exchange Online
PowerShell using the Set-UnifiedGroup command.

Messages that the owner of the group sends to the distribution group do not need
to be approved by a moderator.

The following steps are basically the same for all other group types: distribution
groups, mail-enabled security groups, and dynamic distribution groups.

A common scenario for moderation is to control email replies to large groups. In fact,
groups with more than 5,000 members automatically have moderation configured.

This example configures moderation for the distribution group named All Employees
with the following settings:

Assign Bonnie Kearney and Rob Young as moderators.

Allow the members of the distribution group named Legal Team to bypass
moderation.

Notify internal senders if their message to the distribution group is rejected, but
do not send any notifications to external senders.

To accomplish the tasks in this example scenario, perform the following procedure:

1. In the EAC, go to Recipients > Groups.

2. In the result pane, select the All employees distribution group and click Edit.

3. On the properties page that opens, select the Message approval tab and configure
the following settings:

Select the Messages sent to this group have to be approved by a
moderator check box. You need to do this to make the remaining settings
available.

In the Group moderators list, click Add.

In the Select group moderators dialog that opens, find and select Bonnie
Kearney, click Add, find and select Rob Young, and click Add. When you're
finished, click OK.

In the Senders who don't require message approval list, click Add.

In the Select senders dialog that opens, find and select Legal Team from the
list and click Add. When you're finished, click OK.

In the Select moderation notifications section, select Notify senders in your
organization when their messages aren't approved.

4. When you're finished, click Save.

Use Exchange Online PowerShell to configure a moderated recipient

Run the following command:

PowerShell

Set-<RecipientType> -Identity <Identity> -ModerationEnabled $true -ModeratedBy <recipient1,recipient2...> -ByPassModerationFromSendersOrMembers <recipient1,recipient2...> -SendModerationNotifications <Never | Always | Internal>

This example configures the following moderation settings for the distribution group
named All Employees:

Enable moderation for the distribution group.

Designate David Hamilton and Yossi Ran as moderators.

Allow the members of the distribution group named HR to bypass moderation.

Notify internal senders if their message to the distribution group is rejected, but
do not send any notifications to external senders.

To accomplish the tasks in this example scenario, run the following command:

PowerShell

Set-DistributionGroup -Identity "All Employees" -ModerationEnabled $true -ModeratedBy "David Hamilton","Yossi Ran" -ByPassModerationFromSendersOrMembers HR -SendModerationNotifications Internal

To add or remove users from the list of moderators or recipients who bypass
moderation without affecting other entries, use the following syntax:

PowerShell

Set-<RecipientType> -Identity <Identity> -ModeratedBy @{Add="<recipient1>","<recipient2>"...; Remove="<recipient1>","<recipient2>"...} -ByPassModerationFromSendersOrMembers @{Add="<recipient1>","<recipient2>"...; Remove="<recipient1>","<recipient2>"...}

This example configures the following moderation settings for the distribution group
named All Employees:

Add the user chris@contoso.com to the list of existing moderators.

Remove the user michelle@contoso.com from the list of existing senders who
bypass moderation.

PowerShell

Set-DistributionGroup -Identity "All Employees" -ModeratedBy @{Add="chris@contoso.com"} -ByPassModerationFromSendersOrMembers @{Remove="michelle@contoso.com"}

How do you know this worked?

To verify that you have successfully configured a recipient for moderation, do the
following steps:

1. Send a test message to the moderated recipient.

2. Verify the designated moderators receive notification.

3. Verify the recipients who bypass moderation receive the message directly.
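In addition to the manual test above, the moderation settings can be read back directly. The following added example (not code from the Microsoft article) applies the "All Employees" configuration from this article, displays the effective settings, and then lists every moderated group in the tenant so that groups with an empty moderator list or a long bypass list can be reviewed. The group and people names are the article's constructed examples; an active Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the Microsoft article.
# Assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline).

$group = "All Employees"   # example group from the article

# Apply the moderation settings described in the article's example scenario.
Set-DistributionGroup -Identity $group -ModerationEnabled $true `
    -ModeratedBy "David Hamilton","Yossi Ran" `
    -BypassModerationFromSendersOrMembers "HR" `
    -SendModerationNotifications Internal

# Read back the effective settings for this one group.
Get-DistributionGroup -Identity $group |
    Format-List ModerationEnabled, ModeratedBy,
                BypassModerationFromSendersOrMembers, SendModerationNotifications

# Tenant-wide review. Two things are worth a second look:
#  - a moderated group with no moderators listed, and
#  - a bypass list that has grown so long that moderation no longer means much.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ModerationEnabled } |
    ForEach-Object {
        [pscustomobject]@{
            Group         = $_.DisplayName
            Moderators    = @($_.ModeratedBy).Count
            BypassEntries = @($_.BypassModerationFromSendersOrMembers).Count
            Notifications = $_.SendModerationNotifications
            NoModerator   = (@($_.ModeratedBy).Count -eq 0)
        }
    } |
    Sort-Object NoModerator, BypassEntries -Descending |
    Format-Table -AutoSize
```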

Manage mail-enabled security groups in Exchange Online
Article • 02/22/2023

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now!

A mail-enabled security group can be used to distribute messages and to grant access
permissions to resources in Active Directory. For more information, see Recipients in
Exchange Online.

What do you need to know before you begin?

Estimated time to complete: 2 to 5 minutes.

You need permissions before you can do this procedure or procedures. To see
what permissions you need, see the "Recipients" entry in the Feature permissions
in Exchange Online article.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the Exchange admin center to manage a mail-enabled security group

Use the new EAC to create a mail-enabled security group

1. In the new EAC, navigate to Recipients > Groups > Mail-enabled security.

2. Click Add a group and follow the instructions in the details pane.

Under Choose a group type section, select Mail-enabled security and click
Next.

Under Set up the basics section, enter the details and click Next.

3. In Assign owners section, click + Assign owners, select the group owner from the
list, and click Next.

4. Under Add members, click + Add members, select the group members from the
list, and click Next.

5. In Edit settings section, enter the group email address, configure the following and
then click Next:

Privacy: Set it to either public or private.

Add Microsoft Teams to your group: Select this to create a Team for your
group.

6. In Review and finish adding group section, verify all the details, click Create
group, and then click Close.

Use the new EAC to change mail-enabled security group properties

1. In the new EAC, navigate to Recipients > Groups > Mail-enabled security.

2. In the list of groups, click the mail-enabled security group that you want to view or
change.

3. On the group's properties page, click one of the following sections to view or
change properties.

When you're finished, click Save.

General

Use this section to view or change basic information about the group.

Name: This name appears in the address book, on the To line when email is
sent to this group, and in the Groups list. The display name is required and
should be user-friendly so people recognize what it is. It also has to be
unique in your domain.
Description: Use this box to describe the group so people know what the
purpose of the group is. This description appears in the address book and in
the Details pane in the new EAC.

Email options
Use this section to view or change the email addresses associated with the group.
This includes the group's primary SMTP addresses and any associated proxy
addresses. Under Edit email addresses page, change/edit the Primary email
address, add/delete Aliases, and then click Save changes.

You can also select the group and then click Edit email address from the toolbar to
change/edit the Primary email address, add/delete Aliases, and then click Save
changes.

Members

Use this section to change/edit the following:

Under Owners section, click View all and manage owners to add/remove
group owners from the drop-down list and then click Save changes. The
mail-enabled security group must have at least one owner.

Under Members section, click View all and manage members to add/remove
group members from the drop-down list and then click Save changes. The
mail-enabled security group must have at least one member.

Settings
Under General settings section, select the checkbox Allow external senders to
email this group if you want to allow the external users to send email to this
group.

Delivery management

Use this section to manage who can send email to this group.

Sender options

By default, only people inside your organization can send messages to this
group. You can also allow people outside the organization to send messages
to this group.
Only allow messages from people inside my organization: Select this
option to allow only senders in your organization to send messages to the
group. This means that if someone outside your organization sends an
email message to this group, it is rejected. This is the default setting.

Allow messages from people inside and outside my organization: Select
this option to allow anyone to send messages to the group.

Specified senders

You can further limit who can send messages to the group by allowing only
specific senders to send messages to this group. Select/remove one or more
recipients/group from the drop-down list. If you add senders to this list, they
are the only ones who can send mail to the group. Mail sent by anyone not in
the list will be rejected.

Important

If you've configured the group to allow only senders inside your
organization to send messages to the group, email sent from a mail
contact is rejected, even if they're added to this list.

Manage delegates
Use this section to assign permissions to a user (called a delegate) to allow them to
send messages as the group or send messages on behalf of the group. You can
assign the following permissions:

Send As: This permission allows the delegate to send messages as the group.
After this permission is assigned, the delegate has the option to add the
group to the From line to indicate that the message was sent by the group.

Send on Behalf: This permission also allows a delegate to send messages on
behalf of the group. After this permission is assigned, the delegate has the
option to add the group to the From line. The message will appear to be sent
by the group and will say that it was sent by the delegate on behalf of the
group.

To assign permissions to delegates in new EAC, add the delegates under the Edit
delegates page, select the Permission type from the drop-down list and click Save
changes.
Message approval
Use this section to set options for moderating the group. Moderators approve or
reject messages sent to the group before they reach the group members.

Require moderator approval for messages sent to this group: This check
box isn't selected by default. If you select this check box, incoming messages
are reviewed by the group moderators before delivery. Group moderators
can approve or reject incoming messages.

Group moderators: To add/remove group moderators, search/add users from
the drop-down list. If you've selected Require moderator approval for
messages sent to this group and you don't select a moderator, messages to
the group are sent to the group owners for approval.

Add senders who don't require message approval: To add/remove users that
can bypass moderation for this group, search/add users from the drop-down
list.

Notify a sender if their message isn't approved: Use this section to set how
users are notified about message approval.

Only sender: This is the default setting. Notify all senders, inside and
outside your organization, when their message isn't approved.

Only senders in your organization: When you select this option, only
users or groups in your organization are notified when a message that
they sent to the group isn't approved by a moderator.

No notifications: When you select this option, notifications aren't sent to
senders whose messages aren't approved by the group moderators.

Membership approvals
Use this section to specify if group owner approval is needed for users to join this
group.

Use the Classic EAC to create a mail-enabled security group

1. In the Classic EAC, navigate to Recipients > Groups.

2. Click New > Security group.

3. On the New security group page, complete the following fields:

* Display name: Use this box to type the display name. This name appears in
the shared address book, on the To: line when email is sent to this group, and
in the Groups list in the Classic EAC. The display name is required and should
be user-friendly so people recognize what it is. It also must be unique in the
forest.

Note

If a group naming policy is applied, you must follow the naming
constraints enforced for your organization. For more information, see
Create a distribution group naming policy. If you want to override your
organization's group naming policy, see Override the distribution group
naming policy.

* Alias: Use this box to type the alias for the security group. The alias can't
exceed 64 characters and must be unique in the forest. When a user types the
alias on the To: line of an email message, it resolves to the group's display
name.

Description: Use this box to describe the security group so people know what
the purpose of the group is.

Organizational unit: You can select an organizational unit (OU) other than the
default (which is the recipient scope). If the recipient scope is set to the
forest, the default value is set to the Users container in the Active Directory
domain that contains the computer on which the Classic EAC is running. If the
recipient scope is set to a specific domain, the Users container in that domain
is selected by default. If the recipient scope is set to a specific OU, that OU is
selected by default.

To select a different OU, click Browse. The dialog box displays all OUs in the
forest that are within the specified scope. Select the desired OU, and then
click OK.

* Owners: By default, the person who creates a group is the owner. All groups
must have at least one owner. You can add owners by clicking Add.

Members: Use this section to add members and to specify whether approval
is required for people to join or leave the group.
Group owners don't have to be members of the group. Use Add group
owners as members to add or remove the owners as members.

To add members to the group, click Add. When you've finished adding
members, click OK to return to the New security group page.

Select the Owner approval is required check box if you want the group
owners to receive user requests to join the group. If you select this option,
members can only be removed by the group owners.

4. When you've finished, click Save to create the security group.

Note

By default, all new mail-enabled security groups require that all senders be
authenticated. This prevents external senders from sending messages to mail-
enabled security groups. To configure a mail-enabled security group to accept
messages from all senders, you must modify the message delivery restriction
settings for that group.

Use the Classic EAC to change mail-enabled security group properties

1. In the Classic EAC, navigate to Recipients > Groups.

2. In the list of groups, click the security group that you want to view or change, and
then click Edit.

3. On the group properties page, click one of the following sections to view or
change properties.

When you're finished, click Save.

General
Use this section to view or change basic information about the group.

* Display name: This name appears in the address book, on the To: line when
email is sent to this group, and in the Groups list. The display name is
required and should be user-friendly so people recognize what it is. It also
has to be unique in your domain.
* Alias: This is the portion of the email address that appears to the left of the
at (@) symbol. If you change the alias, the primary SMTP address for the
group will also be changed, and contain the new alias. Also, the email address
with the previous alias will be kept as a proxy address for the group.

Description: Use this box to describe the group so people know what the
purpose of the group is. This description appears in the address book and in
the Details pane in the EAC.

Hide this group from address lists: Select this check box if you don't want
users to see this group in the address book. If this check box is selected, a
sender has to type the group's alias or email address on the To: or Cc: lines to
send mail to the group.

Tip

Consider hiding security groups because they're typically used to assign
permissions to group members and not to send email.

Organizational unit: This read-only box displays the organizational unit (OU)
that contains the security group. You have to use Active Directory Users and
Computers to move the group to a different OU.

Ownership

Use this section to assign group owners. The group owner can add members to
the group, and approve or reject requests to join the group. By default, the person
who creates a group is the owner. All groups must have at least one owner.

You can add owners by clicking Add. You can remove an owner by selecting the
owner and then clicking Remove.

Membership

Use this section to add or remove members. Group owners don't have to be
members of the group. Under Members, you can add members by clicking Add.
You can remove a member by selecting a user in the member list and then clicking
Remove.

Membership approval
Use this section to specify whether owner approval is required for users to join the
group. If you select the Owner approval is required check box, the group owner or
owners receive an email requesting approval to join the group. As previously
mentioned, only owners can remove members from the group.

Note

This option will not work with mail-enabled security groups because of
security-related limitations.

Delivery management

Use this section to manage who can send email to this group.

Only senders inside my organization: Select this option to allow only senders
in your organization to send messages to the group. This means that if
someone outside of your organization sends an email message to this group,
it will be rejected. This is the default setting.

Senders inside and outside of my organization: Select this option to allow
anyone to send messages to the group.

You can further limit who can send messages to the group by allowing only
specific senders to send messages to this group. Click Add and then select
one or more recipients. If you add senders to this list, they are the only ones
who can send mail to the group. Mail sent by anyone not in the list will be
rejected.

To remove a person or a group from the list, select them in the list and then
click Remove.

Important

If you've configured the group to allow only senders inside your
organization to send messages to the group, email sent from a mail
contact will be rejected, even if they're added to this list.

Message approval

Use this section to set options for moderating the group. Moderators approve or
reject messages sent to the group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This
check box isn't selected by default. If you select this check box, incoming
messages will be reviewed by the group moderators before delivery. Group
moderators can approve or reject incoming messages.

Group moderators: To add group moderators, click Add. To remove a
moderator, select the moderator, and then click Remove. If you've selected
"Messages sent to this group have to be approved by a moderator" and you
don't select a moderator, messages to the group will be sent to the group
owners for approval.

Senders who don't require message approval: To add people or groups that
can bypass moderation for this group, click Add. To remove a person or a
group, select the item, and then click Remove.

Select moderation notifications: Use this section to set how users are
notified about message approval.

Notify all senders when their messages aren't approved: This is the
default setting. Senders inside and outside your organization will be
notified when their messages aren't approved.

Notify senders in your organization when their messages aren't
approved: When you select this option, only people or groups in your
organization are notified when a message that they sent to the group isn't
approved by a moderator.

Don't notify anyone when a message isn't approved: When you select
this option, notifications aren't sent to message senders whose messages
aren't approved by the group moderators.

Email options

Use this section to view or change the email addresses associated with the group.
This includes the group's primary SMTP addresses and any associated proxy
addresses. The primary SMTP address (also known as the reply address) is
displayed in bold text in the address list, with the uppercase SMTP value in the
Type column.

Add: Click Add to add a new email address for this group. Select one of the
following address types:

SMTP: This is the default address type. Click this button and then type the
new SMTP address in the * Email address box.

Note

To make the new address the primary SMTP address for the group,
select the Make this the reply address check box. This check box is
displayed only when the Automatically update email addresses
based on the email address policy applied to this recipient check
box isn't selected.

Custom address type: Click this button and type one of the supported
non-SMTP email address types in the * Email address box.

Note

With the exception of X.400 addresses, Exchange doesn't validate
custom addresses for correct formatting. You must make sure that the
custom address you specify complies with the format requirements
for that address type.

Edit: To change an email address associated with the group, select it in the
list, and then click Edit.

Note

To make an existing address the primary SMTP address for the group,
select the Make this the reply address check box. As previously
mentioned, this check box is displayed only when the Automatically
update email addresses based on the email address policy applied to
this recipient check box isn't selected.

Remove: To delete an email address associated with the group, select it in the
list, and then click Remove.

Automatically update email addresses based on the email address policy
applied to this recipient: Select this check box to have the recipient's email
addresses automatically updated based on changes made to email address
policies in your organization. By default, this box is selected.

MailTip
Use this section to add a MailTip to alert users of potential issues before they send
a message to this group. A MailTip is text that's displayed in the InfoBar when this
group is added to the To, Cc, or Bcc lines of a new email message. For example,
you could add a MailTip to large groups to warn potential senders that their
message will be sent to lots of people.

Note

MailTips can include HTML tags, but scripts aren't allowed. The length of a
custom MailTip can't exceed 175 displayed characters. HTML tags aren't
counted in the limit.

Group delegation
Use this section to assign permissions to a user (called a delegate) to allow them to
send messages as the group or send messages on behalf of the group. You can
assign the following permissions:

Send As: This permission allows the delegate to send messages as the group.
After this permission is assigned, the delegate has the option to add the
group to the From line to indicate that the message was sent by the group.

Send on Behalf: This permission also allows a delegate to send messages on
behalf of the group. After this permission is assigned, the delegate has the
option to add the group in the From line. The message will appear to be sent
by the group and will say that it was sent by the delegate on behalf of the
group.

To assign permissions to delegates, click Add under the appropriate permission to
display the Select Recipient page, which displays a list of all recipients in your
Exchange organization that can be assigned the permission. Select the recipients
you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.

Use PowerShell to manage mail-enabled security groups

Use Exchange Online PowerShell to create a mail-enabled security group

This example creates a security group with an alias fsadmin and the name File Server
Managers. The security group is created in the default OU, and anyone can join this
group with approval by the group owners.

PowerShell

New-DistributionGroup -Name "File Server Managers" -Alias fsadmin -Type security

For more information about using Exchange Online PowerShell to create mail-enabled
security groups, see New-DistributionGroup.

How do you know this worked?

To verify that you've successfully created a mail-enabled security group, do one of the
following:

In the new EAC, navigate to Recipients > Groups > Mail-enabled security. The
new mail-enabled security group is displayed in the group list.

In the Classic EAC, navigate to Recipients > Groups. The new mail-enabled security
group is displayed in the group list. Under Group Type, the type is Security group.

In Exchange Online PowerShell, run the following command to display information
about the new mail-enabled security group.

PowerShell

Get-DistributionGroup <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress

Use Exchange Online PowerShell to change mail-enabled security group properties

Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and change
properties for security groups. Advantages of using Exchange Online PowerShell are the
ability to change the properties that aren't available in the EAC and to change properties
for multiple security groups. For information about which parameters correspond to
which distribution group properties, see the following articles:

Get-DistributionGroup

Set-DistributionGroup

Here are some examples of using Exchange Online PowerShell to change security group
properties.

This example displays a list of all security groups in the organization.

PowerShell

Get-DistributionGroup -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'"

This example changes the primary SMTP address (also called the reply address) for the
Seattle Administrators security group from admins@contoso.com to
seattle.admins@contoso.com. The previous reply address is kept as a proxy address
(the lowercase smtp: prefix marks a secondary address; the uppercase SMTP: prefix marks
the primary one).

PowerShell

Set-DistributionGroup "Seattle Administrators" -EmailAddresses SMTP:seattle.admins@contoso.com,smtp:admins@contoso.com

This example hides all security groups in the organization from the address book.

PowerShell

Get-DistributionGroup -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'" | Set-DistributionGroup -HiddenFromAddressListsEnabled $true

How do you know this worked?

To verify that you've successfully changed properties for a security group, do the
following:

In the new EAC, select the group to view the property or feature that you changed.
Depending on the property that you changed, it might be displayed in the details
pane for the selected group.

In the Classic EAC, select the group and then click Edit to view the property or
feature that you changed. Depending on the property that you changed, it might
be displayed in the Details pane for the selected group.

In Exchange Online PowerShell, use the Get-DistributionGroup cmdlet to verify the
changes. One advantage of using Exchange Online PowerShell is that you can view
multiple properties for multiple groups. In the example above where all security
groups were hidden from the address book, run the following command to verify
the new value.

PowerShell

Get-DistributionGroup -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'" | Format-List Name,HiddenFromAddressListsEnabled
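The following is an added example, not code from this article: it applies the delivery, moderation and address-list settings described above to one mail-enabled security group with Set-DistributionGroup, and then reports every mail-enabled security group in the tenant together with who can reach it and who can send as it. It assumes you have already connected with Connect-ExchangeOnline; "File Server Managers" is the group created earlier in this article, and the sender and moderator addresses are constructed placeholders.

```powershell
# Added example (not part of the article). Assumes Connect-ExchangeOnline has run.
# Because a mail-enabled security group also grants access to resources, the settings
# that decide who may mail it, and who may speak for it, deserve an explicit review.

function Set-SecurityGroupMailHardening {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string[]] $AllowedSenders,   # recipients who alone may mail the group
        [string[]] $Moderators        # moderators who approve messages before delivery
    )
    $settings = @{
        Identity                           = $Identity
        # Reject unauthenticated (external) senders; this is the default for new groups.
        RequireSenderAuthenticationEnabled = $true
        # Security groups exist to assign permissions, so keep them out of the address book.
        HiddenFromAddressListsEnabled      = $true
        MailTip                            = 'This group grants access to resources; use it for mail only when necessary.'
    }
    if ($AllowedSenders) {
        # Only these recipients may send to the group; everyone else is rejected.
        $settings.AcceptMessagesOnlyFromSendersOrMembers = $AllowedSenders
    }
    if ($Moderators) {
        $settings.ModerationEnabled           = $true
        $settings.ModeratedBy                 = $Moderators
        # Internal = only senders inside the organization are told when a message is rejected.
        $settings.SendModerationNotifications = 'Internal'
    }
    Set-DistributionGroup @settings
}

function Get-SecurityGroupMailExposure {
    # One row per mail-enabled security group, with the properties a reviewer should see.
    Get-DistributionGroup -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'" |
        ForEach-Object {
            $g = $_
            # Send As is stored as a recipient permission, not on the group object itself.
            $sendAs = Get-RecipientPermission -Identity $g.Identity |
                Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -ne 'NT AUTHORITY\SELF' } |
                Select-Object -ExpandProperty Trustee
            [pscustomobject]@{
                Name                   = $g.Name
                PrimarySmtpAddress     = $g.PrimarySmtpAddress
                AcceptsExternalMail    = -not $g.RequireSenderAuthenticationEnabled
                RestrictedSenders      = @($g.AcceptMessagesOnlyFromSendersOrMembers).Count -gt 0
                Moderated              = $g.ModerationEnabled
                HiddenFromAddressLists = $g.HiddenFromAddressListsEnabled
                SendOnBehalf           = @($g.GrantSendOnBehalfTo)
                SendAs                 = @($sendAs)
                Owners                 = @($g.ManagedBy)
            }
        }
}

# Usage: harden the group created earlier in this article, then list the groups that
# still accept mail from outside the organization or have delegates who can send as them.
Set-SecurityGroupMailHardening -Identity 'File Server Managers' `
    -AllowedSenders 'helpdesk@contoso.com' -Moderators 'it.manager@contoso.com'

Get-SecurityGroupMailExposure |
    Where-Object { $_.AcceptsExternalMail -or $_.SendAs.Count -gt 0 } |
    Format-Table Name, AcceptsExternalMail, Moderated, SendAs, Owners -AutoSize
```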
Manage guest access to Microsoft 365 groups in Exchange Online
Article • 02/22/2023

You can allow or block guest users who are using a specific domain. For example, let's
say your business (Contoso) has a partnership with another business (Fabrikam). You can
add Fabrikam to your allowlist so your users can add those guests to their groups.

Or, let's say you want to block personal email address domains. You can set up a
blocklist that contains domains like Gmail.com and Outlook.com.

Important information about how blocklists work

You can create either an allowlist or blocklist. But you can't set up both types of
lists. By default, whatever domains aren't in an allowlist are on a blocklist, and vice
versa.

You can create only one policy per organization. You can update that policy with
more domains, or you can delete that policy to create a new one.

This list works independently from the SharePoint Online (SPO) allow/block list. If you
want to restrict sharing of individual files from a group-connected site, you also need
to set up the SPO allow/block list.

This list doesn't apply to guest members who were already added. It is enforced only
for guests added after the list is set up.

Install the preview version of the Azure Active Directory Module for Windows PowerShell

IMPORTANT: The procedures in this article require the PREVIEW version of the Azure Active
Directory Module for Windows PowerShell, specifically the AzureADPreview module
version 2.0.0.98 or later.

1. Open Windows PowerShell as an administrator:

a. In your search bar, type Windows PowerShell.

b. Right-click on Windows PowerShell and select Run as Administrator.

The Windows PowerShell window will pop open. The prompt
C:\Windows\system32 means you opened it as an administrator.

2. Run this command to see if you have any versions of the Azure Active Directory
Module for Windows PowerShell installed on your computer:

PowerShell

Get-Module -ListAvailable AzureAD*

If no results are returned, run this command to install the latest version of the
AzureADPreview module:

PowerShell

Install-Module AzureADPreview

If only the AzureAD module is shown in the results, run these commands to
install the AzureADPreview module:

PowerShell

Uninstall-Module AzureAD

PowerShell

Install-Module AzureADPreview

If only the AzureADPreview module is shown in the results, but the version is
less than 2.0.0.98, run these commands to update it:

PowerShell

Uninstall-Module AzureADPreview

PowerShell

Install-Module AzureADPreview

If both the AzureAD and AzureADPreview modules are shown in the results,
but the version of the AzureADPreview module is less than 2.0.0.98, run
these commands to update it:

PowerShell

Uninstall-Module AzureAD

PowerShell

Uninstall-Module AzureADPreview

PowerShell

Install-Module AzureADPreview

Create a new Allow or blocklist policy

1. Did you install the AzureADPreview module as instructed above? Not having the
preview version is the #1 reason these steps don't work for people.

2. Go to Script for Allow/Block policy at Microsoft Download Center to download
the script (Set-GuestAllowBlockDomainPolicy.ps1) for Allow/Block policy.

3. Run the script with this command:

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")

Where you replace contoso.com and fabrikam.com with the domains you want to
allow.

OR

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")

Remember, you can create only one policy. You'll get an error if you try to create
another one.
Replace the existing policy with a new list of domains

To replace the existing policy with a new list of domains, run this command:

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")

Where you replace contoso.com and fabrikam.com with the domains you want to
allow.

OR

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")

Add more domains to an existing policy

To append a new domain to your policy, run this command:

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("contoso.com")

Where you replace contoso.com with the domain you want to allow.

OR

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -Append -BlockList @("contoso.com")

Migrate the existing allow/block policy from SharePoint Online

This list works independently from the SharePoint Online allow/block list. If you want
to restrict sharing of individual files from a group-connected site, you also need to set
up the allow/block list for SharePoint Online.

However, if your organization already has an allow/block list for SharePoint Online, you
can migrate that list using this command.

1. Install the SharePoint Online Management tool.

2. Run this command:

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint

Clear the domain list

To remove all the domains from your policy, run this command:

PowerShell

Set-GuestAllowBlockDomainPolicy.ps1 -Remove

Script for Allow/Block policy

Go to Script for Allow/Block policy at Microsoft Download Center to download the
script (Set-GuestAllowBlockDomainPolicy.ps1) for Allow/Block policy.
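The following is an added example, not part of this article or of the download script: it reads back the policy the script writes, applies the one-list rule described above (any domain missing from an allowlist is blocked, any domain missing from a blocklist is allowed) to a candidate guest domain, and lists the guests who were added before the policy existed and so were never checked against it. It assumes Connect-AzureAD has been run with the AzureADPreview module, and it assumes the policy is stored as an Azure AD policy of type B2BManagementPolicy whose Definition JSON contains an InvitationsAllowedAndBlockedDomainsPolicy object with AllowedDomains and BlockedDomains arrays.

```powershell
# Added example (not part of the article). Assumes Connect-AzureAD (AzureADPreview) has run.
# Assumption: the script stores the list as a B2BManagementPolicy whose Definition JSON
# carries InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains / .BlockedDomains.

function Get-GuestDomainPolicy {
    $policy = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' } |
        Select-Object -First 1
    if (-not $policy) { return $null }
    # Definition is a list of JSON strings; the first element holds the policy document.
    $def   = $policy.Definition[0] | ConvertFrom-Json
    $lists = $def.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    [pscustomobject]@{
        DisplayName    = $policy.DisplayName
        AllowedDomains = @($lists.AllowedDomains | ForEach-Object { $_.ToLowerInvariant() })
        BlockedDomains = @($lists.BlockedDomains | ForEach-Object { $_.ToLowerInvariant() })
    }
}

function Test-GuestDomainAllowed {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        $Policy                      # output of Get-GuestDomainPolicy, or $null
    )
    if (-not $Policy) { return $true }          # no policy configured: no domain restriction
    $d = $Domain.ToLowerInvariant()
    if ($Policy.AllowedDomains.Count -gt 0) {
        # Allowlist mode: every domain that is not listed is implicitly blocked.
        return [bool]($Policy.AllowedDomains -contains $d)
    }
    # Blocklist mode: every domain that is not listed is implicitly allowed.
    return -not ($Policy.BlockedDomains -contains $d)
}

function Get-GuestsOutsidePolicy {
    # The list is enforced only for guests added after it was created, so guests already
    # in the tenant need a separate review. Report the ones the current policy would refuse.
    $policy = Get-GuestDomainPolicy
    Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
        ForEach-Object {
            $mail = if ($_.Mail) { $_.Mail } else { $_.OtherMails | Select-Object -First 1 }
            if (-not $mail) { return }          # skip guests with no e-mail address on record
            $domain = ($mail -split '@')[-1]
            if (-not (Test-GuestDomainAllowed -Domain $domain -Policy $policy)) {
                [pscustomobject]@{
                    DisplayName = $_.DisplayName
                    Mail        = $mail
                    Domain      = $domain
                }
            }
        }
}

# Usage: check the partner domain from the article, then list pre-existing guests
# that the policy would block if they were invited today.
$policy = Get-GuestDomainPolicy
"fabrikam.com allowed: $(Test-GuestDomainAllowed -Domain 'fabrikam.com' -Policy $policy)"
Get-GuestsOutsidePolicy | Format-Table -AutoSize
```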
Manage mail contacts in Exchange Online
Article • 02/22/2023


In Exchange Online organizations, mail contacts are mail-enabled objects that contain
information about people who exist outside your organization. Each mail contact has an
external email address. For more information about mail contacts, see Recipients in
Exchange Online.

You manage mail contacts in the Exchange admin center (EAC) or in PowerShell
(Exchange Online PowerShell in organizations with Exchange Online mailboxes;
standalone Exchange Online Protection (EOP) in organizations without Exchange Online
mailboxes).

What do you need to know before you begin?

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need permissions before you can do this procedure or procedures. To see
what permissions you need, see the "Recipients" entry in the Feature permissions
in Exchange Online article.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the Exchange admin center to manage mail contacts

Use the new EAC to create mail contacts

1. In the new EAC, go to Recipients > Contacts.

2. Click + Add a contact and configure the following settings in the details pane.
Settings marked with an * are required.

Contact type: Select Mail contact from the drop-down list.

First name

Last name

* Display name: By default, this box shows the values from the First name and
Last name boxes. You can accept this value or change it.

* Email: Enter the user's email address. The domain should be external to your
cloud-based organization.

Company

Work phone

Mobile phone

3. When you're finished, click Add and then click Close.
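The following is an added example, not code from this article: it checks the rule stated above, that a mail contact's address should belong to a domain outside your cloud-based organization, for every mail contact in the tenant, by comparing each contact's ExternalEmailAddress against the tenant's accepted domains. It assumes you have already connected with Connect-ExchangeOnline.

```powershell
# Added example (not part of the article). Assumes Connect-ExchangeOnline has run.
# A mail contact whose external address sits in one of the tenant's own accepted
# domains contradicts the requirement above and is worth a look; the report also shows
# which contacts are hidden from address lists.

function Get-MailContactDomainReview {
    # Accepted domains belong to this organization, so a contact pointing at one is
    # not "external" in the sense the article requires.
    $accepted = Get-AcceptedDomain |
        ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() }

    Get-MailContact -ResultSize Unlimited | ForEach-Object {
        # ExternalEmailAddress is a proxy address such as "SMTP:user@partner.example";
        # strip the protocol prefix (the -replace operator is case-insensitive).
        $addr   = $_.ExternalEmailAddress.ToString() -replace '^smtp:', ''
        $domain = ($addr -split '@')[-1].ToLowerInvariant()
        [pscustomobject]@{
            Name                   = $_.Name
            Alias                  = $_.Alias
            ExternalEmailAddress   = $addr
            Domain                 = $domain
            PointsAtOwnTenant      = $accepted -contains $domain
            HiddenFromAddressLists = $_.HiddenFromAddressListsEnabled
        }
    }
}

# Usage: list only the contacts that break the "external domain" expectation.
Get-MailContactDomainReview |
    Where-Object { $_.PointsAtOwnTenant } |
    Format-Table Name, ExternalEmailAddress, HiddenFromAddressLists -AutoSize
```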

Use the new EAC to modify mail contacts

1. In the new EAC, go to Recipients > Contacts.

2. In the list of contacts, select the mail contact that you want to modify.

3. In the details pane, click the user's contact details to view or edit them.

When you're finished, click Save.


Contact Information
Use the Contact information section, to view, or edit the user's contact
information. The information on this page is displayed in the address book.

Web site

Fax phone

Street

City

State/Province

ZIP/Postal code

Country/Region

Organization
Use the Organization section, to record detailed information about the user's role
in the organization. This information is displayed in the address book. Also, you
can create a virtual organization chart that's accessible from email clients such as
Outlook.

Title: Use this box to view or change the recipient's title.

Department: Use this box to view or change the department in which the
user works. You can use this box to create recipient conditions for dynamic
distribution groups, email address policies, or address lists.

Manager: To add a manager, enter the name and select from the drop-down
list.

Direct reports: You can't modify this box. A direct report is a user who reports
to a specific manager. If you've specified a manager for the user, that user
appears as a direct report in the details of the manager's mailbox. For
example, Kari manages Chris and Kate, so Kari is specified in the Manager
box for Chris and Kate, and Chris and Kate appear in the Direct reports box in
the properties of Kari's account.

Use the new EAC to remove mail contacts

1. In the new EAC, go to Recipients > Contacts.
2. Select the mail contact that you want to remove, and then click Delete.

Note

The new EAC doesn't allow bulk edit of mail contacts yet.

Use the Classic EAC to create mail contacts

1. In the Classic EAC, go to Recipients > Contacts.

2. Click New and then select Mail contact.

3. In the New mail contact page that opens, configure the following settings.
Settings marked with an * are required.

First name

Initials: The person's middle initial.

Last name

* Display name: By default, this box shows the values from the First name,
Initials, and Last name boxes. You can accept this value or change it. The
value should be unique, and has a maximum length of 64 characters.

* Alias: Enter a unique alias, using up to 64 characters, for the user.

* External email address: Enter the user's email address. The domain should
be external to your cloud-based organization.

4. When you're finished, click Save.

Use the Classic EAC to modify mail contacts


1. In the Classic EAC, go to Recipients > Contacts.

2. In the list of contacts, select the mail contact that you want to modify, and then
click Edit.

3. On the mail contact properties page that opens, click one of the following tabs to
view or change properties.

When you're finished, click Save.


General
Use the General section to view or change basic information about the mail
contact.

First name

Initials

Last name

Display name: This name appears in your organization's address book, on the
To: and From: lines in email, and in the list of contacts in the EAC. This name
can't contain empty spaces before or after the display name.

Alias: This is the mail contact's alias. If you change it, it must be unique in the
organization and must be 64 characters or less.

External email address: This is mail contact's primary SMTP address in their
external email organization. Email sent to this contact is forwarded to this
email address.

Hide from address lists: Select this check box to prevent the mail contact
from appearing in the address book and other address lists that are defined
in your organization. After you select this check box, users can still send
messages to the recipient by using the email address.

Contact Information
Use the Contact information tab to view or change the user's contact information.
The information on this page is displayed in the address book.

Street

City

State/Province

ZIP/Postal code

Country/Region

Office

Work phone

Fax

Home phone

Mobile phone

Notes

Tip

You can use the State/Province value to create recipient conditions for
dynamic distribution groups, email address policies, or address lists.

Organization

Use the Organization tab to record detailed information about the user's role in
the organization. This information is displayed in the address book. Also, you can
create a virtual organization chart that's accessible from email clients such as
Outlook.

Title: Use this box to view or change the recipient's title.

Department: Use this box to view or change the department in which the
user works. You can use this box to create recipient conditions for dynamic
distribution groups, email address policies, or address lists.

Company: Use this box to view or change the company for which the user
works. You can use this box to create recipient conditions for dynamic
distribution groups, email address policies, or address lists.

Manager: To add a manager, click Browse. In Select Manager, select a
person, and then click OK.

Direct reports: You can't modify this box. A direct report is a user who reports
to a specific manager. If you've specified a manager for the user, that user
appears as a direct report in the details of the manager's mailbox. For
example, Kari manages Chris and Kate, so Kari is specified in the Manager
box for Chris and Kate, and Chris and Kate appear in the Direct reports box in
the properties of Kari's account.

Email Options
Use the Email Options section to add or remove proxy addresses for the mail
contact or edit existing proxy addresses. The mail contact's primary SMTP address
is also displayed in this section, but you can't change it. To change it, you have to
change the contact's external email address in the General section.

Note

The Email Options section is only available in Exchange Server. It's not
available in Exchange Online.

MailTip

Use the MailTip tab to add an alert for potential issues before a user sends
messages to this recipient. The text is displayed in the InfoBar when this recipient
is added to the To, Cc, or Bcc lines of a new email message.

MailTips can include HTML tags, but scripts aren't allowed. The length of a custom
MailTip can't exceed 175 displayed characters. HTML tags aren't counted in the
limit.

Use the Classic EAC to bulk edit mail contacts


When you bulk edit mail contacts in the EAC, you can change the following types of
properties:

Contact information

Organization

1. In the Classic EAC, navigate to Recipients > Contacts.

2. In the list of contacts, select two or more mail contacts. You can't bulk edit a
combination of mail contacts and mail users.

Tip

You can select multiple adjacent mail contacts by holding down the Shift key
and clicking the first mail contact, and then clicking the last mail contact you
want to edit. You can also select multiple mail contacts by holding down the
Ctrl key and clicking each one that you want to edit.

3. In the Details pane, under Bulk Edit, click Update under Contact Information or
Organization.

4. Make the changes on the properties page and then save your changes.

Use the Classic EAC to remove mail contacts


1. In the Classic EAC, go to Recipients > Contacts.

2. Select the mail contact that you want to remove, and then click Remove.

Use PowerShell to manage mail contacts

Use Exchange Online PowerShell to create mail contacts


This example creates a mail contact for Debra Garcia:

The name and display name is Debra Garcia (if you don't use the DisplayName
parameter, the value of the Name parameter is used for the display name).

The alias is dgarcia.

PowerShell

New-MailContact -Name "Debra Garcia" -ExternalEmailAddress dgarcia@tailspintoys.com -Alias dgarcia

For detailed syntax and parameter information, see New-MailContact.

Use Exchange Online PowerShell to modify mail contacts


In general, use the Get-Contact and Set-Contact cmdlets to view and change
organization and contact information properties. Use the Get-MailContact and Set-
MailContact cmdlets to view or change mail-related properties, such as email addresses,
the MailTip, custom attributes, and whether the contact is hidden from address lists.

For more information, see the following articles:

Get-Contact

Set-Contact

Get-MailContact

Set-MailContact

Here are some examples of using Exchange Online PowerShell to change mail contact
properties:

This example configures the Title, Department, Company, and Manager properties for
the mail contact Kai Axford.

PowerShell

Set-Contact "Kai Axford" -Title Consultant -Department "Public Relations" -Company Fabrikam -Manager "Karen Toh"

This example sets the CustomAttribute1 property to a value of PartTime for all mail
contacts and hides them from the organization's address book.

PowerShell

$Contacts = Get-MailContact -ResultSize unlimited
$Contacts | foreach {Set-MailContact -Identity $_ -CustomAttribute1 PartTime -HiddenFromAddressListsEnabled $true}

This example sets the CustomAttribute15 property to a value of TemporaryEmployee for
all mail contacts in the Public Relations department.

PowerShell

$PR = Get-Contact -ResultSize unlimited -Filter "Department -eq 'Public Relations'"
$PR | foreach {Set-MailContact -Identity $_ -CustomAttribute15 TemporaryEmployee}

Use Exchange Online PowerShell to remove mail contacts


To remove a mail contact, use the following syntax:

PowerShell

Remove-MailContact -Identity <MailUserIdentity>

This example removes the mail contact for Pilar Pinilla:

PowerShell

Remove-MailContact -Identity "Pilar Pinilla"


For detailed syntax and parameter information, see Remove-MailContact.

How do you know these procedures worked?


To verify that you've successfully created, modified, or removed mail contacts, do any of
the following steps:

In the new EAC, go to Recipients > Contacts. Verify the mail contact is listed (or
not listed). The Contact Type value is MailContact. Select the mail contact from the
list, and click to view or edit the user's details.

In the Classic EAC, go to Recipients > Contacts. Verify the mail contact is listed (or
not listed). The Contact Type value is Mail contact. Select the mail contact from
the list, and click Edit to view the properties.

In Exchange Online PowerShell, replace <MailContactIdentity> with the name,
email address, or alias of the mail contact, and run the following command to
verify that the mail contact is listed (or not listed).

PowerShell

Get-MailContact -Identity <MailContactIdentity> | Format-List Name,Alias,DisplayName,ExternalEmailAddress

In Exchange Online PowerShell, use the Get-Contact and Get-MailContact cmdlets to
verify the property changes you made.

PowerShell

Get-MailContact | Format-List
Name,CustomAttribute1,HiddenFromAddressListsEnabled

PowerShell

Get-Contact -Filter "Department -eq 'Public Relations'" | Get-MailContact | Format-List Name,CustomAttribute15

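
As an added example that is not part of the original article, the following script combines the Get-MailContact, Get-Contact and Set-MailContact usage shown above with the verification step: it checks every mail contact's external address against an allow-list of expected partner domains, reports the ones outside it together with their organization properties, and can tag them in CustomAttribute1 for follow-up. The function name, the allow-list, the tag value and an existing Connect-ExchangeOnline session are assumptions.

```powershell
# Added example, not code from the original article. Assumes an active
# Exchange Online PowerShell session (Connect-ExchangeOnline).
# Mail contacts appear in the address book and forward mail to an external
# address, so a contact pointing at an unexpected domain is worth a review.
function Get-UnexpectedMailContact {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Constructed allow-list of partner domains; replace with your own.
        [string[]] $AllowedDomains = @('tailspintoys.com', 'fabrikam.com'),

        # Hypothetical tag value written to CustomAttribute1 when -Tag is used.
        [string] $ReviewTag = 'ReviewExternalDomain',

        # Without -Tag the function only reports; nothing is changed.
        [switch] $Tag
    )

    foreach ($contact in Get-MailContact -ResultSize Unlimited) {
        # ExternalEmailAddress is a proxy address such as "SMTP:dgarcia@tailspintoys.com".
        $address = $contact.ExternalEmailAddress.ToString() -replace '^smtp:', ''
        $domain  = ($address -split '@')[-1].ToLowerInvariant()

        if ($AllowedDomains -contains $domain) { continue }

        # Organization properties (Department, Company) live on the Contact object,
        # mail properties on the MailContact object, as the article describes.
        $org = Get-Contact -Identity $contact.Identity

        [pscustomobject]@{
            Name             = $contact.Name
            Alias            = $contact.Alias
            ExternalAddress  = $address
            Domain           = $domain
            Department       = $org.Department
            Company          = $org.Company
            HiddenFromGAL    = $contact.HiddenFromAddressListsEnabled
            CustomAttribute1 = $contact.CustomAttribute1
        }

        if ($Tag -and $PSCmdlet.ShouldProcess($contact.Name, "Set CustomAttribute1 to '$ReviewTag'")) {
            Set-MailContact -Identity $contact.Identity -CustomAttribute1 $ReviewTag
        }
    }
}

# Report only.
Get-UnexpectedMailContact | Format-Table Name, ExternalAddress, Department, HiddenFromGAL

# Preview the tagging with -WhatIf, then run without it to apply.
Get-UnexpectedMailContact -Tag -WhatIf

# Verify afterwards, in the same style as the article's verification commands.
Get-MailContact -Filter "CustomAttribute1 -eq 'ReviewExternalDomain'" | Format-List Name,ExternalEmailAddress,CustomAttribute1
```
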
Manage mail users in Exchange Online
Article • 02/22/2023

In Exchange Online organizations, mail users are similar to mail contacts. Both have
external email addresses and both contain information about people outside your
Exchange Online organization that can be displayed in the shared address book and
other address lists. However, unlike a mail contact, a mail user has sign-in credentials in
your Microsoft 365 organization and can access resources. For more information about
mail contacts and mail users, see Recipients in Exchange Online.

You manage mail users in the Exchange admin center (EAC) or in PowerShell (Exchange
Online PowerShell in organizations with Exchange Online mailboxes).

What do you need to know before you begin?


To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

Mail users don't require licenses in Exchange Online.

When you create mail users in EOP PowerShell, you might encounter throttling.
Also, the EOP PowerShell cmdlets use a batch processing method that results in a
propagation delay of a few minutes before the results of the commands are visible.

You need permissions before you can perform this procedure or procedures. To
see what permissions you need, see the "Recipients" entry in the Feature
permissions in Exchange Online article.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the Exchange admin center to manage mail users

Use the new EAC to create mail users


1. In the new EAC, go to Recipients > Contacts.

2. Click + Add a contact and configure the following settings in the details pane.
Settings marked with an * are required.

Contact type: Select Mail user from the drop-down list.


First name
Last name
*Display name: By default, this box shows the values from the First name, and
Last name boxes. You can accept this value or change it.
*Email: Enter the user's email address. The domain should be external to your
cloud-based organization.
*Alias: Enter a unique alias, using up to 64 characters for the user.
*User ID and Domain: Enter the account that the person will use to sign in to
the service. The user ID consists of a username on the left side of the at (@)
symbol and a domain on the right side. Select the domain from the drop-
down list.
Password
Confirm

3. When you're finished, click Add and then click Close.

Use the new EAC to modify mail users


1. In the new EAC, go to Recipients > Contacts.

2. In the list of users, select the mail user that you want to modify.

3. In the details pane, click to view or edit the user's details.

When you're finished, click Save.

Contact Information:

Use the Contact information section, to view, or edit the user's information. The
information on this page is displayed in the address book.

Web site
Fax phone
Street
City
State/Province
ZIP/Postal code
Country/Region

Organization:

Use the Organization section, to record detailed information about the user's role in the
organization. This information is displayed in the address book. Also, you can create a
virtual organization chart that's accessible from email clients such as Outlook.

Title: Use this box to view or change the recipient's title.


Department: Use this box to view or change the department in which the user
works. You can use this box to create recipient conditions for dynamic distribution
groups, email address policies, or address lists.
Manager: To add a manager, enter the name and select from the drop-down list.
Direct reports: You can't modify this box. A direct report is a user who reports to a
specific manager. If you've specified a manager for the user, that user appears as a
direct report in the details of the manager's mailbox. For example, Kari manages
Chris and Kate, so Kari is specified in the Manager box for Chris and Kate, and
Chris and Kate appear in the Direct reports box in the properties of Kari's account.

Use the new EAC to remove mail users


1. In the new EAC, go to Recipients > Contacts.

2. Select the mail user that you want to remove, and then click Delete.

Note

New EAC doesn't allow bulk edit of mail users yet.

Use the Classic EAC to create mail users


1. In the Classic EAC, go to Recipients > Contacts.

2. Click New and then select Mail user.

3. In the New mail user page that opens, configure the following settings. Settings
marked with an * are required.
First name
Initials: The person's middle initial.
Last name
*Display name: By default, this box shows the values from the First name,
Initials, and Last name boxes. You can accept this value or change it. The
value should be unique, and has a maximum length of 64 characters.
*Alias: Enter a unique alias, using up to 64 characters, for the user.
External email address: Enter the user's email address. The domain should be
external to your cloud-based organization.
*User ID: Enter the account that the person will use to sign in to the service.
The user ID consists of a username on the left side of the at (@) symbol
and a domain on the right side.
*New password and *Confirm password: Enter and reenter the account
password. Verify that the password complies with the password length,
complexity, and history requirements of your domain.

4. When you've finished, click Save to create the mail user.

Use the Classic EAC to modify mail users


1. In the Classic EAC, go to Recipients > Contacts.

2. In the list of contacts, select the mail user that you want to modify, and then click
Edit.

3. On the mail user properties page that opens, click one of the following tabs to
view or change properties.

When you're finished, click Save.

General:

Use the General tab to view or change basic information about the mail user.

First name
Initials
Last name
Display name: This name appears in your organization's address book, on the To:
and From: lines in email, and in the list of contacts in the EAC. This name can't
contain empty spaces before or after the display name.
User ID: This is the user's account in Microsoft 365. You can't modify this value
here.
Hide from address lists: Select this check box to prevent the mail user from
appearing in the address book and other address lists that are defined in your
organization. After you select this check box, users can still send messages to the
recipient by using the email address.
More options > Custom attributes: Click Edit. In the Custom attributes page
that opens, enter values for Custom Attribute 1 through Custom Attribute 15.
When you're finished, click OK.

Contact information:

Use the Contact information tab to view or change the user's contact information. The
information on this page is displayed in the address book.

Street

City

State/Province

ZIP/Postal code

Country/Region

Work phone

Mobile phone

Fax

More options
Office
Home phone
Web page
Notes

Tip

You can use the State/Province value to create recipient conditions for
dynamic distribution groups, email address policies, or address lists.

Organization:

Use the Organization tab to record detailed information about the user's role in the
organization. This information is displayed in the address book. Also, you can create a
virtual organization chart that's accessible from email clients such as Outlook.
Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user
works. You can use this box to create recipient conditions for dynamic distribution
groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works.
You can use this box to create recipient conditions for dynamic distribution groups,
email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and
then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a
specific manager. If you've specified a manager for the user, that user appears as a
direct report in the details of the manager's mailbox. For example, Kari manages
Chris and Kate, so Kari is specified in the Manager box for Chris and Kate, and
Chris and Kate appear in the Direct reports box in the properties of Kari's account.

Email addresses:

Use the Email addresses tab to view or change the email addresses associated with the
mail user. This includes the mail user's primary SMTP address, their external email
address, and any associated proxy addresses. The primary SMTP address (also known as
the reply address) is displayed in bold text in the address list, with the uppercase SMTP
value in the Type column. By default, the external email address is the primary SMTP
address.

Add: Click Add. In the New email address page that appears, configure the
following settings:
Email address type: Verify SMTP is selected.
Email address: Enter the email address to add.
Make this the reply address: For mail users, you shouldn't need to select this
option (the external email address is the reply address).

When you're finished, click OK.

Edit: Select the email address that you want to modify, and then click Edit. In
the Email address page that appears, configure the following settings:
Email address: Modify the existing email address.
Make this the reply address: This setting only appears if the email address you
selected isn't already the reply address.

When you're finished, click OK.

Remove: Select the email address that you want to remove, and then click Remove.
You can't remove the reply address.

Mail flow settings:

In the Message delivery restrictions section, click View details. In the Message delivery
restrictions page that opens, configure the following settings:

Accept messages from: Specify who can send messages to this mail user.
Unspecified senders are blocked.
All senders: This is the default value.
Only senders in the following list: Click Add. Select a recipient, click Add,
and repeat as many times as necessary. When you're finished, click OK.

Require that all senders are authenticated: Select this option to prevent
anonymous users (external users) from sending messages to the user.

Reject messages from: Specify who isn't allowed to send messages to this mail
user.
No senders: This is the default value.
Senders in the following list: Click Add. Select a recipient, click Add, and
repeat as many times as necessary. When you're finished, click OK.

When you're finished, click OK.

Member of:

Use the Member of tab to view a list of the distribution groups or mail-enabled security
groups that the user belongs to. You can't change group membership on this page.
Note that dynamic distribution groups aren't displayed on this page because their
membership is calculated each time they're used.

MailTip:

Use the MailTip tab to add an alert for potential issues before a user sends messages to
this recipient. The text is displayed in the InfoBar when this recipient is added to the To,
Cc, or Bcc lines of a new email message.

MailTips can include HTML tags, but scripts aren't allowed. The length of a custom
MailTip can't exceed 175 displayed characters. HTML tags aren't counted in the limit.

Use the Classic EAC to bulk edit mail users


When you bulk edit mail users in the EAC, you can change the following types of
properties:

Contact information
Organization

1. In the Classic EAC, go to Recipients > Contacts.

2. In the list of contacts, select two or more mail users. You can't bulk edit a
combination of mail contacts and mail users.

You can select multiple adjacent mail users by holding down the Shift key and
clicking the first mail user, and then clicking the last mail user you want to edit. You
can also select multiple mail users by holding down the Ctrl key and clicking each
one that you want to edit.

3. In the Details pane, under Bulk Edit, click Update under Contact Information or
Organization.

4. Make the changes on the properties page and then save your changes.

Use the Classic EAC to remove mail users


1. In the Classic EAC, go to Recipients > Contacts.
2. Select the mail user that you want to remove, and then click Remove.

Use PowerShell to manage mail users


In Exchange Online PowerShell, you use the following cmdlets to manage mail users:

Get-User
Set-User
Get-MailUser
New-MailUser
Remove-MailUser
Set-MailUser

Use Exchange Online PowerShell to create mail users


This example creates a mail user for Rene Valdes:

The name and display name is Rene Valdes (if you don't use the DisplayName
parameter, the value of the Name parameter is used for the display name).
The alias is renev.
The external email address is renevaldes@fabrikam.com.
The sign-in name is renev@contoso.onmicrosoft.com.
The password is Pa$$word1.

PowerShell

New-MailUser -Name "Rene Valdes" -Alias renev -ExternalEmailAddress renevaldes@fabrikam.com -FirstName Rene -LastName Valdes -MicrosoftOnlineServicesID renev@contoso.onmicrosoft.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force)

For detailed syntax and parameter information, see New-MailUser.

Use Exchange Online PowerShell to modify mail users


In general, use the Get-User and Set-User cmdlets to view and change organization and
contact information properties. Use the Get-MailUser and Set-MailUser cmdlets to view
or change mail-related properties, such as email addresses, the MailTip, custom
attributes, and whether the mail user is hidden from address lists.

Use the Get-MailUser and Set-MailUser cmdlets to view and change properties for mail
users. For information, see the following articles:

Get-User
Set-User
Get-MailUser
Set-MailUser

Here are some examples of using Exchange Online PowerShell to change mail user
properties.

This example sets the external email address for Pilar Pinilla.

PowerShell

Set-MailUser "Pilar Pinilla" -ExternalEmailAddress pilarp@tailspintoys.com

This example hides all mail users from the organization's address book.

PowerShell

$MEU = Get-MailUser -ResultSize unlimited
$MEU | foreach {Set-MailUser -Identity $_ -HiddenFromAddressListsEnabled $true}

This example sets the Company property for all mail users to Contoso.

PowerShell

$U = Get-User -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'mailuser'"
$U | foreach {Set-User -Identity $_ -Company Contoso}

This example sets the CustomAttribute1 property to a value of ContosoEmployee for all
mail users that have a value of Contoso in the Company property.

PowerShell

$Contoso = Get-User -ResultSize unlimited -Filter "(RecipientTypeDetails -eq 'mailuser') -and (Company -eq 'Contoso')"
$Contoso | foreach {Set-MailUser -Identity $_ -CustomAttribute1 ContosoEmployee}

Use Exchange Online PowerShell to remove mail users


To remove a mail user, use the following syntax:

PowerShell

Remove-MailUser -Identity <MailUserIdentity>

This example removes the mail user for Pilar Pinilla:

PowerShell

Remove-MailUser -Identity "Pilar Pinilla"

For detailed syntax and parameter information, see Remove-MailUser.

How do you know these procedures worked?


To verify that you've successfully created, modified, or removed mail users, do any of the
following steps:

In the new EAC, go to Recipients > Contacts. Verify the mail user is listed (or not
listed). The Contact Type value is MailUser. Select the mail user from the list, and
click to view or edit the user's details.

In the Classic EAC, go to Recipients > Contacts. Verify the mail user is listed (or not
listed). The Contact Type value is Mail user. Select the mail user from the list, and
click Edit to view the properties.

In Exchange Online PowerShell, replace <MailUserIdentity> with the name, email
address, or alias of the mail user, and run the following command to verify that the
mail user is listed (or not listed).

PowerShell

Get-MailUser -Identity <MailUserIdentity> | Format-List Name,Alias,DisplayName,ExternalEmailAddress

In Exchange Online PowerShell, use the Get-User and Get-MailUser cmdlets to
verify the property changes you made.

PowerShell

Get-MailUser | Format-List Name,CustomAttribute1

PowerShell

Get-User -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'mailuser'" | Format-List Name,Company
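
The Classic EAC's Message delivery restrictions settings and the Set-MailUser and Get-User examples above can be combined in one script. As an added example that is not from the original article, the following function turns on Require that all senders are authenticated for the mail users selected by a Get-User filter, skips those already restricted, and re-reads each object with Get-MailUser so the report shows what was actually stored. The function name, the default filter and an existing Connect-ExchangeOnline session are assumptions.

```powershell
# Added example, not code from the original article. Assumes an active
# Exchange Online PowerShell session (Connect-ExchangeOnline).
# Mail users have external addresses, so mail sent to them leaves the
# organization. Requiring authenticated senders (the Classic EAC option
# "Require that all senders are authenticated") keeps anonymous external
# senders from reaching such an account.
function Protect-ExternalMailUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Scope, written the same way as the article's Company example (assumed default).
        [string] $Filter = "Company -eq 'Contoso'"
    )

    # Get-User selects by organization properties; the RecipientTypeDetails
    # clause restricts the result to mail users, as in the article.
    $scope = "(RecipientTypeDetails -eq 'MailUser') -and ($Filter)"

    foreach ($user in Get-User -ResultSize Unlimited -Filter $scope) {
        $before  = Get-MailUser -Identity $user.Identity
        $changed = $false

        if (-not $before.RequireSenderAuthenticationEnabled -and
            $PSCmdlet.ShouldProcess($user.Name, 'Require authenticated senders')) {
            # Mail-flow properties are set with Set-MailUser, not Set-User.
            Set-MailUser -Identity $user.Identity -RequireSenderAuthenticationEnabled $true
            $changed = $true
        }

        # Read the object back rather than trusting the local variable.
        $after = Get-MailUser -Identity $user.Identity

        [pscustomobject]@{
            Name                 = $user.Name
            ExternalEmailAddress = $after.ExternalEmailAddress
            AuthRequiredBefore   = $before.RequireSenderAuthenticationEnabled
            AuthRequiredAfter    = $after.RequireSenderAuthenticationEnabled
            Changed              = $changed
        }
    }
}

# Preview which accounts would change, without modifying anything.
Protect-ExternalMailUser -WhatIf

# Apply to the default scope and show the before/after state.
Protect-ExternalMailUser | Format-Table -AutoSize

# Apply to a department instead of the default Company filter.
Protect-ExternalMailUser -Filter "Department -eq 'Public Relations'"
```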

Use directory synchronization to manage mail users

In Exchange Online, directory synchronization is available for hybrid customers with
on-premises and cloud-hosted mailboxes, and for fully-hosted Exchange Online customers
whose Active Directory is on-premises.

In standalone EOP, directory synchronization is available for customers with on-premises
Active Directory.

Notes:

If you use directory synchronization to manage your recipients, you can still add
and manage users in the Microsoft 365 admin center, but they will not be
synchronized with your on-premises Active Directory. This is because directory
synchronization only syncs recipients from your on-premises Active Directory to
the cloud.

Using directory synchronization is recommended for use with the following
features:
Outlook Safe Sender lists and Blocked Sender lists: When synchronized to the
service, these lists will take precedence over spam filtering in the service. This
lets users manage their own Safe Sender list and Blocked Sender list with
individual sender and domain entries. For more information, see Configure junk
email settings on Exchange Online mailboxes.
Directory Based Edge Blocking (DBEB): For more information about DBEB, see
Use Directory Based Edge Blocking to reject messages sent to invalid recipients.
End user access to quarantine: To access their quarantined messages, recipients
must have a valid user ID and password in the service. For more information
about quarantine, see Find and release quarantined messages as a user.
Mail flow rules (also known as transport rules): When you use directory
synchronization, your existing Active Directory users and groups are
automatically uploaded to the cloud, and you can then create mail flow rules
that target specific users and/or groups without having to manually add them in
the service. Note that dynamic distribution groups can't be synchronized via
directory synchronization.

Get the necessary permissions and prepare for directory synchronization, as described in
What is hybrid identity with Azure Active Directory?.

Synchronize directories with Azure Active Directory Connect (AAD Connect)

1. Activate directory synchronization as described in Azure AD Connect sync:
Understand and customize synchronization.

2. Install and configure an on-premises computer to run AAD Connect as described
in Prerequisites for Azure AD Connect.

3. Select which installation type to use for Azure AD Connect:

Express
Custom
Pass-through authentication

Important

When you finish the Azure Active Directory Sync Tool Configuration Wizard, the
MSOL_AD_SYNC account is created in your Active Directory forest. This account is
used to read and synchronize your on-premises Active Directory information. In
order for directory synchronization to work correctly, make sure that TCP 443 on
your local directory synchronization server is open.

After configuring your sync, be sure to verify that AAD Connect is synchronizing
correctly. In the EAC, go to Recipients > Contacts and verify that the list of users was
correctly synchronized from your on-premises environment.

Manage resource mailboxes in Exchange
Online
Article • 02/22/2023

Use the new Exchange admin center (EAC) to create, modify, and manage your
resources through email/delegation in your Exchange Online organization.

There are two types of resources that admins can manage:

Room mailbox is a resource mailbox that's assigned to a physical location, such as
a conference room, an auditorium, or a training room. After an administrator
creates room mailboxes, users can easily reserve rooms by including room
mailboxes in meeting requests.

Equipment mailbox is a resource mailbox assigned to a resource that's not
location specific, such as a portable computer, projector, microphone, or a
company car. After an administrator creates an equipment mailbox, users can
easily reserve the piece of equipment by including the corresponding equipment
mailbox in a meeting request. You can use the new EAC and Exchange Online
PowerShell to create an equipment mailbox or change equipment mailbox
properties.

For more information, see Recipients in Exchange Online.

Create a resource mailbox (room or equipment mailbox)

1. Log in to the new Exchange admin center, and navigate to Recipients >
Resources.

The Resources page is displayed.

2. Click Add a resource and follow the instructions in the details pane.

3. In Review resource tab, under Review the resource information you have entered,
verify all the details, and then click Create.

4. Click Done.

Edit a resource
1. From the list view, select the resource that you want to edit, and click the selected
resource.

2. In the details pane, do the following:

Click Edit address, to edit the resource address.

Click Additional information, to edit audio/display/video details.

Note

This is available only for room mailboxes.

Click Manage settings > Manage booking options, to edit the settings for
booking policy that defines when the resource can be scheduled.

Click Manage delegates, to add or remove delegates from the list.

Booking options
Use the Manage booking options section to view or change the settings for the
booking policy that defines when the room can be scheduled, how long it can be
reserved, and how far in advance it can be reserved.

Allow repeated meetings: This setting allows or prevents repeated meetings for
the room. By default, this setting is enabled, so repeated meetings are allowed.

Allow scheduling only during working hours: This setting accepts or declines
meeting requests that aren't scheduled during the working hours defined for the
room. The default working hours are 8:00 A.M. to 5:00 P.M. Monday through
Friday. By default, this setting is disabled, so meeting requests are allowed outside
the working hours.

Auto-accept meeting request: When enabled, this setting allows automatic
acceptance of the meeting requests. By default, this setting is enabled. You can set
it to Off to allow the delegates to accept the meetings manually.

Automatically decline meetings outside the limits below: By default, this setting is
enabled.
Booking window (days): This setting specifies the maximum number of days in
advance that a room can be booked. The default value is 180 days.
Maximum duration (hours): This setting specifies the maximum duration that
the room can be reserved in a booking request. The default value is 24 hours.

Booking delegates
In the Manage booking options section, under Booking delegates, add or remove the
delegates for the meeting requests. Resource delegates are responsible for accepting or
declining meeting requests that are sent to the room mailbox.

Note

For the delegates, you can also select the permission type: Full access, Send as,
or Send on behalf.
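
The booking options and delegate settings described above can also be applied from Exchange Online PowerShell, which the article notes can be used for resource mailboxes. As an added example that is not from the original article, the following function creates a room mailbox and applies the article's defaults (repeated meetings allowed, auto-accept on, 180-day booking window, 24-hour maximum duration, 8:00 A.M. to 5:00 P.M. working hours) with Set-CalendarProcessing and Set-MailboxCalendarConfiguration, then returns the stored settings for verification. The function name, the room name, the delegate address and the mapping of each option to its cmdlet parameter are my assumptions.

```powershell
# Added example, not code from the original article. Assumes an active
# Exchange Online PowerShell session (Connect-ExchangeOnline).
# Creates a room mailbox and applies the booking policy described in the
# "Booking options" and "Booking delegates" sections through
# Set-CalendarProcessing; the option-to-parameter mapping is my assumption.
function New-ManagedRoomMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,      # constructed, e.g. 'Conference Room 1'
        [string[]] $Delegates = @(),                # who reviews out-of-policy requests
        [int] $BookingWindowInDays = 180,           # article default
        [int] $MaximumDurationInHours = 24,         # article default
        [switch] $WorkingHoursOnly,                 # article default is off
        [switch] $DelegatesApproveAll               # "Auto-accept meeting request" set to Off
    )

    # Use -Equipment instead of -Room for an equipment mailbox.
    $room = New-Mailbox -Name $Name -Room

    # Mailbox creation is asynchronous; wait until the new mailbox resolves.
    $tries = 0
    while (-not (Get-Mailbox -Identity $room.Identity -ErrorAction SilentlyContinue) -and $tries++ -lt 12) {
        Start-Sleep -Seconds 10
    }

    # Working hours the article gives as the default: 8:00 A.M. to 5:00 P.M., Monday through Friday.
    $hours = @{
        Identity              = $room.Identity
        WorkDays              = 'Weekdays'
        WorkingHoursStartTime = '08:00:00'
        WorkingHoursEndTime   = '17:00:00'
    }
    Set-MailboxCalendarConfiguration @hours

    # AutoAccept = "Auto-accept meeting request" On; AutoUpdate leaves acceptance to delegates.
    $processing = if ($DelegatesApproveAll) { 'AutoUpdate' } else { 'AutoAccept' }

    $policy = @{
        Identity                    = $room.Identity
        AutomateProcessing          = $processing
        AllowRecurringMeetings      = $true                        # "Allow repeated meetings"
        ScheduleOnlyDuringWorkHours = [bool] $WorkingHoursOnly      # "Allow scheduling only during working hours"
        BookingWindowInDays         = $BookingWindowInDays          # "Booking window (days)"
        MaximumDurationInMinutes    = $MaximumDurationInHours * 60  # "Maximum duration (hours)"
        EnforceSchedulingHorizon    = $true                         # decline requests beyond the window
    }
    if ($Delegates.Count -gt 0) {
        # Out-of-policy requests go to the delegates instead of being declined automatically.
        $policy['ResourceDelegates']     = $Delegates
        $policy['AllRequestOutOfPolicy'] = $true
    }
    Set-CalendarProcessing @policy

    # Return what the service stored so the caller can verify the policy.
    Get-CalendarProcessing -Identity $room.Identity |
        Select-Object AutomateProcessing, AllowRecurringMeetings, ScheduleOnlyDuringWorkHours,
                      BookingWindowInDays, MaximumDurationInMinutes, EnforceSchedulingHorizon, ResourceDelegates
}

# Constructed values: a room whose out-of-policy requests are reviewed by one delegate.
New-ManagedRoomMailbox -Name 'Conference Room 1' -Delegates 'kari@contoso.onmicrosoft.com'
```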

Managing resource mailboxes in Classic Exchange admin center

A room mailbox is a resource mailbox that's assigned to a physical location, such as a
conference room, an auditorium, or a training room. After an administrator creates room
mailboxes, users can easily reserve rooms by including room mailboxes in meeting
requests.

An equipment mailbox is a resource mailbox assigned to a resource that's not location specific, such as a portable computer, projector, microphone, or a company car. After an administrator creates an equipment mailbox, users can easily reserve the piece of equipment by including the corresponding equipment mailbox in a meeting request. You can use the Classic Exchange admin center and Exchange Online PowerShell to create an equipment mailbox or change equipment mailbox properties.

For more information, see Recipients in Exchange Online.

What do you need to know before you begin?

Estimated time to complete this procedure: 5 to 10 minutes.

You must be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the
Feature permissions in Exchange Online topic.

Important

If you're running Exchange Server in a hybrid scenario, ensure you create the room mailboxes in the appropriate place. Create room mailboxes for your on-premises organization on-premises, and create room mailboxes for the Exchange Online side in the cloud.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create a room mailbox

Use the Classic Exchange admin center to create a room mailbox

1. In the Classic Exchange admin center, navigate to Recipients > Resources.

2. To create a room mailbox, click New > Room mailbox.

3. Use the options on the page to specify the settings for the new resource mailbox.

* Room name: Use this box to type a name for the room mailbox. This is the
name that's listed in the resource mailbox list in the Classic Exchange admin
center and in your organization's address book. This name is required and it
can't exceed 64 characters.

Tip

Although there are other fields that describe the details of the room, for
example, Location and Capacity, consider summarizing the most
important details in the room name using a consistent naming
convention. Why? So users can easily see the details when they select
the room from the address book in the meeting request.

* Email address: A room mailbox has an email address so it can receive booking requests. The email address consists of an alias on the left side of the @ symbol, which must be unique in the forest, and your domain name on the right. The email address is required.

Location, Phone, Capacity: You can use these fields to enter details about the room. However, as explained earlier, you can include some or all of this information in the room name so users can see it.

4. When you're finished, click Save to create the room mailbox.

Once you've created your room mailbox, you can edit it to update information about booking options, MailTips, and mailbox delegation. See the Use the Classic Exchange admin center to change room mailbox properties section below.

Use Exchange Online PowerShell to create a room mailbox

This example creates a room mailbox with the following configuration:

The mailbox's name is ConfRoom1. This name will also be used to create the
room's email address.
The display name in the Classic Exchange admin center and the address book will
be Conference Room 1.
The Room switch specifies that this mailbox will be created as a room mailbox.

PowerShell

New-Mailbox -Name ConfRoom1 -DisplayName "Conference Room 1" -Room

For detailed syntax and parameter information, see New-Mailbox.

How do you know this worked?

You can make sure you've created the room mailbox correctly a couple of different ways:

In the Classic Exchange admin center, navigate to Recipients > Resources. The new
room mailbox is displayed in the mailbox list. Under Mailbox Type, the type is
Room.

In Exchange Online PowerShell, run the following command to display information about the new room mailbox.

PowerShell

Get-Mailbox <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress

Create a room list

If you're planning to have more than a hundred rooms, or already have more than a
hundred rooms created, use a room list to help you organize your rooms. If your
company has several buildings with rooms that can be booked for meetings, it might
help to create room lists for each building. Room lists are specially marked distribution
groups that you can use the same way you use distribution groups. However, you can
only create room lists using Exchange Online PowerShell.

Use Exchange Online PowerShell to create a room list

This example creates a room list for building 32.

PowerShell

New-DistributionGroup -Name "Building 32 Conference Rooms" -OrganizationalUnit "contoso.com/rooms" -RoomList

Use Exchange Online PowerShell to add a room to a room list

This example adds confroom3223 to the building 32 room list.

PowerShell

Add-DistributionGroupMember -Identity "Building 32 Conference Rooms" -Member confroom3223@contoso.com

Use Exchange Online PowerShell to convert a distribution group to a room list

You may already have created distribution groups in the past that contain your conference rooms. You don't need to recreate them; you can quickly convert them into room lists.

This example converts the distribution group Building 34 Conference Rooms to a room list.

PowerShell

Set-DistributionGroup -Identity "Building 34 Conference Rooms" -RoomList
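
The three room-list steps above (create, add members, convert an existing group) combined into one idempotent script, as an added example that is not part of the Microsoft documentation. It assumes an existing Exchange Online PowerShell session; the building names and room addresses are constructed sample values.

```powershell
# Added example (not from the Microsoft documentation): build one room list per
# building, creating each list only when it is missing, converting a plain
# distribution group of the same name instead of creating a duplicate, and
# adding only the rooms that are not already members.
# Assumes Connect-ExchangeOnline has already been run.
# Building names and room addresses are constructed sample values.

$roomsByBuilding = @{
    'Building 32' = @('confroom3223@contoso.com', 'confroom3201@contoso.com')
    'Building 34' = @('confroom3410@contoso.com')
}

foreach ($building in $roomsByBuilding.Keys) {
    $listName = "$building Conference Rooms"

    # Room lists are distribution groups whose RecipientTypeDetails is RoomList.
    $list = Get-DistributionGroup -Identity $listName -ErrorAction SilentlyContinue
    if (-not $list) {
        $list = New-DistributionGroup -Name $listName -RoomList
        Write-Host "Created room list '$listName'"
    }
    elseif ($list.RecipientTypeDetails -ne 'RoomList') {
        # An ordinary group with this name exists: convert it, as the text describes.
        Set-DistributionGroup -Identity $listName -RoomList
        Write-Host "Converted existing group '$listName' to a room list"
    }

    # Current members, compared by primary SMTP address (case-insensitive).
    $members = Get-DistributionGroupMember -Identity $listName -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() }

    foreach ($room in $roomsByBuilding[$building]) {
        if ($members -contains $room.ToLowerInvariant()) { continue }

        # Only room mailboxes belong in a room list; report and skip anything else.
        $mbx = Get-Mailbox -Identity $room -ErrorAction SilentlyContinue
        if (-not $mbx -or $mbx.RecipientTypeDetails -ne 'RoomMailbox') {
            Write-Warning "Skipping '$room': not an existing room mailbox"
            continue
        }
        Add-DistributionGroupMember -Identity $listName -Member $room
        Write-Host "Added $room to '$listName'"
    }
}
```

Re-running the script makes no further changes, so it can be scheduled to keep room lists in step with an inventory.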

Change room mailbox properties

After you create a room mailbox, you can make changes and set additional properties
by using the Classic Exchange admin center or Exchange Online PowerShell.

Use the Classic Exchange admin center to change room mailbox properties

1. In the Classic Exchange admin center, navigate to Recipients > Resources.

2. In the list of resource mailboxes, click the room mailbox that you want to change the properties for, and then click Edit.

3. On the room mailbox properties page, click one of the following sections to view
or change properties.

General:

Use the General section to view or change basic information about the resource.

* Room name: This name appears in the resource mailbox list in the Classic
Exchange admin center and in your organization's address book. It can't exceed 64
characters if you change it.

* Email address: This read-only box displays the email address for the room
mailbox. You can change it in the Email Address section.

Capacity: Use this box to enter the maximum number of people who can safely
occupy the room.

Click More options to view or change these additional properties:

Organizational unit: This read-only box displays the organizational unit (OU) that
contains the account for the room mailbox. You have to use Active Directory Users
and Computers to move the account to a different OU.

Mailbox database: This read-only box displays the name of the mailbox database
that hosts the room mailbox. Use the Migration page in the Classic Exchange
admin center to move the mailbox to a different database.

* Alias: Use this box to change the alias for the room mailbox.

Hide from address lists: Select this check box to prevent the room mailbox from appearing in the address book and other address lists that are defined in your Exchange organization. After you select this check box, users can still send booking messages to the room mailbox by using the email address.

Department: Use this box to specify a department name that the room is associated with. You can use this property to create recipient conditions for dynamic distribution groups and address lists.

Company: Use this box to specify a company that the room is associated with, if
applicable. Like the Department property, you can use this property to create
recipient conditions for dynamic distribution groups and address lists.

Address book policy: Use this option to specify an address book policy (ABP) for
the room mailbox. ABPs contain a global address list (GAL), an offline address book
(OAB), a room list, and a set of address lists. To learn more, see Address book
policies.

In the drop-down list, select the policy that you want associated with this mailbox.

Custom attributes: This section displays the custom attributes defined for the room mailbox. To specify custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.

Delegates:

Use this section to view or change how the room mailbox handles reservation requests
and to define who can accept or decline booking requests if it isn't done automatically.

Booking requests: Select one of the following options to handle booking requests.

Accept or decline booking requests automatically: A valid meeting request automatically reserves the room. If there's a scheduling conflict with an existing reservation, or if the booking request violates the scheduling limits of the resource, for example, the reservation duration is too long, the meeting request is automatically declined.

Select delegates who can accept or decline booking requests: Resource delegates are responsible for accepting or declining meeting requests that are sent to the room mailbox. If you assign more than one resource delegate, only one of them has to act on a specific meeting request.

Delegates: If you selected the option requiring that booking requests be sent to
delegates, the specified delegates are listed. Click Add or Remove to add or
remove delegates from this list.

Booking Options:

Use the Booking Options section to view or change the settings for the booking policy that defines when the room can be scheduled, how long it can be reserved, and how far in advance it can be reserved.

Allow repeating meetings: This setting allows or prevents repeating meetings for
the room. By default, this setting is enabled, so repeating meetings are allowed.

Allow scheduling only during working hours: This setting accepts or declines
meeting requests that aren't during the working hours defined for the room. By
default, this setting is disabled, so meeting requests are allowed outside the
working hours. By default, working hours are 8:00 A.M. to 5:00 P.M. Monday
through Friday. You can configure the working hours of the room mailbox in the
Appearance section on the Calendar page.

Always decline if the end date is beyond this limit: This setting controls the
behavior of repeating meetings that extend beyond the date specified by the
maximum booking lead time setting.

If you enable this setting, a repeating booking request is automatically declined if the bookings start on or before the date specified by the value in the Maximum booking lead time box, and they extend beyond the specified date. This is the default setting.

If you disable this setting, a repeating booking request is automatically accepted if booking requests start on or before the date specified by the value in the Maximum booking lead time box, and they extend beyond the specified date. However, the number of bookings is reduced so bookings won't occur after the specified date.

Maximum booking lead time (days): This setting specifies the maximum number
of days in advance that the room can be booked. Valid input is an integer between
0 and 1080. The default value is 180 days.

Maximum duration (hours): This setting specifies the maximum duration that the
room can be reserved in a booking request. The default value is 24 hours.

For repeating booking requests, the maximum booking duration applies to the length of each instance of the repeating booking request.

There's also a box on this page that you can use to write a message that will be sent to
users who send booking requests to reserve the room.

Contact Information:

Use the Contact Information section to view or change the contact information for the room. The information on this page is displayed in the address book.

Tip

You can use the State/Province box to create recipient conditions for dynamic
distribution groups, email address policies, or address lists.

Email address:

Use the Email address section to view or change the email addresses associated with
the room mailbox. This includes the mailbox's primary SMTP address and any associated
proxy addresses. The primary SMTP address (also known as the reply address) is
displayed in bold text in the address list, with the uppercase SMTP value in the Type
column.

Add: Click Add to add a new email address for this mailbox. Select one of the following address types:

SMTP: This is the default address type. Click this button and then type the new SMTP address in the * Email address box.

Custom address type: Click this button and type one of the supported non-SMTP email address types in the * Email address box.

Note

With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting. You must make sure that the custom address you specify complies with the format requirements for that address type.

When you add a new email address, you have the option to make it the primary SMTP address.

Automatically update email addresses based on the email address policy applied
to this recipient: Select this check box to have the recipient's email addresses
automatically updated based on changes made to email address policies in your
organization.

MailTip:

Use the MailTip section to add a MailTip to alert users of potential issues before they send a booking request to the room mailbox. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc lines of a new email message.

Note

MailTips can include HTML tags, but scripts aren't allowed. The length of a custom
MailTip can't exceed 175 displayed characters. HTML tags aren't counted in the
limit.

Use Exchange Online PowerShell to change room mailbox properties

Use the following sets of cmdlets to view and change room mailbox properties.

Get-User and Set-User: Use these cmdlets to view and set general properties such
as location, department, and company names.
Get-Mailbox and Set-Mailbox: Use these cmdlets to view and set mailbox
properties, such as email addresses.
Get-CalendarProcessing and Set-CalendarProcessing: Use these cmdlets to view
and set booking options and delegates.
Get-MailboxFolderPermission and Set-MailboxFolderPermission: Use these cmdlets to view and modify delegate permissions on the Calendar folder of the room mailbox.

For information about these cmdlets, see the following topics:

Get-User
Set-User
Get-Mailbox
Set-Mailbox
Get-CalendarProcessing
Set-CalendarProcessing
Get-MailboxFolderPermission
Set-MailboxFolderPermission

Here are some examples of using Exchange Online PowerShell to change room mailbox
properties.

This example changes the display name, the primary SMTP address (called the default reply address), and the room capacity. Also, the previous reply address is kept as a proxy address.

PowerShell

Set-Mailbox "Conf Room 123" -DisplayName "Conf Room 31/123 (12)" -EmailAddresses SMTP:Rm33.123@contoso.com,smtp:rm123@contoso.com -ResourceCapacity 12

This example configures room mailboxes to allow booking requests to be scheduled only during working hours and sets a maximum duration of 9 hours.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'RoomMailbox'" | Set-CalendarProcessing -ScheduleOnlyDuringWorkHours $true -MaximumDurationInMinutes 540

This example does the following actions:

The Get-User cmdlet finds all room mailboxes that correspond to private
conference rooms.
The Set-CalendarProcessing cmdlet sends booking requests to a delegate named
Robin Wood to accept or decline.
The Set-MailboxFolderPermission cmdlet gives Robin the required Calendar folder
permissions to the private conference room mailboxes.

PowerShell

$P = Get-User -ResultSize unlimited -Filter "(RecipientTypeDetails -eq 'RoomMailbox') -and (DisplayName -like 'Private*')"
$P | foreach {Set-CalendarProcessing -Identity $_.Identity -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Robin Wood"}
$P | foreach {Set-MailboxFolderPermission -Identity "$_`:\Calendar" -User "Robin Wood" -AccessRights Editor -SharingPermissionFlags Delegate}

How do you know this worked?

To verify that you've successfully changed properties for a room mailbox, do the
following:

In the Classic Exchange admin center, select the mailbox and then click Edit to
view the property or feature that you changed. Depending on the property that
you changed, it might be displayed in the Details pane for the selected mailbox.

In Exchange Online PowerShell, use the Get-Mailbox cmdlet to verify the changes.
One advantage of using Exchange Online PowerShell is that you can view multiple
properties for multiple mailboxes. In the example above where booking requests
could be scheduled only during working hours and have a maximum duration of 9
hours, run the following command to verify the new values.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'RoomMailbox'" | Get-CalendarProcessing | Format-List Identity,ScheduleOnlyDuringWorkHours,MaximumDurationInMinutes

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create an equipment mailbox

Use the Classic Exchange admin center to create an equipment mailbox

1. In the Classic Exchange admin center, navigate to Recipients > Resources.

2. To create an equipment mailbox, click New > Equipment mailbox. To create a room mailbox, click New > Room mailbox.

3. Use the options on the page to specify the settings for the new resource mailbox.

* Equipment name: Use this box to type a name for the equipment mailbox.
This is the name that's listed in the resource mailbox list in the Classic
Exchange admin center and in your organization's address book. This name is
required and it can't exceed 64 characters.

Tip

Although there are other fields that describe the details of the resource, for example, Capacity, consider summarizing the most important details in the equipment name using a consistent naming convention. Why? So users can easily see the details when they select the equipment from the address book in a meeting request.

* Email address: An equipment mailbox has an email address so it can receive booking requests. The email address consists of an alias on the left side of the @ symbol, which must be unique in the forest, and your domain name on the right. The email address is required.

4. When you're finished, click Save to create the equipment mailbox.

Once you've created your equipment mailbox, you can edit it to update information about booking options, MailTips, and delegates. See the Change equipment mailbox properties section below.

Use Exchange Online PowerShell to create an equipment mailbox

This example creates an equipment mailbox with the following configuration:

The equipment mailbox resides on Mailbox Database 1.
The equipment's name is MotorVehicle2 and the name will display in the GAL as Motor Vehicle 2.
The email address is MotorVehicle2@contoso.com.
The mailbox is in the Equipment organizational unit.
The Equipment parameter specifies that this mailbox will be created as an equipment mailbox.

PowerShell

New-Mailbox -Database "Mailbox Database 1" -Name MotorVehicle2 -OrganizationalUnit Equipment -DisplayName "Motor Vehicle 2" -Equipment

For detailed syntax and parameter information, see New-Mailbox.

How do you know this worked?

To verify that you've successfully created an equipment mailbox, do one of the following:

In the Classic Exchange admin center, navigate to Recipients > Resources. The new equipment mailbox is displayed in the mailbox list. Under Mailbox Type, the type is Equipment.

In Exchange Online PowerShell, run the following command to display information about the new equipment mailbox.

PowerShell

Get-Mailbox <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress

Change equipment mailbox properties

After you create an equipment mailbox, you can make changes and set additional
properties by using the Classic Exchange admin center or Exchange Online PowerShell.

Use the Classic Exchange admin center to change equipment mailbox properties

1. In the Classic Exchange admin center, navigate to Recipients > Resources.

2. In the list of resource mailboxes, click the equipment mailbox that you want to change the properties for, and then click Edit.

3. On the equipment mailbox properties page, click one of the following sections to
view or change properties.

General:

Use the General section to view or change basic information about the resource.

* Equipment name: This name appears in the resource mailbox list in the Classic
Exchange admin center and in your organization's address book. It can't exceed 64
characters if you change it.

* Email address: This read-only box displays the email address for the equipment
mailbox. You can change it in the Email Address section.

Capacity: Use this box to enter the maximum number of people who can use this resource, if applicable. For example, if the equipment mailbox corresponds to a compact car, you could enter 4.

Click More options to view or change these additional properties:

Organizational unit: This read-only box displays the organizational unit (OU) that
contains the account for the equipment mailbox. You have to use Active Directory
Users and Computers to move the account to a different OU.

Mailbox database: This read-only box displays the name of the mailbox database that hosts the equipment mailbox. Use the Migration page in the Classic Exchange admin center to move the mailbox to a different database.

* Alias: Use this box to change the alias for the equipment mailbox.

Hide from address lists: Select this check box to prevent the equipment mailbox from appearing in the address book and other address lists that are defined in your Exchange organization. After you select this check box, users can still send booking messages to the equipment mailbox by using the email address.

Department: Use this box to specify a department name that the resource is
associated with. You can use this property to create recipient conditions for
dynamic distribution groups and address lists.

Company: Use this box to specify a company that the resource is associated with.
Like the Department property, you can use this property to create recipient
conditions for dynamic distribution groups and address lists.

Address book policy: Use this option to specify an address book policy (ABP) for
the resource. ABPs contain a global address list (GAL), an offline address book
(OAB), a room list, and a set of address lists. To learn more, see Address book
policies.

In the drop-down list, select the policy that you want associated with this mailbox.

Custom attributes: This section displays the custom attributes defined for the equipment mailbox. To specify custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.

Delegates:

Use this section to view or change how the equipment mailbox handles reservation
requests and to define who can accept or decline booking requests if it isn't done
automatically.

Booking requests: Select one of the following options to handle booking requests.

Accept or decline booking requests automatically: A valid meeting request automatically reserves the resource. If there's a scheduling conflict with an existing reservation, or if the booking request violates the scheduling limits of the resource, for example, the reservation duration is too long, the meeting request is automatically declined.

Select delegates who can accept or decline booking requests: Resource delegates are responsible for accepting or declining meeting requests that are sent to the equipment mailbox. If you assign more than one resource delegate, only one of them has to act on a specific meeting request.

Delegates: If you selected the option requiring that booking requests be sent to delegates, the specified delegates are listed. Click Add or Remove to add or remove delegates from this list.

Booking Options:

Use the Booking Options section to view or change the settings for the booking policy
that defines when the resource can be scheduled, how long it can be reserved, and how
far in advance it can be reserved.

Allow repeating meetings: This setting allows or prevents repeating meetings for
the resource. By default, this setting is enabled, so repeating meetings are allowed.

Allow scheduling only during working hours: This setting accepts or declines meeting requests that aren't during the working hours defined for the resource. By default, this setting is disabled, so meeting requests are allowed outside the working hours. By default, working hours are 8:00 A.M. to 5:00 P.M. Monday through Friday. You can configure the working hours of the equipment mailbox in the Appearance section on the Calendar page.

Always decline if the end date is beyond this limit: This setting controls the
behavior of repeating meetings that extend beyond the date specified by the
maximum booking lead time setting.

If you enable this setting, a repeating booking request is automatically declined if the bookings start on or before the date specified by the value in the Maximum booking lead time box, and they extend beyond the specified date. This is the default setting.

If you disable this setting, a repeating booking request is automatically accepted if the booking requests start on or before the date specified by the value in the Maximum booking lead time box, and they extend beyond the specified date. However, the number of bookings is reduced so bookings won't occur after the specified date.

Maximum booking lead time (days): This setting specifies the maximum number
of days in advance that the resource can be booked. Valid input is an integer
between 0 and 1080. The default value is 180 days.

Maximum duration (hours): This setting specifies the maximum duration that the
resource can be reserved in a booking request. The default value is 24 hours.

For repeating booking requests, the maximum booking duration applies to the length of each instance of the repeating booking request.

There is also a box on this page that you can use to write a message that will be sent to users who send meeting requests to reserve the resource.

Contact Information:

Use the Contact Information section to view or change the contact information for the
resource. The information on this page is displayed in the address book.

Tip

You can use the State/Province box to create recipient conditions for dynamic
distribution groups, email address policies, or address lists.

Email Address:

Use the Email Address section to view or change the email addresses associated with
the equipment mailbox. This includes the mailbox's primary SMTP address and any
associated proxy addresses. The primary SMTP address (also known as the reply
address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.

Add: Click Add to add a new email address for this mailbox. Select one of the following address types:

SMTP: This is the default address type. Click this button and then type the new SMTP address in the * Email address box.

Custom address type: Click this button and type one of the supported non-SMTP email address types in the * Email address box.

Note

With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting. You must make sure that the custom address you specify complies with the format requirements for that address type.

When you add a new email address, you have the option to make it the primary SMTP address.

Automatically update email addresses based on the email address policy applied
to this recipient: Select this check box to have the recipient's email addresses
automatically updated based on changes made to email address policies in your
organization.

MailTip:

Use the MailTip section to add a MailTip to alert users of potential issues before they
send a booking request to the equipment mailbox. A MailTip is text that's displayed in
the InfoBar when this recipient is added to the To, Cc, or Bcc lines of a new email
message.

Note

MailTips can include HTML tags, but scripts aren't allowed. The length of a custom
MailTip can't exceed 175 displayed characters. HTML tags aren't counted in the
limit.

Use Exchange Online PowerShell to change equipment mailbox properties

Use the following sets of cmdlets to view and change equipment mailbox properties.

Get-User and Set-User: Use these cmdlets to view and set general properties such
as department and company names.
Get-Mailbox and Set-Mailbox: Use these cmdlets to view and set mailbox
properties, such as email addresses.
Get-CalendarProcessing and Set-CalendarProcessing: Use these cmdlets to view
and set booking options and delegates.
Get-MailboxFolderPermission and Set-MailboxFolderPermission: Use these cmdlets to view and modify delegate permissions on the Calendar folder of the equipment mailbox.

For information about these cmdlets, see the following topics:

Get-User
Set-User
Get-Mailbox
Set-Mailbox
Get-CalendarProcessing
Set-CalendarProcessing
Get-MailboxFolderPermission
Set-MailboxFolderPermission

Here are some examples of using Exchange Online PowerShell to change equipment mailbox properties.

This example changes the display name and primary SMTP address (called the default
reply address) for the MotorPool 1 equipment mailbox. The previous reply address is
kept as a proxy address.

PowerShell

Set-Mailbox "MotorPool 1" -DisplayName "Motor Pool 1 - Compact" -EmailAddresses SMTP:MP1.compact@contoso.com,smtp:MP.1@contoso.com

This example configures equipment mailboxes to allow booking requests to be scheduled only during working hours.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'EquipmentMailbox'" | Set-CalendarProcessing -ScheduleOnlyDuringWorkHours $true

This example does the following actions:

The Get-User cmdlet finds all equipment mailboxes in the Audio Visual department.
The Set-CalendarProcessing cmdlet sends booking requests to a delegate named
Ann Beebe to accept or decline.
The Set-MailboxFolderPermission cmdlet gives Ann the required Calendar folder
permissions to the equipment mailboxes.

PowerShell

$AV = Get-User -ResultSize unlimited -Filter "(RecipientTypeDetails -eq 'EquipmentMailbox') -and (Department -eq 'Audio Visual')"
$AV | foreach {Set-CalendarProcessing -Identity $_.Identity -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Ann Beebe"}
$AV | foreach {Set-MailboxFolderPermission -Identity "$_`:\Calendar" -User "Ann Beebe" -AccessRights Editor -SharingPermissionFlags Delegate}

How do you know this worked?

To verify that you've successfully changed properties for an equipment mailbox, do the following:

In the Classic Exchange admin center, select the mailbox and then click Edit to
view the property or feature that you changed. Depending on the property that
you changed, it might be displayed in the Details pane for the selected mailbox.

In Exchange Online PowerShell, use the Get-Mailbox cmdlet to verify the changes.
One advantage of using Exchange Online PowerShell is that you can view multiple
properties for multiple mailboxes. In the example above where booking requests
could be scheduled only during working hours, run the following command to
verify the new value.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'EquipmentMailbox'" | Get-CalendarProcessing | Format-List Identity,ScheduleOnlyDuringWorkHours
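The verification command above checks one property for all equipment mailboxes. The following function, an added example that is not part of the original article, extends that idea to a single report covering the booking settings and the Calendar folder delegates configured by the three-step procedure above. It assumes an active Exchange Online PowerShell session (after Connect-ExchangeOnline); the function name, the -Department parameter and the department value are illustrative.

```powershell
# Added example (not from the original article): report booking configuration
# and Calendar folder delegates for every equipment mailbox in one pass.
# Assumes an active Exchange Online PowerShell session. Function name is hypothetical.
function Get-EquipmentBookingReport {
    [CmdletBinding()]
    param(
        # Optional: restrict to one department, e.g. 'Audio Visual' (sample value).
        [string]$Department
    )

    $filter = "RecipientTypeDetails -eq 'EquipmentMailbox'"
    if ($Department) {
        # Department is a user-object attribute, so query Get-User as the article does.
        $resources = Get-User -ResultSize Unlimited -Filter "($filter) -and (Department -eq '$Department')"
    } else {
        $resources = Get-Mailbox -ResultSize Unlimited -Filter $filter
    }

    foreach ($res in $resources) {
        $cal = Get-CalendarProcessing -Identity $res.Identity

        # Calendar folder permissions, minus the Default and Anonymous entries
        # that every calendar folder carries, leaving only explicit delegates.
        $calDelegates = Get-MailboxFolderPermission -Identity "$($res.Identity):\Calendar" |
            Where-Object { "$($_.User)" -notin @('Default', 'Anonymous') }

        [pscustomobject]@{
            Mailbox                     = "$($res.Identity)"
            AutomateProcessing          = $cal.AutomateProcessing
            ScheduleOnlyDuringWorkHours = $cal.ScheduleOnlyDuringWorkHours
            AllBookInPolicy             = $cal.AllBookInPolicy
            AllRequestInPolicy          = $cal.AllRequestInPolicy
            ResourceDelegates           = ($cal.ResourceDelegates | ForEach-Object { "$_" }) -join '; '
            # A resource delegate without Editor + Delegate on the Calendar folder
            # receives requests but cannot act on them, so show both side by side.
            CalendarFolderDelegates     = ($calDelegates | ForEach-Object {
                                              "$($_.User) [$($_.AccessRights -join ',')]" +
                                              $(if ($_.SharingPermissionFlags) { " ($($_.SharingPermissionFlags))" })
                                          }) -join '; '
        }
    }
}

# Usage: whole tenant, or one department as in the article's example.
Get-EquipmentBookingReport | Format-Table -AutoSize
Get-EquipmentBookingReport -Department 'Audio Visual' | Format-List
```

Rows where AllBookInPolicy is still True, or where a name appears under ResourceDelegates but not under CalendarFolderDelegates, are the ones the procedure above did not fully apply.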
Manage permissions for recipients in Exchange Online
Article • 02/22/2023

Important

Check out the new Exchange admin center! The experience is modern, intelligent,
accessible, and better. Personalize your dashboard, manage cross tenant migration,
experience the improved Groups feature, and more. Try it now !

In Exchange Online, you can use the Exchange admin center (EAC) or Exchange Online
PowerShell to assign permissions to a mailbox or group so that other users can access
the mailbox (the Full Access permission), or send email messages that appear to come
from the mailbox or group (the Send As or Send on Behalf permissions). The users that
are assigned these permissions on other mailboxes or groups are called delegates.

The permissions that you can assign to delegates for mailboxes and groups in Exchange
Online are described in the following table:

Note: Although you might be able to use Exchange Online PowerShell to assign some or all
of these permissions to other delegate types on other kinds of recipient objects, this
article focuses on the delegate and recipient object types that produce useful results.

Permission: Full Access
Description: Allows the delegate to open the mailbox, and view, add and remove the
contents of the mailbox. Doesn't allow the delegate to send messages from the
mailbox.
If you assign the Full Access permission to a mailbox that's hidden from address
lists, the delegate won't be able to open the mailbox. By default, discovery
mailboxes are hidden from address lists.
By default, the mailbox auto-mapping feature uses Autodiscover to automatically
open the mailbox in the delegate's Outlook profile (in addition to their own
mailbox). Note that auto-mapping will only work for individual users granted the
proper permissions and will not work for any kind of group. If you don't want
mailboxes to be auto-mapped, you need to take one of the following actions:
Use the Add-MailboxPermission cmdlet in Exchange Online PowerShell to assign
the Full Access permission with the -AutoMapping $false setting. For more
information, see the Use Exchange Online PowerShell to assign the Full Access
permission to mailboxes section in this article.
Assign the Full Access permission to a mail-enabled security group. The
mailbox won't open in the Outlook profile of each member.
Recipient types in the EAC: User mailboxes, Resource mailboxes, Shared mailboxes
Additional recipient types in PowerShell: Discovery mailboxes
Available delegate types: Mailboxes with user accounts, Mail users with accounts,
Mail-enabled security groups

Permission: Send As
Description: Allows the delegate to send messages as if they came directly from
the mailbox or group. There's no indication that the message was sent by the
delegate.
Doesn't allow the delegate to read the contents of the mailbox.
If you assign the Send As permission to a mailbox that's hidden from address
lists, the delegate won't be able to send messages from the mailbox.
Recipient types in the EAC: User mailboxes, Resource mailboxes, Shared mailboxes,
Distribution groups, Dynamic distribution groups, Mail-enabled security groups,
Microsoft 365 groups
Additional recipient types in PowerShell: n/a
Available delegate types: Mailboxes with user accounts, Mail users with accounts,
Mail-enabled security groups

Permission: Send on Behalf
Description: Allows the delegate to send messages from the mailbox or group. The
From address of these messages clearly shows that the message was sent by the
delegate ("<Delegate> on behalf of <MailboxOrGroup>"). However, replies to these
messages are sent to the mailbox or group, not to the delegate.
Doesn't allow the delegate to read the contents of the mailbox.
If you assign the Send on Behalf permission to a mailbox that's hidden from
address lists, the delegate won't be able to send messages from the mailbox.
Recipient types in the EAC: User mailboxes, Resource mailboxes, Distribution
groups, Dynamic distribution groups, Mail-enabled security groups, Microsoft 365
groups
Additional recipient types in PowerShell: Shared mailboxes
Available delegate types: Mailboxes with user accounts, Mail users with accounts,
Mail-enabled security groups, Distribution groups

Note

If a user has both Send As and Send on Behalf permissions to a mailbox or group,
the Send As permission is always used.

What do you need to know before you begin?


Estimated time to complete each procedure: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mailbox settings" entry in
the Feature permissions in Exchange Online article.

To open and use the EAC, see Exchange admin center in Exchange Online. To
connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

When a mailbox is added to Outlook using Advanced Settings, only the primary
mailbox will be added; the archive mailbox won't be added. If a user needs to also
access the archive mailbox, the mailbox should be added to Outlook as a second
account in the same Outlook profile.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the EAC to assign permissions to individual mailboxes

1. In the EAC, click Recipients in the feature pane. Depending on the type of mailbox
that you want to assign permissions for, click on one of the following tabs:

Mailboxes: User or linked mailboxes.
Resources: Room or equipment mailboxes.
Shared: Shared mailboxes.
2. In the list of mailboxes, select the mailbox that you want to assign permissions for,
and then click Edit .

3. On the mailbox properties page that opens, click Mailbox delegation and
configure one or more of the following permissions:

Send As: Messages sent by a delegate appear to come from the mailbox.
Send on Behalf: Messages sent by a delegate have " <Delegate> on behalf of
<Mailbox>" in the From address. Note that this permission isn't available in
the EAC for shared mailboxes.
Full Access: The delegate can open the mailbox and do anything except send
messages.

To assign permissions to delegates, click Add under the appropriate permission.


A dialog box appears that lists the users or groups that can have the permission
assigned to them. Select the user or group from the list, and then click Add.
Repeat this process as many times as necessary. You can also search for users or
groups in the search box by typing all or part of the name, and then clicking
Search . When you're finished selecting delegates, click OK.

To remove a permission from a delegate, select the delegate in the list under the
appropriate permission, and then click Remove .

4. When you're finished, click Save.

Use the EAC to assign permissions to multiple mailboxes at the same time

1. In the EAC, go to Recipients > Mailboxes.

2. Select the mailboxes that you want to assign permissions for. Use click + Shift key
+ click to select a range of mailboxes, or Ctrl key + click to select multiple
individual mailboxes. The title of the details pane changes to Bulk Edit as shown in
the following diagram.
3. At the bottom of the details pane, click More options. Under the Mailbox
Delegation option that appears, choose Add or Remove. Depending on your
selection, do one of the following steps:

Add: In the Bulk Add Delegation dialog box that appears, click Add under
the appropriate permission (Send As, Send on Behalf, or Full Access). When
you're finished selecting users or groups to add as delegates, click Save.
Remove: In the Bulk Remove Delegation dialog box that appears, click Add
under the appropriate permission (Send As, Send on Behalf, or Full
Access). When you're finished selecting users or groups to remove from the
existing delegates, click Save.

Use the EAC to assign permissions to groups

1. In the EAC, go to Recipients > Groups.

2. In the list of groups, select the group that you want to assign permissions for, and
then click Edit .

3. On the group properties page that opens, click Group delegation and configure
one of the following permissions:

Send As: Messages sent by a delegate appear to come from the group.
Send on Behalf: Messages sent by a delegate have " <Delegate> on behalf of
<Group>" in the From address.
4. To assign permissions to delegates, click Add under the appropriate permission.
A dialog box appears that lists the users or groups that can have the permission
assigned to them. Select the user or group from the list, and then click Add.
Repeat this process as many times as necessary. You can also search for users or
groups in the search box by typing all or part of the name, and then clicking
Search . When you're finished selecting delegates, click OK.

To remove a permission from a delegate, select the delegate in the list under the
appropriate permission, and then click Remove .

5. When you're finished, click Save.

Use Exchange Online PowerShell to assign the Full Access permission to mailboxes

You use the Add-MailboxPermission and Remove-MailboxPermission cmdlets to
manage the Full Access permission for mailboxes. These cmdlets use the same basic
syntax:

PowerShell

Add-MailboxPermission -Identity <MailboxIdentity> -User <DelegateIdentity> -AccessRights FullAccess -InheritanceType All [-AutoMapping $false]

PowerShell

Remove-MailboxPermission -Identity <MailboxIdentity> -User <DelegateIdentity> -AccessRights FullAccess -InheritanceType All

This example assigns the delegate Raymond Sam the Full Access permission to the
mailbox of Terry Adams.

PowerShell

Add-MailboxPermission -Identity "Terry Adams" -User raymonds -AccessRights FullAccess -InheritanceType All

This example assigns Esther Valle the Full Access permission to the organization's
default discovery search mailbox, and prevents the mailbox from automatically opening
in Esther Valle's Outlook.

PowerShell

Add-MailboxPermission -Identity "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -User estherv -AccessRights FullAccess -InheritanceType All -AutoMapping $false

This example assigns members of the Helpdesk mail-enabled security group the Full
Access permission to the shared mailbox named Helpdesk Tickets.

PowerShell

Add-MailboxPermission -Identity "Helpdesk Tickets" -User Helpdesk -AccessRights FullAccess -InheritanceType All

This example removes Full Access permission for Jim Hance from Ayla Kol's mailbox.

PowerShell

Remove-MailboxPermission -Identity ayla -User "Jim Hance" -AccessRights FullAccess -InheritanceType All

For detailed syntax and parameter information, see:

Add-MailboxPermission.
Remove-MailboxPermission.

How do you know this worked?


To verify that you've successfully assigned or removed the Full Access permission for a
delegate on a mailbox, use either of the following procedures:

In the properties of the mailbox in the EAC, verify the delegate is or isn't listed in
Mailbox delegation > Full Access.

Replace <MailboxIdentity> with the identity of the mailbox and run the following
command in Exchange Online PowerShell to verify that the delegate is or isn't
listed.

PowerShell

Get-MailboxPermission <MailboxIdentity> | where {$_.AccessRights -like 'Full*'} | Format-Table User,Deny,IsInherited,AccessRights -Auto

For more information, see Get-MailboxPermission.


Use Exchange Online PowerShell to assign the
Send As permission to mailboxes and groups
You use the Add-RecipientPermission and Remove-RecipientPermission cmdlets to
manage the Send As permission for mailboxes and groups. These cmdlets use the same
basic syntax:

PowerShell

<Add-RecipientPermission | Remove-RecipientPermission> -Identity <MailboxOrGroupIdentity> -Trustee <DelegateIdentity> -AccessRights SendAs

This example assigns the Send As permission to the Printer Support group on the
shared mailbox named Contoso Printer Support.

PowerShell

Add-RecipientPermission -Identity "Contoso Printer Support" -Trustee "Printer Support" -AccessRights SendAs

This example removes the Send As permission for the user Karen Toh on the mailbox for
Yan Li.

PowerShell

Remove-RecipientPermission -Identity "Yan Li" -Trustee "Karen Toh" -AccessRights SendAs

For detailed syntax and parameter information, see:

Add-RecipientPermission
Remove-RecipientPermission

How do you know this worked?


To verify that you've successfully assigned or removed the Send As permission for a
delegate on a mailbox or group, use either of the following procedures:

In the properties of the mailbox or group in the EAC, verify the delegate is or isn't
listed in Mailbox delegation > Send As or Group delegation > Send As.

Replace <MailboxIdentity> and <DelegateIdentity> with the name, alias, or email
address of the mailbox or group and run the following command in Exchange
Online PowerShell to verify that the delegate is or isn't listed.

PowerShell

Get-RecipientPermission -Identity <MailboxIdentity> -Trustee <DelegateIdentity>

Use Exchange Online PowerShell to assign the Send on Behalf permission to mailboxes and groups

You use the GrantSendOnBehalfTo parameter on the various mailbox and group Set- cmdlets
to manage the Send on Behalf permission for mailboxes and groups:

Set-Mailbox
Set-DistributionGroup: Distribution groups and mail-enabled security groups.
Set-DynamicDistributionGroup
Set-UnifiedGroup: Microsoft 365 groups.

The basic syntax for these cmdlets is:

PowerShell

<Cmdlet> -Identity <MailboxOrGroupIdentity> -GrantSendOnBehalfTo <Delegates>

The GrantSendOnBehalfTo parameter has the following options for delegate values:

Replace existing delegates: <DelegateIdentity> or "<DelegateIdentity1>","<DelegateIdentity2>",...

Add or remove delegates without affecting other delegates: @{Add="<value1>","<value2>"...; Remove="<value1>","<value2>"...}

Remove all delegates: Use the value $null.

This example assigns the delegate Holly Holt the Send on Behalf permission to the
mailbox of Sean Chai.

PowerShell

Set-Mailbox -Identity seanc@contoso.com -GrantSendOnBehalfTo hollyh


This example adds the group tempassistants@contoso.com to the list of delegates that
have Send on Behalf permission to the Contoso Executives shared mailbox.

PowerShell

Set-Mailbox "Contoso Executives" -GrantSendOnBehalfTo @{Add="tempassistants@contoso.com"}

This example assigns the delegate Sara Davis the Send on Behalf permission to the
Printer Support distribution group.

PowerShell

Set-DistributionGroup -Identity printersupport@contoso.com -GrantSendOnBehalfTo sarad

This example removes the Send on Behalf permission that was assigned to the
administrator on the All Employees dynamic distribution group.

PowerShell

Set-DynamicDistributionGroup "All Employees" -GrantSendOnBehalfTo @{Remove="Administrator"}

How do you know this worked?


To verify that you've successfully assigned or removed the Send on Behalf permission for
a delegate on a mailbox or group, use either of the following procedures:

In the properties of the mailbox or group in the EAC, verify the delegate is or isn't
listed in Mailbox delegation > Send As or Group delegation > Send As.

Replace <MailboxIdentity> or <GroupIdentity> with the identity of the mailbox or
group and run one of the following commands in Exchange Online PowerShell
to verify that the delegate is or isn't listed.

Mailbox:

PowerShell

Get-Mailbox -Identity <MailboxIdentity> | Format-List GrantSendOnBehalfTo

Distribution group or mail-enabled security group:

PowerShell

Get-DistributionGroup -Identity <GroupIdentity> | Format-List GrantSendOnBehalfTo

Dynamic distribution group:

PowerShell

Get-DynamicDistributionGroup -Identity <GroupIdentity> | Format-List GrantSendOnBehalfTo

Microsoft 365 group:

PowerShell

Get-UnifiedGroup -Identity <GroupIdentity> | Format-List GrantSendOnBehalfTo
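The three "How do you know this worked?" sections above each verify one permission on one mailbox. The following function, an added example that is not part of the original article, combines the same Get-MailboxPermission, Get-RecipientPermission and GrantSendOnBehalfTo checks into a tenant-wide inventory of Full Access, Send As and Send on Behalf delegates, and flags the case the permissions table warns about: Full Access or Send As granted on a mailbox that is hidden from address lists. It assumes an active Exchange Online PowerShell session; the function name and the CSV path are illustrative.

```powershell
# Added example (not from the original article): inventory all three delegate
# permissions on every mailbox. Assumes an active Exchange Online PowerShell
# session; function name and output path are hypothetical.
function Get-MailboxDelegationInventory {
    [CmdletBinding()]
    param(
        [string[]]$RecipientTypeDetails = @('UserMailbox', 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox')
    )

    # Every mailbox carries an entry for its own owner; it is not a delegation.
    $self = 'NT AUTHORITY\SELF'
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $RecipientTypeDetails

    foreach ($mbx in $mailboxes) {
        # Common columns. HiddenFromAddressListsEnabled is carried along because
        # Full Access and Send As do not work against a mailbox hidden from address lists.
        $base = @{
            Mailbox       = "$($mbx.PrimarySmtpAddress)"
            MailboxType   = "$($mbx.RecipientTypeDetails)"
            HiddenFromGAL = $mbx.HiddenFromAddressListsEnabled
        }

        # Full Access: explicit (non-inherited) Allow entries, owner excluded.
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny -and "$($_.User)" -ne $self } |
            ForEach-Object { [pscustomobject]($base + @{ Permission = 'FullAccess'; Delegate = "$($_.User)" }) }

        # Send As: Allow entries for a trustee other than the owner.
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessRights -contains 'SendAs' -and $_.AccessControlType -eq 'Allow' -and "$($_.Trustee)" -ne $self } |
            ForEach-Object { [pscustomobject]($base + @{ Permission = 'SendAs'; Delegate = "$($_.Trustee)" }) }

        # Send on Behalf: stored on the mailbox object itself.
        foreach ($d in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]($base + @{ Permission = 'SendOnBehalf'; Delegate = "$d" })
        }
    }
}

# Usage: full export for review, then the entries that cannot work as intended.
$inventory = Get-MailboxDelegationInventory
$inventory | Sort-Object Mailbox, Permission | Export-Csv -Path .\mailbox-delegations.csv -NoTypeInformation
$inventory | Where-Object { $_.HiddenFromGAL -and $_.Permission -in 'FullAccess', 'SendAs' } | Format-Table -AutoSize
```

Send on Behalf on distribution, dynamic distribution and Microsoft 365 groups is not covered by Get-Mailbox; the same GrantSendOnBehalfTo property is read from Get-DistributionGroup, Get-DynamicDistributionGroup and Get-UnifiedGroup, as the verification commands above show, and can be appended to the inventory in the same shape.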

Next steps
For more information about how delegates can use the permissions that are assigned to
them on mailboxes and groups, see the following articles:

Access another person's mailbox
Open and use a shared mailbox in Outlook for Windows
Open and use a shared mailbox in Outlook on the web
Send email from or on behalf of an Office 365 group

Manage Facebook contact sync in your organization in Exchange Online
Article • 02/22/2023

Important

Facebook integration is no longer available. For more information, see Facebook
Connect is no longer available.

Facebook contact synchronization lets people set up a connection between their
Facebook account and their Microsoft 365 or Office 365 account by using Outlook on
the web (formerly known as Outlook Web App). After they set up a Facebook
connection, all their Facebook friends are listed as contacts in People in Microsoft 365 or
Office 365. They can then interact with their Facebook friends as they do with their other
contacts. Facebook contact sync is turned on by default if the feature is available in your
region.

Tip

As an administrator, you probably want to keep Facebook contact sync turned
on if your organization uses Facebook for business purposes, such as
networking and marketing. Turn it off if you don't want your users to
download their Facebook friends as contacts in Outlook on the web. For
information about how people set up Facebook contact sync, see Manage
Facebook contact sync in your organization.

The features that are available to your Microsoft 365 or Office 365
organization are determined by the service plan for your account. Some
features aren't available to mailboxes or organizations in specific regions.

Turn Facebook contact sync on or off

You turn Facebook contact sync on or off for users in your organization by using
Outlook on the web mailbox policy (formerly known as Outlook Web App mailbox
policy) settings. Similar to other Outlook on the web mailbox policy settings, you can
change the settings for Facebook contact sync by using the Exchange admin center
(EAC) or Exchange Online PowerShell. For detailed information about managing Outlook
on the web mailbox policy settings, see View or configure Outlook on the web mailbox
policy properties.

For more information

The information for each Facebook friend is stored as a read-only contact record in the
Facebook folder in People. The information that's synchronized between Facebook and
Outlook on the web includes first name, last name, all phone numbers, all email
addresses, and all street addresses. Facebook contacts are stored in the user's mailbox
and are retained in accordance with the Microsoft 365 or Office 365 service agreement.

During the Outlook on the web and Facebook connection setup, the contacts in the
user's default contacts folder are uploaded to Facebook as part of a one-time
synchronization with Facebook. Facebook uses this contact information as part of the
"People you may know" friend suggestions on Facebook. The one-time upload of
information also allows Facebook to include the information for your users' Outlook on
the web contacts in Facebook applications that your users may choose to use, for
example, mobile phone applications.

For information about how your users can set up a connection to Facebook using a
desktop version of Outlook, see Social Connector for Microsoft Outlook .
Manage LinkedIn contact sync in your organization in Exchange Online
Article • 02/22/2023

Important

LinkedIn integration is no longer available.

LinkedIn contact synchronization lets people set up a connection between their LinkedIn
account and their Microsoft 365 or Office 365 account by using Outlook on the web
(formerly known as Outlook Web App). After they set up LinkedIn contact sync, all their
LinkedIn connections are listed as contacts in People in Microsoft 365 or Office 365.
They can then interact with their LinkedIn connections as they do with other contacts.
LinkedIn contact sync is turned on by default if the feature is available for your region.

Tip

As an admin, you probably want to keep LinkedIn contact sync turned on if your
organization uses LinkedIn for business purposes, such as networking and
marketing. Turn it off if you don't want your users to download their LinkedIn
connections as contacts in Outlook on the web.

The features that are available to your Microsoft 365 or Office 365 organization are
determined by the service plan for your account. Some features aren't available to
mailboxes or organizations in specific regions.

Turn LinkedIn contact sync on or off

You turn LinkedIn contact sync on or off for users in your organization by using Outlook
on the web mailbox policy (formerly known as Outlook Web App mailbox policy)
settings. Similar to other Outlook on the web mailbox policy settings, you can change
the settings for LinkedIn contact sync by using the Exchange admin center (EAC) or
Exchange Online PowerShell. For detailed information about managing Outlook on the
web mailbox policy settings, see View or configure Outlook on the web mailbox policy
properties.

For more information

The information for each LinkedIn contact is stored as a read-only contact record in the
LinkedIn folder in People. The information that's synchronized between LinkedIn and
Outlook on the web includes first name, last name, all phone numbers, all email
addresses, and all street addresses. LinkedIn contacts are stored in the user's mailbox
and are retained in accordance with the Microsoft 365 or Office 365 service plan. For
information about how your users can set up a connection to LinkedIn using a desktop
version of Outlook, have them check out Social Connector for Microsoft Outlook .
Restore deleted email conversations from Microsoft 365 Groups
Article • 05/16/2023

If you have accidentally deleted any email conversations from Microsoft 365 Group and
are looking for a way to restore the email conversation, you can restore them using one
of the following options:

Restore deleted items from OWA

Use Restore-RecoverableItems command

Restore the deleted items from Outlook Web Application (OWA)

Prerequisite:

Ensure Folders and Rules feature for Microsoft 365 groups is enabled.

Ensure you're the owner of the group to and from which you're trying to restore
the deleted items.

1. Sign in to OWA.

2. Select the Microsoft 365 Group.

3. If the Deleted Items folder isn't visible, right-click the group, and select the Create
new subfolder option.

4. Enter the name of the folder, and select Save to create a folder.

You can expand the group now and see the Deleted Items folder along with the
new folder you created.

5. Select the Deleted Items folder, select the messages that need to be restored, and
select Restore.
The messages are restored under the Inbox folder of the Microsoft 365 group.

Use Restore-RecoverableItems command

If the deleted messages aren't present under the Deleted Items folder, do the following:

Prerequisite:

Ensure you're a tenant admin to use this command.

1. Sign in to EXO PowerShell.

2. Use the following command to restore all emails from RecoverableItems folder to
Inbox:

PowerShell

Restore-RecoverableItems -Identity <M365GroupEmailAddress>

You can further filter the message to be restored by using various options mentioned in
Restore-RecoverableItems.
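As an added example that is not part of the original article, the following sequence narrows the restore with the filter parameters of Restore-RecoverableItems and, before restoring anything, lists the matching items with Get-RecoverableItems, which takes the same filters. It assumes an active Exchange Online PowerShell session with the tenant admin rights noted above; the group address, the date window and the subject text are constructed sample values.

```powershell
# Added example (not from the original article): preview, dry-run, then restore
# a narrowed set of deleted group conversations. Values below are constructed.
$group = 'projectteam@contoso.com'

# Restrict to mail items (IPM.Note) deleted within a known window whose subject
# contains a keyword, instead of restoring the whole Recoverable Items folder.
$filter = @{
    Identity        = $group
    FilterItemType  = 'IPM.Note'
    FilterStartTime = '05/01/2023 00:00:00'
    FilterEndTime   = '05/15/2023 23:59:59'
    SubjectContains = 'Budget'
}

# Step 1: list candidates without changing anything.
$candidates = @(Get-RecoverableItems @filter)
$candidates | Format-Table Subject, LastModifiedTime, ItemClass, OriginalFolderPath -AutoSize

# Step 2: dry run with -WhatIf, then the real restore once the list looks right.
if ($candidates.Count -gt 0) {
    Restore-RecoverableItems @filter -WhatIf
    Restore-RecoverableItems @filter
}
```

The hashtable is splatted into both cmdlets so the preview and the restore always use the same filter; editing one line changes both.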

For example:

Related article:
Restore a deleted Microsoft 365 group
Security and compliance for Exchange Online
Article • 02/22/2023

Email has become a reliable and ubiquitous communication medium for information
workers in organizations of all sizes. Messaging stores and mailboxes have become
repositories of valuable data. It's important for organizations to formulate messaging
policies that dictate the fair use of their messaging systems, provide user guidelines for
how to act on the policies, and where required, provide details about the types of
communication that may not be allowed.

Organizations must also create policies to manage email lifecycle, retain messages for
the length of time based on business, legal, and regulatory requirements, preserve email
records for litigation and investigation purposes, and be prepared to search and provide
the required email records to fulfill eDiscovery requests.

Sensitive information such as intellectual property, trade secrets, business plans, and
personally identifiable information (PII) collected or handled by your organization must
also be protected against leakage.

Security and compliance in Exchange Online

The following table provides an overview of the security and compliance features in
Exchange Online and includes links to topics that will help you learn about and manage
these features.

Feature: Archive mailboxes in Exchange Online
Description: Archive mailboxes (called In-Place Archiving) let people in your Microsoft 365 or
Office 365 organization take control of messaging data by providing additional
email storage. People can use Outlook or Outlook on the web (formerly known as
Outlook Web App) to view messages in their archive mailbox and move or copy
messages between their primary and archive mailboxes.

Feature: Litigation Hold
Description: Litigation Hold allows you to preserve or archive mailbox content for compliance
and eDiscovery.

Feature: Inactive mailboxes in Exchange Online
Description: You can preserve the contents of deleted mailboxes indefinitely by using inactive
mailboxes. You can make an inactive mailbox by placing an In-Place Hold or a
Litigation Hold on the mailbox, and then deleting the corresponding user
account. In addition to preserving mailbox contents, administrators or compliance
officers can use Content Search in the Microsoft Purview compliance portal to
search the contents of an inactive mailbox.

Feature: Data loss prevention
Description: Data loss prevention (DLP) helps you identify and monitor sensitive information,
such as private identification numbers, credit card numbers, or standard forms
used in your organization. You can set up DLP policies to notify users that they are
sending sensitive information or block the transmission of sensitive information.

Feature: Exchange auditing reports
Description: You can use the auditing functionality in Exchange Online to track changes made
to your Exchange Online configuration by Microsoft and by your organization's
administrators, and to audit mailbox access by persons other than the mailbox
owner. In Exchange Online, audited actions are recorded and available to view in
an online report or export to a file.

Feature: Messaging records management (MRM)
Description: Messaging records management (MRM) helps your organization manage email
lifecycle to meet business and regulatory requirements and reduce the legal risks
associated with email. In Exchange Online, you can use In-Place Hold or Litigation
Hold to preserve email and Retention tags and retention policies to archive and
delete email.

Feature: Information Rights Management in Exchange Online
Description: Information Rights Management (IRM) helps you and your users control who can
access, forward, print, or copy sensitive data within an email. IRM can use your
on-premises Active Directory Rights Management Services (AD RMS) server.

Feature: Message Encryption FAQ
Description: Message Encryption allows you to send encrypted messages to people inside or
outside your organization, regardless of the destination email service, whether it's
Outlook.com, Yahoo, Gmail, or another service. Designated recipients can send
encrypted replies. Message Encryption combines email encryption and rights
management capabilities. Rights management capabilities are powered by Azure
Information Protection.

Feature: S/MIME for Message Signing and Encryption
Description: Secure/Multipurpose Internet Mail Extensions (S/MIME) allows email users to help
protect sensitive information by sending signed and encrypted email within their
organization. As an administrator, you can enable S/MIME-based security for your
organization if you have mailboxes in either Exchange Server or Exchange Online.

Feature: Journaling in Exchange Online
Description: Journaling can help you meet legal, regulatory, and organizational compliance
requirements by recording inbound and outbound email communications. In
Exchange Online, you can create journal rules to deliver journal reports to your
on-premises mailbox or archiving system, or to an external archiving service.

Feature: Mail flow rules (transport rules) in Exchange Online
Description: You can use mail flow rules (also known as transport rules) to inspect messages
sent or received by your users and take actions such as blocking or bouncing a
message, holding it for review by a manager or an administrator or delivering a
copy to another recipient if the message matches specified conditions.

Modify archive policies in Exchange Online
Article • 02/22/2023

In Exchange Online, you can use archive policies to automatically move mailbox items to
personal (on-premises) or cloud-based archives. Archive policies are retention tags that
use the Move to Archive retention action.

Exchange Setup creates a retention policy called Default MRM Policy. This policy has a
default policy tag (DPT) assigned that moves items to the archive mailbox after two
years. The policy also includes a number of personal tags that users can apply to folders
or mailbox items to automatically move or delete messages. If a mailbox doesn't have a
retention policy assigned when it's archive-enabled, the Default MRM Policy is
automatically applied to it by Exchange. You can also create your own archive and
retention policies and apply them to mailbox users. To learn more, see Retention tags
and retention policies.

You can modify retention tags included in the default policy to meet your business
requirements. For example, you can modify the archive DPT to move items to the
archive after three years instead of two. You can also create additional personal tags and
either add them to a retention policy, including the Default MRM Policy, or allow users
to add personal tags to their mailboxes from Outlook on the web (formerly known as
Outlook Web App) Options.

For additional management tasks related to archives, see Enable archive mailboxes in
the Microsoft Purview compliance portal.

Note

In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox
for an on-premises primary mailbox. If you assign an archive policy to an on-
premises mailbox, items are moved to the cloud-based archive. If an item is moved
to the archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the
on-premises mailbox is placed on hold, an archive policy will still move items to the
cloud-based archive mailbox where they are preserved for the duration specified by
the hold.

What do you need to know before you begin?

Estimated time to completion: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Messaging records
management" entry in the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the classic EAC to modify the default archive policy

1. Navigate to Compliance management > Retention tags.

2. In the list view, select the tag Default 2 year move to archive and then click Edit .

Tip

You can click the TYPE column to sort retention tags by type. The default
archive policy is displayed as type Default and has the Archive retention
action. Alternatively, click NAME to sort retention tags by name.

3. In Retention Tag, view or modify the following settings, and then click Save:

Name: Use this box at the top of the page to view or change the tag name.

Retention tag type: This read-only field displays the tag type.

Retention action: Don't modify this field for archive policies.

Retention period: Select one of the following options:

Never: Click this button to disable the tag. If the DPT is disabled, the tag is no
longer applied to the mailbox.

Important

Items that have a disabled retention tag applied aren't processed by
the Mailbox Assistant. If you want to prevent a tag from being applied
to items, we recommend disabling the tag rather than deleting it.
When you delete a tag, the tag configuration is deleted from Active
Directory, and the Mailbox Assistant processes all messages to
remove the deleted tag.

If a user applies a tag to an item believing the item will never be
moved, enabling the tag later may move items the user wanted to
retain in the primary mailbox.

When the item reaches the following age (in days): Click this button to
specify that items be moved to archive after a certain period. By default, this
setting is configured to move items to the archive after two years (730 days).
To modify this setting, in the corresponding text box, type the number of
days in the retention period. The range of values is from 1 through 24,855
days.

Comment: Use this box to type a comment that will be displayed to Outlook
and Outlook on the web users.

Use Exchange Online PowerShell to modify archive policies

This example modifies the Default 2 year move to archive tag to move items after
1,095 days (3 years).

PowerShell

Set-RetentionPolicyTag "Default 2 year move to archive" -Name "Default 3 year move to archive" -AgeLimitForRetention 1095

This example disables the Default 2 year move to archive tag.

PowerShell

Set-RetentionPolicyTag "Default 2 year move to archive" -RetentionEnabled $false

This example retrieves all archive DPTs and personal tags and disables them.

PowerShell

Get-RetentionPolicyTag | ? {$_.RetentionAction -eq "MoveToArchive"} | Set-RetentionPolicyTag -RetentionEnabled $false

For detailed syntax and parameter information, see Set-RetentionPolicyTag and Get-
RetentionPolicyTag.

How do you know this worked?

Use the Get-RetentionPolicyTag cmdlet to retrieve settings of the retention tag.

This command retrieves properties of the Default 2 year move to archive retention tag
and pipes the output to the Format-List cmdlet to display all properties in a list format.

PowerShell

Get-RetentionPolicyTag "Default 2 year move to archive" | Format-List
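
The following script, added here as an example and not part of the original article,
combines the modify and verify steps above: it audits the archive tags, changes the
default archive DPT to a new age limit, and reads the tag back to confirm the change.
It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline);
the function name Set-ArchiveDefaultTagAgeLimit is the example's own, not an Exchange
cmdlet.

```powershell
# Added example, not part of the original article. Combines the modify and verify
# steps: audit the archive tags, change the default archive DPT to a new age limit,
# then read it back with Get-RetentionPolicyTag to confirm the change.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
# The function name is the example's own, not an Exchange cmdlet.

function Set-ArchiveDefaultTagAgeLimit {
    param(
        [Parameter(Mandatory)] [string] $CurrentName,  # tag to modify
        [Parameter(Mandatory)] [string] $NewName,      # new display name for the tag
        [Parameter(Mandatory)] [ValidateRange(1, 24855)] [int] $Days  # range given in the article
    )

    # Only archive tags should be touched here: the article says the retention action
    # of an archive policy must not be modified, so check it instead of assuming it.
    $tag = Get-RetentionPolicyTag -Identity $CurrentName -ErrorAction Stop
    if ($tag.RetentionAction -ne 'MoveToArchive') {
        throw "Tag '$CurrentName' has action '$($tag.RetentionAction)', not MoveToArchive."
    }

    Set-RetentionPolicyTag -Identity $CurrentName -Name $NewName -AgeLimitForRetention $Days

    # Verification ("How do you know this worked?"): AgeLimitForRetention comes back as a
    # time span such as 1095.00:00:00, so convert it before comparing to the requested days.
    $after = Get-RetentionPolicyTag -Identity $NewName -ErrorAction Stop
    $actualDays = ([TimeSpan] "$($after.AgeLimitForRetention)").TotalDays
    if ($actualDays -ne $Days) {
        throw "Expected an age limit of $Days days on '$NewName', found $actualDays."
    }
    $after | Format-List Name, Type, RetentionAction, RetentionEnabled, AgeLimitForRetention
}

# Audit first: list every archive tag (default and personal) with its enabled state, so
# you know which tags users may already have applied before disabling or renaming any.
Get-RetentionPolicyTag |
    Where-Object { $_.RetentionAction -eq 'MoveToArchive' } |
    Select-Object Name, Type, RetentionEnabled, AgeLimitForRetention |
    Format-Table -AutoSize

Set-ArchiveDefaultTagAgeLimit -CurrentName 'Default 2 year move to archive' `
                              -NewName 'Default 3 year move to archive' -Days 1095
```

The audit listing is there because disabling a tag that users have applied to items
changes what the Managed Folder Assistant does with those items; seeing the full set
of archive tags and their enabled state before the change avoids surprises.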


In-Place Hold and Litigation Hold in Exchange Online
Article • 02/22/2023

Important

Please refer to the Microsoft 365 security center and the Microsoft
Purview compliance portal for Exchange security and compliance features.
They are no longer available in the new Exchange admin center.

As we continue to invest in different ways to preserve mailbox content, we're
announcing the retirement of In-Place Holds in the Exchange admin center
(EAC) in Exchange Online. Starting July 1, 2020, you won't be able to create
new In-Place Holds. But you'll still be able to manage In-Place Holds in the
EAC or by using the Set-MailboxSearch cmdlet in Exchange Online
PowerShell. However, starting October 1, 2020, you won't be able to manage
In-Place Holds. You'll only be able to remove them in the EAC or by using the
Remove-MailboxSearch cmdlet. Using In-Place Holds in Exchange Server and
Exchange hybrid deployments will still be supported. You will also still be able
to place mailboxes on Litigation Hold. For more information about the
retirement of In-Place Holds in Exchange Online, see Retirement of legacy
eDiscovery tools.

When a reasonable expectation of litigation exists, organizations are required to
preserve electronically stored information (ESI), including email that's relevant to the
case. This expectation often exists before the specifics of the case are known, and
preservation is often broad. Organizations may need to preserve all email related to a
specific article or all email for certain individuals. Depending on the organization's
electronic discovery (eDiscovery) practices, the following measures can be adopted to
preserve email:

End users may be asked to preserve email by not deleting any messages. However,
users can still delete email knowingly or inadvertently.

Automated deletion mechanisms such as messaging records management (MRM)
may be suspended. This could result in large volumes of email cluttering the user
mailbox, and thus impacting user productivity. Suspending automated deletion
also doesn't prevent users from manually deleting email.

Some organizations copy or move email to an archive to make sure it isn't deleted,
altered, or tampered with. This increases costs due to the manual efforts required to
copy or move messages to an archive, or third-party products used to collect and
store email outside Exchange.

Failure to preserve email can expose an organization to legal and financial risks such as
scrutiny of the organization's records retention and discovery processes, adverse legal
judgments, sanctions, or fines.

You can use In-Place Hold or Litigation Hold to accomplish the following goals:

Place user mailboxes on hold and preserve mailbox items immutably.

Preserve mailbox items deleted by users or automatic deletion processes such as
MRM.

Use query-based In-Place Hold to search for and retain items matching specified
criteria.

Preserve items indefinitely or for a specific duration.

Place a user on multiple holds for different cases or investigations.

Keep holds transparent from the user by not having to suspend MRM.

Enable In-Place eDiscovery searches of items placed on hold.

In-Place Hold scenarios

In previous versions of Exchange, the notion of legal hold is to hold all mailbox data for
a user indefinitely or until the hold is removed. In Exchange Online, In-Place Hold
includes a new model that allows you to specify the following parameters:

What to hold: You can specify which items to hold by using query parameters such
as keywords, senders and recipients, start and end dates, and also specify the
message types such as email messages or calendar items that you want to place
on hold.

How long to hold: You can specify a duration for items on hold.

Using this new model, In-Place Hold allows you to create granular hold policies to
preserve mailbox items in the following scenarios:

Indefinite hold: The indefinite hold scenario is similar to Litigation Hold. It's
intended to preserve mailbox items so you can meet eDiscovery requirements.
During the period of litigation or investigation, items are never deleted. The
duration isn't known in advance, so no end date is configured. To hold all mail
items indefinitely, you don't specify any query parameters or time duration when
creating an In-Place Hold.

Important

Placing a mailbox on an indefinite hold means that mail items meeting the
hold requirements will never be removed from the mailbox. This could result
in the mailbox exceeding the Recoverable Items Quota, which could make
the mailbox unusable. Microsoft recommends enabling an Archive for the
mailbox, as well as enabling the auto-expanding archive feature. See Holds
and Mailbox Quotas for more information.

Query-based hold: If your organization preserves items based on specified query
parameters, you can use a query-based In-Place Hold. You can specify query
parameters such as keywords, start and end dates, sender and recipient addresses,
and message types. After you create a query-based In-Place Hold, all existing and
future mailbox items (including messages received at a later date) that match the
query parameters are preserved.

Important

Items that are marked as unsearchable, generally because of failure to index
an attachment, are also preserved because it can't be determined whether
they match query parameters. For more information about partially indexed
items, see Partially indexed items in Content Search.

Time-based hold: Both In-Place Hold and Litigation Hold allow you to specify a
duration of time for which to hold items. The duration is calculated from the date a
mailbox item is received or created.

If your organization requires that all mailbox items be preserved for a specific
period, for example 7 years, you can create a time-based hold so that items on
hold are retained for a specific period of time. For example, consider a mailbox
that's placed on a time-based In-Place Hold and has a retention period set to 365
days. If an item in that mailbox is deleted after 300 days from the date it was
received, it's held for an additional 65 days before being permanently deleted. You
can use a time-based In-Place Hold in conjunction with a retention policy to make
sure items are preserved for the specified duration and permanently removed after
that period.

You can use In-Place Hold to place a user on multiple holds. When a user is placed on
multiple holds, the search queries from any query-based hold are combined (with OR
operators). In this case, the maximum number of keywords in all query-based holds
placed on a mailbox is 500. If there are more than 500 keywords, then all content in the
mailbox is placed on hold (not just that content that matches the search criteria). All
content is held until the total number of keywords is reduced to 500 or less.

In-Place Hold and Litigation Hold

Litigation Hold uses the LitigationHoldEnabled property of a mailbox to place mailbox
content on hold. Whereas In-Place Hold provides granular hold capability based on
query parameters and the ability to place multiple holds, Litigation Hold only allows you
to place all items on hold. You can also specify a duration period to hold items when a
mailbox is placed on Litigation Hold. The duration is calculated from the date a mailbox
item is received or created. If a duration isn't set, items are held indefinitely or until the
hold is removed.

When a mailbox is placed on one or more In-Place Holds and on Litigation Hold
(without a duration period) at the same time, all items are held indefinitely or until the
holds are removed. If you remove Litigation Hold and the user is still placed on one or
more In-Place Holds, items matching the In-Place Hold criteria are held for the period
specified in the hold settings.

Note

When you place a mailbox on In-Place Hold or Litigation Hold, the hold is placed
on both the primary and the archive mailbox. If you place an on-premises primary
mailbox on hold in an Exchange hybrid deployment, the cloud-based archive
mailbox (if enabled) is also placed on hold.

Placing a mailbox on In-Place Hold

Authorized users that have been added to the Discovery Management role-based access
control (RBAC) role group or assigned the Legal Hold and Mailbox Search management
roles can manage or remove mailboxes on In-Place Hold. You can delegate the task to
records managers, compliance officers, or attorneys in your organization's legal
department, while assigning the least privileges. To learn more about assigning the
Discovery Management role group, see Assign eDiscovery permissions in Exchange.

You can use the In-Place eDiscovery & Hold wizard in the Exchange admin center (EAC)
or the New-MailboxSearch and related cmdlets in Exchange Online PowerShell to
remove a mailbox on In-Place Hold. To learn more about removing a mailbox on In-
Place Hold, see Remove an In-Place Hold.

Many organizations require that users be informed when they're placed on hold.
Additionally, when a mailbox is on hold, any retention policies applicable to the mailbox
user don't need to be suspended. Because messages continue to be deleted as
expected, users may not notice they're on hold. If your organization requires that users
on hold be informed, you can add a notification message to the mailbox user's
RetentionComment property and use the RetentionUrl property to link to a web page
for more information. Outlook 2010 and later displays the notification and URL in the
backstage area. You must use Exchange Online PowerShell to add and manage these
properties for a mailbox. For more information, see Set-Mailbox.
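
The script below is an added example, not code from the original article: it places a
mailbox on Litigation Hold for a fixed duration and, in the same call, sets the
RetentionComment and RetentionUrl properties described above so the user is informed
of the hold, then reads the hold state back. It assumes a connected Exchange Online
PowerShell session; the mailbox address, the URL and the function name
Set-MailboxLitigationHoldWithNotice are placeholders chosen for the example.

```powershell
# Added example, not from the original article: place a mailbox on Litigation Hold
# for a fixed number of days and set the RetentionComment/RetentionUrl notice that
# Outlook displays to the user. Assumes a connected Exchange Online PowerShell
# session. Mailbox address and URL below are placeholders.

function Set-MailboxLitigationHoldWithNotice {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [int]    $DurationDays,  # counted from each item's received/created date
        [Parameter(Mandatory)] [string] $Comment,       # shown to the user in Outlook
        [Parameter(Mandatory)] [string] $InfoUrl        # link to more information for the user
    )

    Set-Mailbox -Identity $Mailbox `
        -LitigationHoldEnabled $true `
        -LitigationHoldDuration $DurationDays `
        -RetentionComment $Comment `
        -RetentionUrl $InfoUrl

    # Verify: read back the hold state and the notice properties. InPlaceHolds is
    # included so you can see when a mailbox is on both kinds of hold at once, since
    # the durations then interact as the article describes.
    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
    if (-not $mbx.LitigationHoldEnabled) {
        throw "Litigation Hold is not enabled on $Mailbox."
    }
    $props = @('LitigationHoldEnabled', 'LitigationHoldDuration', 'LitigationHoldDate',
               'LitigationHoldOwner', 'RetentionComment', 'RetentionUrl', 'InPlaceHolds')
    $mbx | Format-List $props
}

Set-MailboxLitigationHoldWithNotice -Mailbox 'user@contoso.example' -DurationDays 2555 `
    -Comment 'Your mailbox is on hold for a legal matter. Deleted items are preserved automatically; you do not need to change how you work.' `
    -InfoUrl 'https://intranet.contoso.example/legal-hold'   # placeholder URL
```

LitigationHoldDate and LitigationHoldOwner are filled in by Exchange when the hold is
enabled, which gives you a record of who placed the hold and when without extra
bookkeeping.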

Placing public folders on hold

In Exchange Online, you can place public folders on hold by using an In-Place Hold. Using
Litigation Hold for public folders isn't supported. When you create an In-Place Hold, the
only option is to place a hold on all public folders in your organization. The result is that
an In-Place Hold is placed on all public folder mailboxes.

Additionally, when you place public folders on In-Place Hold, email messages related to
the public folder hierarchy synchronization process are also preserved. This might result
in thousands of hierarchy synchronization related email items being preserved. These
messages can fill up the storage quota for the Recoverable Items folder on public folder
mailboxes. To prevent this, you can create a query-based In-Place Hold and add the
following property:value pair to the search query:

NOT(subject:HierarchySync*)

The result is that any message (related to the synchronization of the public folder
hierarchy) that contains the phrase "HierarchySync" in the subject line is not placed on
hold.

Holds and the Recoverable Items folder

In-Place Hold and Litigation Hold use the Recoverable Items folder to preserve items.
The Recoverable Items folder replaces the feature informally known as the dumpster in
previous versions of Exchange. The Recoverable Items folder is hidden from the default
view of Outlook, Outlook on the web (formerly known as Outlook Web App), and other
email clients. To learn more about the Recoverable Items folder, see Recoverable Items
folder in Exchange Online.

By default, when a user deletes a message from a folder other than the Deleted Items
folder, the message is moved to the Deleted Items folder. This is known as a move.
When a user soft deletes an item (accomplished by pressing the SHIFT and DELETE keys)
or deletes an item from the Deleted Items folder, the message is moved to the
Recoverable Items folder, thereby disappearing from the user's view.

Items in the Recoverable Items folder are retained for the deleted item retention period
configured for the user's mailbox. By default, the deleted item retention period is 14
days for Exchange Online mailboxes. You can also configure a storage quota for the
Recoverable Items folder. This protects the organization from a potential denial of
service (DoS) attack due to rapid growth of the Recoverable Items folder. If a mailbox
isn't placed on In-Place Hold or Litigation Hold, items are purged permanently from the
Recoverable Items folder on a first in, first out basis when the Recoverable Items
warning quota is exceeded, or the item has resided in the folder for a longer duration
than the deleted item retention period.

The Recoverable Items folder contains the following subfolders used to store deleted
items in various sites and facilitate In-Place Hold and Litigation Hold:

Deletions - Items removed from the Deleted Items folder or soft-deleted from
other folders are moved to the Deletions subfolder and are visible to the user
when using the Recover Deleted Items feature in Outlook and Outlook on the web.
By default, items reside in this folder until the deleted item retention period
configured for the mailbox expires.

Purges - When a user deletes an item from the Recoverable Items folder (by using
the Recover Deleted Items tool in Outlook and Outlook on the web), the item is
moved to the Purges folder. Items that exceed the deleted item retention period
configured for the mailbox are also moved to the Purges folder. Items in this folder
aren't visible to users if they use the Recover Deleted Items tool. When the
Managed Folder Assistant processes the mailbox, items in the Purges folder are
purged from the mailbox. When you place the mailbox user on Litigation Hold, the
Managed Folder Assistant doesn't purge items in this folder.

DiscoveryHold - If a user is placed on an In-Place Hold, deleted items are moved
to this folder. When the Managed Folder Assistant processes the mailbox, it
evaluates messages in this folder. Items matching the In-Place Hold query are
retained until the hold period specified in the query. If no hold period is specified,
items are held indefinitely or until the user is removed from the hold.

Versions - When a user is placed on In-Place Hold or Litigation Hold, mailbox items
must be protected from tampering or modification by the user or a process. This is
accomplished using a copy-on-write process. When a user or a process changes
specific properties of a mailbox item, a copy of the original item is saved in the
Versions folder before the change is committed. The process is repeated for
subsequent changes. Items captured in the Versions folder are also indexed and
returned in eDiscovery searches. After the hold is removed, copies in the Versions
folder are removed by the Managed Folder Assistant.

SubstrateHolds - If In-Place Hold, Litigation Hold, or a Microsoft 365 or Office 365
Teams Chat retention policy is enabled, this subfolder contains the original copy of
the Teams message if the message has been modified or deleted. A copy of the
item before modification is saved. This folder isn't visible to end users.

Properties that trigger copy-on-write

Item type                            | Properties that trigger copy-on-write
-------------------------------------|----------------------------------------------------------------
Messages (IPM.Note*)                 | Subject
Posts (IPM.Post*)                    | Body
                                     | Attachments
                                     | Senders/Recipients
                                     | Sent/Received Dates
-------------------------------------|----------------------------------------------------------------
Items other than messages and posts  | Any change to a visible property, except the following:
                                     | Item location (when an item is moved between folders)
                                     | Item status change (read or unread)
                                     | Changes to retention tag applied to an item
-------------------------------------|----------------------------------------------------------------
Items in the default folder Drafts   | None (items in the Drafts folder are exempt from copy-on-write)

Important

Copy-on-write is disabled for calendar items in the organizer's mailbox when
meeting responses are received from attendees and the tracking information for
the meeting is updated. For calendar items and items that have a reminder set,
copy-on-write is disabled for the ReminderTime and ReminderSignalTime
properties. Changes to these properties are not captured by copy-on-write.
Changes to RSS feeds aren't captured by copy-on-write.

Although the DiscoveryHold, Purges, and Versions folders aren't visible to the user, all
items in the Recoverable Items folder are indexed by Exchange Search and are
discoverable using In-Place eDiscovery. After a mailbox user is removed from In-Place
Hold or Litigation Hold, items in the DiscoveryHold, Purges, and Versions folders are
purged by the Managed Folder Assistant.

Holds and mailbox quotas

Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota.
In Exchange Online, the Recoverable Items folder has its own quota. For Exchange, the
default values for the RecoverableItemsWarningQuota and RecoverableItemsQuota
mailbox properties are set to 20 GB and 30 GB respectively. In Exchange Online, the
quota for the Recoverable Items folder (in the user's primary mailbox) is automatically
increased to 100 GB when you place a mailbox on Litigation Hold or In-Place Hold.
When the storage quota for the Recoverable Items folder in the primary mailbox of a
mailbox on hold is close to reaching its limit, you can do the following things:

Enable the archive mailbox and turn on auto-expanding archiving - You can
enable an unlimited storage capacity for the Recoverable Items folder simply by
enabling the archive mailbox and then turning on the auto-expanding archiving
feature in Exchange Online. This results in 110 GB for the Recoverable Items folder
in the primary mailbox and an unlimited amount of storage capacity for the
Recoverable Items folder in the user's archive. See how: Enable archive mailboxes
in the compliance portal and Enable unlimited archiving - Admin help.

Note

After you enable the archive for a mailbox that's close to exceeding the
storage quota for the Recoverable Items folder, you might want to run the
Managed Folder Assistant to manually trigger the assistant to process the
mailbox so that expired items are moved to the Recoverable Items folder in
the archive mailbox. For instructions, see Step 4 in Increase the
Recoverable Items quota for mailboxes on hold.

Note that other items in the user's mailbox might be moved to the new
archive mailbox. Consider telling the user that this might happen after you
enable the archive mailbox.

Create a custom retention policy for mailboxes on hold - In addition to enabling
the archive mailbox and auto-expanding archiving for mailboxes on Litigation Hold
or In-Place Hold, you might also want to create a custom MRM retention policy in
Exchange Online for mailboxes on hold. This lets you apply a retention policy to
mailboxes on hold that's different from the Default MRM Policy that's applied to
mailboxes that aren't on hold. This lets you apply retention tags that are
specifically designed for mailboxes on hold. This includes creating a new retention
tag for the Recoverable Items folder.

For more information, see Increase the Recoverable Items quota for mailboxes on hold.
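
The script below is an added example and not part of the original article. It reports how
full the Recoverable Items folder of a mailbox on hold is, broken down by the subfolders
described in the previous section, and compares the total with the mailbox's
RecoverableItemsWarningQuota and RecoverableItemsQuota so you can see when the
archive and auto-expanding archiving measures above are needed. It assumes a
connected Exchange Online PowerShell session; the mailbox address and the function
names ConvertTo-Bytes and Get-RecoverableItemsUsage are the example's own.

```powershell
# Added example, not from the original article: show Recoverable Items usage per
# subfolder and against the mailbox's Recoverable Items quotas. Assumes a connected
# Exchange Online PowerShell session; the mailbox address is a placeholder.

# Exchange reports sizes as text such as "1.5 GB (1,610,612,736 bytes)" or "Unlimited";
# extract the exact byte count so we can compare sizes numerically.
function ConvertTo-Bytes {
    param([AllowNull()] $Size)
    $text = "$Size"
    if ($text -match 'Unlimited') { return [int64]::MaxValue }
    $m = [regex]::Match($text, '\(([\d,]+) bytes\)')
    if (-not $m.Success) { return [int64]0 }
    return [int64]($m.Groups[1].Value -replace ',', '')
}

function Get-RecoverableItemsUsage {
    param([Parameter(Mandatory)] [string] $Mailbox)

    $mbx   = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
    $stats = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems

    # Per-subfolder view: Deletions, Purges, DiscoveryHolds, Versions, SubstrateHolds, ...
    $stats | ForEach-Object {
        [pscustomobject]@{
            Folder = $_.Name
            Items  = $_.ItemsInFolder
            GB     = [math]::Round((ConvertTo-Bytes $_.FolderSize) / 1GB, 2)
        }
    } | Sort-Object GB -Descending | Format-Table -AutoSize | Out-Host

    # The root "Recoverable Items" row carries the total including all subfolders.
    $root       = $stats | Where-Object { $_.Name -eq 'Recoverable Items' }
    $totalBytes = ConvertTo-Bytes $root.FolderAndSubfolderSize
    $warnBytes  = ConvertTo-Bytes $mbx.RecoverableItemsWarningQuota
    $hardBytes  = ConvertTo-Bytes $mbx.RecoverableItemsQuota

    [pscustomobject]@{
        Mailbox          = $mbx.PrimarySmtpAddress
        OnLitigationHold = $mbx.LitigationHoldEnabled
        InPlaceHolds     = ($mbx.InPlaceHolds -join ';')
        ArchiveEnabled   = ($mbx.ArchiveStatus -eq 'Active')
        UsedGB           = [math]::Round($totalBytes / 1GB, 2)
        WarningQuotaGB   = [math]::Round($warnBytes / 1GB, 2)
        HardQuotaGB      = [math]::Round($hardBytes / 1GB, 2)
        PercentOfHard    = if ($hardBytes -eq [int64]::MaxValue) { 'n/a (unlimited)' }
                           else { [math]::Round(100 * $totalBytes / $hardBytes, 1) }
    }
}

Get-RecoverableItemsUsage -Mailbox 'user@contoso.example'
```

A mailbox on hold whose PercentOfHard figure is climbing toward 100 with
ArchiveEnabled false is the case the section above addresses: enable the archive and
auto-expanding archiving, then trigger the Managed Folder Assistant as the note
describes.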

Holds and email forwarding

Users can use Outlook and Outlook on the web to set up email forwarding for their
mailbox. Email forwarding lets users configure their mailbox to forward email messages
sent to their mailbox to another mailbox located in or outside of their organization.
Email forwarding can be configured so that any message sent to the original mailbox
isn't copied to that mailbox and is only sent to the forwarding address.

If email forwarding is set up for a mailbox and messages aren't copied to the original
mailbox, what happens if the mailbox is on hold? The hold settings for the mailbox are
checked during the delivery process. If the message meets the hold criteria for the
mailbox, a copy of the message is saved to the Recoverable Items folder. That means
you can use eDiscovery tools to search the original mailbox to find messages that were
forwarded to another mailbox.

Deleting a mailbox on hold

When you delete the corresponding Microsoft 365 or Office 365 account for a mailbox
that's been placed on Litigation Hold or In-Place Hold, the mailbox is converted to an
inactive mailbox, which is a type of soft-deleted mailbox. Inactive mailboxes are used to
preserve the contents of a user's mailbox after they leave your organization. Items in an
inactive mailbox are preserved during the hold that was placed on the mailbox before it
was made inactive. This allows administrators, compliance officers, or records managers
to use the Content Search tool in the Microsoft Purview compliance portal to access and
search the contents of an inactive mailbox. Inactive mailboxes can't receive email and
aren't displayed in your organization's shared address book or other lists. For more
information, see Overview of inactive mailboxes.

Remove an In-Place Hold in Exchange Online
Article • 02/22/2023

Important

As we continue to invest in different ways to preserve mailbox content, we're
announcing the retirement of In-Place Holds in the Exchange admin center (EAC) in
Exchange Online. Starting July 1, 2020, you won't be able to create new In-Place
Holds. But you'll still be able to manage In-Place Holds in the EAC or by using the
Set-MailboxSearch cmdlet in Exchange Online PowerShell. However, starting
October 1, 2020, you won't be able to manage In-Place Holds. You'll only be able to
remove them in the EAC or by using the Remove-MailboxSearch cmdlet. Using In-Place
Holds in Exchange Server and Exchange hybrid deployments will still be supported.
For more information about the retirement of In-Place Holds in Exchange Online, see
Retirement of legacy eDiscovery tools.

An In-Place Hold preserves all mailbox content, including deleted items and original
versions of modified items. All such mailbox items are returned in an In-Place eDiscovery
search. When you place an In-Place Hold on a user's mailbox, the contents in the
corresponding archive mailbox (if it's enabled) are also placed on hold and returned in an
eDiscovery search.

What do you need to know before you begin?

Estimated time to complete: 5 minutes

You need to be assigned permissions before you can perform this procedure. To
see what permissions you need, see the "In-Place Hold" entry in the Feature
permissions in Exchange Online topic.

Depending on your Active Directory topology and replication latency, it may take
up to an hour for the removal of an In-Place Hold to take effect.

As previously explained, when you place an In-Place Hold on a user's mailbox,
content in the user's archive mailbox is also placed on hold. When you remove an
In-Place Hold on an on-premises primary mailbox in an Exchange hybrid
deployment, the hold is also removed from the cloud-based archive mailbox (if
enabled).

If a user was placed on multiple In-Place Holds, the search queries from any query-
based hold are combined (with OR operators). In this case, the maximum number
of keywords in all query-based holds placed on a mailbox is 500. If there are more
than 500 keywords, then all content in the mailbox is placed on hold (not just that
content that matches the search criteria). All content is held until the total number
of keywords is reduced to 500 or less.

Remove an In-Place Hold

Important

Mailbox searches can be used for an In-Place Hold and In-Place eDiscovery. You
can't remove a mailbox search that's used for In-Place Hold. You must first disable
the In-Place Hold by clearing the Place content matching the search query in
selected mailboxes on hold check box on the In-Place Hold settings page or by
setting the InPlaceHoldEnabled parameter to $false in Exchange Online
PowerShell. You can also remove a mailbox by using the SourceMailboxes parameter
specified in the search.

Use the EAC to remove an In-Place Hold

1. Navigate to Compliance management > In-Place eDiscovery & hold.

2. In the list view, select the In-Place Hold you want to remove and then click Edit.

3. In In-Place eDiscovery & Hold properties, on the In-Place Hold page, clear the
Place content matching the search query in selected mailboxes on hold, and
then click Save.

4. Select the In-Place Hold again from the list view, and then click Delete.

5. In warning, click Yes to remove the search.

Use Exchange Online PowerShell to remove an In-Place Hold

This example first disables the In-Place Hold named Hold-CaseId012 and then removes the
mailbox search.

PowerShell

Set-MailboxSearch "Hold-CaseId012" -InPlaceHoldEnabled $false
Remove-MailboxSearch "Hold-CaseId012"

For detailed syntax and parameter information, see Set-MailboxSearch.

How do you know this worked?

To verify that you have successfully removed an In-Place Hold, do one of the following:

Use the EAC to verify that the In-Place Hold doesn't appear in the list view of the
In-place eDiscovery & hold tab.

Use the Get-MailboxSearch cmdlet to retrieve all mailbox searches and check that
the search you removed is no longer listed. For an example of how to retrieve a
mailbox search, see the examples in Get-MailboxSearch.
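
The following script is an added example, not code from the original article. It wraps
the two-step removal described above in a single function that checks whether the
search still enforces a hold before trying to delete it (the cause of the removal
failure the Important note describes), removes it, and then runs the Get-MailboxSearch
verification. It assumes a connected Exchange Online PowerShell session; the function
name Remove-InPlaceHoldSearch is the example's own and the search name is the
placeholder used in the article.

```powershell
# Added example, not from the original article: disable an In-Place Hold, remove the
# underlying mailbox search, and verify it is gone. Assumes a connected Exchange
# Online PowerShell session. The search name is the article's placeholder.

function Remove-InPlaceHoldSearch {
    param([Parameter(Mandatory)] [string] $Name)

    $search = Get-MailboxSearch -Identity $Name -ErrorAction Stop

    # A mailbox search that still has the hold enabled cannot be removed, so clear
    # the hold flag first (the same step as the Set-MailboxSearch example above).
    if ($search.InPlaceHoldEnabled) {
        Set-MailboxSearch -Identity $Name -InPlaceHoldEnabled $false
    }

    Remove-MailboxSearch -Identity $Name -Confirm:$false

    # Verify: the search must no longer be listed. Note that the hold can take up to
    # an hour to lift on the mailboxes themselves, as the article explains.
    if (Get-MailboxSearch | Where-Object { $_.Name -eq $Name }) {
        throw "Mailbox search '$Name' is still present."
    }
    "Removed In-Place Hold search '$Name' (it covered $(@($search.SourceMailboxes).Count) source mailbox(es))."
}

# Review which searches still enforce a hold before removing anything.
Get-MailboxSearch |
    Where-Object { $_.InPlaceHoldEnabled } |
    Select-Object Name, Status, ItemHoldPeriod, SourceMailboxes |
    Format-Table -AutoSize

Remove-InPlaceHoldSearch -Name 'Hold-CaseId012'
```

Because removing a hold releases items that were being preserved, the listing step
gives you a record of the hold's scope (source mailboxes and hold period) at the moment
of removal; keep that output with the case file.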

In-Place eDiscovery in Exchange Online
Article • 02/22/2023

Important

As we continue to invest in different ways to search for mailbox content, we're
announcing the retirement of In-Place eDiscovery in the Exchange admin center
(EAC) in Exchange Online. Starting July 1, 2020, you won't be able to create new In-
Place eDiscovery searches. But you'll still be able to manage In-Place eDiscovery
searches in the EAC or by using the Set-MailboxSearch cmdlet in Exchange Online
PowerShell. However, starting October 1, 2020, you won't be able to manage In-
Place eDiscovery searches. You'll only be able to remove them in the EAC or by
using the Remove-MailboxSearch cmdlet. Using In-Place eDiscovery in Exchange
Server and Exchange hybrid deployments will still be supported. For more
information about the retirement of In-Place eDiscovery in Exchange Online, see
Retirement of legacy eDiscovery tools.

If your organization adheres to legal discovery requirements (related to organizational
policy, compliance, or lawsuits), In-Place eDiscovery in Exchange Online can help you
perform discovery searches for relevant content within mailboxes. You can also use In-
Place eDiscovery in an Exchange hybrid environment to search on-premises and cloud-
based mailboxes in the same search.

Important

In-Place eDiscovery is a powerful feature that allows a user with the correct
permissions to potentially gain access to all messaging records stored throughout
the Exchange Online organization. It's important to control and monitor discovery
activities, including addition of members to the Discovery Management role group,
assignment of the Mailbox Search management role, and assignment of mailbox
access permission to discovery mailboxes.

How In-Place eDiscovery works

In-Place eDiscovery uses the content indexes created by Exchange Search. Role Based
Access Control (RBAC) provides the Discovery Management role group to delegate
discovery tasks to non-technical personnel, without the need to provide elevated
privileges that may allow a user to make any operational changes to Exchange
configuration. The Exchange admin center (EAC) provides an easy-to-use search
interface for non-technical personnel such as legal and compliance officers, records
managers, and human resources (HR) professionals.

Authorized users can perform an In-Place eDiscovery search by selecting the mailboxes,
and then specifying search criteria such as keywords, start and end dates, sender and
recipient addresses, and message types. After the search is complete, authorized users
can then select one of the following actions:

Estimate search results: This option returns an estimate of the total size and
number of items that will be returned by the search based on the criteria you
specified.

Preview search results: This option provides a preview of the results. Messages
returned from each mailbox searched are displayed.

Copy search results: This option lets you copy messages to a discovery mailbox.

Export search results: After search results are copied to a discovery mailbox, you
can export them to a PST file.

Exchange Search

In-Place eDiscovery uses the content indexes created by Exchange Search. Exchange
Search has been retooled to use Microsoft Search Foundation, a rich search platform
that comes with significantly improved indexing and querying performance and
improved search functionality. Because the Microsoft Search Foundation is also used by
other Office products, including SharePoint 2013, it offers greater interoperability and
similar query syntax across these products.

With a single content indexing engine, no additional resources are used to crawl and
index mailbox databases for In-Place eDiscovery when eDiscovery requests are received
by IT departments.

In-Place eDiscovery uses Keyword Query Language (KQL), a querying syntax similar to
the Advanced Query Syntax (AQS) used by Instant Search in Microsoft Outlook and
Outlook on the web. Users familiar with KQL can easily construct powerful search
queries to search content indexes.

For more information about the file formats indexed by Exchange search, see File
Formats Indexed By Exchange Search.

Discovery Management role group and management roles

For authorized users to perform In-Place eDiscovery searches, you must add them to the
Discovery Management role group. This role group consists of two management roles:
the Mailbox Search role, which allows a user to perform an In-Place eDiscovery search,
and the Legal Hold role, which allows a user to place a mailbox on In-Place Hold or
litigation hold. For more information about roles and role groups, see Permissions in
Exchange Online.

By default, permissions to perform In-Place eDiscovery-related tasks aren't assigned to
any user or Exchange administrators. Exchange administrators who are members of the
Organization Management role group can add users to the Discovery Management role
group and create custom role groups to narrow the scope of a discovery manager to a
subset of users. To learn more about adding users to the Discovery Management role
group, see Assign eDiscovery permissions in Exchange.

Important

If a user hasn't been added to the Discovery Management role group or isn't
assigned the Mailbox Search role, the In-Place eDiscovery & Hold user interface
isn't displayed in the EAC, and the In-Place eDiscovery cmdlets aren't available in
Exchange Online PowerShell.

Auditing of RBAC role changes, which is enabled by default, makes sure that adequate
records are kept to track assignment of the Discovery Management role group. You can
use the administrator role group report to search for changes made to administrator
role groups. For more information, see Search the role group changes or administrator
audit logs.

Custom management scopes for In-Place eDiscovery
You can use a custom management scope to let specific people or groups use In-Place
eDiscovery to search a subset of mailboxes in your Exchange Online organization. For
example, you might want to let a discovery manager search only the mailboxes of users
in a specific location or department. You do this by creating a custom management
scope that uses a custom recipient filter to control which mailboxes can be searched.
Recipient filter scopes use filters to target specific recipients based on recipient type or
other recipient properties.

For In-Place eDiscovery, the only property on a user mailbox that you can use to create
a recipient filter for a custom scope is distribution group membership. If you use other
properties, such as CustomAttributeN, Department, or PostalCode, the search fails when
it's run by a member of the role group that's assigned the custom scope. For more
information, see Create a custom management scope for In-Place eDiscovery searches.
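The scoping described above, as an added example in Exchange PowerShell (this is not code from the page; the distribution group "Ottawa Users", the scope and role group names, and the user annb are assumed for illustration). It builds the recipient filter on MemberOfGroup, the only property the page says a custom eDiscovery scope may use, gives the role group only the Mailbox Search role rather than the Legal Hold role as well, and then previews which mailboxes the filter actually resolves to before anyone relies on it.

```powershell
# Added example, not from the page. Assumed names: DG "Ottawa Users",
# scope "Ottawa Users eDiscovery Scope", role group "Ottawa Discovery Management", user annb.

$dg = Get-DistributionGroup -Identity "Ottawa Users"

# The filter must be MemberOfGroup with the group's distinguished name. Filters on
# Department, PostalCode, CustomAttributeN etc. make the search fail for scoped users.
# Single quotes inside an OPATH string literal are escaped by doubling them.
$dn = $dg.DistinguishedName -replace "'", "''"
$scopeName = "Ottawa Users eDiscovery Scope"
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$dn'"

# Least privilege: only Mailbox Search (not Legal Hold), written through the custom scope,
# so members can search members of "Ottawa Users" and nothing else.
New-RoleGroup -Name "Ottawa Discovery Management" `
    -Roles "Mailbox Search" `
    -CustomRecipientWriteScope $scopeName

Add-RoleGroupMember -Identity "Ottawa Discovery Management" -Member annb

# Check 1: the assignment really carries the custom write scope.
Get-ManagementRoleAssignment -RoleAssignee "Ottawa Discovery Management" |
    Format-Table Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# Check 2: preview exactly which recipients the scope's filter matches today.
# Membership changes in the DG change this set without any further RBAC change.
Get-Recipient -RecipientPreviewFilter (Get-ManagementScope -Identity $scopeName).RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails
```

The preview is worth re-running periodically: the scope is evaluated when a search runs, so adding a user to the distribution group silently widens what the scoped discovery managers can search.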

eDiscovery in an Exchange hybrid deployment
To successfully perform cross-premises eDiscovery searches in an Exchange Server
hybrid organization, you will have to configure OAuth (Open Authorization)
authentication between your Exchange on-premises and Exchange Online organizations
so that you can use In-Place eDiscovery to search on-premises and cloud-based
mailboxes. OAuth authentication is a server-to-server authentication protocol that
allows applications to authenticate to each other.

OAuth authentication supports the following eDiscovery scenarios in an Exchange
hybrid deployment:

Search on-premises mailboxes that use Exchange Online Archiving for cloud-based
archive mailboxes.

Search on-premises and cloud-based mailboxes in the same eDiscovery search.

Search on-premises mailboxes by using the eDiscovery Center in SharePoint Online.

For more information about the eDiscovery scenarios that require OAuth authentication
to be configured in an Exchange hybrid deployment, see Using Oauth Authentication to
Support eDiscovery in an Exchange Hybrid Deployment. For step-by-step instructions
for configuring OAuth authentication to support eDiscovery, see Configure OAuth
Authentication Between Exchange and Exchange Online Organizations.

For information about running an In-Place eDiscovery search in Exchange Server, see
Create an In-Place eDiscovery search in Exchange Server.

Discovery mailboxes
After you create an In-Place eDiscovery search, you can copy the search results to a
target mailbox. The EAC allows you to select a discovery mailbox as the target mailbox.
A discovery mailbox is a special type of mailbox that provides the following
functionality:

Easier and secure target mailbox selection: When you use the EAC to copy In-
Place eDiscovery search results, only discovery mailboxes are made available as a
repository in which to store search results. You don't need to sort through a
potentially long list of mailboxes available in the organization. This also eliminates
the possibility of a discovery manager accidentally selecting another user's mailbox
or an unsecured mailbox in which to store potentially sensitive messages.

Large mailbox storage quota: The target mailbox should be able to store a large
amount of message data that may be returned by an In-Place eDiscovery search.
By default, discovery mailboxes have a mailbox storage quota of 50 gigabytes (GB).
This storage quota can't be increased.

More secure by default: Like all mailbox types, a discovery mailbox has an
associated Active Directory user account. However, this account is disabled by
default. Only users explicitly authorized to access a discovery mailbox have access
to it. Members of the Discovery Management role group are assigned Full Access
permissions to the default discovery mailbox. Any additional discovery mailboxes
you create don't have mailbox access permissions assigned to any user.

Email delivery disabled: Although visible in Exchange address lists, users can't
send email to a discovery mailbox. Email delivery to discovery mailboxes is
prohibited by using delivery restrictions. This preserves the integrity of search
results copied to a discovery mailbox.

Exchange Setup creates one discovery mailbox with the display name Discovery Search
Mailbox. You can use Exchange Online PowerShell to create additional discovery
mailboxes. By default, the discovery mailboxes you create won't have any mailbox access
permissions assigned. You can assign Full Access permissions for a discovery manager to
access messages copied to a discovery mailbox. For details, see Create a discovery
mailbox.
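Creating an additional discovery mailbox and controlling who can read it, as an added example in Exchange PowerShell (not code from the page; the mailbox name and the role group "Ottawa Discovery Management" are assumed). The second half is the check a reviewer wants: every explicit Full Access grant on every discovery mailbox in the organization, since each one is a path to copied search results.

```powershell
# Added example, not from the page. Assumed: mailbox "Discovery - Case 2014-017",
# role group "Ottawa Discovery Management" (a role group is a security group and
# can be granted mailbox permissions directly).

$name = "Discovery - Case 2014-017"

# -Discovery creates a DiscoveryMailbox: disabled account, delivery restricted,
# 50 GB quota, and no access permissions until you grant them.
New-Mailbox -Name $name -Discovery

# Grant the case team's role group, not individual users, so access follows
# role group membership (which is audited) rather than ad-hoc ACL edits.
Add-MailboxPermission -Identity $name -User "Ottawa Discovery Management" `
    -AccessRights FullAccess -InheritanceType All

function Get-DiscoveryMailboxAccess {
    # Lists explicit, non-inherited, non-deny Full Access grants on every discovery
    # mailbox, excluding the mailbox's own SELF entry. Review anything unexpected.
    Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                $_.AccessRights -contains "FullAccess" -and
                -not $_.IsInherited -and -not $_.Deny -and
                $_.User.ToString() -notmatch '^NT AUTHORITY\\SELF$'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.Name
                    Grantee = $_.User.ToString()
                    Quota   = $mbx.ProhibitSendReceiveQuota
                }
            }
    }
}

Get-DiscoveryMailboxAccess | Sort-Object Mailbox, Grantee | Format-Table -AutoSize
```

The default Discovery Search Mailbox will show the Discovery Management role group as a grantee; any individual user account listed there, or any grantee on a case mailbox other than its case team, is worth explaining.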

In-Place eDiscovery also uses a system mailbox with the display name
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} to hold In-Place eDiscovery
metadata. System mailboxes aren't visible in the EAC or in Exchange address lists. In on-
premises organizations, before removing a mailbox database where the In-Place
eDiscovery system mailbox is located, you must move the mailbox to another mailbox
database. If the mailbox is removed or corrupted, your discovery managers are unable
to perform eDiscovery searches until you re-create the mailbox. For details, see Delete
and re-create the default discovery mailbox in Exchange.

Estimate, preview, and copy search results
After an In-Place eDiscovery search is completed, you can view search result estimates in
the Details pane in the EAC. The estimate includes number of items returned and total
size of those items. You can also view keyword statistics, which returns details about
number of items returned for each keyword used in the search query. This information is
helpful in determining query effectiveness. If the query is too broad, it may return a
much bigger data set, which could require more resources to review and raise
eDiscovery costs. If the query is too narrow, it may significantly reduce the number of
records returned or return no records at all. You can use the estimates and keyword
statistics to fine-tune the query to meet your requirements.

Note

Keyword statistics also include statistics for non-keyword properties such as dates,
message types, and senders/recipients specified in a search query.

You can also preview the search results to further ensure that messages returned
contain the content you're searching for and further fine-tune the query if required.
eDiscovery Search Preview displays the number of messages returned from each
mailbox searched and the total number of messages returned by the search. The
preview is generated quickly without requiring you to copy messages to a discovery
mailbox.

After you're satisfied with the quantity and quality of search results, you can copy them
to a discovery mailbox. When copying messages, you have the following options:

Include unsearchable items: For details about the types of items that are
considered unsearchable, see the eDiscovery search considerations in the previous
section.

Enable de-duplication: De-duplication reduces the dataset by only including a
single instance of a unique record if multiple instances are found in one or more
mailboxes searched.

Enable full logging: By default, only basic logging is enabled when copying items.
You can select full logging to include information about all records returned by the
search.

Send me mail when the copy is completed: An In-Place eDiscovery search can
potentially return a large number of records. Copying the messages returned to a
discovery mailbox can take a long time. Use this option to get an email notification
when the copying process is completed. For easier access using Outlook on the
web, the notification includes a link to the location in a discovery mailbox where
the messages are copied.
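The estimate-first sequence described above, as an added example in Exchange Management Shell (not code from the page). It applies to Exchange Server and hybrid deployments, where the page says In-Place eDiscovery remains supported; creating new searches in Exchange Online was retired on July 1, 2020, and Microsoft Purview eDiscovery replaces it there. The search name, the distribution group "Finance Team", the notification address and the item ceiling are assumed; the KQL query uses properties from the "Searchable properties" list later on this page.

```powershell
# Added example, not from the page. Assumed: search name, DG "Finance Team",
# default discovery mailbox, notification address, $maxItems ceiling.

$searchName = "Case 2014-017 - Q1 financials"

# KQL from the page's searchable properties: date window, sender domain,
# exact subject phrase, and item kinds limited to email and IM.
$query = '(received>=01/01/2014 AND received<=03/31/2014) AND from:contoso.com ' +
         'AND subject:"Quarterly Financials" AND (kind:email OR kind:im)'

# 1. Estimate only: nothing is copied, so a too-broad query costs time, not quota.
New-MailboxSearch -Name $searchName `
    -SourceMailboxes "Finance Team" `
    -SearchQuery $query `
    -EstimateOnly `
    -IncludeKeywordStatistics `
    -StatusMailRecipients "discovery-admin@contoso.com"
Start-MailboxSearch -Identity $searchName

function Wait-MailboxSearch {
    # Polls until Status is terminal (…Succeeded, …Failed or …Stopped); the
    # regex covers the estimate and copy phases and partial outcomes.
    param([Parameter(Mandatory)][string]$Identity, [int]$PollSeconds = 30)
    do {
        Start-Sleep -Seconds $PollSeconds
        $s = Get-MailboxSearch -Identity $Identity
    } until ($s.Status -match 'Succeeded|Failed|Stopped')
    $s
}

$est = Wait-MailboxSearch -Identity $searchName
"{0}: {1}, about {2} items, {3}" -f $searchName, $est.Status, $est.ResultNumberEstimate, $est.ResultSizeEstimate

# 2. Gate the copy on the estimate. The 50 GB discovery mailbox quota can't be
#    raised, so narrow the query rather than fill the target mailbox.
$maxItems = 250000   # assumed ceiling for this example
if ($est.Status -notmatch 'Succeeded' -or $est.ResultNumberEstimate -gt $maxItems) {
    throw "Refusing to copy '$searchName': status=$($est.Status), estimate=$($est.ResultNumberEstimate) items"
}

# 3. Convert the same search into a copy: target mailbox, de-duplication,
#    unsearchable items and full logging (the .csv of every returned item).
Set-MailboxSearch -Identity $searchName `
    -EstimateOnly:$false `
    -TargetMailbox "Discovery Search Mailbox" `
    -ExcludeDuplicateMessages $true `
    -IncludeUnsearchableItems `
    -LogLevel Full
Start-MailboxSearch -Identity $searchName

$copy = Wait-MailboxSearch -Identity $searchName
"{0}: copied {1} items ({2}) to {3}" -f $searchName, $copy.Status, $copy.ResultNumber, $copy.TargetMailbox
```

Because the page warns that estimates and copies run against live data, expect the copied count to differ from the estimate; placing the source mailboxes on hold before the copy is the only way to pin the set.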

Export search results to a PST file
After search results are copied to a discovery mailbox, you can export the search results
to a PST file.

After search results are exported to a PST file, you or other users can open them in
Outlook to review or print messages returned in the search results. For more
information, see Export eDiscovery search results to a PST file.

Different search results
Because In-Place eDiscovery performs searches on live data, it's possible that two
searches of the same content sources and using the same search query can return
different results. Estimated search results can also be different from the actual search
results that are copied to a discovery mailbox. This can happen even when rerunning the
same search within a short amount of time. There are several factors that can affect the
consistency of search results:

The continual indexing of incoming email, because Exchange Search continuously
crawls and indexes your organization's mailbox databases and transport pipeline.

Deletion of email by users or automated processes.

Bulk importing large amounts of email, which takes time to index.

If you do experience dissimilar results for the same search, consider placing mailboxes
on hold to preserve content, running searches during off-peak hours, and allowing time
for indexing after importing large amounts of email.

Logging for In-Place eDiscovery searches
There are two types of logging available for In-Place eDiscovery searches:

Basic logging: Basic logging is enabled by default for all In-Place eDiscovery
searches. It includes information about the search and who performed it.
Information captured about basic logging appears in the body of the email
message sent to the mailbox where the search results are stored. The message is
located in the folder created to store search results.

Full logging: Full logging includes information about all messages returned by the
search. This information is provided in a comma-separated value (.csv) file attached
to the email message that contains the basic logging information. The name of the
search is used for the .csv file name. This information may be required for
compliance or record-keeping purposes. To enable full logging, you must select
the Enable full logging option when copying search results to a discovery mailbox
in the EAC. If you're using Exchange Online PowerShell, specify the full logging
option using the LogLevel parameter.

Note

When using Exchange Online PowerShell to create or modify an In-Place
eDiscovery search, you can also disable logging.

Besides the search log included when copying search results to a discovery mailbox,
Exchange also logs cmdlets used by the EAC or Exchange Online PowerShell to create,
modify or remove In-Place eDiscovery searches. This information is logged in the admin
audit log entries. For details, see View the administrator audit log.
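Pulling both audit trails the page mentions, as an added example in Exchange PowerShell (not code from the page): changes to the Discovery Management role group (from the "Discovery Management role group and management roles" section) and the cmdlets that create, modify, start, stop or remove In-Place eDiscovery searches. It assumes a session in which Search-AdminAuditLog is available; in Exchange Online that cmdlet is being retired in favour of Search-UnifiedAuditLog, where the same cmdlet names appear as Operations under RecordType ExchangeAdmin.

```powershell
# Added example, not from the page. Assumed: an Exchange PowerShell session with
# rights to run Search-AdminAuditLog; default result cap is 1000 entries, so the
# window is kept short and -ResultSize is raised explicitly.

function Get-DiscoveryAuditTrail {
    param(
        [int]$Days = 90,
        [string[]]$RoleGroups = @("Discovery Management")
    )
    $since = (Get-Date).AddDays(-$Days)
    $now   = Get-Date

    # Who gained or lost eDiscovery rights: membership and definition changes to
    # the role groups that carry the Mailbox Search / Legal Hold roles.
    $roleChanges = Search-AdminAuditLog -StartDate $since -EndDate $now -ResultSize 50000 `
        -Cmdlets Add-RoleGroupMember, Remove-RoleGroupMember, New-RoleGroup, Remove-RoleGroup,
                 New-ManagementRoleAssignment, Remove-ManagementRoleAssignment |
        Where-Object {
            $target = $_.ObjectModified
            $RoleGroups | Where-Object { $target -like "*$_*" }
        }

    # Every search lifecycle cmdlet. The EAC runs these same cmdlets, so this
    # covers searches created in the UI as well as in PowerShell.
    $searchOps = Search-AdminAuditLog -StartDate $since -EndDate $now -ResultSize 50000 `
        -Cmdlets New-MailboxSearch, Set-MailboxSearch, Start-MailboxSearch,
                 Stop-MailboxSearch, Remove-MailboxSearch

    foreach ($e in @($roleChanges) + @($searchOps)) {
        [pscustomobject]@{
            When       = $e.RunDate
            Actor      = $e.Caller
            Cmdlet     = $e.CmdletName
            Target     = $e.ObjectModified
            Parameters = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
            Succeeded  = $e.Succeeded
        }
    }
}

# Last quarter, newest first. Feed the same object stream to a SIEM export if needed.
Get-DiscoveryAuditTrail -Days 90 | Sort-Object When -Descending | Format-Table -AutoSize
```

Two things to look for in the output: Add-RoleGroupMember calls whose Actor is not one of your expected Organization Management accounts, and New-MailboxSearch or Set-MailboxSearch entries that set InPlaceHoldEnabled to $false, since that ends preservation.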

In-Place eDiscovery and In-Place Hold
As part of eDiscovery requests, you may be required to preserve mailbox content until a
lawsuit or investigation is disposed. Messages deleted or altered by the mailbox user or
any processes must also be preserved. This is accomplished by using In-Place Hold. For
details, see In-Place Hold and Litigation Hold.

Be aware of the following when a search is also used for In-Place Hold:

You can't use the option to search all mailboxes. You must select the mailboxes or
distribution groups.

You can't remove an In-Place eDiscovery search if the search is also used for In-
Place Hold. You must first disable the In-Place Hold option in the search and then
remove the search.
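A query-based In-Place Hold created through a search, and a removal routine that follows the order the page requires (disable the hold, then remove the search) without dropping preservation by accident, as an added example in Exchange Management Shell (not code from the page). It applies to Exchange Server and hybrid deployments; the search name and the group "Finance Team" are assumed.

```powershell
# Added example, not from the page. Assumed: search name, DG "Finance Team".

# A hold-backed search must name mailboxes or distribution groups; the
# "search all mailboxes" option is not available with InPlaceHoldEnabled.
# ItemHoldPeriod is in days; omit it for an unlimited hold.
New-MailboxSearch -Name "Legal Hold - Case 2014-017" `
    -SourceMailboxes "Finance Team" `
    -SearchQuery 'subject:"Quarterly Financials" OR participants:contoso.com' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 2555

function Remove-HoldBackedSearch {
    # Remove-MailboxSearch is rejected while the hold is on, and switching the hold
    # off is the moment preservation ends. Require an explicit -ReleaseHold so a
    # routine clean-up can't silently release items under legal hold.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$ReleaseHold
    )
    $s = Get-MailboxSearch -Identity $Identity -ErrorAction Stop
    if ($s.InPlaceHoldEnabled) {
        if (-not $ReleaseHold) {
            throw "'$Identity' is an active In-Place Hold over $(@($s.SourceMailboxes).Count) source(s); re-run with -ReleaseHold to end preservation."
        }
        # Step 1 (page): disable the hold. This is itself logged in the admin audit log.
        Set-MailboxSearch -Identity $Identity -InPlaceHoldEnabled $false
    }
    # Step 2 (page): now the search can be removed.
    Remove-MailboxSearch -Identity $Identity -Confirm:$false
}

# Remove-HoldBackedSearch -Identity "Legal Hold - Case 2014-017"               # refuses
# Remove-HoldBackedSearch -Identity "Legal Hold - Case 2014-017" -ReleaseHold  # releases, then removes
```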

Preserving mailboxes for In-Place eDiscovery
When an employee leaves an organization, it's a common practice to disable or remove
the mailbox. After you disable a mailbox, it is disconnected from the user account but
remains in the mailbox database for a certain period, 30 days by default. The Managed
Folder Assistant does not process disconnected mailboxes, so retention policies are not
applied during this period, and you can't search the content of a disconnected mailbox.
When the deleted mailbox retention period configured for the mailbox database is
reached, the mailbox is purged from the mailbox database.

Important

In Exchange Online, In-Place eDiscovery can search content in inactive mailboxes.
Inactive mailboxes are mailboxes that are placed on In-Place Hold or litigation hold
and then removed. Inactive mailboxes are preserved as long as they're placed on
hold. When an inactive mailbox is removed from In-Place Hold or when litigation
hold is disabled, it is permanently deleted. For details, see Create and manage
inactive mailboxes.

In on-premises deployments, if your organization requires that retention settings be
applied to messages of employees who are no longer in the organization or if you may
need to retain an ex-employee's mailbox for an ongoing or future eDiscovery search, do
not disable or remove the mailbox. You can take the following steps to ensure the
mailbox can't be accessed and no new messages are delivered to it.

1. Disable the Active Directory user account using Active Directory Users &
Computers or other Active Directory or account provisioning tools or scripts. This
prevents mailbox logon using the associated user account.

Important

Users with Full Access mailbox permission will still be able to access the
mailbox. To prevent access by others, you must remove their Full Access
permission from the mailbox. For information about how to remove Full
Access mailbox permissions on a mailbox, see Manage permissions for
recipients.

2. Set the message size limit for messages that can be sent from or received by the
mailbox user to a very low value, 1 KB for example. This prevents delivery of new
mail to and from the mailbox.

3. Configure delivery restrictions for the mailbox so nobody can send messages to it.
For details, see Configure message delivery restrictions for a mailbox.

Important

You must take the above steps along with any other account management
processes required by your organization, but without disabling or removing the
mailbox or removing the associated user account.
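The three steps above, plus the Full Access removal from the note under step 1, as one added example for an on-premises Exchange Server (not code from the page). It assumes the ActiveDirectory module is loaded on the management workstation and uses the identity "kimakers" for illustration; hiding the mailbox from address lists is a practitioner addition the page does not mention.

```powershell
# Added example, not from the page. Assumed: on-premises Exchange Management Shell,
# ActiveDirectory module available, mailbox identity "kimakers".

function Protect-ExEmployeeMailbox {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Step 1: disable the AD account. The mailbox stays connected to it, so it
    # remains searchable and the Managed Folder Assistant still applies retention.
    Disable-ADAccount -Identity $mbx.SamAccountName

    # Step 1 note: Full Access holders bypass the disabled account. Remove every
    # explicit, non-inherited grant (keeping the mailbox's own SELF entry).
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and
            $_.User.ToString() -notmatch '^NT AUTHORITY\\SELF$'
        } |
        ForEach-Object {
            Remove-MailboxPermission -Identity $Identity -User $_.User `
                -AccessRights FullAccess -Confirm:$false
        }

    # Step 2: 1 KB send/receive limits stop practically all new mail.
    # Step 3: delivery restriction; accepting only from the mailbox itself means no
    #         other sender, internal or external, can deliver to it (assumption:
    #         this is the restriction chosen here, the page leaves the choice open).
    Set-Mailbox -Identity $Identity `
        -MaxSendSize 1KB -MaxReceiveSize 1KB `
        -AcceptMessagesOnlyFrom $Identity `
        -RequireSenderAuthenticationEnabled $true `
        -HiddenFromAddressListsEnabled $true

    # Verification: still a UserMailbox (not disabled/removed), limits and
    # restriction in place, and any existing hold untouched.
    Get-Mailbox -Identity $Identity |
        Select-Object Name, RecipientTypeDetails, MaxReceiveSize, MaxSendSize,
                      AcceptMessagesOnlyFrom, LitigationHoldEnabled, InPlaceHolds
}

Protect-ExEmployeeMailbox -Identity "kimakers"
```

Run this instead of Disable-Mailbox or Remove-Mailbox in the leaver process; the page's point is that the mailbox and its user account must both survive for the mailbox to stay searchable.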

When planning to implement mailbox retention for messaging records management
(MRM) or In-Place eDiscovery, you must take employee turnover into consideration.
Long-term retention of ex-employee mailboxes requires additional storage on Mailbox
servers and also increases the size of the Active Directory database, because the
associated user account must be retained for the same duration. Additionally, it may
require changes to your organization's account provisioning and management processes.

In-Place eDiscovery documentation
The following table contains links to topics that will help you learn about and manage
In-Place eDiscovery.

Topic: Assign eDiscovery permissions in Exchange
Description: Learn how to give a user access to use In-Place eDiscovery in the EAC to
search Exchange mailboxes. Adding a user to the Discovery Management role group also
allows the person to use the eDiscovery Center in SharePoint 2013 and SharePoint Online
to search Exchange mailboxes.

Topic: Create a discovery mailbox
Description: Learn how to use Exchange Online PowerShell to create a discovery mailbox
and assign access permissions.

Topic: Message properties and search operators for In-Place eDiscovery
Description: Learn which email message properties can be searched using In-Place
eDiscovery. The topic provides syntax examples for each property, information about
search operators such as AND and OR, and information about other search query
techniques such as using double quotation marks (" ") and prefix wildcards.

Topic: Search limits for In-Place eDiscovery
Description: Learn In-Place eDiscovery limits in Exchange Online that help maintain the
health and quality of eDiscovery services for Microsoft 365 or Office 365 organizations.

Topic: Export eDiscovery search results to a PST file
Description: Learn how to export the results of an eDiscovery search to a PST file.

Topic: Create a custom management scope for In-Place eDiscovery searches
Description: Learn how to use custom management scopes to limit the mailboxes that a
discovery manager can search.

Topic: Search for and delete email messages
Description: Learn how to use Content Search to search for and then delete email
messages.

Topic: Reduce the size of a discovery mailbox in Exchange
Description: Use this process to reduce the size of a discovery mailbox that's larger
than 50 GB.

Topic: Delete and re-create the default discovery mailbox in Exchange
Description: Learn how to delete the default discovery mailbox, re-create it, and then
reassign permissions to it. Use this procedure if this mailbox has exceeded the 50 GB
limit and you don't need the search results.

Topic: Using OAuth Authentication to Support eDiscovery in an Exchange Hybrid Deployment
Description: Learn about the eDiscovery scenarios in an Exchange hybrid deployment that
require you to configure OAuth authentication.

For more information about eDiscovery in Microsoft Purview, see Get started with
eDiscovery (Standard).
Assign eDiscovery permissions in Exchange Online
Article • 02/22/2023

If you want users to be able to use Microsoft Exchange Server In-Place eDiscovery, you
must first authorize them by adding them to the Discovery Management role group.
Members of the Discovery Management role group have Full Access mailbox
permissions for the Discovery mailbox that's created by Exchange Setup.

Caution

Members of the Discovery Management role group can access sensitive message
content. Specifically, these members can use In-Place eDiscovery to search all
mailboxes in your Exchange organization, preview messages (and other mailbox
items), copy them to a Discovery mailbox and export the copied messages to a .pst
file. In most organizations, this permission is granted to legal, compliance, or
Human Resources personnel.

To learn more about the Discovery Management role group and role based access
control (RBAC), see Permissions in Exchange Online.

Interested in scenarios where this procedure is used? See the following topics:

Create an In-Place eDiscovery search

Create or remove an In-Place Hold

What do you need to know before you begin?
Estimated time to complete: 1 minute.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Role assignments" entry in
the Feature permissions in Exchange Online topic.

By default, the Discovery Management role group doesn't contain any members.
Administrators with the Organization Management role are also unable to create
or manage discovery searches without being added to the Discovery Management
role group.

In Exchange Server, members of the Organization Management role group can
create an In-Place Hold and Litigation Hold to place all mailbox content on hold.
However, to create a query-based In-Place Hold, the user must be a member of the
Discovery Management role group or have the Mailbox Search role assigned.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Use the EAC to add a user to the Discovery Management role group
1. Go to Permissions > Admin roles.

2. In the list view, select Discovery Management and then click Edit.

3. In Role Group, under Members, click Add.

4. In Select Members, select one or more users, click Add, and then click OK.

5. In Role Group, click Save.

Use Exchange Online PowerShell to add a user to the Discovery Management role group
This example adds the user Bsuneja to the Discovery Management role group.

PowerShell

Add-RoleGroupMember -Identity "Discovery Management" -Member Bsuneja

For detailed syntax and parameter information, see Add-RoleGroupMember.

How do you know this worked?
To verify that you've added the user to the Discovery Management role group, do the
following:

1. In the EAC, go to Permissions > Admin roles.

2. In the list view, select Discovery Management.

3. In the details pane, verify that the user is listed under Members.

You can also run this command to list the members of the Discovery Management role
group.

PowerShell

Get-RoleGroupMember -Identity "Discovery Management"

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.
Export eDiscovery search results to a PST file in the Exchange admin center in Exchange Online
Article • 02/22/2023

Important

As we continue to invest in different ways to search for mailbox content, we're
announcing the retirement of In-Place eDiscovery in the Exchange admin center
(EAC) in Exchange Online. Starting July 1, 2020, you won't be able to create new In-
Place eDiscovery searches. But you'll still be able to manage In-Place eDiscovery
searches in the EAC or by using the Set-MailboxSearch cmdlet in Exchange Online
PowerShell. However, starting October 1, 2020, you won't be able to manage In-
Place eDiscovery searches. You'll only be able to remove them in the EAC or by
using the Remove-MailboxSearch cmdlet. Using In-Place eDiscovery in Exchange
Server and Exchange hybrid deployments will still be supported. For more
information about the retirement of In-Place eDiscovery in Exchange Online, see
Retirement of legacy eDiscovery tools.

You can use the eDiscovery Export tool in the Exchange admin center (EAC) to export
the results of an In-Place eDiscovery search to an Outlook Data File, which is also called
a PST file. Administrators can distribute the results of the search to other people within
your organization, such as a human resources manager or records manager, or to
opposing counsel in a legal case. After search results are exported to a PST file, you or
other users can open them in Outlook to review or print messages returned in the
search results. PST files can also be opened in third-party eDiscovery and reporting
applications. This topic shows you how to do this, as well as troubleshoot any issues you
might have.

What do you need to know before you begin?
Estimated time to complete: Time will vary based on the amount and size of the
search results that will be exported.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "In-Place eDiscovery" entry
in the Feature permissions in Exchange Online topic.

The computer you use to export search results to a PST file must meet the
following system requirements:

32- or 64-bit versions of Windows 7 and later versions

Microsoft .NET Framework 4.7

A supported browser: Internet Explorer 10 and later versions, or Mozilla Firefox or
Google Chrome. If you use either of these browsers, be sure you install the
ClickOnce extension. To install the ClickOnce add-in, see Mozilla ClickOnce add-ons
or ClickOnce for Google Chrome.
You need an active mailbox attached to the account you wish to export.

Ensure that the Local intranet zone settings are set up correctly in Internet Explorer.
Make sure that https://*.outlook.com is added to the Local intranet zone.

Make sure the following URLs are not listed in the Trusted sites zone:

https://*.outlook.com

https://r4.res.outlook.com

https://*.res.outlook.com

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the Exchange admin center to export In-Place eDiscovery search results to a PST
1. Go to Compliance management > In-place eDiscovery & hold.

2. In the list view, select the In-Place eDiscovery search you want to export the results
of, and then click Export to a PST file.

3. In the eDiscovery PST Export Tool window, do the following:

Click Browse to specify the location where you want to download the PST file.

Click the Enable deduplication checkbox to exclude duplicate messages. Only
a single instance of a message will be included in the PST file.

Click the Include unsearchable items checkbox to include mailbox items that
couldn't be searched (for example, messages with attachments of file types
that couldn't be indexed by Exchange Search). Unsearchable items are
exported to a separate PST file.

Important

Including unsearchable items when you export eDiscovery search results
takes longer when mailboxes contain a lot of unsearchable items. To
reduce the time it takes to export search results and prevent large PST
export files, consider the following recommendations:

Create multiple eDiscovery searches that each search a fewer number
of source mailboxes.

If you're exporting all mailbox content within a specific date range (by
not specifying any keywords in the search criteria), then all
unsearchable items within that date range will be automatically
included in the search results. Therefore, don't select the Include
unsearchable items checkbox.

4. Click Start to export the search results to a PST file.

A window is displayed that contains status information about the export process.

More information
You can reduce the size of the PST export file by exporting only the unsearchable
items. To do this, create or edit a search, specify a start date in the future, and then
remove any keywords from the Keywords box. This will result in no search results
being returned. When you copy or export the search results and select the Include
unsearchable items checkbox, only the unsearchable items will be copied to the
discovery mailbox or exported to a PST file.

If you enable de-duplication, all search results are exported in a single PST file. If
you don't enable de-duplication, a separate PST file is exported for each mailbox
included in the search. And as previously stated, unsearchable items are exported
to a separate PST file.

In addition to the PST files that contain the search results, two other files are also
exported:

A configuration file (.txt file format) that contains information about the PST
export request, such as the name of the eDiscovery search that was exported,
the date and time of the export, whether de-duplication and unsearchable items
were enabled, the search query, and the source mailboxes that were searched.

A search results log (.csv file format) that contains an entry for each message
returned in the search results. Each entry identifies the source mailbox where
the message is located. If you've enabled de-duplication, this helps you identify
all mailboxes that contain a duplicate message.

The name of the search is the first part of the filename for each file that is
exported. Also, the date and time of the export request is appended to the
filename of each PST file and the results log.

For more information about de-duplication and unsearchable items, see Estimate,
preview, and copy search results.

To export eDiscovery search results from the eDiscovery Center in SharePoint or
SharePoint Online, see Export eDiscovery content and create reports.

Troubleshooting

Symptom: Cannot export to a PST file.
Possible causes:
There is no active mailbox attached to the account. To export the PST, you must have an
active account.
Your version of Internet Explorer is out of date. Try updating IE to version 10 or later,
or try a different browser.
The search criteria entered in the Filter based on criteria query are incorrect. For
example, a username is entered instead of an email address. For more information about
how to filter based on criteria, see Modify an In-Place eDiscovery search.

Symptom: Unable to export search results on a specific machine. Export works as
expected on a different machine.
Possible cause: The wrong Windows credentials were saved in the Credential Manager.
Clear your credentials and log in again.

Symptom: eDiscovery PST Export Tool won't start.
Possible cause: Local intranet zone settings aren't set up correctly in Internet
Explorer. Make sure that *.outlook.com, *.office365.com, *.sharepoint.com and
*.onmicrosoft.com are added to the Local intranet zone (not to the Trusted sites zone).
To add these sites to a zone in IE, see Security zones: adding or removing websites.
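A check for the zone prerequisites above, as an added example in Windows PowerShell (not code from the page). It reads the per-user ZoneMap that Internet Explorer writes when a site is added manually, and the Site to Zone Assignment List policy key when one is applied, and reports whether each host the page names resolves to the Local intranet zone (ID 1) rather than Trusted sites (ID 2). The registry layout assumed is the one IE uses: Domains\<domain>\<subdomain> with a DWORD named after the scheme; the list of hosts is taken from this page.

```powershell
# Added example, not from the page. Zone IDs: 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet. Assumed registry layout: HKCU ZoneMap\Domains\<domain>[\<sub>] with
# value "https" = zone; policy list under ZoneMapKey as "https://host" = zone (REG_SZ).

function Get-IeZoneForHost {
    param([Parameter(Mandatory)][string]$Pattern, [string]$Scheme = "https")

    # A Site to Zone Assignment policy overrides manual entries, so check it first.
    foreach ($hive in "HKLM", "HKCU") {
        $policy = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $policy) {
            $v = (Get-ItemProperty -Path $policy).PSObject.Properties["${Scheme}://$Pattern"]
            if ($v) { return [int]$v.Value }
        }
    }

    # Manual entries: "*.res.outlook.com" -> Domains\outlook.com\res,
    # "r4.res.outlook.com" -> Domains\outlook.com\r4.res, "*.outlook.com" -> Domains\outlook.com
    $labels = $Pattern.TrimStart("*").TrimStart(".").Split(".")
    $domain = ($labels | Select-Object -Last 2) -join "."
    $sub    = ($labels | Select-Object -SkipLast 2) -join "."
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($sub) { $key = Join-Path $key $sub }
    if (-not (Test-Path $key)) { return $null }   # no explicit entry: inherits/defaults
    $v = (Get-ItemProperty -Path $key).PSObject.Properties[$Scheme]
    if ($v) { [int]$v.Value } else { $null }
}

function Test-ExportToolZones {
    # Hosts the page says must be in Local intranet, and hosts it says must not be in Trusted sites.
    $mustBeIntranet   = "*.outlook.com", "*.office365.com", "*.sharepoint.com", "*.onmicrosoft.com"
    $mustNotBeTrusted = "*.outlook.com", "r4.res.outlook.com", "*.res.outlook.com"

    foreach ($h in $mustBeIntranet) {
        $z = Get-IeZoneForHost -Pattern $h
        [pscustomobject]@{ Host = $h; Zone = $z; Requirement = "Local intranet (1)"; OK = ($z -eq 1) }
    }
    foreach ($h in $mustNotBeTrusted) {
        $z = Get-IeZoneForHost -Pattern $h
        [pscustomobject]@{ Host = $h; Zone = $z; Requirement = "not Trusted sites (2)"; OK = ($z -ne 2) }
    }
}

Test-ExportToolZones | Format-Table -AutoSize
```

A null Zone for a must-be-intranet host means no explicit mapping exists and the host falls into the Internet zone, which is the "tool won't start" case in the table above.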
Message properties and search operators for In-Place eDiscovery in Exchange Online
Article • 02/22/2023

This topic describes the properties of Exchange email messages that you can search by
using In-Place eDiscovery & Hold in Exchange Server and Exchange Online. The topic
also describes Boolean search operators and other search query techniques that you can
use to refine eDiscovery search results.

In-Place eDiscovery uses Keyword Query Language (KQL). For more details, see Keyword
Query Language syntax reference.

Searchable properties in Exchange
The following table lists email message properties that can be searched using an In-
Place eDiscovery search or by using the New-MailboxSearch or the Set-MailboxSearch
cmdlet. Each entry gives the property, a description, examples of the property:value
syntax, and the search results returned by the examples.

Property: Attachment
Description: The names of files attached to an email message.
Examples: attachment:annualreport.ppt
          attachment:annual*
Results: Messages that have an attached file named annualreport.ppt. In the second
example, using the wildcard returns messages with the word "annual" in the file name of
an attachment.

Property: Bcc
Description: The BCC field of an email message. [1]
Examples: bcc:pilarp@contoso.com
          bcc:pilarp
          bcc:"Pilar Pinilla"
Results: All examples return messages with Pilar Pinilla included in the Bcc field.

Property: Category
Description: The categories to search. Categories can be defined by users by using
Outlook or Outlook on the web (formerly known as Outlook Web App). The possible
values are: blue, green, orange, purple, red, yellow.
Examples: category:"Red Category"
Results: Messages that have been assigned the red category in the source mailboxes.

Property: Cc
Description: The CC field of an email message. [1]
Examples: cc:pilarp@contoso.com
          cc:"Pilar Pinilla"
Results: In both examples, messages with Pilar Pinilla specified in the CC field.

Property: From
Description: The sender of an email message. [1]
Examples: from:pilarp@contoso.com
          from:contoso.com
Results: Messages sent by the specified user or sent from a specified domain.

Property: Importance
Description: The importance of an email message, which a sender can specify when
sending a message. By default, messages are sent with normal importance, unless the
sender sets the importance as high or low.
Examples: importance:high
          importance:medium
          importance:low
Results: Messages that are marked as high importance, medium importance, or low
importance.

Property: Kind
Description: The message type to search. Possible values: contacts, docs, email,
faxes, im, journals, meetings, notes, posts, rssfeeds, tasks, voicemail.
Examples: kind:email
          kind:email OR kind:im OR kind:voicemail
Results: Email messages that meet the search criteria. The second example returns
email messages, instant messaging conversations, and voice messages that meet the
search criteria.

Property: Participants
Description: All the people fields in an email message; these fields are From, To, CC,
and BCC. [1]
Examples: participants:garthf@contoso.com
          participants:contoso.com
Results: Messages sent by or sent to garthf@contoso.com. The second example returns
all messages sent by or sent to a user in the contoso.com domain.

Property: Received
Description: The date that an email message was received by a recipient.
Examples: received:04/15/2014
          received>=01/01/2014 AND received<=03/31/2014
Results: Messages that were received on April 15, 2014. The second example returns all
messages received between January 1, 2014 and March 31, 2014.

Property: Recipients
Description: All recipient fields in an email message; these fields are To, CC, and
BCC. [1]
Examples: recipients:garthf@contoso.com
          recipients:contoso.com
Results: Messages sent to garthf@contoso.com. The second example returns messages sent
to any recipient in the contoso.com domain.

Property: Sent
Description: The date that an email message was sent by the sender.
Examples: sent:07/01/2014
          sent>=06/01/2014 AND sent<=07/01/2014
Results: Messages that were sent on July 1, 2014. The second example returns all
messages sent between June 1, 2014 and July 1, 2014.

Property: Size
Description: The size of an item, in bytes.
Examples: size>26214400
          size:1..1048576
Results: Messages larger than 25 MB. The second example returns messages from 1
through 1,048,576 bytes (1 MB) in size.

Property: Subject
Description: The text in the subject line of an email message.
Examples: subject:"Quarterly Financials"
          subject:northwind
Results: Messages that contain the exact phrase "Quarterly Financials" anywhere in the
text of the subject line. The second example returns all messages that contain the word
northwind in the subject line.

Property: To
Description: The To field of an email message. [1]
Examples: to:annb@contoso.com
          to:annb
          to:"Ann Beebe"
Results: All examples return messages where Ann Beebe is specified in the To: line.

Note

[1] For the value of a recipient property, you can use the SMTP address, display
name, or alias to specify a user. For example, you can use annb@contoso.com,
annb, or "Ann Beebe" to specify the user Ann Beebe.

Supported search operators

Boolean search operators, such as AND, OR, help you define more-precise mailbox
searches by including or excluding specific words in the search query. Other techniques,
such as using property operators (such as >= or ..), quotation marks, parentheses, and
wildcards, help you refine eDiscovery search queries. The following table lists the
operators that you can use to narrow or broaden search results.

Important

You must use uppercase Boolean operators in a search query. For example, use
AND; don't use and. Using lowercase operators in search queries will return an
error.

Operator: AND
  Usage: keyword1 AND keyword2
  Description: Returns messages that include all of the specified keywords or property:value expressions.

Operator: +
  Usage: keyword1 +keyword2 +keyword3
  Description: Returns items that contain either keyword2 or keyword3 and that also contain keyword1. Therefore, this example is equivalent to the query (keyword2 OR keyword3) AND keyword1. Note that the query keyword1 + keyword2 (with a space after the + symbol) isn't the same as using the AND operator. This query would be equivalent to "keyword1 + keyword2" and return items with the exact phrase "keyword1 + keyword2".

Operator: OR
  Usage: keyword1 OR keyword2
  Description: Returns messages that include one or more of the specified keywords or property:value expressions.

Operator: NOT
  Usage:
    keyword1 NOT keyword2
    NOT from:"Ann Beebe"
  Description: Excludes messages specified by a keyword or a property:value expression. For example, NOT from:"Ann Beebe" excludes messages sent by Ann Beebe.

Operator: -
  Usage: keyword1 -keyword2
  Description: The same as the NOT operator. This query returns items that contain keyword1 and excludes items that contain keyword2.

Operator: NEAR
  Usage: keyword1 NEAR(n) keyword2
  Description: Returns messages with words that are near each other, where n equals the number of words apart. For example, best NEAR(5) worst returns messages where the word "worst" is within five words of "best". If no number is specified, the default distance is eight words.

Operator: :
  Usage: property:value
  Description: The colon (:) in the property:value syntax specifies that the property value being searched for equals the specified value. For example, recipients:garthf@contoso.com returns any message sent to garthf@contoso.com.

Operator: <
  Usage: property<value
  Description: Denotes that the property being searched is less than the specified value.(1)

Operator: >
  Usage: property>value
  Description: Denotes that the property being searched is greater than the specified value.(1)

Operator: <=
  Usage: property<=value
  Description: Denotes that the property being searched is less than or equal to a specific value.(1)

Operator: >=
  Usage: property>=value
  Description: Denotes that the property being searched is greater than or equal to a specific value.(1)

Operator: ..
  Usage: property:value1..value2
  Description: Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2.(1)

Operator: ""
  Usage:
    "fair value"
    subject:"Quarterly Financials"
  Description: Use double quotation marks (" ") to search for an exact phrase or term in keyword and property:value search queries.

Operator: *
  Usage:
    cat*
    subject:set*
  Description: Prefix wildcard searches (where the asterisk is placed at the end of a word) match for zero or more characters in keywords or property:value queries. For example, subject:set* returns messages that contain the word set, setup, and setting (and other words that start with "set") in the subject line.

Operator: ()
  Usage:
    (fair OR free) AND from:contoso.com
    (IPO OR initial) AND (stock OR shares)
    (quarterly financials)
  Description: Parentheses group together Boolean phrases, property:value items, and keywords. For example, (quarterly financials) returns items that contain the words quarterly and financials.

Note

(1) Use this operator for properties that have date or numeric values.

Unsupported characters in search queries

Unsupported characters in a search query typically cause a search error or return unintended results. Unsupported characters are often hidden, and they're typically added to a query when you copy the query or parts of the query from other applications (such as Microsoft Word or Microsoft Excel) and paste them into the keyword box on the query page of In-Place eDiscovery search.

Here's a list of the unsupported characters for an In-Place eDiscovery search query.

Smart quotation marks: Smart single and double quotation marks (also called curly quotes) aren't supported. Only straight quotation marks can be used in a search query.

Non-printable and control characters: Non-printable and control characters don't represent a written symbol, such as an alphanumeric character. Examples of non-printable and control characters include characters that format text or separate lines of text.

Left-to-right and right-to-left marks: These are control characters used to indicate text direction for left-to-right languages (such as English and Spanish) and right-to-left languages (such as Arabic and Hebrew).

Lowercase Boolean operators: As previously explained, you have to use uppercase Boolean operators, such as AND and OR, in a search query. Note that the query syntax will often indicate that a Boolean operator is being used even though lowercase operators might be used; for example, (WordA or WordB) and (WordC or WordD).

How do you prevent unsupported characters in your search queries? The best way to prevent unsupported characters is to just type the query in the keyword box. Alternatively, you can copy a query from Word or Excel and then paste it into a file in a plain text editor, such as Microsoft Notepad. Then save the text file and select ANSI in the Encoding drop-down list. This will remove any formatting and unsupported characters. Then you can copy and paste the query from the text file to the keyword query box.

Search tips and tricks

Keyword searches are not case sensitive. For example, cat and CAT return the same results.

A space between two keywords or two property:value expressions is the same as using AND. For example, from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain the word reorganization in the subject line.

Use syntax that matches the property:value format. Values are not case-sensitive, and they can't have a space after the operator. If there is a space, your intended value will just be full-text searched. For example, to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.

When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar Pinilla".

You can use only prefix wildcard searches (for example, cat* or set*). Suffix wildcard searches (*cat) or substring wildcard searches (*cat*) aren't supported.

When searching a property, use double quotation marks (" ") if the search value consists of multiple words. For example, subject:budget Q1 returns messages that contain budget in the subject line and that contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1" returns all messages that contain budget Q1 anywhere in the subject line.
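A checker for the unsupported characters listed above and the syntax pitfalls under Search tips and tricks (lowercase operators, a space after the property operator), with a keyword count that leaves Boolean operators out; this is an added example, not code from the article, it runs without an Exchange session, and the sample query is constructed.

```powershell
# Added example: validate and repair an In-Place eDiscovery keyword query before
# pasting it into the EAC keyword box. Pure string handling; no Exchange cmdlets used.
function Test-EDiscoveryQuery {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Query)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Smart (curly) quotes, direction marks and control characters are the hidden
    # characters that a paste from Word or Excel typically carries along.
    if ($Query -match '[\u2018\u2019\u201C\u201D]') {
        $problems.Add('Smart quotation marks found; only straight quotes are supported.')
    }
    if ($Query -match '[\u200E\u200F]') {
        $problems.Add('Left-to-right or right-to-left mark found.')
    }
    if ($Query -match '[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]') {
        $problems.Add('Non-printable or control character found.')
    }

    # Replace quoted phrases with a placeholder token so words inside an exact phrase
    # ("cat and dog") are not mistaken for operators or counted as separate keywords.
    $unquoted = [regex]::Replace($Query, '"[^"]*"', 'QUOTEDPHRASE')

    # Boolean operators must be uppercase; lowercase ones return an error.
    foreach ($m in [regex]::Matches($unquoted, '\b(?:and|or|not|near)\b', 'IgnoreCase')) {
        if ($m.Value -cne $m.Value.ToUpperInvariant()) {
            $problems.Add("Boolean operator '$($m.Value)' is not uppercase; use '$($m.Value.ToUpperInvariant())'.")
        }
    }

    # A space after :, <, >, <= or >= turns the value into a plain keyword
    # (to: pilarp searches for the word pilarp instead of the To field).
    foreach ($m in [regex]::Matches($unquoted, '\b([A-Za-z]+)(<=|>=|:|<|>)[ \t]+')) {
        $problems.Add("Space after '$($m.Groups[1].Value)$($m.Groups[2].Value)'; remove it so the value is matched against the property.")
    }

    # Keyword count as the service counts it: operators and grouping parentheses
    # are excluded, and each quoted phrase counts once.
    $tokens   = $unquoted -split '\s+' | Where-Object { $_ -ne '' }
    $keywords = @($tokens | Where-Object { $_ -notmatch '^(?:AND|OR|NOT|NEAR(?:\(\d+\))?|[()]+)$' }).Count

    [pscustomobject]@{
        Query        = $Query
        IsValid      = ($problems.Count -eq 0)
        KeywordCount = $keywords
        Problems     = $problems.ToArray()
    }
}

function Repair-EDiscoveryQuery {
    # In-place equivalent of the "save as ANSI in Notepad" workaround: straighten
    # quotes, drop hidden characters and uppercase operators outside quoted phrases.
    param([Parameter(Mandatory)][string]$Query)
    $fixed = $Query -replace '[\u2018\u2019]', "'" -replace '[\u201C\u201D]', '"'
    $fixed = $fixed -replace '[\u200E\u200F\x00-\x08\x0B\x0C\x0E-\x1F\x7F]', ''
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        if ($m.Value.StartsWith('"')) { $m.Value } else { $m.Value.ToUpperInvariant() }
    }
    [regex]::Replace($fixed, '"[^"]*"|\b(?:and|or|not|near)\b', $evaluator,
        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
}

# Constructed sample: a query pasted from Word, with curly quotes, a lowercase "and"
# and a stray space after "to:".
$sample = 'subject:' + [char]0x201C + 'Quarterly Financials' + [char]0x201D + ' and from:contoso.com to: pilarp'
Test-EDiscoveryQuery -Query $sample | Format-List
$repaired = Repair-EDiscoveryQuery -Query $sample
Test-EDiscoveryQuery -Query $repaired | Format-List   # only the "to: " spacing problem is left
```

The repair step deliberately does not remove the space after a property operator, because only the author of the query knows whether "to: pilarp" was meant as a property search or a keyword.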

Search limits for In-Place eDiscovery in Exchange Online
Article • 02/22/2023

Various types of limits are applied to In-Place eDiscovery searches in Exchange Online.
These limits help to maintain the health and quality of services provided to Exchange
Online organizations. In most cases, you can't modify these limits, but you should be
aware of them so that you can take these limits into consideration when planning,
running, and troubleshooting eDiscovery searches.

Source mailbox limits

In-Place eDiscovery has limits on the number of source mailboxes that can be searched
in a single search. The following table describes these limits and suggests alternative
ways to work around them. These limits apply to eDiscovery searches created by using
the Exchange admin center (EAC) or Remote Windows PowerShell.

Description of limit: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search.
  Limit: 10,000
  More information and suggested workarounds: If you have more than 10,000 mailboxes in your organization, you won't be able to use the Search all mailboxes option on the Mailboxes page in the EAC. To search large numbers of mailboxes (up to 10,000 mailboxes total), you can organize users into distribution groups or dynamic distribution groups and then specify a group on the Mailboxes page in the EAC.(1)

Description of limit: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search that still allows you to view keyword statistics.
  Limit: 100
  More information and suggested workarounds: After you run an eDiscovery search estimate, you can view keyword statistics. These statistics show details about the number of items returned for each keyword used in the search query. If more than 100 source mailboxes are included in the search, an error will be returned if you try to view keyword statistics. To view keyword statistics, reduce the number of source mailboxes to 100 or fewer, and then rerun the search estimate. When you're satisfied with the search query, you can add additional source mailboxes to the search and then copy or export the search results.

Description of limit: The maximum number of mailboxes that can be placed on In-Place Hold in a single In-Place eDiscovery search.
  Limit: 10,000
  More information and suggested workarounds: You can place up to 10,000 mailboxes on In-Place Hold by using a single eDiscovery search. However, if you select the Search all mailboxes option on the Sources page, you won't be able to enable an In-Place Hold for that search. To place a large number of mailboxes on hold using a single In-Place Hold, use distribution groups or dynamic distribution groups to group mailboxes together, and then specify one of those groups on the Mailboxes page in the EAC.(1) A better option for placing a hold on a large number of mailboxes is to use a Litigation Hold. Using lots of single In-Place eDiscovery searches to place mailboxes on hold isn't recommended.

Note

(1) Group membership is calculated only when the search or a hold is created. If a user gets added to the group after the search is created, the user's mailbox won't be added automatically as a source mailbox. You'll have to edit the search and add the mailbox. The same thing applies when a user is removed from a group that is used to create a search or hold. You'll have to edit the search to remove the mailbox.

Exchange admin center limits

There are also limits when you use the EAC to create and run In-Place eDiscovery
searches. These limits are primarily related to the number of source mailboxes that are
displayed in the EAC when you select source mailboxes to search. The following table
describes these limits and suggests alternative ways to work around them.

Description of limit: The maximum number of mailboxes that are displayed in the mailbox picker for selecting source mailboxes when creating a new In-Place eDiscovery or In-Place Hold search.
  Limit: 500
  More information and suggested workarounds: Only 500 mailboxes, distribution groups, and dynamic distribution groups are listed in the mailbox picker to select source mailboxes from when you create a new search. A message is displayed saying that there are more recipients than the ones displayed. Here are some workarounds for this limit:
    Use the search box to find a mailbox that isn't listed in the mailbox picker.
    Use distribution groups or dynamic distribution groups to group large numbers of mailboxes together. Then pick the group from the mailbox list or search for it using the search box. Groups are expanded into source mailboxes when you create an eDiscovery search.
    Select Search all mailboxes on the Mailbox page if your organization has less than 10,000 mailboxes and you're not going to place mailboxes on hold.
    Use distribution groups or dynamic distribution groups to group users if you want to place more than 500 mailboxes on In-Place Hold.

Description of limit: The maximum number of mailboxes that are displayed when editing an In-Place eDiscovery or In-Place Hold search.
  Limit: 3,000
  More information and suggested workarounds: Up to 3,000 mailboxes are displayed on the Sources page in the EAC when you edit an In-Place eDiscovery search or hold. To add a mailbox to the list of sources, you can use the search box to find a mailbox that isn't listed in the mailbox picker (a maximum of 500 recipients are listed in the mailbox picker). To remove a mailbox that's listed, you can select it and then click Remove. To remove a mailbox that isn't listed, you have to use Exchange Online PowerShell to remove it. For example, the following commands are run to remove the user Ann Beebe from an In-Place Hold named ContosoHold.

  PowerShell

  $SourceMailboxes = Get-MailboxSearch "ContosoHold"
  $SourceMailboxes.Sources.Remove("/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=28e3edb87e29422998ec8f3a946dd1e5-annb")
  Set-MailboxSearch "ContosoHold" -SourceMailboxes $SourceMailboxes.Sources

  The first command creates a variable that contains the properties of ContosoHold. The second command removes the user Ann Beebe (by specifying the value of the LegacyExchangeDN property) from the list of source mailboxes. The third command edits ContosoHold with the updated list of source mailboxes.
  To add a user to an In-Place Hold, use the following syntax in the second command in the previous example.

  PowerShell

  $SourceMailboxes.Sources.Add("<LegacyExchangeDN of the user>")

  Note: The Sources property of an In-Place eDiscovery search or an In-Place Hold identifies the source mailboxes by their LegacyExchangeDN property. Because this property uniquely identifies a user mailbox, using the Sources property helps prevent adding or removing the wrong mailbox. This also helps to avoid issues if two mailboxes have the same alias or primary SMTP address.
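The Sources edit shown above, with the LegacyExchangeDN resolved from a mailbox identifier instead of typed by hand; an added example, not from the article, that assumes a connected Exchange Online PowerShell session and reuses ContosoHold and annb from the article as placeholder names.

```powershell
# Added example: add or remove one mailbox in the Sources list of an In-Place
# eDiscovery search or In-Place Hold. The LegacyExchangeDN is looked up, so a
# duplicate alias or SMTP address cannot cause the wrong mailbox to be edited.
function Set-MailboxSearchSource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchName,
        [Parameter(Mandatory)][string]$Mailbox,                            # alias, SMTP address or display name
        [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action
    )

    $search = Get-MailboxSearch -Identity $SearchName -ErrorAction Stop

    # Resolve to exactly one mailbox; Sources stores DNs precisely because they are unique.
    $mbx = @(Get-Mailbox -Identity $Mailbox -ErrorAction Stop)
    if ($mbx.Count -ne 1) {
        throw "'$Mailbox' resolved to $($mbx.Count) mailboxes; use a unique identifier."
    }
    $dn = $mbx[0].LegacyExchangeDN

    # Work on a copy of the current list and write it back only when it changed.
    $sources = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $search.Sources) { $sources.Add([string]$s) }
    $present = $sources.Contains($dn)

    switch ($Action) {
        'Add' {
            if ($present) { Write-Verbose "$dn is already a source of '$SearchName'."; return }
            if ($sources.Count -ge 10000) {
                throw "Adding a source would exceed the 10,000 source mailbox limit for '$SearchName'."
            }
            $sources.Add($dn)
        }
        'Remove' {
            if (-not $present) { Write-Verbose "$dn is not a source of '$SearchName'."; return }
            [void]$sources.Remove($dn)
        }
    }

    if ($PSCmdlet.ShouldProcess($SearchName, "$Action source mailbox $dn")) {
        Set-MailboxSearch -Identity $SearchName -SourceMailboxes $sources.ToArray()
        [pscustomobject]@{
            Search      = $SearchName
            Action      = $Action
            Mailbox     = [string]$mbx[0].PrimarySmtpAddress
            SourceCount = $sources.Count
        }
    }
}

# Names from the article's example; -WhatIf shows the change without applying it.
Set-MailboxSearchSource -SearchName 'ContosoHold' -Mailbox 'annb' -Action Remove -WhatIf
Set-MailboxSearchSource -SearchName 'ContosoHold' -Mailbox 'annb' -Action Add -Verbose
```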

Other limits

The following table describes other limits that affect In-Place eDiscovery searches.

Description of limit: The maximum number of In-Place eDiscovery searches that can run at the same time in your organization.
  Limit: 2
  More information: If an eDiscovery search is started while two previous searches are still running, the third search won't be queued and will instead fail. You have to wait until one of the running searches is completed before you can successfully start a new search. Also, estimate-only and copy searches are both considered In-Place eDiscovery searches. So, if you are running an estimate-only search and a copy search at the same time, you can't start another search until one of the running searches is completed. However, you can preview or export the search results from another search while two searches are running.

Description of limit: The maximum number of keywords that can be specified in a single In-Place eDiscovery search query.
  Limit: 500
  More information: Boolean operators, such as AND and OR, aren't counted against the total number of keywords. For example, the keyword query cat AND dog AND bird AND fish consists of four keywords.

Description of limit: The maximum number of items displayed on the search preview page when previewing In-Place eDiscovery search results.
  Limit: 200
  More information: When you preview search results, the mailboxes that were searched are listed in the right pane on the eDiscovery search preview page. For each mailbox, the number of items returned and the total size of these items are also displayed. Items returned by the search are listed in the right pane. Up to 200 items are displayed on the preview page. Note: Items from each mailbox can't be displayed in the right pane by clicking a mailbox in the left pane. To view the items returned from a specific mailbox, you can copy the search results and view the items in the discovery mailbox.

Description of limit: The maximum number of keywords that can be specified in all In-Place Holds placed on a single mailbox.
  Limit: 500
  More information: If multiple In-Place Holds are placed on a user's mailbox, the maximum number of keywords in all search queries is 500. That's because Exchange Online combines all the keyword search parameters from all In-Place Holds by using the OR operator. If there are more than 500 keywords in the hold queries, then all content in the mailbox is placed on hold (and not just the content that matches the search criteria of any query-based hold). All content is held until the total number of keywords in all In-Place Holds is reduced to 500 or less. Holding all mailbox content is similar in functionality to a Litigation Hold.

Description of limit: Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a keyword search query or when using a prefix wildcard and the NEAR operator.
  Limit: 10,000
  More information: For non-phrase queries we use a special prefix index. This only tells us that a word occurs in a document, not where in the document it occurs. To do a phrase query we need to compare the position within the document for the words in the phrase. This means that we cannot use the prefix index for phrase queries. In this case we are internally expanding the query with all possible words that the prefix expands to (i.e. "time*" can expand to "time OR timer OR times OR timex OR timeboxed OR ..."). 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. For non-phrase terms there is no upper limit.

Create a discovery mailbox in Exchange Online
Article • 02/22/2023

Microsoft Exchange Server Setup creates a discovery mailbox by default. In Exchange Online, a discovery mailbox is also created by default. Discovery mailboxes are used as target mailboxes for In-Place eDiscovery searches in the Exchange admin center (EAC). You can create additional discovery mailboxes as required. After you create a new discovery mailbox, you will have to assign Full Access permissions to the appropriate users so they can access eDiscovery search results that are copied to the discovery mailbox.

Caution

After a discovery manager copies the results of an eDiscovery search to a discovery mailbox, the mailbox can potentially contain sensitive information. You should control access to discovery mailboxes and make sure only authorized users can access them.

For more information, see Discovery mailboxes.

What do you need to know before you begin?

Estimated time to complete: 3 minutes.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Discovery mailboxes - create" entry in the Feature permissions in Exchange Online topic.

Discovery mailboxes have a mailbox storage quota of 50 gigabytes (GB). This storage quota can't be increased.

You can't use the EAC to create a discovery mailbox or assign permissions to
access it. You have to use Exchange Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Connect to Exchange Online PowerShell

For instructions, see Connect to Exchange Online PowerShell.

Step 2: Create a discovery mailbox

This example creates a discovery mailbox named SearchResults.

PowerShell

New-Mailbox -Name SearchResults -Discovery

Important

The 'Name' parameter must not contain any spaces.

For detailed syntax and parameter information, see New-Mailbox.

To display a list of all discovery mailboxes in an Exchange organization, run the following
command:

PowerShell

Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'DiscoveryMailbox'"

For detailed syntax and parameter information, see Get-Mailbox.

Step 3: Assign permissions to a discovery mailbox

You have to explicitly assign users or groups the necessary permissions to open a
discovery mailbox that you've created. Use the following syntax to assign a user or
group permissions to open a discovery mailbox and view search results:

PowerShell

Add-MailboxPermission <Name of the discovery mailbox> -User <Name of user or group> -AccessRights FullAccess -InheritanceType All

For example, the following command assigns the Full Access permission to the Litigation
Managers group, so members of the group can open the Fabrikam Litigation discovery
mailbox.

PowerShell

Add-MailboxPermission "Fabrikam Litigation" -User "Litigation Managers" -AccessRights FullAccess -InheritanceType All

For detailed syntax and parameter information, see Add-MailboxPermission.

More information

By default, members of the Discovery Management role group only have Full
Access permission to the default Discovery Search Mailbox. You will have to
explicitly assign the Full Access permission to the Discovery Management role
group if you want members to open a discovery mailbox that you've created.

Although visible in Exchange address lists, users can't send email to a discovery
mailbox. Email delivery to discovery mailboxes is prohibited with delivery
restrictions. This preserves the integrity of search results copied to a discovery
mailbox.

A discovery mailbox can't be repurposed or converted to another type of mailbox.

You can remove a discovery mailbox as you would any other type of mailbox.
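Steps 2 and 3 combined with a review of who can open discovery mailboxes, which is what the Caution at the top of this article asks for; an added example, not code from the article, assuming a connected Exchange Online PowerShell session and reusing SearchResults and Litigation Managers from the article as placeholder names.

```powershell
# Added example: create a discovery mailbox (if it does not exist), grant one group
# Full Access, then list every explicit Full Access grant on all discovery mailboxes
# so that the grants can be reviewed against who is actually authorised.
function New-ScopedDiscoveryMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^\S+$')][string]$Name,   # Name must not contain spaces
        [Parameter(Mandatory)][string]$Group                             # users or group who may open it
    )

    $mbx = Get-Mailbox -Identity $Name -ErrorAction SilentlyContinue
    if (-not $mbx) {
        $mbx = New-Mailbox -Name $Name -Discovery
    } elseif ($mbx.RecipientTypeDetails -ne 'DiscoveryMailbox') {
        throw "'$Name' exists but is a $($mbx.RecipientTypeDetails), not a discovery mailbox."
    }

    # Full Access is what discovery managers need to open the mailbox and read copied results.
    Add-MailboxPermission -Identity $Name -User $Group -AccessRights FullAccess -InheritanceType All | Out-Null
    return $mbx
}

function Get-DiscoveryMailboxAccess {
    # One row per explicit (non-inherited) Full Access grant on each discovery mailbox.
    # The SELF entry is skipped; anything else listed here can read copied search results.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails DiscoveryMailbox | ForEach-Object {
        $discovery = $_
        Get-MailboxPermission -Identity $discovery.Identity |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessRights -contains 'FullAccess' -and
                $_.User -notlike 'NT AUTHORITY\*'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    DiscoveryMailbox = $discovery.Name
                    User             = [string]$_.User
                    Deny             = [bool]$_.Deny
                }
            }
    }
}

New-ScopedDiscoveryMailbox -Name 'SearchResults' -Group 'Litigation Managers' | Out-Null
# Review the result: a user or group that should not be here has access to potentially sensitive search results.
Get-DiscoveryMailboxAccess | Sort-Object DiscoveryMailbox, User | Format-Table -AutoSize
```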

Create a custom management scope for In-Place eDiscovery searches in Exchange Online
Article • 02/22/2023

You can use a custom management scope to let specific people or groups use In-Place
eDiscovery to search a subset of mailboxes in your Exchange Online organization. For
example, you might want to let a discovery manager search only the mailboxes of users
in a specific location or department. You can do this by creating a custom management
scope. This custom management scope uses a recipient filter to control which mailboxes
can be searched. Recipient filter scopes use filters to target specific recipients based on
recipient type or other recipient properties.

For In-Place eDiscovery, the only property on a user mailbox that you can use to create
a recipient filter for a custom scope is distribution group membership (the actual
property name is MemberOfGroup). If you use other properties, such as
CustomAttributeN, Department, or PostalCode, the search fails when it's run by a
member of the role group that's assigned the custom scope.

To learn more about management scopes, see:

Understanding management role scopes

Understanding management role scope filters

What do you need to know before you begin?

Estimated time to complete: 15 minutes

As previously stated, you can only use group membership as the recipient filter to
create a custom recipient filter scope that is intended to be used for eDiscovery.
Any other recipient properties can't be used to create a custom scope for
eDiscovery searches. Note that membership in a dynamic distribution group can't
be used either.

Perform steps 1 through 3 to let a discovery manager export the search results for
an eDiscovery search that uses a custom management scope.

If your discovery manager doesn't need to preview the search results, you can skip
step 4.
If your discovery manager doesn't need to copy the search results, you can skip
step 5.

Step 1: Organize users into distribution groups for eDiscovery

To search a subset of mailboxes in your organization or to narrow the scope of source
mailboxes that a discovery manager can search, you'll need to group the subset of
mailboxes into one or more distribution groups. When you create a custom
management scope in step 2, you'll use these distribution groups as the recipient filter
to create a custom management scope. This allows a discovery manager to search only
the mailboxes of the users who are members of a specified group.

You might be able to use existing distribution groups for eDiscovery purposes, or you
can create new ones. See More information at the end of this topic for tips on how to
create distribution groups that can be used to scope eDiscovery searches.

Step 2: Create a custom management scope

Now you'll create a custom management scope that's defined by the membership of a
distribution group (using the MemberOfGroup recipient filter). When this scope is
applied to a role group used for eDiscovery, members of the role group can search the
mailboxes of users who are members of the distribution group that was used to create
the custom management scope.

This procedure uses Exchange Online PowerShell commands to create a custom scope
named Ottawa Users eDiscovery Scope. It specifies the distribution group named
Ottawa Users for the recipient filter of the custom scope.

1. Run this command to get and save the properties of the Ottawa Users group to a
variable, which is used in the next command.

PowerShell

$DG = Get-DistributionGroup -Identity "Ottawa Users"

2. Run this command to create a custom management scope based on the membership of the Ottawa Users distribution group.

PowerShell

New-ManagementScope "Ottawa Users eDiscovery Scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

The distinguished name of the distribution group, which is contained in the variable
$DG, is used to create the recipient filter for the new management scope.

Step 3: Create a management role group

In this step, you create a new management role group and assign the custom scope that
you created in step 2. Add the Legal Hold and Mailbox Search roles so that role group
members can perform In-Place eDiscovery searches and place mailboxes on In-Place
Hold or Litigation Hold. You can also add members to this role group so they can search
the mailboxes of the members of the distribution group used to create the custom
scope in step 2.

In the following examples, the Ottawa Users eDiscovery Managers security group will be added as a member of this role group. You can use either Exchange Online PowerShell or the EAC for this step.

Use Exchange Online PowerShell to create a management role group

Run this command to create a new role group that uses the custom scope created in
step 2. The command also adds the Legal Hold and Mailbox Search roles, and adds the
Ottawa Users eDiscovery Managers security group as members of the new role group.

PowerShell

New-RoleGroup "Ottawa Discovery Management" -Roles "Mailbox Search","Legal Hold" -CustomRecipientWriteScope "Ottawa Users eDiscovery Scope" -Members "Ottawa Users eDiscovery Managers"

Use the EAC to create a management role group

1. In the EAC, go to Permissions > Admin roles, and then click New.

2. In New role group, provide the following information:

Name: Provide a descriptive name for the new role group. For this example,
you'd use Ottawa Discovery Management.
Write scope: Select the custom management scope that you created in step
2. This scope will be applied to the new role group.

Roles: Click Add, and add the Legal Hold and Mailbox Search roles to the new role group.

Members: Click Add, and select the users, security group, or role groups that you want to add as members of the new role group. For this example, the members of the Ottawa Users eDiscovery Managers security group will be able to search only the mailboxes of users who are members of the Ottawa Users distribution group.

3. Click Save to create the role group.

Here's an example of what the New role group window will look like when you're
done.

(Optional) Step 4: Add discovery managers as members of the distribution group used to create the custom management scope

You only need to perform this step if you want to let a discovery manager preview
eDiscovery search results.

Run this command to add the Ottawa Users eDiscovery Managers security group as a
member of the Ottawa Users distribution group.
PowerShell

Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Users eDiscovery Managers"

Note

For Exchange on-premises, the discovery managers will have to be added directly
to the distribution group used to create the management scope. Nested groups
will not work.

You can also use the EAC to add members to a distribution group. For more information,
see Create and manage distribution groups.

(Optional) Step 5: Add a discovery mailbox as a member of the distribution group used to create the custom management scope

You only need to perform this step if you want to let a discovery manager copy
eDiscovery search results.

Run this command to add a discovery mailbox named Ottawa Discovery Mailbox as a
member of the Ottawa Users distribution group.

PowerShell

Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Discovery Mailbox"

Note

To open a discovery mailbox and view the search results, discovery managers must
be assigned Full Access permissions for the discovery mailbox. For more
information, see Create a discovery mailbox.

How do you know this worked?

Here are some ways to verify if you've successfully implemented custom management
scopes for eDiscovery. When you verify, be sure that the user running the eDiscovery
searches is a member of the role group that uses the custom management scope.

Create an eDiscovery search, and select the distribution group that was used to
create the custom management scope as the source of mailboxes to be searched.
All mailboxes should be successfully searched.

Create an eDiscovery search, and search the mailboxes of any users who aren't
members of the distribution group that was used to create the custom
management scope. The search should fail because the discovery manager can
only search mailboxes for users who are members of the distribution group that
was used to create the custom management scope. In this case, an error such as
"Unable to search mailbox <name of mailbox> because the current user does not
have permissions to access the mailbox" will be returned.

Create an eDiscovery search, and search the mailboxes of users who are members
of the distribution group that was used to create the custom management scope.
In the same search, include the mailboxes of users who aren't members. The search
should partially succeed. The mailboxes of members of the distribution group used
to create the custom management scope should be successfully searched. The
search of mailboxes for users who aren't members of the group should fail.

More information
Because distribution groups are used in this scenario to scope eDiscovery searches
and not for message delivery, consider the following when you create and
configure distribution groups for eDiscovery:

Create distribution groups with a closed membership so that members can be
added to or removed from the group only by the group owners. If you're
creating the group in Exchange Online PowerShell, use the syntax
-MemberJoinRestriction closed and -MemberDepartRestriction closed.

Enable group moderation so that any message sent to the group is first sent to
the group moderators who can approve or reject the message accordingly. If
you're creating the group in Exchange Online PowerShell, use the syntax
-ModerationEnabled $true. If you're using the EAC, you can enable moderation
after the group is created.

Hide the distribution group from the organization's shared address book. Use
the EAC or the Set-DistributionGroup cmdlet after the group is created. If
you're using Exchange Online PowerShell, use the syntax
-HiddenFromAddressListsEnabled $true.

In the following example, the first command creates a distribution group with
closed membership and moderation enabled. The second command hides the
group from the shared address book.

PowerShell

New-DistributionGroup -Name "Vancouver Users eDiscovery Scope" -Alias VancouverUserseDiscovery -MemberJoinRestriction closed -MemberDepartRestriction closed -ModerationEnabled $true

PowerShell

Set-DistributionGroup "Vancouver Users eDiscovery Scope" -HiddenFromAddressListsEnabled $true

For more information about creating and managing distribution groups, see
Create and manage distribution groups.

Though you can use only distribution group membership as the recipient filter for
a custom management scope used for eDiscovery, you can use other recipient
properties to add users to that distribution group. Here are some examples of
using the Get-Mailbox and Get-Recipient cmdlets to return a specific group of
users based on common user or mailbox attributes.

PowerShell

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "HR"'

PowerShell

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'CustomAttribute15 -eq "VancouverSubsidiary"'

PowerShell

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'PostalCode -eq "98052"'

PowerShell

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'StateOrProvince -eq "WA"'

PowerShell

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -OrganizationalUnit "namsr01a002.sdf.exchangelabs.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com"

You can then use the examples from the previous bullet to create a variable that
can be used with the Add-DistributionGroupMember cmdlet to add a group of
users to a distribution group. In the following example, the first command creates
a variable that contains all user mailboxes that have the value Vancouver for the
Department property in their user account. The second command adds these users
to the Vancouver Users distribution group.

PowerShell

$members = Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "Vancouver"'

PowerShell

$members | ForEach {Add-DistributionGroupMember "Vancouver Users" -Member $_.Name}

You can use the Add-RoleGroupMember cmdlet to add a member to an existing
role group that's used to scope eDiscovery searches. For example, the following
command adds the user admin@ottawa.contoso.com to the Ottawa Discovery
Management role group.

PowerShell

Add-RoleGroupMember "Ottawa Discovery Management" -Member admin@ottawa.contoso.com

You can also use the EAC to add members to a role group. For more information,
see the "Modify role groups" section in Manage role groups in Exchange Online.

In Exchange Online, a custom management scope used for eDiscovery can't be
used to search inactive mailboxes. This is because an inactive mailbox can't be a
member of a distribution group. For example, let's say that a user is a member of a
distribution group that was used to create a custom management scope for
eDiscovery. Then that user leaves the organization and their mailbox is made
inactive (by placing a Litigation Hold or In-Place hold on the mailbox and then
deleting the corresponding user account). The result is that the user is removed as
a member from any distribution group, including the group that was used to
create the custom management scope used for eDiscovery. If a discovery manager
(who is a member of the role group that's assigned the custom management
scope) tries to search the inactive mailbox, the search will fail. To search inactive
mailboxes, a discovery manager must be a member of the Discovery Management
role group or any role group that has permissions to search the entire
organization.

For more information about inactive mailboxes, see Create and manage inactive
mailboxes.
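
A way to keep the scope group's membership aligned with the recipient attribute it represents, as an added example that is not part of the Exchange documentation: it creates the hardened group described in the bullets above if it doesn't exist, adds matching mailboxes that are missing, optionally removes members that no longer match, and reports the settings. The group name, alias, filter and the -RemoveStale switch are illustrative values, and an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the Exchange documentation): reconcile an eDiscovery
# scope group's membership with a recipient attribute filter. Assumes an existing
# Exchange Online PowerShell session. Group name, alias, filter and -RemoveStale
# are illustrative choices, not values from the documentation.
param(
    [string]$GroupName = "Vancouver Users eDiscovery Scope",
    [string]$Alias     = "VancouverUserseDiscovery",
    [string]$Filter    = 'Department -eq "Vancouver"',
    [switch]$RemoveStale   # also drop members who no longer match the filter
)

# 1. Create the group once: closed membership, moderated, hidden from the GAL.
#    The group only scopes searches; it is never meant to be a delivery target.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Alias $Alias `
        -MemberJoinRestriction Closed -MemberDepartRestriction Closed `
        -ModerationEnabled $true
    Set-DistributionGroup -Identity $GroupName -HiddenFromAddressListsEnabled $true
}

# 2. Desired membership: every user mailbox that matches the attribute filter.
$wanted  = Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter $Filter
# 3. Current membership of the group.
$current = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited

# Compare on primary SMTP address; display names are not unique.
$wantedSet  = @{}
foreach ($r in $wanted)  { $wantedSet[$r.PrimarySmtpAddress.ToString().ToLower()] = $r }
$currentSet = @{}
foreach ($m in $current) { $currentSet[$m.PrimarySmtpAddress.ToString().ToLower()] = $m }

$added = 0; $removed = 0
foreach ($addr in $wantedSet.Keys) {
    if (-not $currentSet.ContainsKey($addr)) {
        Add-DistributionGroupMember -Identity $GroupName -Member $addr
        $added++
    }
}
if ($RemoveStale) {
    # Members who no longer match would otherwise stay searchable by the scoped role group.
    foreach ($addr in $currentSet.Keys) {
        if (-not $wantedSet.ContainsKey($addr)) {
            Remove-DistributionGroupMember -Identity $GroupName -Member $addr -Confirm:$false
            $removed++
        }
    }
}

# 4. Confirm the hardening settings are still in place and report the drift corrected.
$group = Get-DistributionGroup -Identity $GroupName
[pscustomobject]@{
    Group           = $group.Name
    MembersNow      = @(Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited).Count
    Added           = $added
    Removed         = $removed
    JoinRestriction = $group.MemberJoinRestriction
    Moderated       = $group.ModerationEnabled
    HiddenFromGAL   = $group.HiddenFromAddressListsEnabled
}
```

Running it on a schedule keeps the search scope tied to the directory attribute rather than to a one-time membership import.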

Reduce the size of a discovery mailbox in Exchange Online
Article • 02/22/2023

Have a discovery mailbox that's exceeded the 50 GB limit? You can fix this issue by
creating new discovery mailboxes and copying the search results from the large
discovery mailbox to the new ones.

Why would I want to do this?

In Exchange Server and Exchange Online, the maximum size of discovery mailboxes,
which are used to store In-Place eDiscovery search results, is 50 GB. Prior to the current
size limit, you were able to increase the storage quota to more than 50 GB, which
resulted in having discovery mailboxes much larger than 50 GB. There are three issues
with discovery mailboxes that are larger than 50 GB:

They're not supported.

They can't be migrated to Microsoft 365 or Office 365.

If they're discovery mailboxes in Exchange Server 2010, they can't be upgraded to
later versions.

The process at a glance

Here's a quick look at what you'll need to do to reduce the size of a discovery mailbox
that's exceeded the 50 GB limit:

1. Step 1: Create additional discovery mailboxes to distribute the search results to.

2. Step 2: Copy the search results from the existing discovery mailbox to one or
more of the new discovery mailboxes.

3. Step 3: Delete eDiscovery searches from the original discovery mailbox to
reduce its size.

The strategy presented here groups the search results from the original discovery
mailbox into separate eDiscovery searches that are based on date ranges. This is a quick
way to copy many search results to a new discovery mailbox. The following graphic
illustrates this approach.

What do you need to know before you begin?

Estimated time to complete this task: Time will vary based on the amount and size
of the search results that will be copied to different discovery mailboxes.

Run the following command to determine the size of the discovery mailboxes in
your organization.

PowerShell

Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Get-MailboxStatistics | Format-List DisplayName,TotalItemSize

Determine if you need to keep some or all of the search results from the discovery
mailbox that's exceeded the 50 GB limit. Follow the steps in this topic to retain
search results by copying them to a different discovery mailbox. If you don't need
to keep the results of a specific eDiscovery search, you can delete the search, as
explained in step 3. Deleting a search will delete the search results from the
discovery mailbox.

If you don't need any of the search results from a discovery mailbox that's
exceeded the 50 GB limit, you can delete it. If this is the default discovery mailbox
that was created when your Exchange organization was provisioned, you can re-
create it. For more information, see Delete and re-create the default discovery
mailbox in Exchange.

For current legal cases, you might want to export the results of selected eDiscovery
searches to .pst files. Doing this keeps the results from a specific search intact. In
addition to the .pst files that contain the search results, a search results log (.csv
file format) that contains an entry for each message returned in the search results
is also exported. Each entry in this file identifies the source mailbox where the
message is located. For more information, see Export eDiscovery search results to a
PST file.

After you export search results to .pst files, you'll need to use Outlook if you want
to import them to a new discovery mailbox.

Step 1: Create discovery mailboxes

The first step is to create additional discovery mailboxes so that you can copy the search
results from the discovery mailbox that's exceeded the size limit. Based on the 50 GB
size limit for discovery mailboxes, determine how many additional discovery mailboxes
you'll need and create them. You'll then need to assign users or groups the necessary
permissions to open these new discovery mailboxes.

1. Run the following command to create a new discovery mailbox.

PowerShell

New-Mailbox -Name <discovery mailbox name> -Discovery

2. Run the following command to assign a user or group permissions to open the
discovery mailbox and view search results.

PowerShell

Add-MailboxPermission <discovery mailbox name> -User <name of user or group> -AccessRights FullAccess -InheritanceType all

Step 2: Copy search results to a discovery mailbox

The next step is to use the New-MailboxSearch cmdlet to copy the search results from
the existing discovery mailbox to a new discovery mailbox that you created in the
previous step. This procedure uses the StartDate and EndDate parameters to scope the
search results into batches that are no larger than 50 GB. This may require some testing
(by estimating the search results) to size the search results appropriately.

1. Run the following command to create a new eDiscovery search.

PowerShell

New-MailboxSearch -Name "Search results from 2010" -SourceMailboxes "Discovery Search Mailbox" -StartDate "01/01/2010" -EndDate "12/31/2010" -TargetMailbox "Discovery Mailbox Backup 01" -EstimateOnly -StatusMailRecipients admin@contoso.com

This example uses the following parameters:

Name: This parameter specifies the name of the new eDiscovery search.
Because the search is scoped by sent and received dates, it's useful that the
name of the search includes the date range.

SourceMailboxes: This parameter specifies the default discovery mailbox. You
can also specify the name of another discovery mailbox that's exceeded the
size limit.

StartDate and EndDate: These parameters specify the date range of the
search results in the default discovery mailbox to include in the search results.

Note

For dates, use the short date format, mm/dd/yyyy, even if the Regional
Options settings on the local computer are configured with a different
format, such as dd/mm/yyyy. For example, use 03/01/2014 to specify
March 1, 2014.

TargetMailbox: This parameter specifies that search results should be copied
to the discovery mailbox named "Discovery Mailbox Backup 01".

EstimateOnly: This switch specifies that only an estimate of the number of
items that will be returned is provided when the search is started. If you don't
include this switch, messages are copied to the target mailbox when the
search is started. Using this switch lets you adjust the date ranges if necessary
to increase or decrease the number of search results.

StatusMailRecipients: This parameter specifies that the status message should
be sent to the specified recipient.

2. After the search is created, start it by using Exchange Online PowerShell or the
Exchange admin center (EAC).

Using Exchange Online PowerShell: Run the following command to start the
search created in the previous step. Because the EstimateOnly switch was
included when the search was created, the search results won't be copied to
the target discovery mailbox.

PowerShell

Start-MailboxSearch "Search results from 2010"

Using the EAC: Go to Compliance management > In-Place eDiscovery &
hold. Select the search created in the previous step, click Search, and then
click Estimate search results.

3. If necessary, adjust the date range to increase or decrease the amount of search
results that are returned. If you change the date range, run the search again to get
a new estimate of the results. Consider changing the name of the search to reflect
the new date range.

4. When you're finished testing the search, use Exchange Online PowerShell or the
EAC to copy the search results to the target discovery mailbox.

Using Exchange Online PowerShell: Run the following commands to copy
the search results. You have to remove the EstimateOnly switch before you
can copy the search results.

PowerShell

Set-MailboxSearch "Search results from 2010" -EstimateOnly $false

PowerShell

Start-MailboxSearch "Search results from 2010"

Using the EAC: Go to Compliance management > In-Place eDiscovery &
hold. Select the search, click Search, and then click Copy search results.

5. Repeat steps 1 through 4 to create new searches for additional date ranges.
Include the date range in the name of the new search to indicate the range of the
results. To make sure none of the discovery mailboxes exceeds the 50 GB limit, use
different discovery mailboxes as the target mailbox.
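
Steps 1 through 5 as one script that runs the procedure for several date ranges, as an added example that is not part of the Exchange documentation: each yearly batch is estimated first, and only then copied to a target discovery mailbox that still has room under the 50 GB limit. It assumes an Exchange Online PowerShell session, target mailboxes already created in Step 1, and that Get-MailboxSearch exposes Status and ResultSizeEstimate properties with the status values checked below; the mailbox names, years and 90% headroom are illustrative.

```powershell
# Added example (not from the Exchange documentation): split an oversized
# discovery mailbox into yearly batches, estimate each batch, then copy it into a
# target discovery mailbox that still has room under 50 GB. Assumes an Exchange
# Online PowerShell session and targets created in Step 1. Names, years, headroom,
# and the Status/ResultSizeEstimate properties of Get-MailboxSearch are assumptions.
$SourceMailbox = "Discovery Search Mailbox"
$Targets       = @("Discovery Mailbox Backup 01", "Discovery Mailbox Backup 02")
$Years         = 2010..2013
$StatusMail    = "admin@contoso.com"
$LimitBytes    = 50GB
$Headroom      = 0.9   # never plan a target above 90% of the limit

# Sizes arrive as ByteQuantifiedSize objects locally, or as strings such as
# "1.5 GB (1,610,612,736 bytes)" over remote PowerShell; handle both shapes.
function ConvertTo-Bytes($size) {
    if ($null -eq $size) { return 0L }
    if ($size.PSObject.Methods['ToBytes']) { return [long]$size.ToBytes() }
    if ("$size" -match '\(([\d,]+) bytes\)') { return [long]($Matches[1] -replace ',', '') }
    if ($size.PSObject.Properties['Value']) { return ConvertTo-Bytes $size.Value }
    return 0L
}

# Poll until the search (estimate or copy) leaves its in-progress states.
function Wait-MailboxSearch($name) {
    do {
        Start-Sleep -Seconds 30
        $s = Get-MailboxSearch -Identity $name
    } while ($s.Status -in 'NotStarted', 'InProgress', 'EstimateInProgress')
    return $s
}

# Track how much each target already holds so batches are spread, not stacked.
$used = @{}
foreach ($t in $Targets) {
    $stats    = Get-Mailbox -Identity $t | Get-MailboxStatistics
    $used[$t] = ConvertTo-Bytes $stats.TotalItemSize
}

foreach ($year in $Years) {
    $name = "Search results from $year"   # date range in the name, as step 5 advises
    # Estimate only: nothing is copied until the batch size is known.
    New-MailboxSearch -Name $name -SourceMailboxes $SourceMailbox `
        -StartDate "01/01/$year" -EndDate "12/31/$year" -EstimateOnly `
        -StatusMailRecipients $StatusMail | Out-Null
    Start-MailboxSearch -Identity $name
    $search = Wait-MailboxSearch $name
    $bytes  = ConvertTo-Bytes $search.ResultSizeEstimate
    Write-Host ("{0}: estimate {1:N2} GB" -f $name, ($bytes / 1GB))

    if ($bytes -gt $LimitBytes * $Headroom) {
        Write-Warning "$name alone exceeds the planned limit; split it into shorter date ranges."
        continue
    }
    $target = $Targets |
        Where-Object { $used[$_] + $bytes -le $LimitBytes * $Headroom } |
        Select-Object -First 1
    if (-not $target) {
        Write-Warning "No target mailbox has room for $name; create another one (Step 1) and rerun."
        continue
    }
    # Point the search at the chosen target, drop EstimateOnly, and copy for real.
    Set-MailboxSearch -Identity $name -TargetMailbox $target -EstimateOnly $false
    Start-MailboxSearch -Identity $name
    $search = Wait-MailboxSearch $name
    $used[$target] += ConvertTo-Bytes $search.ResultSizeCopied
    Write-Host ("{0}: copied to {1}, status {2}" -f $name, $target, $search.Status)
}
```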

Step 3: Delete eDiscovery searches

After you've copied search results from the original discovery mailbox to another
discovery mailbox, you can delete the original eDiscovery searches. Deleting an
eDiscovery search will delete the search results from the discovery mailbox where those
search results are stored.

Before deleting a search, you can run the following command to identify the size of the
search results that have been copied to a discovery mailbox for all searches in your
organization.

PowerShell

Get-MailboxSearch | Format-List Name,TargetMailbox,ResultSizeCopied

You can use Exchange Online PowerShell or the EAC to delete an eDiscovery search.

Using Exchange Online PowerShell: Run the following command.

PowerShell

Remove-MailboxSearch -Identity <name of search>

Using the EAC: Go to Compliance management > In-Place eDiscovery & hold.
Select the search that you want to delete, and then click Delete .

How do you know this worked?

After you've deleted the eDiscovery searches to remove the results from the discovery
mailbox where they were stored, run the following command to display the size of a
selected discovery mailbox.

PowerShell

Get-Mailbox <name of discovery mailbox> | Get-MailboxStatistics | Format-List TotalItemSize

Delete and re-create the default discovery mailbox in Exchange Online
Article • 02/22/2023

You can use Exchange Online PowerShell to delete the default discovery mailbox, re-
create it, and then assign permissions to it.

Why would I want to do this?

In Exchange Online, the maximum size of the default discovery mailbox is 50 GB. It's
used to store In-Place eDiscovery search results. Before the size limit was changed,
organizations could increase the storage quota to more than 50 GB. As a result,
discovery mailboxes could grow to more than 50 GB. Discovery mailboxes that are larger
than 50 GB are no longer supported.

How you resolve this issue depends on whether you want to save the search results
from a default discovery mailbox that's exceeded 50 GB.

Do you want to save the search results?   Do this
---------------------------------------   -------
No                                        Follow the steps in this topic to delete, and then re-create the default discovery mailbox.
Yes                                       Follow the steps in Reduce the size of a discovery mailbox in Exchange.

Use Exchange Online PowerShell to delete and re-create the default discovery mailbox

Note

You can't use the Exchange admin center (EAC) because discovery mailboxes aren't
displayed in the EAC.

1. Run the following command to delete the default discovery mailbox.

PowerShell

Remove-Mailbox "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"

2. In the message asking you to confirm that you want to delete the mailbox and the
corresponding Active Directory user object, type Y, and then press Enter.

A new user object is created in Active Directory when you create the discovery
mailbox in the next step.

3. Run the following command to re-create the default discovery mailbox.

PowerShell

New-Mailbox -Name "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -Alias "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -DisplayName "Discovery Search Mailbox" -Discovery

4. Run the following command to assign the Discovery Management role group
permissions to open the default discovery mailbox and view search results.

PowerShell

Add-MailboxPermission "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -User "Discovery Management" -AccessRights FullAccess -InheritanceType all

5. Run the following command to reset mailbox settings.

PowerShell

Set-Mailbox -Identity "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -HiddenFromAddressListsEnabled $true -ProhibitSendQuota 50GB -ProhibitSendReceiveQuota 50GB -RecoverableItemsQuota 50GB

Data loss prevention in Exchange Online
Article • 02/22/2023

Note

Legacy Exchange Online data loss prevention in the Exchange admin center is in
the process of being deprecated. We recommend that you create DLP policies in
the Microsoft Purview compliance portal. For more information about this DLP, see
Learn about data loss prevention.

Starting April 1, 2022, admins will no longer be able to make configuration
changes to DLP policies in the classic Exchange admin center. Existing rules
will continue to work as-is.

Starting August 1, 2022, the DLP policy management experience in the classic
Exchange admin center will be retired. Admins will still be able to view the
associated rules in read-only mode using the mail flow rule (transport rule)
experience.

You can easily migrate your legacy Exchange Online DLP policies using the
migration wizard. For more information, see Migrate Exchange Online data loss
prevention policies to the Microsoft Purview compliance portal.

Detailed timelines for GCC-H and DoD special clouds will be communicated
separately.

Learn about DLP policies in Exchange Online, including what they contain and how to
test them. You'll also learn about a new feature in Exchange DLP.

Data loss prevention (DLP) is an important issue for enterprise message systems
because of the extensive use of email for business critical communication that includes
sensitive data. In order to enforce compliance requirements for such data, and manage
its use in email, without hindering the productivity of workers, DLP features make
managing sensitive data easier than ever before. For a conceptual overview of DLP,
watch the following video.

https://www.microsoft.com/en-us/videoplayer/embed/31f2b48e-93ed-4be3-b46d-e7230c0fed8f?autoplay=false&postJsllMsg=true

DLP policies are simple packages that contain sets of conditions, which are made up of
mail flow rule (also known as transport rule) conditions, exceptions, and actions that you
create in the Exchange admin center (EAC) and then activate to filter email messages
and attachments. You can create a DLP policy, but choose to not activate it. This allows
you to test your policies without affecting mail flow. DLP policies can use the full power
of existing mail flow rules. In fact, a number of new types of mail flow rules have been
created in Exchange Online in order to accomplish new DLP capability. One important
new feature of mail flow rules is a new approach to classifying sensitive information that
can be incorporated into mail flow processing. This new DLP feature performs deep
content analysis through keyword matches, dictionary matches, regular expression
evaluation, and other content examination to detect content that violates organizational
DLP policies. For more information about mail flow rules, see Mail flow rules (transport
rules) in Exchange Online, and Integrating sensitive information rules with mail flow
rules in Exchange Online. You can also manage your DLP policies by using Exchange
Online PowerShell cmdlets at Exchange PowerShell.

In addition to the customizable DLP policies themselves, you can also inform email
senders that they may be about to violate one of your policies, even before they send an
offending message. You can accomplish this by configuring Policy Tips. Policy Tips are
similar to MailTips, and can be configured to present a brief note in the Microsoft
Outlook 2013 client that provides information about possible policy violations to a
person creating a message. In Exchange Online, Policy Tips are also displayed in Outlook
on the web (formerly known as Outlook Web App) and OWA for Devices. For more
information, see Policy Tips.

Note

Exchange Online DLP is a premium feature. For more information, see Exchange
Online Licensing , Exchange Online Service Description, and Exchange Online
Protection Service Description.

Messages sent between on-premises users in a hybrid deployment do not have
Exchange Online DLP policies applied because the messages do not leave the on-
premises infrastructure.

Establish policies to protect sensitive data

The data loss prevention features can help you identify and monitor many categories of
sensitive information that you have defined within the conditions of your policies, such
as private identification numbers or credit card numbers. You have the option of
defining your own custom policies and mail flow rules or using the pre-defined DLP
policy templates provided by Microsoft in order to get started quickly. For more
information about the policy templates that are included, see DLP policy templates
supplied in Exchange. A policy template includes a range of conditions, rules, and
actions that you can choose from in order to create and save an actual DLP policy that
will help you inspect messages. The policy templates are models from which you can
select or build your own specific rules to create a policy that meets your needs for data
loss prevention.

Three different methods exist for you to begin using DLP:

1. Apply an out-of-the-box template supplied by Microsoft: The quickest way to
start using DLP policies is to create and implement a new policy using a template.
This saves you the effort of building a new set of rules from nothing. You will need
to know what type of data you want to check for or which compliance regulation
you are attempting to address. You will also need to know your organization's
expectations for processing such data. More information at DLP policy templates
supplied in Exchange and Create a DLP policy from a template.

2. Import a pre-built policy file from outside your organization: You can import
policies that have already been created outside of your messaging environment by
independent software vendors. In this way you can extend the DLP solutions to suit
your business requirements.

3. Create a custom policy without any pre-existing conditions: Your enterprise may
have its own requirements for monitoring certain types of data known to exist
within a messaging system. You can create a custom policy entirely on your own in
order to start checking and acting upon your own unique message data. You will
need to know the requirements and constraints of the environment in which the
DLP policy will be enforced in order to create such a custom policy. More
information at Create a custom DLP policy.

After you have added a policy, you can review and change its rules, make the policy
inactive, or remove it completely.

Sensitive information types in DLP policies

When you create or change DLP policies, you can include rules that include checks for
sensitive information. The sensitive information types listed in the Sensitive information
type entity definitions topic are available to be used in your policies. The conditions that
you establish within a policy, such as how many times something has to be found before
an action is taken or exactly what that action is can be customized within your new
custom policies in order to meet your specific policy requirements. For more
information about creating DLP policies, see Create a custom DLP policy. For more
information about the full suite of mail flow rules, see Mail flow rules (transport rules) in
Exchange Online.

To make it easy for you to make use of the sensitive information-related rules, Microsoft
has supplied policy templates that already include some of the sensitive information
types. You cannot add conditions for all of the sensitive information types listed here to
policy templates however, because the templates are designed to help you focus on the
most common types of compliance-related data within your organization. For more
information about the pre-built templates, see DLP policy templates supplied in
Exchange. You can create numerous DLP policies for your organization and have them
all enabled so that many disparate types of information are examined. You can also
create a DLP policy that is not based on an existing template. To begin creating such a
policy, see Create a custom DLP policy. For more information about sensitive
information types, see Sensitive information type entity definitions.

Policy Tips notify users about sensitive content expectations

You can use Policy Tip notification messages to inform email senders about possible
compliance issues while they are composing an email message. When you configure a
Policy Tip in a DLP policy, the notification message will only show up if something in the
sender's email message meets the conditions described in your policy. Policy Tips are
similar to MailTips that were introduced in Microsoft Exchange 2010. For more
information, see Policy Tips.

Detecting sensitive information along with traditional message classification

Exchange Online presents a new method of helping you manage message and
attachment data when compared with traditional message classification. A key factor in
the strength of a DLP solution is the ability to correctly identify confidential or sensitive
content that may be unique to the organization, regulatory needs, geography, or other
business needs. Exchange Online can achieve this by using a new architecture for deep
content analysis coupled with detection criteria that you establish through rules in your
DLP policies. Helping prevent data loss in Exchange Online relies on configuring the
correct set of sensitive information rules so that they provide a high degree of
protection while minimizing inappropriate mail flow disruption with false positives and
negatives. These types of rules, referred to throughout the DLP information as sensitive
information detection, function within the framework offered by mail flow rules in order
to enable DLP capabilities.

To learn more about these new features, see Integrating sensitive information rules with
mail flow rules in Exchange Online. The traditional message classification fields can still
be applied to messages in Exchange and these can be combined with the new sensitive
information detection either together within a single DLP policy or running concurrently
so they are evaluated independently within Exchange. To learn more about the legacy
Exchange 2010 message classifications, see Understanding Message Classifications.

Installation prerequisites

In order to make use of DLP features, you must have at least one mailbox with an
Exchange Online Plan 2 license configured. For more information, see Exchange Online
service description.

For more information

Exchange Online

Security and compliance for Exchange Online

How DLP rules are applied to evaluate messages in Exchange Online
Article • 02/22/2023

You can set up sensitive information rules within your Microsoft Exchange data loss
prevention (DLP) policies to detect specific data in email messages. This article will help
you understand how these rules are applied and how messages are evaluated. You can
avoid workflow disruptions for your email users and achieve a high degree of accuracy
with your DLP detections if you know how your rules are enforced. Let's use the
Microsoft-supplied credit card information rule as an example. When you activate a mail
flow rule (also known as a transport rule) or DLP policy, all messages that your users
send are compared with the rule sets that you create.

Get precise about your needs

Suppose you need to act on credit card information in messages. The actions you take
once it's found aren't the subject of this article, but you can learn more about that in
Mail flow rule actions in Exchange Online. With as much certainty as possible, you need
to ensure that what is detected in a message is truly credit card data and not something
else that could be a legitimate use of groups of numbers that merely resemble credit
card data; for example, a reservation code or a vehicle identification number.

To meet this need, let's make it clear that the following information should be classified
as a credit card:

Margie's Travel,
I have received updated credit card information for Spencer.
Spencer Badillo
Visa: 4111 1111 1111 1111
Expires: 2/2012
Please update his travel profile.

Let's also make it clear that the following information shouldn't be classified as a credit
card.

Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I'll be
there on 3/2018.
Regards, Lisa

The following XML snippet shows how the needs expressed earlier are currently defined
in a sensitive information rule that is provided with Exchange and it's embedded within
one of the supplied DLP policy templates.

XML

<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
    <Any minMatches="1">
      <Match idRef="Keyword_cc_verification" />
      <Match idRef="Keyword_cc_name" />
      <Match idRef="Func_expiration_date" />
    </Any>
  </Pattern>
</Entity>

Pattern-matching in your solution

The XML rule definition shown earlier includes pattern-matching, which improves the
likelihood that the rule will detect only the important information and not detect vague,
related information.

In the credit card rule, there's a section of XML code for patterns, which includes a
primary identifier match and some additional corroborative evidence. All three of these
requirements are explained here:

1. <IdMatch idRef="Func_credit_card" />: This requires a match of a function, titled
credit card, that is internally defined. This function includes a couple of validations
as follows:

   It matches a regular expression (in this instance for 16 digits) that could also
   include variations like a space delimiter so that it also matches 4111 1111 1111 1111 or
   a hyphen delimiter so that it also matches 4111-1111-1111-1111.

   It evaluates the Luhn checksum algorithm against the 16-digit number in order to
   ensure the likelihood of this being a credit card number is high.

   It requires a mandatory match, after which corroborative evidence is evaluated.

2. <Any minMatches="1">: This section indicates that the presence of at least one of
the following items of evidence is required.

   The corroborative evidence can be a match of one of these three:

   <Match idRef="Keyword_cc_verification">
   <Match idRef="Keyword_cc_name">
   <Match idRef="Func_expiration_date">

   These three simply mean a list of keywords for credit cards, the names of the credit
   cards, or an expiration date is required. The expiration date is defined and
   evaluated internally as another function.

The process of evaluating content against rules

The five steps here represent actions that Exchange takes to compare your rule with
email messages. For our credit card rule example, the following steps are taken.

Step Action

1. Get Content: Spencer Badillo
   Visa: 4111 1111 1111 1111
   Expires: 2/2012

2. Regular Expression Analysis: 4111 1111 1111 1111 -> a 16-digit number is detected

3. Function Analysis: 4111 1111 1111 1111 -> matches checksum
   1234 1234 1234 1234 -> doesn't match

4. Additional Evidence: Keyword Visa is near the number. A regular expression for a
   date (2/2012) is near the number.

5. Verdict: There's a regular expression that matches a checksum. Additional evidence
   increases confidence.

The way this rule is set up by Microsoft makes it mandatory that corroborating evidence
such as keywords are a part of the email message content in order to match the rule. So
the following email content wouldn't be detected as containing a credit card:

Margie's Travel,
I have received updated information for Spencer.
Spencer Badillo
4111 1111 1111 1111
Please update his travel profile.

You can use a custom rule that defines a pattern without extra evidence, as shown in the
next example. This would detect messages with only credit card number and no
corroborating evidence.

XML

<Pattern confidenceLevel="85">
<IdMatch idRef="Func_credit_card" />
</Pattern>
</Entity>
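To make the five-step evaluation above and the difference between the Microsoft-supplied pattern and the IdMatch-only custom pattern concrete, here is an added PowerShell model of the rule. It is not Exchange's own code: the regular expression, the keyword lists standing in for Keyword_cc_verification and Keyword_cc_name, the date pattern standing in for Func_expiration_date, and the 300-character proximity window are all assumptions made for illustration, because the internal functions are not published. The two messages it is run against are constructed to mirror the article's Spencer Badillo and Margie's Travel examples.

```powershell
# Added example: a PowerShell model of the credit card rule evaluation described above.
# Not Exchange's own code. The regex, keyword lists, expiry pattern and proximity window
# are assumptions standing in for the internal Func_credit_card, Keyword_cc_verification,
# Keyword_cc_name and Func_expiration_date definitions.

# 16 digits in groups of four, optionally separated by a space or a hyphen.
$CardRegex = '\b(?:\d{4}[ -]?){3}\d{4}\b'

# Assumed stand-ins for the two keyword lists.
$VerificationKeywords = @('card verification', 'card identification number', 'cvn', 'cid', 'cvc2', 'cvv2')
$CardNameKeywords     = @('visa', 'mastercard', 'american express', 'amex', 'discover')

# Assumed stand-in for Func_expiration_date: M/YY, MM/YY, M/YYYY or MM/YYYY.
$ExpiryRegex = '\b(0?[1-9]|1[0-2])/(\d{2}|\d{4})\b'

function Test-Luhn {
    # Returns $true when the digits satisfy the Luhn checksum (step 3, Function Analysis).
    param([Parameter(Mandatory)][string]$Number)
    $digits = @(($Number -replace '[ -]', '').ToCharArray() | ForEach-Object { [int][string]$_ })
    [array]::Reverse($digits)
    $sum = 0
    for ($i = 0; $i -lt $digits.Count; $i++) {
        $d = $digits[$i]
        if ($i % 2 -eq 1) {          # every second digit from the right is doubled
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
    }
    return (($sum % 10) -eq 0)
}

function Test-CreditCardRule {
    # Returns one object per number that would satisfy the pattern.
    # -RequireEvidence $true  models the Microsoft-supplied pattern (IdMatch + <Any minMatches="1">).
    # -RequireEvidence $false models the custom pattern that has the IdMatch alone.
    param(
        [Parameter(Mandatory)][string]$Content,
        [bool]$RequireEvidence = $true,
        [int]$ProximityChars = 300     # assumed window for "near the number"
    )
    $hits = foreach ($m in [regex]::Matches($Content, $CardRegex)) {
        # Step 2 is the regex match itself; step 3 is the checksum.
        if (-not (Test-Luhn -Number $m.Value)) { continue }

        # Step 4: look for corroborating evidence around the match.
        $start  = [Math]::Max(0, $m.Index - $ProximityChars)
        $end    = [Math]::Min($Content.Length, $m.Index + $m.Length + $ProximityChars)
        $window = $Content.Substring($start, $end - $start)

        $evidence = @()
        foreach ($kw in $VerificationKeywords) {
            if ($window -match ('\b' + [regex]::Escape($kw) + '\b')) { $evidence += 'Keyword_cc_verification'; break }
        }
        foreach ($kw in $CardNameKeywords) {
            if ($window -match ('\b' + [regex]::Escape($kw) + '\b')) { $evidence += 'Keyword_cc_name'; break }
        }
        if ($window -match $ExpiryRegex) { $evidence += 'Func_expiration_date' }

        # Step 5: verdict. <Any minMatches="1"> needs at least one item of evidence.
        if ($RequireEvidence -and $evidence.Count -eq 0) { continue }

        $label = if ($evidence.Count -gt 0) { $evidence -join ', ' } else { 'none (IdMatch only)' }
        [pscustomobject]@{ Number = $m.Value; Evidence = $label }
    }
    return @($hits)
}

# Constructed sample messages mirroring the two scenarios in the article.
$withEvidence = @"
Spencer Badillo
Visa: 4111 1111 1111 1111
Expires: 2/2012
"@
$bareNumber = @"
Margie's Travel,
I have received updated information for Spencer.
Spencer Badillo
4111 1111 1111 1111
Please update his travel profile.
"@

Test-CreditCardRule -Content $withEvidence
Test-CreditCardRule -Content $bareNumber
Test-CreditCardRule -Content $bareNumber -RequireEvidence $false
```

The first call returns the number with Keyword_cc_name and Func_expiration_date as evidence. The second returns nothing: the number passes the checksum but has no corroborating evidence nearby, which is exactly why the Margie's Travel message is not detected by the supplied rule. The third call models the custom pattern without evidence and returns the number again, which is the trade-off to weigh before deploying such a pattern: more coverage, but every Luhn-valid 16-digit number (order numbers, device serials) becomes a potential false positive.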

The illustration of credit cards in this article can be extended to other sensitive
information rules as well. To see the complete list of the Microsoft-supplied rules in
Exchange, use the Get-ClassificationRuleCollection cmdlet in Exchange Online
PowerShell in the following manner:

PowerShell

$rule_collection = Get-ClassificationRuleCollection
# SerializedClassificationRuleCollection is a byte array containing the rule XML. A full path
# is built because .NET static methods resolve relative paths against the process working
# directory, not the current PowerShell location.
$path = Join-Path -Path (Get-Location) -ChildPath 'oob_classifications.xml'
[System.IO.File]::WriteAllBytes($path, $rule_collection[0].SerializedClassificationRuleCollection)

For more information


Data loss prevention

Mail flow rules (transport rules) in Exchange Online

Exchange Online PowerShell


Integrating sensitive information rules
with mail flow rules in Exchange Online
Article • 02/22/2023

In Exchange Online, you can create DLP policies that contain rules for not only
traditional message classifications and existing mail flow rules (also known as transport
rules) but also combine these with rules for sensitive information found within
messages. The existing mail flow rules framework offers rich capabilities to define
messaging policies, covering the entire spectrum of soft to hard controls. Examples
include:

Limiting the interaction between recipients and senders, including interactions
between departmental groups inside an organization.
Applying separate policies for communications within and outside of an
organization.
Preventing inappropriate content from entering or leaving an organization.
Filtering confidential information.
Tracking or archiving messages that are sent to or received from specific
individuals.
Redirecting inbound and outbound messages for inspection before delivery.
Applying disclaimers to messages as they pass through the organization.

Mail flow rules allow you to apply messaging policies to email messages that flow
through the mail flow pipeline in the Transport service on Mailbox servers and on Edge
Transport servers. These rules allow system administrators to enforce messaging
policies, help keep messages more secure, help to protect messaging systems, and help
prevent accidental information loss. For more information about mail flow rules, see
Mail flow rules (transport rules) in Exchange Online.

Sensitive information rules within the mail flow rule framework

Sensitive information rules are integrated with the mail flow rules framework by
introduction of a condition that you can customize: If the message contains...Sensitive
Information. This condition can be configured with one or more sensitive information
types that are contained within the messages. When multiple DLP policies or rules within
a policy are configured with this condition, the policy or rule is satisfied when any of the
conditions match. Exchange policy rules examine the subject, body and any attachments
of a message. If the rule matches any of these message components, the rule actions
will be applied.

The sensitive information condition may be combined with any of the already existing
mail flow rules to define messaging policies. If combined, the condition works in
conjunction with other rules and provides the AND semantics. For example, two
different conditions are added together with an AND statement such that both need to
match for the action to be applied. Any of the mail flow rule actions can be configured
as result of rules containing the sensitive information type matching. Many different file
types can be scanned by the mail flow rules agent, which scans messages to enforce
mail flow rules. To learn more about the supported file types, see Use mail flow rules to
inspect message attachments in Exchange Online.

The rules can also be used in the exception part of a rule definition. Their use in the
exception definition is independent of their use as a condition within the rule. This
provides the flexibility to define rules that specify multiple sensitive information
types as part of the condition and different sensitive information types in the
exception. This allows policies such as matching specific traditional
message-classification rules, but not matching other sensitive information types, before
performing actions that you define within a policy.
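The following added example shows the AND semantics and the exception clause described above as a single mail flow rule created with New-TransportRule. It is not code from the Exchange documentation; the rule name, the incident report mailbox and the comment text are assumptions, while 'Credit Card Number' and 'U.S. Social Security Number (SSN)' are built-in sensitive information type names that you can confirm in your tenant with Get-DataClassification.

```powershell
# Added example (not from the Exchange documentation). Rule name, the report mailbox and
# the comment text are assumptions; 'Credit Card Number' and
# 'U.S. Social Security Number (SSN)' are built-in sensitive information type names
# (confirm with Get-DataClassification in your tenant).
Connect-ExchangeOnline    # ExchangeOnlineManagement module

# Two conditions joined with AND: the message contains at least one credit card number
# AND it is addressed outside the organization. The exception clause is evaluated
# independently: a message that also carries an SSN is left to a stricter rule.
New-TransportRule -Name 'Card numbers leaving the org (audit)' `
    -MessageContainsDataClassifications @( @{ Name = 'Credit Card Number'; MinCount = 1 } ) `
    -SentToScope NotInOrganization `
    -ExceptIfMessageContainsDataClassifications @( @{ Name = 'U.S. Social Security Number (SSN)' } ) `
    -Mode Audit `
    -SetAuditSeverity Medium `
    -GenerateIncidentReport 'dlp-reports@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, DataClassifications `
    -Comments 'Audit only until test messages confirm the match; then switch Mode to Enforce.'

# Confirm the condition and exception were stored as intended before enforcing.
Get-TransportRule -Identity 'Card numbers leaving the org (audit)' |
    Format-List Name, State, Mode, SentToScope, MessageContainsDataClassifications,
                ExceptIfMessageContainsDataClassifications

# After testing with sample mailboxes, enforce the rule.
Set-TransportRule -Identity 'Card numbers leaving the org (audit)' -Mode Enforce
```

Starting in Audit mode with an incident report is the practical way to see which real messages the combined condition hits before any message is rejected; the report lists the matched rule and the data classifications, so false positives surface in the report mailbox rather than as blocked business mail.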

For more information


Data loss prevention

Sensitive information type entity definitions

Mail flow rules (transport rules) in Exchange Online

Create a custom DLP policy


DLP policy templates supplied in
Exchange Online
Article • 02/22/2023

In Microsoft Exchange Server and Exchange Online, you can use data loss prevention
(DLP) policy templates as a starting point for building DLP policies that help you meet
your specific regulatory and business policy needs. You can modify the templates to
meet the specific needs of your organization.

Caution

You should enable your DLP policies in test mode before running them in your
production environment. During such tests, it is recommended that you configure
sample user mailboxes and send test messages that invoke your test policies in
order to confirm the results. Use of these policies does not ensure compliance
with any regulation. After your testing is complete, make the necessary
configuration changes in Exchange so the transmission of information complies
with your organization's policies. For example, you might need to configure TLS
with known business partners or add more restrictive mail flow rule (also known as
transport rule) actions, such as adding rights protection to messages that contain a
certain type of data.

Templates available for DLP


The following table lists the DLP policy templates in Exchange.

Template Description

Australia Financial Data: Helps detect the presence of information commonly considered
to be financial data in Australia, including credit cards, and SWIFT codes.

Australia Health Records Act (HRIP Act): Helps detect the presence of information
commonly considered to be subject to the Health Records and Information Privacy (HRIP)
act in Australia, like medical account number and tax file number.

Australia Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in
Australia, like tax file number and driver's license.

Australia Privacy Act: Helps detect the presence of information commonly considered to
be subject to the privacy act in Australia, like driver's license and passport number.

Canada Financial Data: Helps detect the presence of information commonly considered to
be financial data in Canada, including bank account numbers and credit cards.

Canada Health Information Act (HIA): Helps detect the presence of information subject to
Canada Health Information Act (HIA) for Alberta, including data like passport numbers
and health information.

Canada Personal Health Act (PHIPA) - Ontario: Helps detect the presence of information
subject to Canada Personal Health Information Protection Act (PHIPA) for Ontario,
including data like passport numbers and health information.

Canada Personal Health Information Act (PHIA) - Manitoba: Helps detect the presence of
information subject to Canada Personal Health Information Act (PHIA) for Manitoba,
including data like health information.

Canada Personal Information Protection Act (PIPA): Helps detect the presence of
information subject to Canada Personal Information Protection Act (PIPA) for British
Columbia, including data like passport numbers and health information.

Canada Personal Information Protection Act (PIPEDA): Helps detect the presence of
information subject to Canada Personal Information Protection and Electronic Documents
Act (PIPEDA), including data like passport numbers and health information.

Canada Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in
Canada, like health ID number and social insurance number.

France Data Protection Act: Helps detect the presence of information commonly considered
to be subject to the Data Protection Act in France, like the health insurance card
number.

France Financial Data: Helps detect the presence of information commonly considered to
be financial information in France, including information like credit card, account
information, and debit card numbers.

France Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in
France, including information like passport numbers.

Germany Financial Data: Helps detect the presence of information commonly considered to
be financial data in Germany like EU debit card numbers.

Germany Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in
Germany, including information like driver's license and passport numbers.

Israel Financial Data: Helps detect the presence of information commonly considered to
be financial data in Israel, including bank account numbers and SWIFT codes.

Israel Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in
Israel, like national ID number.

Israel Protection of Privacy: Helps detect the presence of information commonly
considered to be subject to the Protection of Privacy in Israel, including information
like bank account numbers or national ID.

Japan Financial Data: Helps detect the presence of information commonly considered to be
financial information in Japan, including information like credit card, account
information, and debit card numbers.

Japan Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in
Japan, including information like driver's license and passport numbers.

Japan Protection of Personal Information: Helps detect the presence of information
subject to Japan Protection of Personal Information, including data like resident
registration numbers.

PCI Data Security Standard (PCI DSS): Helps detect the presence of information subject
to PCI Data Security Standard (PCI DSS), including information like credit card or
debit card numbers.

Saudi Arabia - Anti-Cyber Crime Law: Helps detect the presence of information commonly
considered to be subject to the Anti-Cyber Crime Law in Saudi Arabia, including
international bank account numbers and SWIFT codes.

Saudi Arabia Financial Data: Helps detect the presence of information commonly
considered to be financial data in Saudi Arabia, including international bank account
numbers and SWIFT codes.

Saudi Arabia Personally Identifiable Information (PII) Data: Helps detect the presence
of information commonly considered to be personally identifiable information (PII) in
Saudi Arabia, like national ID number.

U.K. Access to Medical Reports Act: Helps detect the presence of information subject to
United Kingdom Access to Medical Reports Act, including data like National Health
Service numbers.

U.K. Data Protection Act: Helps detect the presence of information subject to United
Kingdom Data Protection Act, including data like national insurance numbers.

U.K. Financial Data: Helps detect the presence of information commonly considered to be
financial information in United Kingdom, including information like credit card,
account information, and debit card numbers.

U.K. Personal Information Online Code of Practice (PIOCP): Helps detect the presence of
information subject to United Kingdom Personal Information Online Code of Practice,
including data like health information.

U.K. Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in
United Kingdom, including information like driver's license and passport numbers.

U.K. Privacy and Electronic Communications Regulations: Helps detect the presence of
information subject to United Kingdom Privacy and Electronic Communications
Regulations, including data like financial information.

U.S. Federal Trade Commission (FTC) Consumer Rules: Helps detect the presence of
information subject to U.S. Federal Trade Commission (FTC) Consumer Rules, including
data like credit card numbers.

U.S. Financial Data: Helps detect the presence of information commonly considered to be
financial information in United States, including information like credit card,
account information, and debit card numbers.

U.S. Gramm-Leach-Bliley Act (GLBA): Helps detect the presence of information subject to
Gramm-Leach-Bliley Act (GLBA), including information like social security numbers or
credit card numbers.

U.S. Health Insurance Act (HIPAA): Helps detect the presence of information subject to
United States Health Insurance Portability and Accountability Act (HIPAA), including
data like social security numbers and health information.

U.S. Patriot Act: Helps detect the presence of information commonly subject to U.S.
Patriot Act, including information like credit card numbers or tax identification
numbers.

U.S. Personally Identifiable Information (PII) Data: Helps detect the presence of
information commonly considered to be personally identifiable information (PII) in the
United States, including information like social security numbers or driver's license
numbers.

U.S. State Breach Notification Laws: Helps detect the presence of information subject to
U.S. State Breach Notification Laws, including data like social security and credit
card numbers.

U.S. State Social Security Number Confidentiality Laws: Helps detect the presence of
information subject to U.S. State Social Security Number Confidentiality Laws,
including data like social security numbers.

For more information


Data loss prevention

Create a DLP policy from a template

Sensitive information types in Exchange Server


Create a DLP policy from a template in
Exchange Online
Article • 02/22/2023

In Microsoft Exchange, you can use data loss prevention (DLP) policy templates to help
meet the messaging policy and compliance needs of your organization. These templates
contain pre-built sets of rules that can help you manage message data that is associated
with several common legal and regulatory requirements. To see a list of all the templates
supplied by Microsoft, see DLP policy templates supplied in Exchange. Example DLP
templates that are supplied can help you manage:

Gramm-Leach-Bliley Act (GLBA) data

Payment Card Industry Data Security Standard (PCI-DSS)

United States Personally Identifiable Information (U.S. PII)

You can customize any of these DLP templates or use them as-is. DLP policy templates
are built on top of mail flow rules (also known as transport rules) that include new
conditions or predicates and actions. DLP policies support the full range of traditional
mail flow rules, and you can add the additional rules after a DLP policy has been
established. For more information about policy templates, see What the DLP policy
templates include. To learn more about mail flow rule capabilities, see Mail flow rules
(transport rules) in Exchange Online. Once you have started enforcing a policy, you can
learn about how to observe the results by reviewing the Exchange Online: View the
reports for data loss prevention.

Caution

You should enable your DLP policies in test mode before running them in your
production environment. During such tests, it is recommended that you configure
sample user mailboxes and send test messages that invoke your test policies in
order to confirm the results.

What do you need to know before you begin?


Estimated time to complete: 30 minutes

Configure both administrator and user accounts within your organization and
validate basic mail flow.
You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Data loss prevention
(DLP)" entry in the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to configure a DLP policy from a template

1. In the EAC, navigate to Compliance management > Data loss prevention, and
   then click Add.

   Note

   You can also select this action if you click the arrow next to the Add icon
   and select New DLP policy from template from the drop down menu.

2. On the Create a new DLP policy from a template page, complete the following
   fields:

   a. Name: Add a name that will distinguish this policy from others.

   b. Description: Add an optional description that summarizes this policy.

   c. Choose a template: Select the appropriate template to begin creating a new
      policy.

   d. More options: Select the mode or state. The new policy is not fully enabled until
      you specify that it should be. The default mode for a policy is test without
      notifications.

3. Click Save to finish creating the policy.

Note

In addition to the rules within a specific template, your organization may have
additional expectations or company policies that apply to regulated data within
your messaging environment. Exchange Server makes it easy for you to change the
basic template in order to add actions so that your Exchange messaging
environment complies with your own requirements.

You can modify policies by editing the rules within them once the policy has been saved
in your Exchange Server environment. An example rule change might include making
specific people exempt from a policy or sending a notice and blocking message delivery
if a message is found to have sensitive content.

You have to navigate to the specific policy's rule set on the Edit DLP policy page and
use the tools available on that page in order to change a DLP policy you have already
created in Exchange Server.

Some policies allow the addition of rules that invoke RMS for messages. You must have
RMS configured on the Exchange server before adding the actions to make use of these
types of rules.

For any of the DLP policies, you can change the rules, actions, exceptions, enforcement
time period or whether other rules within the policy are enforced and you can add your
own custom conditions for each.
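The EAC procedure above has a PowerShell equivalent, shown here as an added example that is not part of the Exchange documentation. The policy name and description are assumptions; the template is looked up by name from Get-DlpPolicyTemplate (the PCI DSS entry from the template list in the previous article) so its exact string does not have to be typed, and the policy starts in Audit mode, which is the "test without notifications" default the procedure describes.

```powershell
# Added example, not from the Exchange documentation. Policy name and description are
# assumptions; the template is resolved by name rather than hard-coded.
Connect-ExchangeOnline    # ExchangeOnlineManagement module

# "Choose a template": pick the PCI DSS template from the supplied list.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like '*PCI*' } | Select-Object -First 1
if (-not $template) { throw 'No PCI DSS template found in this tenant.' }

# "Name", "Description" and "More options": Audit = test without notifications.
# Nothing is blocked and no Policy Tips are shown while the policy is in this mode.
$policy = New-DlpPolicy -Name 'PCI DSS (test)' `
    -Description 'Card data leaving the organization; created from template for testing' `
    -Template $template.Name `
    -Mode Audit

# The template expands into mail flow rules owned by the policy. Review them now:
# these rules, not the policy object, are what will eventually block or notify.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq $policy.Name } |
    Format-Table Name, Mode, State, SentToScope, NotifySender -AutoSize

# Once test messages from sample mailboxes produce the expected matches, enforce.
Set-DlpPolicy -Identity 'PCI DSS (test)' -Mode Enforce
```

Reviewing the generated rules before enforcing matters because a template may create several rules with different scopes and actions (for example, a notify-only rule for internal mail and a blocking rule for external recipients); the policy-level mode switch applies to all of them at once.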

For more information


Data loss prevention
Create a custom DLP policy in Exchange
Online
Article • 02/22/2023

A custom data loss prevention (DLP) policy allows you to establish conditions, rules, and
actions that can help meet the specific needs of your organization, and which may not
be covered in one of the pre-existing DLP templates.

The rule conditions that are available to you in a single policy include all the traditional
mail flow rules (also known as transport rules) in addition to the sensitive information
types presented in Sensitive information types in Exchange Server. For more information
about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.

Caution

You should enable your DLP policies in test mode before running them in your
production environment. During such tests, it is recommended that you configure
sample user mailboxes and send test messages that invoke your test policies in
order to confirm the results. For more information about testing, see Test mail flow
rules in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 60 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Data loss prevention
(DLP)" entry in the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Note

Due to the variances in customer environments and content match requirements,
Microsoft Support cannot assist in providing custom content matching definitions;
for example, defining Custom Classifications and/or Regular Expression patterns
("RegEx"). For custom content matching development, testing, and debugging,
customers will need to rely upon internal IT resources, or use an external consulting
resource such as Microsoft Consulting Services (MCS). Support engineers can
provide limited support for the feature, but cannot provide assurances that any
custom content matching development will fulfill the customer's requirements or
obligations. As an example of the type of support which can be provided, sample
regular expression patterns may be provided for testing purposes, or support can
assist with troubleshooting an existing RegEx pattern which is not triggering as
expected with a single specific content example.

For additional information on the .NET regex engine which is used for processing the
text, see /dotnet/standard/base-types/regular-expressions.

Create custom DLP policies

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to create a custom DLP policy without any existing rules

1. In the EAC, navigate to Compliance management > Data loss prevention. Any
   existing policies that you have configured are shown in a list.

2. Click the arrow that is beside the Add icon, and select New custom policy.

   Important

   If you click the Add icon instead of the arrow, you will create a new policy
   based on a template. For more information about using templates, see Create
   a DLP policy from a template.

3. On the New custom policy page, complete the following fields:

a. Name: Add a name that will distinguish this policy from others.

b. Description: Add an optional description that summarizes this policy.


c. Choose a state: Select the mode or state for this policy. The new policy is not
fully enabled until you specify that it should be. The default mode for a policy is
test without notifications.

4. Click Save to finish creating the new policy reference information. The policy is
added to the list of all policies that you have configured, although there are not
yet any rules or actions associated with this new custom policy.

5. Double-click the policy that you just created or select it and click Edit.

6. On the Edit DLP policy page, click Rules.

Click Add to add a new blank rule. You can establish conditions using all the
traditional mail flow rules in addition to the sensitive information types.

In order to avoid confusion, supply a unique name for each part of your policy or
rule. You can provide this unique name when you have the option to provide your
own character string. There are more options available to you:

a. Click the arrow that is beside the Add icon to add a rule about sender
notification or allowing overrides.

b. To remove a rule, highlight the rule and click Delete.

c. Click More options to add more conditions and actions for this rule including
time-bound limits of enforcement or effects on other rules in this policy.

7. Click Save to finish modifying the policy and save your changes.

DLP policy templates are one type of feature in Exchange Online that can help you design
and apply a robust policy and compliance system for your messaging environment. For
more information about compliance features, see Security and compliance for Exchange
Online.

For more information


Data loss prevention

Mail flow rules (transport rules) in Exchange Online

Integrating sensitive information rules with mail flow rules


Policy Tips in Exchange Online
Article • 02/22/2023

You can help to prevent your organization's Outlook, Outlook on the web (formerly
known as Outlook Web App), and OWA for Devices email users from inappropriately
sending sensitive information by creating data loss prevention (DLP) policies that
include Policy Tip notification messages. Similar to MailTips that were introduced in
Exchange Server 2010, Policy Tip notification messages are displayed to users in Outlook
while they are composing an email message. Policy Tip notification messages only show
up if something about the sender's email message seems to violate a DLP policy that
you have in place and that policy includes a rule to notify the sender when the
conditions that you establish are met. Watch this video to learn more.
https://www.microsoft.com/en-us/videoplayer/embed/dd629bb7-063d-49f3-b7e1-8f2e0aa4de13?autoplay=false&postJsllMsg=true

In order to show Policy Tips to your email senders, your rules must include the Notify
the sender with a Policy Tip action. You can add this in the rules editor from the
Exchange admin center. For more information, see Manage policy tips.

DLP policies do not differentiate between email message attachments, body text, or
subject lines while evaluating messages and the conditions within your policies. For
example, if a user creates an email message that includes a credit card number in the
body of the message and then attempts to address the message to a recipient outside
your organization, then a Policy Tip notification message can be shown to that user in
Outlook or Outlook on the web reminding them of your enterprise's expectations for
such information. However, this type of notification will only show up if you have
configured a DLP policy that restricts the example actions described; in this case adding
an external email alias to the header of a message with credit card data. There is a great
variety of conditions, actions, and exceptions you can choose from while creating DLP
policies. This variety allows you to tailor your data loss prevention efforts in a way that
meets your specific organization's needs.

Any time you use either the notify sender action or an override action within a rule, we
recommend that you also include the condition that the message was sent from within
your organization. You can do this by using the policy rules editor to add the following
condition: The sender is located... > inside the organization. This is a best practice
recommendation because the notify sender action is applied as part of your company's
message creation experience. The senders referred to by the action are the authors of
messages within your company. The user interaction presented by Policy Tips cannot be
acted upon by your users for incoming messages and will be ignored when the sender is
located outside your organization. You can apply DLP policies to scan incoming
messages and take a variety of actions, but when you do this, don't add the notify
sender action.

If email senders in your organization who are in the act of composing a message are
made aware of your organizational expectations and standards in real time through
Policy Tip notifications, then they are less likely to violate standards that your
organization wants to enforce.
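The custom DLP policy procedure in the previous article and the best practice just described (pair a notify-sender action with the "sender is located inside the organization" condition) come together in the following added example, which is not part of the Exchange documentation. The policy and rule names, the rejection text and the external-recipient scope are assumptions; 'Credit Card Number' is a built-in sensitive information type name, and RejectUnlessExplicitOverride is the NotifySender value that corresponds to the "Reject unless explicit override" notification rule in the table below.

```powershell
# Added example, not from the Exchange documentation. Names, reason text and the
# recipient scope are assumptions; 'Credit Card Number' is a built-in type name.
Connect-ExchangeOnline    # ExchangeOnlineManagement module

# An empty custom policy, created in test mode like the EAC default.
New-DlpPolicy -Name 'Card data - custom' -Mode Audit

# The rule that shows the Policy Tip. FromScope InOrganization is ANDed with the
# sensitive information condition so the tip is aimed only at internal authors;
# for inbound mail the notify-sender action would be ignored anyway.
New-TransportRule -Name 'Card data - block unless justified' `
    -DlpPolicy 'Card data - custom' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @( @{ Name = 'Credit Card Number'; MinCount = 1 } ) `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText 'Card numbers may not be sent outside the organization without a justification.' `
    -SetAuditSeverity High `
    -Mode AuditAndNotify

# AuditAndNotify shows the Policy Tip without blocking ("test with notifications").
# Check the stored action before moving on.
Get-TransportRule -Identity 'Card data - block unless justified' |
    Format-List Name, Mode, FromScope, SentToScope, NotifySender, RejectMessageReasonText

# When the tip behaves as expected in Outlook for test mailboxes, enforce the policy.
Set-DlpPolicy -Identity 'Card data - custom' -Mode Enforce
```

With RejectUnlessExplicitOverride the sender can still send after supplying a justification, and the override is recorded for audit; if the requirement is that card numbers never leave unless the content is removed, use RejectMessage instead and keep the explanation text short enough to read in the Outlook tip.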

Note

DLP is a premium feature that requires an Exchange Online Plan 2 subscription. For
more information, see Compare Exchange Online Licensing plans.

Default text for Policy Tips and rule options


You have a range of possible options when you add sender notification rules to DLP
policies. When you add a rule to notify the sender by using the Notify the sender with a
Policy Tip action within a DLP policy, you can choose how restrictive to be. The
notification options in the following table are available. For specific information about
creating Policy Tips, see Manage policy tips.

Notification rule / Meaning / Default Policy Tip notification message that Outlook users
will see

Notify only
Meaning: Similar to MailTips, this causes an informative Policy Tip notification message
about a policy violation. A sender can prevent this type of tip from showing up by using
a Policy Tip options dialog box that can be accessed in Outlook.
Default Policy Tip: This message may contain sensitive content. All recipients must be
authorized to receive this content.

Reject message
Meaning: The message will not be delivered until the condition is no longer present.
The sender is provided with an option to indicate that their email message does not
contain sensitive content. This is also known as a false-positive override. If the
sender indicates this, then Outlook will allow the message to leave the outbox so that
the user's report may be audited, but Exchange will block the message from being sent.
Default Policy Tip: This message may contain sensitive content. Your organization won't
allow this message to be sent until that content is removed.

Reject unless false positive override
Meaning: The result with this notification rule is similar to the Reject message
notification rule. However, if you select this then Exchange will allow the message to
be sent to the intended recipient, instead of blocking the message.
Default Policy Tip: Before the sender selects an option to override: This message may
contain sensitive content. Your organization won't allow this message to be sent until
that content is removed. After the sender selects an option to override: Your feedback
will be submitted to your administrator when the message is sent.

Reject unless silent override
Meaning: The message will not be delivered until the condition is no longer present or
the sender indicates an override. The sender is provided with an option to indicate that
they wish to override the policy.
Default Policy Tip: Before the sender selects an option to override: This message may
contain sensitive content. Your organization won't allow this message to be sent until
that content is removed. After the sender selects an option to override: You have
overridden your organization's policy for sensitive content in this message. Your
action will be audited by your organization.

Reject unless explicit override
Meaning: The result with this notification rule is similar to the Reject unless silent
override notification rule, except that in this case when the sender attempts to
override the policy, they are required to provide a justification for overriding the
policy.
Default Policy Tip: Before the sender selects an option to override: This message may
contain sensitive content. Your organization won't allow this message to be sent until
that content is removed. After the sender selects an option to override: You have
overridden your organization's policy for sensitive content in this message. Your
action will be audited by your organization.

Customize your Policy Tip notification messages

To customize the text of a Policy Tip notification that email senders see in their email
program, select Manage Policy Tips on the Data Loss Prevention page. In order for any
of your custom text to appear, a DLP policy rule must include the Notify the sender
with a Policy Tip action. Add the action to a rule by using the DLP rules editor.

For procedures that explain how to create your own Policy Tips, see Manage policy tips.
The custom text that you create can replace the default text shown in the previous table.

Policy Tip notification actions and settings, and when your custom text is used:

Notify the sender: Your text only appears when a Notify the sender, but allow them to send action is initiated.

Allow the sender to override: Your text only appears when one of the following actions is initiated: Block the message unless it's a false positive, or Block the message, but allow the sender to override and send.

Block the message: Your text only appears when a Block the message action is initiated.

Link to compliance URL: The compliance URL is a link to a web page where you can explain your compliance and override policies. This link is displayed in the Policy Tip when a user clicks the More details link.

For more information


Data loss prevention

Manage policy tips


Manage policy tips in Exchange Online
Article • 02/22/2023

Policy Tips are informative notices that are displayed to email senders while they're
composing a message. The purpose of the Policy Tip is to educate users that they might
be violating the business practices or policies that you are enforcing with the data loss
prevention (DLP) policies that you have established. The following procedures will help
you begin using Policy Tips. Watch this video to learn more:
https://www.microsoft.com/en-us/videoplayer/embed/dd629bb7-063d-49f3-b7e1-8f2e0aa4de13?autoplay=false&postJsllMsg=true

What do you need to know before you begin?


Estimated time to complete each procedure: 30 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Data loss prevention
(DLP)" entry in the Feature permissions in Exchange Online topic.

Policy Tips will only show up for email senders when the following conditions are
met:

1. Sender's message client program is Microsoft Outlook 2013 or later. (For a list of
the Outlook client versions/licenses that support DLP Policy Tips, see Outlook
license requirements for Exchange features .) If your organization has deployed
Exchange 2013 SP1 or later, or is using Exchange Online, Policy Tips also show up
in Outlook on the web (formerly known as Outlook Web App) and OWA for
Devices.

2. A mail flow rule (also known as a transport rule) exists that invokes Policy Tip
notifications. You can create such a mail flow rule by configuring a DLP policy that
includes the action Notify the sender with a Policy Tip.

3. The content of a message header, message body, or message attachment meets the
conditions established within the DLP policies or rules that also include Policy
Tip notification rules. Put another way, the Policy Tip only shows up for end users if
they do something that causes the associated rule to take action.

The default Policy Tip notification text that is built into the system will be
shown if you don't use the Policy Tip settings feature to customize your Policy
Tip text. To learn more about the default text, see Policy Tips.
For information about keyboard shortcuts that may apply to the procedures
in this topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Create or modify a notify-only Policy Tip


This procedure results in an informational Policy Tip being shown to an email sender
when the conditions of a specific rule are met. In Microsoft Outlook, the sender can
prevent this tip from showing up by using the Policy Tip options dialog box. To configure
custom Policy Tip text, see the Create custom Policy Tip notification text section later in
this topic.

Use the EAC to configure notify-only Policy Tips


1. In the EAC, go to Compliance management > Data loss prevention.

2. Double-click one of the policies that appear in your list of policies or highlight one
item and select Edit .

3. On the Edit DLP policy page, select Rules.

4. To add Policy Tips to an existing rule, highlight the rule and select Edit .

To add a new blank rule that you can fully customize, select Add and then select
Create a new rule.

5. In Apply this rule if, select, The message contains sensitive information. This
condition is required.

6. Select Add , select the sensitive information types, select Add, select OK, and
then select OK.

7. In the Do the following box, select Notify the sender with a Policy Tip, and select
an option in the Choose whether the message is blocked or can be sent drop-
down list, and then select OK.

8. If you want to add additional conditions or actions, at the bottom of the window,
select More options.
Note:

You can only use the following conditions:

The recipient is (SentTo)

The recipient is located (SentToScope)

The sender is (From)

The sender is a member of (FromMemberOf)

The sender is located (FromScope)

You can't use the following actions:

Reject the message and include an explanation (RejectMessageReasonText)

Reject the message with the enhanced status code of (RejectMessageEnhancedStatusCode)

Delete the message without notifying anyone (DeleteMessage)

9. In the Choose a mode for this rule list, select whether you want the rule to be
enforced. We recommend testing the rule first.

10. Select Save to finish modifying the rule and save your changes.

How do you know this worked?


To verify that you have successfully created a Policy Tip that will only notify a sender, do
the following:

1. In the EAC, go to Compliance management > Data loss prevention.

2. Select the policy that you expect to contain a notification message.

3. Select Edit and then select Rules.

4. Select the specific rule that you expect to contain a notification message.

5. Confirm that your Notify the sender action appears in the lower portion of the rule
summary.

Create or modify a block-message Policy Tip


This procedure results in a Policy Tip being shown to an email sender that indicates the
message is rejected and will not be delivered until the problematic condition is no
longer present. With the plain Block the message action, the sender is not offered an
override: Exchange blocks the message from being sent. The variant that lets the sender
indicate that the message does not contain the problematic condition (a false-positive
override, after which the message can leave the outbox and the sender's report is
audited) is covered in the block-unless-override procedure later in this topic.

Use the EAC to configure block-message Policy Tips


1. In the EAC, go to Compliance management > Data loss prevention.

2. Double-click one of the policies that appear in your list of policies or highlight one
item and select Edit .

3. On the Edit DLP policy page, select Rules.

4. To add Policy Tips to an existing rule, highlight the rule and select Edit .

5. To add a new blank rule that you can fully customize, select Add .

6. To add an action that will reveal a Policy Tip, select More options... and then select
the Add action button.

7. From the drop down list, select Notify the sender with a Policy Tip and then select
Block the message.

8. Select OK, then select Save to finish modifying the rule and save your changes.

How do you know this worked?


To verify that you have successfully created a reject message Policy Tip, do the following:

1. In the EAC, go to Compliance management > Data loss prevention.

2. Select one time to highlight the policy that you expect to contain a notification
message.

3. Select Edit and then select Rules.

4. Select one time to highlight the specific rule that you expect to contain a
notification message.

5. Confirm that your Notify the sender that the message can't be sent action
appears in the lower portion of the rule summary.
Create or modify a block-unless-override Policy Tip

There are four options for Policy Tips that can reject messages or prevent messages
from leaving the sender's outbox. To learn more about these options, see Policy Tips.

Use the EAC to configure block-unless-override Policy Tips

1. In the EAC, go to Compliance management > Data loss prevention.

2. Double-click one of the policies that appear in your list of policies or highlight
one item and select Edit .

3. On the edit DLP policy page, select Rules.

4. To add Policy Tips to an existing rule, highlight the rule and select Edit .

To add a new blank rule that you can fully customize, select Add and then select
More options....

5. To add the action that will reveal a Policy Tip, Select the Add action button.

6. From the drop down list, select Notify the sender with a Policy Tip and then select
Block the message, but allow the sender to override and send.

7. Select OK, then select Save to finish modifying the rule and save your changes.

How do you know this worked?


To verify that you have successfully created a reject unless override Policy Tip, do the
following:

1. In the EAC, go to Compliance management > Data loss prevention.

2. Select one time to highlight the policy that you expect to contain a notification
message.

3. Select Edit and then select Rules.

4. Select one time to highlight the specific rule that you expect to contain a
notification message.
5. Confirm that your Block the message, but allow the sender to override and send
action appears in the lower portion of the rule summary.

Create custom Policy Tip notification text


This optional procedure will help you to customize the Policy Tip notification text that
email senders see in their email program. If you do this, your custom Policy Tip
notification text will not appear unless you also configure a DLP policy rule with an
action that will cause the notification to appear. Keep in mind that there are default
system Policy Tip notifications that can be shown if you do not customize your Policy Tip
notification text. To learn more about the default text, see Policy Tips.

Use the EAC to create and manage custom Policy Tip notification text

1. In the EAC, go to Compliance management > Data loss prevention.

2. Select Policy Tip settings .

3. To add a new Policy Tip with your own customized message, select Add . For
more information about the action choices available, see Policy Tips.

To modify an existing Policy Tip, highlight the tip and select Edit .

To delete an existing Policy Tip, highlight it and select Delete and then confirm
your action.

4. Select Save to finish modifying the Policy Tip and save your changes.

5. Select Close to finish managing your Policy Tips and save your changes.

Use Exchange Online PowerShell to create custom Policy Tip notification text

The following example creates a new English-language Policy Tip that will block a
message from being sent. The text of this custom Policy Tip is changed to the following
value: "This message appears to contain restricted content and will not be delivered."

New-PolicyTipConfig -Name en\Reject -Value "This message appears to contain restricted content and will not be delivered."

For detailed syntax and parameter information, see New-PolicyTipConfig.

Use Exchange Online PowerShell to modify custom Policy Tip notification text

The following example modifies an existing English-language, notify-only Policy Tip. The
text of this custom Policy Tip is changed to "Sending bank account numbers in email is
not recommended."

Set-PolicyTipConfig -Identity en\NotifyOnly -Value "Sending bank account numbers in email is not recommended."

For detailed syntax and parameter information, see Set-PolicyTipConfig.
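The three EAC procedures earlier in this topic (notify-only, block, block-unless-override) and the two cmdlets in this section come down to a handful of PowerShell calls. The script below is an added example, not from this article or from Microsoft: it creates or updates custom tip text for several locales, adds the More details link, then creates a mail flow rule that shows the tips without enforcing anything yet. It assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and the DLP permissions listed above; the rule name, tip text, locale list and intranet URL are invented. The NotifySender values and the MessageContainsDataClassifications hashtable are taken from the New-TransportRule reference; using the name Url (no locale prefix) for the compliance link is an assumption drawn from the New-PolicyTipConfig reference.

```powershell
# Added example, not from the Exchange Online documentation. Assumes Connect-ExchangeOnline
# has already been run. Names, text and the URL are hypothetical.

# 1. Custom Policy Tip text. The Name is Locale\Action, where Action is
#    NotifyOnly, RejectOverride or Reject (the actions in the Manage Policy Tips table).
$tips = @(
    @{ Name = 'en\NotifyOnly';     Value = 'This message appears to contain bank account numbers. Check the recipients before sending.' }
    @{ Name = 'en\RejectOverride'; Value = 'This message contains restricted content. Override only if you are sure this is a false positive; overrides are audited.' }
    @{ Name = 'en\Reject';         Value = 'This message appears to contain restricted content and will not be delivered.' }
    @{ Name = 'fr\Reject';         Value = 'Ce message semble contenir du contenu restreint et ne sera pas remis.' }
)
foreach ($tip in $tips) {
    # Create or update, so the script can be re-run safely.
    if (Get-PolicyTipConfig -Identity $tip.Name -ErrorAction SilentlyContinue) {
        Set-PolicyTipConfig -Identity $tip.Name -Value $tip.Value
    } else {
        New-PolicyTipConfig -Name $tip.Name -Value $tip.Value
    }
}
# The "More details" link (Link to compliance URL). Assumption: its name is Url with no locale prefix.
if (-not (Get-PolicyTipConfig -Identity Url -ErrorAction SilentlyContinue)) {
    New-PolicyTipConfig -Name Url -Value 'https://intranet.contoso.example/dlp'   # hypothetical URL
}

# 2. The mail flow rule that shows the tip. The NotifySender value selects the EAC option:
#    NotifyOnly                        = Notify the sender, but allow them to send
#    RejectMessage                     = Block the message
#    RejectUnlessFalsePositiveOverride = Block the message unless it's a false positive
#    RejectUnlessSilentOverride        = Block the message, but allow the sender to override and send
#    RejectUnlessExplicitOverride      = as above, but the sender must give a justification
#    MessageContainsDataClassifications is the required "contains sensitive information" condition.
$ruleName = 'DLP - Credit card numbers to external recipients'   # hypothetical
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; minCount = 1 } `
        -SentToScope NotInOrganization `
        -NotifySender RejectUnlessExplicitOverride `
        -Mode AuditAndNotify   # tips are shown but nothing is blocked yet; switch to Enforce after testing
}

# 3. Verify. Remember what cannot be combined with NotifySender: RejectMessageReasonText,
#    RejectMessageEnhancedStatusCode and DeleteMessage, and conditions other than
#    SentTo, SentToScope, From, FromMemberOf and FromScope.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, NotifySender, SentToScope, MessageContainsDataClassifications
Get-PolicyTipConfig | Format-Table Name, Value -AutoSize

# Once the tips look right in Outlook, enforce the rule:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Starting in AuditAndNotify mode is the PowerShell equivalent of the "We recommend testing the rule first" advice above: senders see the tip and the override dialog, but no message is blocked until the mode is changed to Enforce.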

How do you know this worked?


To verify that you have successfully created custom Policy Tip text, do the following:

1. In the EAC, go to Compliance management > Data loss prevention.

2. Select Policy Tip settings .

3. Select Refresh .

4. Confirm that your action, locale and text for that locale appear in the list.

For more information


Data loss prevention

Policy Tips

Mail flow rules (transport rules) in Exchange Online

Exchange 2010 MailTips


Using PowerShell for Auditing reports in
Exchange Online
Article • 05/26/2023

Note

Classic Exchange admin center is in the process of being deprecated in worldwide
deployment and the UI support for auditing will be discontinued in the new
Exchange admin center. Instead, administrators can use the PowerShell
cmdlets mentioned in this article to fulfill their auditing
requirements.

Legacy Exchange Online data loss prevention in the Exchange admin center is in the
process of being deprecated.

Use audit logging to troubleshoot configuration issues by tracking specific changes
made by admins and to help you meet regulatory, compliance, and litigation
requirements. Exchange Online or standalone Exchange Online Protection (EOP) without
Exchange Online mailboxes provides two types of audit logging:

Management audit logging: Records any action, based on an Exchange Online
PowerShell or standalone Exchange Online Protection PowerShell cmdlet,
performed by an admin. These records can help you troubleshoot configuration
issues or identify the cause of security-related or compliance-related problems.
Actions performed by Microsoft datacenter administrators and delegated admins
are also recorded in Exchange Online.

Mailbox audit logging (Exchange Online only): Records when a mailbox is
accessed by an admin, a delegated user, or the person who owns the mailbox. This
can help you determine who has accessed a mailbox and what they've done.

Export audit logs


Comprehensive auditing capabilities will be discontinued in the new Exchange admin
center, but you can still export the management log and the mailbox audit log using the
PowerShell cmdlets.

Note
Mailbox audit logging is not available in standalone EOP. Management log export
from the EAC is not available in standalone EOP, but is available in PowerShell by
using the New-AdminAuditLogSearch cmdlet. For instructions, see Use PowerShell
to search for audit log entries and send results to a recipient.

Export management audit log: Any action performed by an admin that's based on
an Exchange Online PowerShell or standalone Exchange Online Protection
PowerShell cmdlet that doesn't begin with the verbs Get, Search, or Test is logged
in the management log. Audit log entries include the cmdlet that was run, the
parameters and values used with the cmdlet, and whether the operation was
successful. You can export records of configuration changes in your organization
from management logs. The log entries are saved in an XML file, and the file is sent
as an email attachment to the specified users within 24 hours. For more
information, see:

Search the role group changes or management logs

View and export the external management log (Exchange Online only)

Note

By default, management log entries are kept for 90 days. When an entry is
older than 90 days, it's deleted. This setting can't be changed in a cloud-
based organization. However, it can be changed in an on-premises
Exchange organization by using the Set-AdminAuditLog cmdlet.

To search the management log from PowerShell, run the following (to have the results
exported and emailed instead, use New-AdminAuditLogSearch as described in the Note above):

PowerShell

# Optional: confirm the date format and time zone your mailbox uses before typing date values
Get-MailboxRegionalConfiguration
# Get the list of configuration changes
Search-AdminAuditLog -StartDate <DateTime> -EndDate <DateTime> -ExternalAccess:$false -ResultSize 500
# Get details about each change
Search-AdminAuditLog -StartDate <DateTime> -Cmdlets <cmdlet Name> -ObjectIds <ObjectId>

Export mailbox audit logs: When mailbox audit logging is enabled for a mailbox,
Exchange Online stores a record of actions performed on mailbox data by
nonowners in the mailbox audit log, which is stored in a hidden folder in the
mailbox being audited. Entries in this log indicate who accessed the mailbox and
when the action's been performed, and whether the action was successful. You can
export nonowner access entries from mailbox logs. Log entries are saved in an
XML file and are attached to an email message, and sent to specified users within
24 hours. For more information, see Export mailbox audit logs.

To export the mailbox audit log, use the following cmdlet (the results are sent to the
StatusMailRecipients as an XML attachment; ShowDetails is a switch and takes no value):

PowerShell

Get-MailboxRegionalConfiguration
New-MailboxAuditLogSearch -StartDate '<DateTime>' -EndDate '<DateTime>' -Mailboxes @(<email addresses of the mailboxes to search>) -LogonTypes @(<List of Strings>) -StatusMailRecipients @(<email addresses of the recipients>) -ShowDetails

Configure Outlook on the web to allow XML attachments

When you export the mailbox audit log or management log, the log is attached as an
XML file in an email message. However, Outlook on the web (formerly known as Outlook
Web App) blocks XML attachments by default. If you want to use Outlook on the web to
access exported audit logs, you need to configure Outlook on the web to allow XML
attachments.

In Exchange Online PowerShell or standalone Exchange Online Protection PowerShell,
run the following command to allow XML attachments in Outlook on the web:

PowerShell

Set-OwaMailboxPolicy -Identity Default -AllowedFileTypes @{Add=".xml"}

For detailed syntax and parameter information, see Set-OwaMailboxPolicy

Run auditing reports


Administrators can effectively manage and monitor system activities, and ensure
compliance and security standards are upheld by using specific cmdlets. These cmdlets
provide necessary control and visibility to admins enabling them to effectively track and
manage user actions within the system.

Run a non-owner mailbox access report: Use this report to search the mailbox audit
logs for mailboxes that have been opened by someone other than the mailbox owner.
For more information, see Run a nonowner mailbox access report.

Important

You must enable auditing for each mailbox for which you want to report non-owner
access. When you run the report, you won't see results for mailboxes that don't
have auditing enabled.

Use the following cmdlet to run a nonowner mailbox access report:

PowerShell

Search-MailboxAuditLog -StartDate '<DateTime>' -EndDate '<DateTime>' -LogonTypes @(<List of Types>) -Identity 'sharedmailbox' -ShowDetails:$true -ResultSize 501

Run an administrator role group report: Use this report to find changes made to
role groups in the administration log (role groups are used to assign administrative
permissions to users). For more information, see Search the role group changes.

Use the following cmdlet to run an administrator role group report:

PowerShell

Search-AdminAuditLog -IsSuccess:$true -Cmdlets @('Add-RoleGroupMember','Remove-RoleGroupMember','Update-RoleGroupMember','New-RoleGroup','Remove-RoleGroup') -StartDate '<DateTime>' -EndDate '<DateTime>' -ObjectIds @(<ObjectIds of Role Groups>) -ResultSize 501

Run a local eDiscovery and retention report: Use this report to search the
management log for In-Place eDiscovery searches and changes to In-Place Hold. For
more information, see:

In-Place Hold and Litigation Hold

In-Place eDiscovery

Use the following cmdlet to run a local eDiscovery and retention report:

PowerShell

Search-AdminAuditLog -Cmdlets @('New-MailboxSearch', 'Start-MailboxSearch', 'Get-MailboxSearch', 'Stop-MailboxSearch', 'Remove-MailboxSearch', 'Set-MailboxSearch') -StartDate '<DateTime>' -EndDate '<DateTime>' -UserIds <UserIds> -IsSuccess $true

Run a per-mailbox litigation hold report: Use this report to find, in the
management log, when litigation hold was enabled or disabled on a user's mailbox.
For more information, see Run a per-mailbox litigation hold report.

Use the following cmdlet to run a per-mailbox litigation hold report:

PowerShell

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters LitigationHoldEnabled -StartDate <DateTime> -EndDate <DateTime> -UserIds <UserIds> -IsSuccess $true

Run the management log report: Use this report to view entries in the
management log that shows what changes your organization's admins have made
to the configuration. For more information, see View the management log.

Use the following cmdlet to run the management log report:

PowerShell

# Optional: confirm the date format and time zone your mailbox uses before typing date values
Get-MailboxRegionalConfiguration
# Get the list of configuration changes
Search-AdminAuditLog -StartDate <DateTime> -EndDate <DateTime> -ExternalAccess:$false -ResultSize 500
# Get details about each change
Search-AdminAuditLog -StartDate <DateTime> -Cmdlets <cmdlet Name> -ObjectIds <ObjectId>

Run the external management log report: Use this report to view entries in the
administration log that shows changes that Microsoft or a delegated administrator
have made to the configuration of Exchange Online services. For more information,
see View and export the external management log.

Use the following cmdlet to run the external management log report:

PowerShell

Search-AdminAuditLog -IsSuccess:$true -StartDate <DateTime> -EndDate <DateTime> -ExternalAccess:$true -ObjectIds <ObjectId> -Cmdlets <Cmdlet Name> -ResultSize 501

*
This report is available in standalone EOP organizations.
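The non-owner mailbox access report above is a single Search-MailboxAuditLog call. In an investigation you usually want the same call run over several mailboxes, with the records flattened, the destructive operations flagged, and everything saved. The following is an added example, not from this article or from Microsoft. It assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline) by an account holding the Audit Logs role; the mailbox addresses are hypothetical, and the property names read from each record (LastAccessed, LogonUserDisplayName, ItemSubject and so on) are those of the objects Search-MailboxAuditLog returns with -ShowDetails.

```powershell
# Added example, not from the Exchange Online documentation. Assumes Connect-ExchangeOnline has
# been run by an account holding the Audit Logs role. Mailbox addresses are hypothetical.

function Get-NonOwnerAccessReport {
    param(
        [Parameter(Mandatory)] [string[]] $Mailboxes,
        [datetime] $StartDate  = (Get-Date).AddDays(-30),
        [datetime] $EndDate    = (Get-Date),
        [string[]] $LogonTypes = @('Admin', 'Delegate', 'External'),   # Owner is left out on purpose
        [int]      $ResultSize = 5000
    )
    # Operations that change or remove data, or send mail as the owner: always worth a look.
    $review = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf', 'Update'

    # Mailbox auditing is on by default since 2019, but can be switched off at the org level;
    # if it is, every search below returns nothing.
    if ((Get-OrganizationConfig).AuditDisabled) {
        Write-Warning 'Mailbox auditing is disabled for the organization (Get-OrganizationConfig AuditDisabled = True).'
    }

    foreach ($mbx in $Mailboxes) {
        $entries = @(Search-MailboxAuditLog -Identity $mbx -LogonTypes $LogonTypes `
                        -StartDate $StartDate -EndDate $EndDate -ShowDetails -ResultSize $ResultSize)
        if ($entries.Count -ge $ResultSize) {
            Write-Warning "$mbx returned $ResultSize entries (the cap): narrow the date range, or use New-MailboxAuditLogSearch to receive the full set by email."
        }
        foreach ($e in $entries) {
            [pscustomobject]@{
                Mailbox   = $mbx
                When      = $e.LastAccessed
                LogonType = $e.LogonType
                NonOwner  = $e.LogonUserDisplayName
                Operation = $e.Operation
                Result    = $e.OperationResult
                Folder    = $e.FolderPathName
                Subject   = $e.ItemSubject
                ClientIP  = $e.ClientIPAddress
                Client    = $e.ClientInfoString
                Review    = [bool]($review -contains $e.Operation)
            }
        }
    }
}

# Usage: two sensitive mailboxes, last 30 days.
$report = Get-NonOwnerAccessReport -Mailboxes 'finance-shared@contoso.example', 'ceo@contoso.example'

# Who accessed what, and how often.
$report | Group-Object Mailbox, NonOwner, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Flagged actions first, then everything to CSV for the case file.
$report | Where-Object Review | Sort-Object When -Descending |
    Format-Table When, Mailbox, NonOwner, Operation, Folder, Subject, ClientIP -AutoSize
$report | Export-Csv -Path .\NonOwnerAccess.csv -NoTypeInformation -Encoding UTF8
```

The ResultSize check matters: a search that silently stops at the cap looks complete but is not, so the function warns and points at the asynchronous New-MailboxAuditLogSearch path from the Export audit logs section.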

Configure mailbox audit logging

Note

Mailbox audit logging is not available in standalone EOP.

As of January 2019, mailbox audit logging is enabled by default for all Exchange
Online organizations. For more information, see Manage mailbox auditing.

Give users access to Auditing reports


By default, admins can access and run any of the auditing reports by using the cmdlets
mentioned above. However, other users, such as a records manager or legal staff,
have to be assigned the necessary permissions.

The Auditing Logs role allows users to view the Auditing page to run any of the
available reports, export the mailbox audit log, and export and view the
management log. By default, this role is assigned to the Organization
Management, Compliance Management, and Records Management role groups.

The View-Only Audit Logs role allows users to run auditing reports, but not to
export audit logs. By default, this role is assigned to the Organization
Management and Compliance Management role groups.

The easiest way to give users access to the reports is to add them to the Records
Management role group, which has the Auditing Logs role assigned.

Use the EAC to add users to the Records Management role group

1. On the new EAC homepage, select Roles to expand and then click Admin Roles.

2. In the list of role groups, click Records Management. This will open Records
Management details pane.

3. Click Assigned and then click Add to add new members.

4. In the Select Members dialog box, select the user. You can search for a user by
typing all or part of a display name, and then clicking Search . You can also sort
the list by clicking the Name or Display Name column headings.

5. Click Add and then click OK to return to the role group page.

6. Click Save to save the change to the role group.

Use PowerShell to add users to the Records Management role group

In Exchange Online PowerShell or standalone Exchange Online Protection PowerShell,
replace <Identity> with the name, alias, email address, or account name of the user or
group, and then run the following command to add that user or group to the Records
Management role group (which carries the Audit Logs role):

PowerShell

Add-RoleGroupMember -Identity "Records Management" -Member <Identity>

For detailed syntax and parameter information, see Add-RoleGroupMember.


Export mailbox audit logs in Exchange
Online
Article • 02/22/2023

Note

Classic Exchange admin center is in the process of being deprecated in worldwide
deployment. We recommend that you search the audit log in the Microsoft Purview
compliance portal. For more information, see Deprecation of the classic Exchange
admin center in WW service and Search the audit log in the compliance portal.

When mailbox auditing is enabled for a mailbox, Exchange Online logs information in
the mailbox audit log whenever a user other than the owner accesses the mailbox. Each
log entry includes information about who accessed the mailbox and when, the actions
performed by the non-owner, and whether the action was successful. Entries in the
mailbox audit log are retained for 90 days by default. You can use the mailbox audit log
to determine if a user other than the owner has accessed a mailbox.

When you export entries from mailbox audit logs, Exchange Online saves the entries in
an XML file and attaches it to an email message sent to the specified recipients.

Before you begin


Estimated time to complete each procedure: varies. The mailbox audit log is sent
within a few days after you export it.

As of January 2019, mailbox audit logging on by default is enabled for all Exchange
Online organizations. For more information, see Manage mailbox auditing.

If you're going to use Outlook on the web (formerly known as Outlook Web App)
to view the exported entries, you need to enable .xml attachments in Outlook on
the web. For details, see Configure Outlook on the web to allow XML attachments.

To find and open the Exchange admin center (EAC), see Exchange admin center in
Exchange Online.

You need to be assigned permissions before you can perform this procedure. To
see what permissions you need, see the "View reports" entry in the Feature
permissions in Exchange Online topic.
For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange Online forum.

Export the mailbox audit log


1. In the EAC, go to Compliance Management > Auditing.

2. Click Export mailbox audit logs.

3. Configure the following search criteria for exporting the entries from the mailbox
audit log:

Start and end dates: Select the date range for the entries to include in the
exported file.
Mailboxes to search audit log for: Select the mailboxes to retrieve audit log
entries for.
Type of non-owner access: Select one of the following options to define the
type of non-owner access to retrieve entries for:
All non-owners: Search for access by admins and delegated users inside
your organization, and by Microsoft datacenter administrators in Exchange
Online.
External users: Search for access by Microsoft datacenter administrators.
Administrators and delegated users: Search for access by admins and
delegated users inside your organization.
Administrators: Search for access by admins in your organization.
Recipients: Select the users to send the mailbox audit log to.

4. Click Export.

Exchange Online retrieves entries in the mailbox audit log that meet your search criteria,
saves them to a file named SearchResult.xml, and then attaches the XML file to an email
message sent to the recipients that you specified.

How do you know this worked?


Sign in to the mailbox where the mailbox audit log was sent. If you've successfully
exported the audit log, you'll receive a message sent from Exchange. It might take a few
days to receive this message. The mailbox audit log (named SearchResult.xml) will be
attached to this message. If you've correctly configured Outlook on the web to allow
XML attachments, you can download the attached XML file.

View the mailbox audit log


To save and view the SearchResult.xml file:

1. Sign in to the mailbox where the mailbox audit log was sent.
2. In the Inbox, open the message with the XML file attachment sent by Exchange
Online. Notice that the body of the email message contains the search criteria.
3. Click the attachment and select to download the XML file.
4. Open the SearchResult.xml in Microsoft Excel.

More information

Entries in the mailbox audit log


The following example shows an entry from the mailbox audit log contained in the
SearchResult.xml file. Each entry starts with the <Event> XML tag and ends with the
</Event> XML tag. This entry shows that the admin purged the message with the
subject "Notification of litigation hold" from the Recoverable Items folder in David's
mailbox on April 30, 2021.

XML

<Event MailboxGuid="6d4fbdae-e3ae-4530-8d0b-f62a14687939"
Owner="PPLNSL-dom\david50001-1363917750"
LastAccessed="2021-04-30T11:01:55.140625-07:00"
Operation="HardDelete"
OperationResult="Succeeded"
LogonType="Admin"
FolderId="0000000073098C3277988F4CB882F5B82EBF64610100A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000"
FolderPathName="\Recoverable Items\Deletions"
ClientInfoString="Client=OWA;Action=ViaProxy"
ClientIPAddress="10.196.241.168"
InternalLogonType="Owner"
MailboxOwnerUPN="david@contoso.com"
MailboxOwnerSid="S-1-5-21-290112810-296651436-1966561949-1151"
CrossMailboxOperation="false"
LogonUserDN="Administrator"
LogonUserSid="S-1-5-21-290112810-296651436-1966561949-1149">
<SourceItems>
<Item Id="0000000073098C3277988F4CB882F5B82EBF64610700A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000A7C317F68C24304BBD18ABE1F185E79B00000026BD540"
Subject="Notification of litigation hold"
FolderPathName="\Recoverable Items\Deletions" />
</SourceItems>
</Event>

Useful fields in the mailbox audit log

Here's a description of useful fields in the mailbox audit log. They can help you identify
specific information about each instance of non-owner access of a mailbox.

Owner: The owner of the mailbox that was accessed by a non-owner.

LastAccessed: The date and time when the mailbox was accessed.

Operation: The action that was performed by the non-owner. For more information, see the "What gets logged in the mailbox audit log?" section in Run a non-owner mailbox access report in Exchange Online.

OperationResult: Whether the action performed by the non-owner succeeded or failed.

LogonType: The type of non-owner access. These include admin, delegate, and external.

FolderPathName: The name of the folder that contained the message that was affected by the non-owner.

ClientInfoString: Information about the mail client used by the non-owner to access the mailbox.

ClientIPAddress: The IP address of the computer used by the non-owner to access the mailbox.

InternalLogonType: The logon type of the account used by the non-owner to access this mailbox.

MailboxOwnerUPN: The email address of the mailbox owner.

LogonUserDN: The display name of the non-owner.

Subject: The subject line of the email message that was affected by the non-owner.
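Opening SearchResult.xml in Excel works for a handful of events; for a real export it is quicker to parse the fields listed above with PowerShell and triage on them. The script below is an added example, not from this article or from Microsoft, and runs offline. The XML string is constructed for the example: its Event and Item attributes follow the entry shown above, but the root element name is an assumption (a real export may use a different one), which is why the code selects //Event rather than a fixed path. The private address range treated as internal is also an assumption.

```powershell
# Added example, not from the Exchange Online documentation. The XML below is constructed
# for the example; point the function at your own SearchResult.xml for real data.

$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SearchResults>
  <Event Owner="CONTOSO\david" LastAccessed="2021-04-30T11:01:55.140625-07:00"
         Operation="HardDelete" OperationResult="Succeeded" LogonType="Admin"
         FolderPathName="\Recoverable Items\Deletions" ClientInfoString="Client=OWA;Action=ViaProxy"
         ClientIPAddress="10.196.241.168" InternalLogonType="Owner"
         MailboxOwnerUPN="david@contoso.com" CrossMailboxOperation="false" LogonUserDN="Administrator">
    <SourceItems>
      <Item Id="ItemId1" Subject="Notification of litigation hold" FolderPathName="\Recoverable Items\Deletions" />
    </SourceItems>
  </Event>
  <Event Owner="CONTOSO\david" LastAccessed="2021-05-02T08:12:03.000000-07:00"
         Operation="FolderBind" OperationResult="Succeeded" LogonType="Delegate"
         FolderPathName="\Inbox" ClientInfoString="Client=MSExchangeRPC"
         ClientIPAddress="10.196.12.40" InternalLogonType="Delegate"
         MailboxOwnerUPN="david@contoso.com" CrossMailboxOperation="false" LogonUserDN="Assistant">
    <SourceItems />
  </Event>
  <Event Owner="CONTOSO\david" LastAccessed="2021-05-03T22:41:10.000000-07:00"
         Operation="SendAs" OperationResult="Succeeded" LogonType="Delegate"
         FolderPathName="\Sent Items" ClientInfoString="Client=OWA;Action=ViaProxy"
         ClientIPAddress="203.0.113.7" InternalLogonType="Delegate"
         MailboxOwnerUPN="david@contoso.com" CrossMailboxOperation="false" LogonUserDN="Assistant">
    <SourceItems>
      <Item Id="ItemId2" Subject="Wire transfer approval" FolderPathName="\Sent Items" />
    </SourceItems>
  </Event>
</SearchResults>
'@

function ConvertFrom-MailboxAuditExport {
    param([Parameter(Mandatory)] [xml] $Xml)
    # //Event finds the entries whatever the root element is called.
    foreach ($ev in $Xml.SelectNodes('//Event')) {
        $items = @($ev.SelectNodes('SourceItems/Item'))
        [pscustomobject]@{
            When      = [datetimeoffset] $ev.LastAccessed
            Owner     = $ev.MailboxOwnerUPN
            NonOwner  = $ev.LogonUserDN
            LogonType = $ev.LogonType
            Operation = $ev.Operation
            Result    = $ev.OperationResult
            Folder    = $ev.FolderPathName
            ClientIP  = $ev.ClientIPAddress
            Client    = $ev.ClientInfoString
            Items     = $items.Count
            Subjects  = ($items | ForEach-Object { $_.Subject }) -join '; '
        }
    }
}

# Real file: $events = ConvertFrom-MailboxAuditExport -Xml ([xml](Get-Content .\SearchResult.xml -Raw))
$events = ConvertFrom-MailboxAuditExport -Xml ([xml] $sampleXml)

# Triage: operations that change data or send mail, or access from outside the corporate
# range (10.0.0.0/8 is assumed internal here), newest first.
$changing = 'HardDelete', 'SoftDelete', 'SendAs', 'SendOnBehalf', 'Update'
$events |
    Where-Object { ($_.Operation -in $changing) -or ($_.ClientIP -notlike '10.*') } |
    Sort-Object When -Descending |
    Format-Table When, NonOwner, LogonType, Operation, Folder, Subjects, ClientIP -AutoSize

# Full output for the record.
$events | Export-Csv -Path .\MailboxAuditExport.csv -NoTypeInformation -Encoding UTF8
```

With the sample data the triage table shows the admin HardDelete and the SendAs from 203.0.113.7, and leaves out the delegate's FolderBind from an internal address; LastAccessed is parsed as a DateTimeOffset so the -07:00 offset in the export survives sorting.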
Run a per-mailbox litigation hold report
in Exchange Online
Article • 02/22/2023

Note

Classic Exchange admin center is in the process of being deprecated in worldwide
deployment. We recommend that you search the audit log in the Microsoft Purview
compliance portal. For more information, see Deprecation of the classic Exchange
admin center in WW service and Search the audit log in the compliance portal.

If your Exchange Online organization is involved in a legal action, you may have to take
steps to preserve relevant data, such as email messages, that may be used as evidence.
In situations like this, you can use litigation hold to retain all email sent and received by
specific people or retain all email sent and received in your organization for a specific
time period. For more information about what happens when a mailbox is on litigation
hold and how to enable and disable it, see the "Mailbox Features" section in Manage
user mailboxes.

Use the litigation hold report to keep track of the following types of changes made to a
mailbox in a given time period:

Litigation hold was enabled.

Litigation hold was disabled.

For each of these change types, the report includes the user who made the change and
the time and date the change was made.

What do you need to know before you begin?


You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "View reports" entry in the
Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip
Having problems? Ask for help in the Exchange Online forum.

Use the classic EAC to run a litigation hold report

1. In the EAC, navigate to Compliance Management > Auditing.

2. Click Run a per-mailbox litigation hold report.

Microsoft Exchange runs the report for litigation hold changes made to any
mailbox in the past two weeks.

3. To view the changes for a specific mailbox, in the search results pane, select the
mailbox. View the search results in the details pane.

Tip

Want to narrow the search results? Select the start date, end date, or both, and
select specific mailboxes to search. Click Search to re-run the report.

How do you know this worked?


To verify that you've successfully run a litigation hold report, mailboxes that had
litigation hold changes within the date range are displayed in the search results pane. If
there are no results, then no changes to litigation hold have taken place within the date
range or recent changes haven't taken effect yet.

Note

When a mailbox is put on litigation hold, it can take up to 240 minutes for the hold to take effect.


Search for role group changes or admin audit logs in Exchange Online
Article • 02/22/2023

Note

Classic Exchange admin center is in the process of being deprecated in worldwide deployment. We recommend that you search the audit log in the Microsoft Purview compliance portal. For more information, see Deprecation of the classic Exchange admin center in WW service and Search the audit log in the compliance portal.

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can use the following options to search the admin audit logs to discover who made changes to the organization and recipient configuration:

Run an administrator role group report in the Exchange admin center (EAC).
Use PowerShell to search for admin audit log entries and send the results to a
recipient.

These options can be helpful when you're trying to track the cause of unexpected
behavior, to identify a malicious administrator, or to verify that compliance requirements
are being met. Both of these options are described in this article.

Tip

You can also use the EAC to view entries in the admin audit log. For more
information, see View the admin audit log.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "View-only administrator
audit logging" entry in the Feature permissions in Exchange Online topic.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.
To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone Exchange Online Protection PowerShell see
Connect to Exchange Online Protection PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the EAC to run an administrator role group report

Use the administrator role group report to see the changes in membership that have
been made to management roles.

1. In the EAC, go to Compliance management > Auditing, and then choose Run an
administrator role group report.

2. In the Search for changes to administrator role groups page that opens,
configure the following settings:

Start date and End date: Enter a date range. By default, the report searches
for changes made to administrator role groups in the past two weeks.

Select role groups: By default, all role groups are searched. To filter the
results by specific role groups, click Select role groups. In the dialog that
appears, select a role group and click add ->. Repeat this step as many times
as necessary, and then click OK when you're finished.

3. When you're finished, click Search.

If any changes are found using the specified criteria, they will appear in the results pane.
Click a role group in the search results to see the changes in the details pane.

Monitor changes to role group membership


When members are added to or removed from a role group, the search results
displayed in the details pane indicate that the role group membership was updated and
lists the current members. The results don't explicitly state which user was added or
removed.

To determine if a user was added or removed, you have to compare two separate entries
in the report. For example, let's look at the following log entries for the HelpDesk role
group:

1/27/2021 4:43 PM
Administrator
Updated members: Administrator;annb;florencef;pilarp
2/06/2021 10:09 AM
Administrator
Updated members: Administrator;annb;florencef;pilarp;tonip
2/19/2021 2:12 PM
Administrator
Updated members: Administrator;annb;florencef;tonip

In this example, the Administrator user account made the following changes:

On 2/06/2021, they added the user tonip.
On 2/19/2021, they removed the user pilarp.
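The comparison of consecutive report entries described above can be scripted. The following function is an added example and not code from the article: it takes entries in the form shown in the details pane (date, user, and the semicolon-separated Updated members list), sorts them chronologically, and reports the accounts that were added or removed between each pair of consecutive entries. The entry field names When, Who and Members are this example's own, and the sample entries are constructed to mirror the HelpDesk example above (the output shows tonip added on 2/06 and pilarp removed on 2/19).

```powershell
# Added example, not from the article: derive added/removed members from consecutive
# "Updated members" entries of the administrator role group report. The entry
# field names When, Who and Members are this example's own convention.

function Get-RoleGroupMembershipDelta {
    [CmdletBinding()]
    param(
        # Objects with When (datetime), Who (string) and Members (semicolon-separated string)
        [Parameter(Mandatory)]
        [object[]] $Entries
    )

    # Walk the entries in chronological order so each delta is "later minus earlier".
    $previous = $null
    foreach ($entry in ($Entries | Sort-Object -Property When)) {
        # Member lists are logged as "a;b;c"; trim tokens and drop empty ones.
        $current = @($entry.Members -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        if ($null -ne $previous) {
            [pscustomobject]@{
                When    = $entry.When
                Who     = $entry.Who
                Added   = @($current  | Where-Object { $_ -notin $previous }) -join ';'
                Removed = @($previous | Where-Object { $_ -notin $current })  -join ';'
            }
        }
        $previous = $current
    }
}

# Constructed sample input that mirrors the HelpDesk entries shown in the article.
$sample = @(
    [pscustomobject]@{ When = [datetime]'2021-01-27 16:43'; Who = 'Administrator'; Members = 'Administrator;annb;florencef;pilarp' }
    [pscustomobject]@{ When = [datetime]'2021-02-06 10:09'; Who = 'Administrator'; Members = 'Administrator;annb;florencef;pilarp;tonip' }
    [pscustomobject]@{ When = [datetime]'2021-02-19 14:12'; Who = 'Administrator'; Members = 'Administrator;annb;florencef;tonip' }
)

Get-RoleGroupMembershipDelta -Entries $sample | Format-Table -AutoSize
```

Because the function only needs the member list text, the same approach works on any source that records the full membership after each change; the first entry in the range produces no row because there is nothing earlier to compare it with.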

Use the EAC to export the admin audit log

Note

In standalone EOP, you can't export the admin audit log from the EAC. But you can use PowerShell to search for audit log entries and send the results to a recipient, as described in Use PowerShell to search for audit log entries and send results to a recipient later in this article.

If you're going to use Outlook on the web (formerly known as Outlook Web App) to view the exported entries, you need to enable .xml attachments in Outlook on the web. For details, see Configure Outlook on the web to allow XML attachments.

Exporting the admin audit log writes the information to an XML file and sends it to you
as an attachment in an email message. The maximum size of the XML file is 10
megabytes (MB).

1. In the EAC, select Compliance management > Auditing, and then click Export the
admin audit log.
2. Select a date range using the Start date and End date fields.
3. In the Send the auditing report to field, click Select users and then select the
recipient you want to send the report to.
4. Click Export.

If any log entries are found using the criteria you specified, an XML file will be created
and sent as an email attachment to the recipient you specified.

Use PowerShell to search for audit log entries


You can use Exchange Online PowerShell or standalone Exchange Online Protection PowerShell to search for audit log entries that meet the criteria you specify. For a list of search criteria, see Search-AdminAuditLog cmdlet. This procedure uses the Search-AdminAuditLog cmdlet and displays search results in PowerShell. You can use this cmdlet when you need to return a set of results that exceeds the limits defined on the New-AdminAuditLogSearch cmdlet or in the EAC auditing reports.

To search the audit log for criteria you specify, use the following syntax.

PowerShell

Search-AdminAuditLog -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False>

Note

The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to specify up to 250,000 log entries. Or, use the value Unlimited to return all entries.

This example performs a search for all audit log entries with the following criteria:

Start date: 08/04/2020
End date: 10/03/2020
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

PowerShell

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2020 -EndDate 10/03/2020 -UserIds davids,chrisd,kima

This example searches for changes made to a specific mailbox. This is useful if you're
troubleshooting or you need to provide information for an investigation. The following
criteria are used:

Start date: 05/01/2020
End date: 10/03/2020
Object ID: contoso.com/Users/DavidS

PowerShell

Search-AdminAuditLog -StartDate 05/01/2020 -EndDate 10/03/2020 -ObjectIds contoso.com/Users/DavidS

If your searches return many log entries, we recommend that you use the procedure
provided in Use PowerShell to search for audit log entries and send results to a recipient
later in this article. The procedure in that section sends an XML file as an email
attachment to the recipients you specify, enabling you to more easily extract the data
you're interested in.

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries


The Search-AdminAuditLog cmdlet returns the fields described in Audit log contents.
Of the fields returned by the cmdlet, two fields, CmdletParameters and
ModifiedProperties, contain additional information that isn't viewable by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the
following steps. Or, you can use the procedure in Use PowerShell to search for audit log
entries and send results to a recipient later in this article to create an XML file.

This procedure uses the following concepts:

PowerShell arrays
PowerShell variables

1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet,
and store the results in a variable using the following command.

PowerShell

$Results = Search-AdminAuditLog <search criteria>

2. Each audit log entry is stored as an array element in the variable $Results . You can
select an array element by specifying its array element index. Array element
indexes start at zero (0) for the first array element. For example, to retrieve the 5th
array element, which has an index of 4, use the following command.

PowerShell

$Results[4]

3. The previous command returns the log entry stored in array element 4. To see the
contents of the CmdletParameters and ModifiedProperties fields for this log
entry, use the following commands.

PowerShell

$Results[4].CmdletParameters
$Results[4].ModifiedProperties

4. To view the contents of the CmdletParameters or ModifiedProperties fields in
another log entry, change the array element index.

Use PowerShell to search for audit log entries and send results to a recipient


Note

The report that the New-AdminAuditLogSearch cmdlet generates can be a maximum of 10 MB in size. If your search returns a report larger than 10 MB, change the search criteria you specified. For example, reduce the date range and run multiple reports to cover the original date range.

If you're going to use Outlook on the web (formerly known as Outlook Web App) to view the exported entries, you need to enable .xml attachments in Outlook on the web. For details, see Configure Outlook on the web to allow XML attachments.

You can use Exchange Online PowerShell or standalone Exchange Online Protection PowerShell to search for audit log entries that meet the criteria you specify, and then send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within 15 minutes. For a list of search criteria, see Search-AdminAuditLog cmdlet criteria.

To search the audit log for criteria you specify, use the following syntax.

PowerShell

New-AdminAuditLogSearch -Cmdlets <cmdlet1, cmdlet2, ...> -Parameters <parameter1, parameter2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$true | $false> -StatusMailRecipients <recipient1, recipient2, ...> -Name <string to include in subject>

This example performs a search for all audit log entries with the following criteria:

Start date: 08/04/2020
End date: 10/03/2020
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

The command sends the results to the davids@contoso.com SMTP address with
"Mailbox limit changes" included in the subject line of the message.

PowerShell

New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2020 -EndDate 10/03/2020 -UserIds davids,chrisd,kima -StatusMailRecipients davids@contoso.com -Name "Mailbox limit changes"

For more information about the format of the XML file, see admin audit log structure.

For detailed syntax and parameter information, see New-AdminAuditLogSearch.
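The note at the start of this section recommends reducing the date range and running several reports when one report would exceed 10 MB. The following script is an added example, not code from the article: it splits a date range into fixed-length windows and queues one New-AdminAuditLogSearch per window, using the same cmdlet, parameter and recipient values as the example command above, and then lists the queued searches with Get-AuditLogSearch. It assumes a connected Exchange Online or EOP PowerShell session; the function names Get-DateWindows and Start-ChunkedAdminAuditLogSearch and the seven-day window size are this example's own choices.

```powershell
# Added example, not from the article: queue one New-AdminAuditLogSearch per
# date window so that no single exported report approaches the 10 MB limit.
# Requires a connected Exchange Online (or standalone EOP) PowerShell session.

function Get-DateWindows {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [int] $Days = 7
    )
    # Yield consecutive windows [Start, End]; the last one is clipped to $End.
    # Adjacent windows share a boundary instant, so an entry logged exactly on
    # a boundary can appear in two reports; that is preferable to a gap.
    $cursor = $Start
    while ($cursor -lt $End) {
        $next = $cursor.AddDays($Days)
        if ($next -gt $End) { $next = $End }
        [pscustomobject]@{ Start = $cursor; End = $next }
        $cursor = $next
    }
}

function Start-ChunkedAdminAuditLogSearch {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [Parameter(Mandatory)] [string[]] $StatusMailRecipients,
        [string]   $Name       = 'Mailbox limit changes',
        [string[]] $Cmdlets    = @('Set-Mailbox'),
        [string[]] $Parameters = @('ProhibitSendQuota', 'ProhibitSendReceiveQuota',
                                   'IssueWarningQuota', 'MaxSendSize', 'MaxReceiveSize'),
        [int]      $WindowDays = 7
    )
    foreach ($w in (Get-DateWindows -Start $StartDate -End $EndDate -Days $WindowDays)) {
        # Put the window dates into -Name so the resulting e-mails can be told apart.
        $label = '{0} {1:yyyy-MM-dd}..{2:yyyy-MM-dd}' -f $Name, $w.Start, $w.End
        $search = @{
            Cmdlets              = $Cmdlets
            Parameters           = $Parameters
            StartDate            = $w.Start
            EndDate              = $w.End
            StatusMailRecipients = $StatusMailRecipients
            Name                 = $label
        }
        New-AdminAuditLogSearch @search
    }
    # Confirm that the searches were queued; each one mails its XML report separately.
    Get-AuditLogSearch | Format-List
}

Start-ChunkedAdminAuditLogSearch -StartDate '2020-08-04' -EndDate '2020-10-03' -StatusMailRecipients davids@contoso.com
```

Get-DateWindows has no dependency on Exchange and can be checked on its own (for the range above it yields nine windows, the last one two days long); only Start-ChunkedAdminAuditLogSearch needs the session.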


View the admin audit log in Exchange Online
Article • 02/22/2023

Note

Classic Exchange admin center is in the process of being deprecated in worldwide deployment. We recommend that you search the audit log in the Microsoft Purview compliance portal. For more information, see Deprecation of the classic Exchange admin center in WW service and Search the audit log in the compliance portal.

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can use the Exchange admin center (EAC) or PowerShell to search for and view entries in the admin audit log.

The admin audit log records specific actions, based on Exchange Online PowerShell or
standalone Exchange Online Protection PowerShell cmdlets, done by admins and users
who have been assigned administrative privileges. Entries in the admin audit log provide
you with information about what cmdlet was run, which parameters were used, who ran
the cmdlet, and what objects were affected.

Notes:

Admin audit logging is enabled by default, and you can't disable it.
The admin audit log doesn't record actions based on cmdlets that begin with the
verbs Get, Search, or Test.
When a change is made in your organization, it may take up to 15 minutes to
appear in audit log search results. If a change doesn't appear in the admin audit
log, wait a few minutes and run the search again.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's
deleted.

What do you need to know before you begin?


To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone Exchange Online Protection PowerShell see Connect to Exchange Online Protection PowerShell.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "View-only administrator
audit logging" entry in the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center in Exchange Online.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the EAC to view the admin audit log


1. In the EAC, go to Compliance management > Auditing, and then choose Run the
admin audit log report.

2. In the Search for changes to administrator role groups page that opens, choose a
Start date and End date (the default range is the past two weeks), and then choose
Search. All configuration changes made during the specified time period are
displayed, and can be sorted, using the following information:

Date: The date and time that the configuration change was made. The date
and time are stored in Coordinated Universal Time (UTC) format.

Cmdlet: The name of the cmdlet that was used to make the configuration
change.

User: The name of the user account of the user who made the configuration
change.

Up to 5000 entries will be displayed on multiple pages. Specify a smaller date
range if you need to narrow your results. If you select an individual search
result, the following additional information is displayed in the details pane:

Object modified: The object that was modified by the cmdlet.

Parameters (Parameter:Value): The cmdlet parameters that were used, and
any value specified with the parameter.

3. If you want to print a specific audit log entry, choose the Print button in the details
pane.

Use PowerShell to view the admin audit log


You can use Exchange Online PowerShell or standalone Exchange Online Protection
PowerShell to search for audit log entries that meet the criteria you specify. Use the
following syntax:

PowerShell

Search-AdminAuditLog [-Cmdlets <Cmdlet1,Cmdlet2,...CmdletN>] [-Parameters <Parameter1,Parameter2,...ParameterN>] [-StartDate <UTCDateTime>] [-EndDate <UTCDateTime>] [-UserIds <"User1","User2",..."UserN">] [-ObjectIds <"Object1","Object2",..."ObjectN">] [-IsSuccess <$true | $false>]

Notes:

You can only use the Parameters parameter together with the Cmdlets parameter.

The ObjectIds parameter filters the results by the object that was modified by the
cmdlet. A valid value depends on how the object is represented in the audit log.
For example:
Name
Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)

You'll likely need to use other filtering parameters on this cmdlet to narrow down
the results and identify the types of objects that you're interested in.

The UserIds parameter filters the results by the user who made the change (who
ran the cmdlet).

For the StartDate and EndDate parameters, if you specify a date/time value without
a time zone, the value is in Coordinated Universal Time (UTC). To specify a
date/time value for this parameter, use either of the following options:
Specify the date/time value in UTC: For example, "2016-05-06 14:30:00z".
Specify the date/time value as a formula that converts the date/time in your
local time zone to UTC: For example, (Get-Date "5/6/2016 9:30 AM").ToUniversalTime(). For more information, see Get-Date.

The cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize
parameter to specify up to 250,000 log entries. Or, use the value Unlimited to
return all entries.

This example performs a search for all audit log entries with the following criteria:

Start date: August 4, 2019
End date: October 3, 2019
Cmdlets: Update-RoleGroupMember

PowerShell

Search-AdminAuditLog -Cmdlets Update-RoleGroupMember -StartDate (Get-Date "08/04/2019").ToUniversalTime() -EndDate (Get-Date "10/03/2019").ToUniversalTime()

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries


The Search-AdminAuditLog cmdlet returns the fields described in the Audit log
contents section later in this article. Of the fields returned by the cmdlet, two fields,
CmdletParameters and ModifiedProperties, contain additional information that isn't
returned by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the
following steps.

1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet,
and store the results in a variable using the following command.

PowerShell

$Results = Search-AdminAuditLog <search criteria>

2. Each audit log entry is stored as an array element in the variable $Results . You can
select an array element by specifying its array element index. Array element
indexes start at zero (0) for the first array element. For example, to retrieve the 5th
array element, which has an index of 4, use the following command.

PowerShell

$Results[4]

3. The previous command returns the log entry stored in array element 4. To see the
contents of the CmdletParameters and ModifiedProperties fields for this log
entry, use the following commands.

PowerShell

$Results[4].CmdletParameters
$Results[4].ModifiedProperties

4. To view the contents of the CmdletParameters or ModifiedProperties fields in
another log entry, change the array element index.
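This procedure, and the identical one in the previous article, inspect CmdletParameters and ModifiedProperties one entry at a time with $Results[n]. The following function is an added example, not code from the article: it accepts entries from Search-AdminAuditLog on the pipeline and emits one row per cmdlet parameter and per modified property (with old and new values), so a whole result set can be reviewed with Format-Table or written out with Export-Csv. The property names it reads (RunDate, Caller, CmdletName, ObjectModified, CmdletParameters with Name and Value, ModifiedProperties with Name, OldValue and NewValue) are those of the audit log entry; the sample entry at the end is constructed so the function can be tried without a session, and its values (the davids mailbox, a 50 GB quota) are made up.

```powershell
# Added example, not from the article: flatten the CmdletParameters and
# ModifiedProperties collections of admin audit log entries into one row per
# parameter or changed property.

function Expand-AdminAuditLogEntry {
    [CmdletBinding()]
    param(
        # Entries as returned by Search-AdminAuditLog, or constructed objects
        # that carry the same property names.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Entry
    )
    process {
        # One row per cmdlet parameter: the parameter name and the value supplied.
        foreach ($p in @($Entry.CmdletParameters)) {
            [pscustomobject]@{
                RunDate  = $Entry.RunDate
                Caller   = $Entry.Caller
                Cmdlet   = $Entry.CmdletName
                Object   = $Entry.ObjectModified
                Kind     = 'Parameter'
                Name     = $p.Name
                OldValue = $null
                NewValue = $p.Value
            }
        }
        # One row per modified property: old value and new value side by side.
        foreach ($m in @($Entry.ModifiedProperties)) {
            [pscustomobject]@{
                RunDate  = $Entry.RunDate
                Caller   = $Entry.Caller
                Cmdlet   = $Entry.CmdletName
                Object   = $Entry.ObjectModified
                Kind     = 'Property'
                Name     = $m.Name
                OldValue = $m.OldValue
                NewValue = $m.NewValue
            }
        }
    }
}

# Live usage with a connected Exchange Online PowerShell session:
#   $Results = Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate 08/04/2020 -EndDate 10/03/2020
#   $Results | Expand-AdminAuditLogEntry | Export-Csv .\AdminAuditDetail.csv -NoTypeInformation

# Constructed sample entry (made-up values, real property names) so the
# function can be exercised offline.
$sampleEntry = [pscustomobject]@{
    RunDate            = [datetime]'2020-09-01 13:05'
    Caller             = 'contoso.com/Users/davids'
    CmdletName         = 'Set-Mailbox'
    ObjectModified     = 'contoso.com/Users/DavidS'
    CmdletParameters   = @(
        [pscustomobject]@{ Name = 'Identity';          Value = 'DavidS' }
        [pscustomobject]@{ Name = 'ProhibitSendQuota'; Value = '50 GB' }
    )
    ModifiedProperties = @(
        [pscustomobject]@{ Name = 'ProhibitSendQuota'; OldValue = '49 GB'; NewValue = '50 GB' }
    )
}

$sampleEntry | Expand-AdminAuditLogEntry | Format-Table Kind, Name, OldValue, NewValue -AutoSize
```

Rows of Kind Parameter show what the administrator typed; rows of Kind Property show what actually changed on the object, which is the pair a reviewer compares when a change looks unexpected.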

Audit log contents


Each audit log entry contains the information described in the following table. The audit
log contains one or more audit log entries.

Field Description

RunspaceId This field is used internally.

ObjectModified This field contains the object that was modified by the cmdlet specified in the CmdletName field.

CmdletName This field contains the name of the cmdlet that was run by the user in the Caller field.

CmdletParameters This field contains the parameters that were specified when the cmdlet in the CmdletName field was run. Also stored in this field, but not visible in the default output, is the value specified with the parameter, if any.

ModifiedProperties This field contains the properties that were modified on the object in the ObjectModified field. Also stored in this field, but not visible in the default output, are the old value of the property and the new value that was stored.

Caller This field contains the user account of the user who ran the cmdlet in the CmdletName field.

ExternalAccess This field is used internally.

Succeeded This field specifies whether the cmdlet in the CmdletName field ran successfully. The value is either True or False.

Error This field contains the error message generated if the cmdlet in the CmdletName field failed to complete successfully.

RunDate This field contains the date and time when the cmdlet in the CmdletName field was run. The date and time are stored in Coordinated Universal Time (UTC) format.

OriginatingServer This field indicates the server on which the cmdlet specified in the CmdletName field was run.

ClientIP This field is used internally.

SessionId This field is used internally.

AppId This field is used internally.

ClientAppId This field is used internally.

Identity This field is used internally.

IsValid This field is used internally.

ObjectState This field is used internally.


View and export the external admin audit log in Exchange Online
Article • 02/22/2023

Note

Classic Exchange admin center is in the process of being deprecated in worldwide deployment. We recommend that you search the audit log in the Microsoft Purview compliance portal. For more information, see Deprecation of the classic Exchange admin center in WW service and Search the audit log in the compliance portal.

In Exchange Online, actions performed by Microsoft and delegated administrators are logged in the admin audit log. You can use the Exchange admin center (EAC) or Exchange Online PowerShell to search for and view audit log entries to determine if external administrators performed any actions on or changed the configuration of your Exchange Online organization. You can also use Exchange Online PowerShell to export these audit log entries.

What do you need to know before you begin?


Estimated time to complete: This will vary based on whether you view or export
entries from the admin audit log. See each procedure for its estimated time to
complete.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "View-only administrator
audit logging" entry in the Feature permissions in Exchange Online topic.

If you're going to use Outlook on the web (formerly known as Outlook Web App)
to view the exported entries, you need to enable .xml attachments in Outlook on
the web. For details, see Configure Outlook on the web to allow XML attachments.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange Online forum.


Use the EAC to view the external admin audit log report

Estimated time to complete: 3 minutes

1. Go to Compliance management > Auditing and click View the external admin
audit log report. All configuration changes made by Microsoft datacenter
administrators and delegated administrators during the specified time period are
displayed, and can be sorted, using the following information:

Date: The date and time that the configuration change was made. The date
and time are stored in Coordinated Universal Time (UTC) format.

Cmdlet: The name of the cmdlet that was used to make the configuration
change.

If you select an individual search result, the following information is displayed
in the details pane:

The date and time that the cmdlet was run.

The user who ran the cmdlet. For all entries in the external admin audit log
report, the user is identified as Administrator, which indicates a Microsoft
datacenter administrator or an external administrator.

The cmdlet parameters that were used, and any value specified with the
parameter, in the format Parameter:Value.

2. If you want to print a specific audit log entry, select it in the search results pane
and then click Print in the details pane.

3. To narrow the search, choose dates in the Start date and End date drop-down
menus, and then click Search.

Use Exchange Online PowerShell to view entries in the external admin audit log report

Estimated time to complete: 3 minutes

You can use the Search-AdminAuditLog cmdlet with the ExternalAccess parameter to
view entries from the admin audit log for actions performed by Microsoft datacenter
administrators and delegated administrators.

This command returns all entries in the admin audit log for cmdlets run by external
administrators.

PowerShell

Search-AdminAuditLog -ExternalAccess $true

This command returns entries in the admin audit log for cmdlets run by external
administrators between September 17, 2013 and October 2, 2013.

PowerShell

Search-AdminAuditLog -ExternalAccess $true -StartDate 09/17/2013 -EndDate 10/02/2013

For more information, see Search-AdminAuditLog.

Use Exchange Online PowerShell to export the admin audit log

Estimated time to complete: Approximately 24 hours

You can use the New-AdminAuditLogSearch cmdlet with the ExternalAccess parameter
to export entries from the admin audit log for actions performed by Microsoft
datacenter administrators or delegated administrators. Microsoft Exchange retrieves
entries in the admin audit log that were performed by external administrators and saves
them to a file named SearchResult.xml. This XML file is attached to an email message
that is sent to the specified recipients within 24 hours.

The following command returns entries in the admin audit log for cmdlets run by
external administrators between September 25, 2013 and October 24, 2013. The search
results are sent to the admin@contoso.com and pilarp@contoso.com SMTP addresses
and the text "External admin audit log" is added to the subject line of the message.

PowerShell

New-AdminAuditLogSearch -ExternalAccess $true -EndDate 10/24/2013 -StartDate 09/25/2013 -StatusMailRecipients admin@contoso.com,pilarp@contoso.com -Name "External admin audit log"

Note

When you include the ExternalAccess parameter, only entries for actions performed by Microsoft datacenter administrators or delegated administrators are included in the audit log that is exported. If you don't include the ExternalAccess parameter, the audit log will contain entries for actions performed by the administrators in your organization and by external administrators.

To verify that the command to export the admin audit log entries performed by external
administrators was successful, and to display information about current admin audit log
searches, run the following command:

PowerShell

Get-AuditLogSearch | Format-List
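Rather than reading the individual entries that Search-AdminAuditLog -ExternalAccess $true returns, a reviewer usually wants a per-day summary first and drills into entries only where the counts look unusual. The function below is an added example, not code from the article: it groups external-administrator entries by day, cmdlet and success or failure, counts them, and lists the affected objects, using the RunDate, CmdletName, Succeeded and ObjectModified fields of the audit log entry. The sample entries at the end are constructed (made-up dates, objects and cmdlets) so the function can be run without a session; the function name is this example's own.

```powershell
# Added example, not from the article: summarise external-administrator audit
# entries per day and cmdlet so that unusual activity stands out before any
# single entry is examined.

function Get-ExternalAdminActivitySummary {
    [CmdletBinding()]
    param(
        # Entries as returned by Search-AdminAuditLog -ExternalAccess $true,
        # or constructed objects with the same property names.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Entry
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Entry) }
    end {
        # RunDate is recorded in UTC, so the day key is a UTC day.
        $all |
            Group-Object -Property { '{0:yyyy-MM-dd}|{1}|{2}' -f $_.RunDate, $_.CmdletName, $_.Succeeded } |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    Day       = $first.RunDate.ToString('yyyy-MM-dd')
                    Cmdlet    = $first.CmdletName
                    Succeeded = $first.Succeeded
                    Count     = $_.Count
                    Objects   = (@($_.Group.ObjectModified | Sort-Object -Unique) -join '; ')
                }
            } |
            Sort-Object Day, Cmdlet
    }
}

# Live usage with a connected Exchange Online PowerShell session:
#   Search-AdminAuditLog -ExternalAccess $true -StartDate 09/17/2013 -EndDate 10/02/2013 |
#       Get-ExternalAdminActivitySummary

# Constructed sample entries (made-up values, real property names).
$sample = @(
    [pscustomobject]@{ RunDate = [datetime]'2013-09-20 10:10'; CmdletName = 'Set-Mailbox';      Succeeded = $true;  ObjectModified = 'contoso.com/Users/pilarp' }
    [pscustomobject]@{ RunDate = [datetime]'2013-09-20 10:11'; CmdletName = 'Set-Mailbox';      Succeeded = $true;  ObjectModified = 'contoso.com/Users/annb' }
    [pscustomobject]@{ RunDate = [datetime]'2013-09-21 15:40'; CmdletName = 'Set-TransportRule'; Succeeded = $false; ObjectModified = 'Sample transport rule' }
)

$sample | Get-ExternalAdminActivitySummary | Format-Table -AutoSize
```

Failed attempts are kept as their own rows on purpose: a run of failures from an external administrator is as worth a follow-up as a successful change, and the Objects column shows where to look.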

More information

In Microsoft 365 and Office 365, you can delegate the ability to perform certain
administrative tasks to an authorized partner of Microsoft. These admin tasks
include creating or editing users, resetting user passwords, managing user licenses,
managing domains, and assigning admin permissions to other users in your
organization. When you authorize a partner to take on this role, the partner is
referred to as a delegated admin. The tasks performed by a delegated admin are
logged in the admin audit log. As previously described, actions performed by
delegated admins can be viewed by running the external admin audit log report or
exported by using the New-AdminAuditLogSearch cmdlet with the ExternalAccess
parameter.

The admin audit log records specific actions, based on Exchange Online PowerShell
cmdlets, performed by administrators and users who have been assigned
administrative privileges. Actions performed by external administrators are also
logged. Entries in the admin audit log provide you with information about the
cmdlet that was run, which parameters were used, and what objects were affected.

The admin audit log doesn't record any action that is based on an Exchange Online
PowerShell cmdlet that begins with the verbs Get, Search, or Test.

Audit log entries are kept for 90 days. When an entry is older than 90 days, it's
deleted.

Messaging records management in Exchange Online
Article • 02/22/2023

Note

To proactively retain or delete mailbox content for information governance in Microsoft 365, we recommend that you use retention policies and retention labels from the Microsoft Purview compliance portal, instead of messaging records management that's described on this page. However, you should continue using messaging records management to move messages to archive mailboxes.

If you currently use messaging records management, this older feature will
continue to work side-by-side with retention policies and retention labels. However,
we recommend that going forward, you use retention policies and retention labels
instead. They provide you with a single mechanism to centrally manage both
retention and deletion of content across Microsoft 365.

Users send and receive email every day. If left unmanaged, the volume of email
generated and received each day can inundate users, impact user productivity, and
expose your organization to risks. As a result, email lifecycle management is a critical
component for most organizations.

Messaging records management (MRM) is the records management technology in Exchange Server and Exchange Online that helps organizations manage email lifecycle and reduce the legal risks associated with email. Deploying MRM can help your organization in several ways:

Meet business requirements: Depending on your organization's messaging policies, you may need to retain important email messages for a certain period. For example, a user's mailbox may contain critical messages related to business strategy, transactions, product development, or customer interactions.

Meet legal and regulatory requirements: Many organizations have a legal or regulatory requirement to store messages for a designated period and remove messages older than that period. Storing messages longer than necessary may increase your organization's legal or financial risks.

Increase user productivity: If left unmanaged, the ever-increasing volume of email in your users' mailboxes can also impact their productivity. For example, although newsletter subscriptions and automated notifications may have informational value when they're received, users may not remove them after reading (often they're never read). Many of these types of messages don't have a retention value beyond a few days. Using MRM to remove such messages can help reduce information clutter in users' mailboxes, thereby increasing productivity.

Improve storage management: Due to expectations driven by free consumer email services, many users keep old messages for a long period or never remove them. Maintaining large mailboxes is increasingly becoming a standard practice, and users shouldn't be forced to change their work habits based on restrictive mailbox quotas. However, retaining messages beyond the period that's necessary for business, legal, or regulatory reasons also increases storage costs.

MRM provides the flexibility to implement the records management policy that best
meets your organization's requirements. With a good understanding of MRM, In-Place
Archiving, and In-Place Hold, you can help meet your goals of managing mailbox
storage and meeting regulatory retention requirements.

Looking for management tasks related to MRM? See Messaging Records Management
Procedures.

MRM in Exchange Server and Exchange Online

In Exchange Server and Exchange Online, MRM is accomplished through the use of
retention tags and retention policies. Retention tags are used to apply retention settings
to an entire mailbox and default mailbox folders such as Inbox and Deleted Items. You
can also create and deploy retention tags that Outlook 2010 and later and Outlook on
the web (formerly known as Outlook Web App) users can use to apply to folders or
individual messages. After they're created, you add retention tags to a retention policy
and then apply the policy to users. The Managed Folder Assistant processes mailboxes
and applies retention settings in the user's retention policy. To learn more about
retention policies, see Retention tags and retention policies.

When a message reaches its retention age specified in the applicable retention tag, the
Managed Folder Assistant takes the retention action specified by the tag. Messages can
then be deleted permanently or deleted with the ability to recover them. If an archive
has been provisioned for the user, you can also use retention tags to move items to the
user's In-Place Archive.

MRM strategies
You can use retention policies to enforce basic message retention for an entire mailbox
or for specific default folders. Although there are several strategies for deploying MRM,
here are some of the most common:

Remove all messages after a specified period: In this strategy, you implement a single
MRM policy that removes all messages after a certain period. In this strategy, there's no
classification of messages. You can implement this policy by creating a single default
policy tag (DPT) for the mailbox. However, this doesn't ensure that messages are
retained for the specified period. Users can still delete messages before retention period
is reached.

Move messages to archive mailboxes: In this strategy, you implement MRM policies
that move items to the user's archive mailbox. An archive mailbox provides additional
storage for users to maintain old and infrequently accessed content. Retention tags that
move items are also known as archive policies. Within the same retention policy, you can
combine a DPT and personal tags to move items, and a DPT, RPTs, and personal tags to
delete items. To learn more about archiving policies, see:

Exchange Server 2016: In-Place Archiving

Exchange Online: Archive Mailboxes in Exchange Online

Note

In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox
for an on-premises primary mailbox. If you assign an archive policy to an
on-premises mailbox, items are moved to the cloud-based archive. If an item is moved
to the archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the
on-premises mailbox is placed on hold, an archive policy will still move items to the
cloud-based archive mailbox where they are preserved for the duration specified by
the hold.

Remove messages based on folder location: In this strategy, you implement MRM
policies based on email location. For example, you can specify that messages in the
Inbox are retained for one year and messages in the Junk Email folder are retained for
60 days. You can implement this policy by using a combination of retention policy tags
(RPTs) for each default folder you want to configure and a DPT for the entire mailbox.
The DPT applies to all custom folders and all default folders that don't have an RPT
applied.
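As an added example (not code from the Exchange Online documentation), the PowerShell below builds the folder-location strategy just described with the Exchange Online cmdlets: one RPT per governed default folder, a DPT for everything else, one policy linking them, and the assignment and verification steps. The administrator account, tag names, policy name and mailbox address are assumptions.

```powershell
# Added example: "remove messages based on folder location" with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# holds the Retention Management role. All names below are invented.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# RPTs: -Type names the default folder. Inbox items become recoverable after one year,
# Junk Email is purged after 60 days (RPTs only support the two delete actions).
New-RetentionPolicyTag -Name "RPT-Inbox-1Year" -Type Inbox `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Inbox: delete after 1 year, recoverable for the deleted-item retention window"

New-RetentionPolicyTag -Name "RPT-JunkEmail-60Days" -Type JunkEmail `
    -AgeLimitForRetention 60 -RetentionAction PermanentlyDelete

# DPT (-Type All): covers custom folders and every default folder that has no RPT.
New-RetentionPolicyTag -Name "DPT-Mailbox-7Years" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery

# One policy per mailbox, and at most one RPT per default folder inside it.
New-RetentionPolicy -Name "RP-Finance" `
    -RetentionPolicyTagLinks "RPT-Inbox-1Year", "RPT-JunkEmail-60Days", "DPT-Mailbox-7Years"

# Apply to a mailbox and process it now rather than waiting for the next work cycle.
Set-Mailbox -Identity "alice@contoso.example" -RetentionPolicy "RP-Finance"
Start-ManagedFolderAssistant -Identity "alice@contoso.example"

# Checks: the mailbox carries the policy; the policy carries all three tags.
Get-Mailbox -Identity "alice@contoso.example" | Format-List RetentionPolicy
Get-RetentionPolicy -Identity "RP-Finance" |
    Select-Object -ExpandProperty RetentionPolicyTagLinks

Disconnect-ExchangeOnline -Confirm:$false
```

The DPT here only expires items; as the text notes for the single-DPT strategy, it does nothing to stop a user deleting a message early. Where retention must be guaranteed, pair the policy with a hold (see the eDiscovery strategy below in the original text).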

Note

In Exchange Server, you can create RPTs for the Calendar and Tasks folders. If you
don't want items in these folders or other default folders to expire, you can create a
disabled retention tag for that default folder.

Allow users to classify messages: In this strategy, you implement MRM policies that
include a baseline retention setting for all messages but allow users to classify messages
based on business or regulatory requirements. In this case, users become an important
part of your records management strategy - often they have the best understanding of
a message's retention value.

Users can apply different retention settings to messages that need to be retained for a
longer or shorter period. You can implement this policy using a combination of the
following:

A DPT for the mailbox

Personal tags that users can apply to custom folders or individual messages

(Optional) Additional RPTs to expire items in specific default folders

For example, you can use a retention policy with personal tags that have a shorter
retention period (such as two days, one week, or one month), as well as personal tags
that have a longer retention period (such as one, two, or five years). Users can apply
personal tags with the shorter retention periods for items such as newsletter
subscriptions that may lose their value within days of receiving them, and apply the tags
with longer periods to preserve items that have a high business value. They can also
automate the process by using Inbox rules in Outlook to apply a personal tag to
messages that match rule conditions.

Retain messages for eDiscovery purposes: In this strategy, you implement MRM
policies that remove messages from mailboxes after a specified period but also retain
them in the Recoverable Items folder for In-Place eDiscovery purposes, even if the
messages were deleted by the user or another process.

You can meet this requirement by using a combination of retention policies and
In-Place Hold or Litigation Hold. Retention policies remove messages from
the mailbox after the specified period. A time-based In-Place Hold or Litigation Hold
preserves messages that were deleted or modified before that period. For example, to
retain messages for seven years, you can create a retention policy with a DPT that
deletes messages in seven years and Litigation Hold to hold messages for seven years.
Messages that aren't removed by users will be deleted after seven years; messages
deleted by users before the seven year period will be retained in the Recoverable Items
folder for seven years. To learn more about this folder, see Recoverable Items folder in
Exchange Online.

Optionally, you can use RPTs and personal tags to allow users to clean up their
mailboxes. However, In-Place Hold and Litigation Hold continues to retain the deleted
messages until the hold period expires.
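The seven-year example above, as an added PowerShell example (not from the documentation): a deletion DPT on its own lets a user purge a message on day one, so the mailbox is also placed on a time-based Litigation Hold of the same length, and an audit query lists mailboxes that carry the deletion policy without any hold. The tag, policy and mailbox names are assumptions, and Litigation Hold requires a mailbox license that includes it (Exchange Online Plan 2 or the archiving add-on).

```powershell
# Added example: pair a deletion DPT with a time-based Litigation Hold of equal length.
# Assumes a connected Exchange Online PowerShell session; names are invented.
$retentionDays = 7 * 365   # 2555 days, the seven-year period used in the text

New-RetentionPolicyTag -Name "DPT-Delete-7Years" -Type All `
    -AgeLimitForRetention $retentionDays -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "RP-Legal-7Years" -RetentionPolicyTagLinks "DPT-Delete-7Years"

$mailbox = "bob@contoso.example"
Set-Mailbox -Identity $mailbox -RetentionPolicy "RP-Legal-7Years"

# LitigationHoldDuration counts from each item's received/created date, not from the
# date it was deleted, so user deletions land in Recoverable Items and stay there
# until the item is seven years old. HoldDate and HoldOwner are stamped automatically.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true -LitigationHoldDuration $retentionDays

# Check both halves are present on the mailbox.
Get-Mailbox -Identity $mailbox | Format-List RetentionPolicy, LitigationHoldEnabled, `
    LitigationHoldDuration, LitigationHoldDate, LitigationHoldOwner

# Audit: mailboxes that have the deletion policy but no Litigation Hold and no
# In-Place/Purview hold (InPlaceHolds lists the hold identifiers applied to the mailbox).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RetentionPolicy -eq "RP-Legal-7Years" -and
                   -not $_.LitigationHoldEnabled -and -not $_.InPlaceHolds } |
    Select-Object DisplayName, PrimarySmtpAddress
```

Run the audit on a schedule: a mailbox with the deletion policy and no hold is exactly the gap the text warns about, where a user or process can remove evidence before the retention period ends.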

Note

A time-based In-Place Hold or Litigation Hold is similar to what was informally
referred to as a rolling legal hold in Exchange 2010. Rolling legal hold was
implemented by configuring the deleted item retention period for a mailbox
database or individual mailbox. However, deleted item retention retains deleted
and modified items based on the date deleted. In-Place Hold and Litigation Hold
preserve items based on the date they're received or created. This ensures that
messages are preserved for at least the specified period.

For more information

Messaging Records Management Terminology in Exchange 2013

Retention tags and retention policies

Retention tags and retention policies in Exchange Online
Article • 02/22/2023

Important

Please refer to the Microsoft 365 security center and the Microsoft Purview
compliance portal for Exchange security and compliance features. They are no
longer available in the new Exchange admin center.

Note

To proactively retain or delete mailbox content for information governance in
Microsoft 365, we recommend that you use retention policies and retention labels
from the Microsoft Purview compliance portal, instead of messaging records
management that's described on this page. However, you should continue using
messaging records management to move messages to archive mailboxes.

If you currently use messaging records management, this older feature will
continue to work side-by-side with retention policies and retention labels. However,
we recommend that going forward, you use retention policies and retention labels
instead. They provide you with a single mechanism to centrally manage both
retention and deletion of content across Microsoft 365.

In Microsoft Exchange Server and Exchange Online, Messaging records management
(MRM) helps organizations to manage email lifecycle and reduce legal risks associated
with e-mail and other communications. MRM makes it easier to keep messages needed
to comply with company policy, government regulations, or legal needs, and to remove
content that has no legal or business value.

Watch this video for a quick overview of how to apply retention tags and a retention
policy to a mailbox in Exchange Online.

Messaging Records Management strategy

MRM in Exchange Server and Exchange Online is accomplished by using retention tags
and retention policies. Before discussing the details about each of these retention
features, it's important to learn how the features are used in the overall MRM strategy.
This strategy is based on:

Assigning retention policy tags (RPTs) to default folders, such as the Inbox and
Deleted Items.

Applying default policy tags (DPTs) to mailboxes to manage the retention of all
untagged items.

Allowing the user to assign personal tags to custom folders and individual items.

Separating MRM functionality from users' Inbox management and filing habits.
Users aren't required to file messages in managed folders based on retention
requirements. Individual messages can have a different retention tag than the one
applied to the folder in which they're located.

The following figure illustrates the tasks involved in implementing this strategy.

Retention tags

As illustrated in the preceding figure, retention tags are used to apply retention settings
to folders and individual items such as e-mail messages and voice mail. These settings
specify how long a message remains in a mailbox and the action to be taken when the
message reaches the specified retention age. When a message reaches its retention age,
it's moved to the user's archive mailbox or deleted.

The following example picture is for Exchange Server, although you can configure the
same settings for Exchange Online:

Retention tags allow users to tag their own mailbox folders and individual items for
retention. Users no longer have to file items in managed folders provisioned by an
administrator based on message retention requirements.

Types of retention tags

Retention tags are classified into the following three types based on who can apply
them and where in a mailbox they can be applied.

Default policy tag (DPT)
  Applied: Automatically to the entire mailbox. A DPT applies to untagged items,
  which are mailbox items that don't have a retention tag applied directly or by
  inheritance from the folder.
  Applied by: Administrator
  Available actions: Move to archive; Delete and allow recovery; Permanently delete
  Details: Users can't change DPTs applied to a mailbox.

Retention policy tag (RPT)
  Applied: Automatically to a default folder. Default folders are folders created
  automatically in all mailboxes, for example: Inbox, Deleted Items, and Sent Items.
  See the list of supported default folders in Default folders that support
  Retention Policy Tags.
  Applied by: Administrator
  Available actions: Delete and allow recovery; Permanently delete
  Details: Users can't change the RPT applied to a default folder.

Personal tag
  Applied: Manually to items and folders. Users can automate tagging by using Inbox
  rules to either move a message to a folder that has a particular tag or to apply a
  personal tag to the message.
  Applied by: Users
  Available actions: Move to archive; Delete and allow recovery; Permanently delete
  Details: Personal tags allow your users to determine how long an item should be
  retained. For example, the mailbox can have a DPT to delete items in seven years,
  but a user can create an exception for items such as newsletters and automated
  notifications by applying a personal tag to delete them in three days.

More about personal tags

Personal tags are available to Outlook and Outlook on the web (formerly known as
Outlook Web App) users as part of their retention policy. In Outlook and Outlook on the
web, personal tags with the Move to Archive action appear as Archive Policy, and
personal tags with the Delete and Allow Recovery or Permanently Delete actions
appear as Retention Policy, as shown in the following figure.

Users can apply personal tags to folders they create or to individual items. Messages
that have a personal tag applied are always processed based on the personal tag's
settings. Users can apply a personal tag to a message so that it's moved or deleted
sooner or later than the settings specified in the DPT or RPTs applied to that user's
mailbox. You can also create personal tags with retention disabled. This allows users to
tag items so they're never moved to an archive or never expire.

Note

Users can apply archive policies to default folders, user-created folders or
subfolders, and individual items. Users can apply a retention policy to user-created
folders or subfolders and individual items (including subfolders and items in a
default folder), but not to default folders.

Users can also use the OWA settings dialog to select additional personal tags that
aren't linked to their retention policy. The selected tags then become available in
Outlook and Outlook on the web. To enable users to select additional tags via OWA, you
must add the MyRetentionPolicies Role to the user's role assignment policy. To learn
more about role assignment policies for users, see Role assignment policies in Exchange
Online. If you allow users to select additional personal tags, all personal tags in your
Exchange organization become available to them.
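As an added example (not from the documentation) covering both the "allow users to classify messages" strategy earlier on this page and the MyRetentionPolicies role just described: the script creates a short-lived, a long-lived and a disabled (Never) personal tag, links them to an existing policy using the documented read-append-write pattern for RetentionPolicyTagLinks, and then grants users the right to pick additional personal tags from Outlook on the web settings. The tag and policy names are assumptions.

```powershell
# Added example: personal tags for user classification, plus the MyRetentionPolicies role.
# Assumes a connected Exchange Online PowerShell session and an existing policy
# named RP-Finance that already carries a DPT; all names are invented.

# Short retention for newsletters, long retention for high-value mail, and a
# disabled tag that users see as "Never" (it overrides the DPT/RPT on tagged items).
New-RetentionPolicyTag -Name "Personal-Delete-3Days" -Type Personal `
    -AgeLimitForRetention 3 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicyTag -Name "Personal-Delete-5Years" -Type Personal `
    -AgeLimitForRetention 1825 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicyTag -Name "Personal-NeverDelete" -Type Personal `
    -RetentionEnabled $false -RetentionAction DeleteAndAllowRecovery

# Link them to the existing policy without dropping the tags already linked.
$tags = (Get-RetentionPolicy -Identity "RP-Finance").RetentionPolicyTagLinks
$tags.Add("Personal-Delete-3Days")
$tags.Add("Personal-Delete-5Years")
$tags.Add("Personal-NeverDelete")
Set-RetentionPolicy -Identity "RP-Finance" -RetentionPolicyTagLinks $tags

# Let users choose additional personal tags in Outlook on the web settings.
# Caveat from the text: this exposes EVERY personal tag in the organization, not just
# the ones in the user's policy, so review all personal tags before enabling it.
New-ManagementRoleAssignment -Role MyRetentionPolicies -Policy "Default Role Assignment Policy"

# Checks: the policy now lists the personal tags; the assignment policy lists the role.
(Get-RetentionPolicy -Identity "RP-Finance").RetentionPolicyTagLinks
Get-RoleAssignmentPolicy -Identity "Default Role Assignment Policy" |
    Select-Object -ExpandProperty AssignedRoles
```

Before granting MyRetentionPolicies, run Get-RetentionPolicyTag -Type Personal and confirm there is no personal tag with a Permanently Delete action that you would not want any user to be able to apply, since the role makes all of them selectable.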

Note

Personal tags are a premium feature. Mailboxes with policies that contain these
tags (or as a result of users adding the tags to their mailbox) require an Exchange
Enterprise client access license (CAL).

Retention age
When you enable a retention tag, you must specify a retention age for the tag. This age
indicates the number of days to retain a message after it arrives in the user's mailbox.

The retention age for non-recurring items (such as email messages) is calculated
differently than items that have an end date or recurring items (such as meetings and
tasks). To learn how retention age is calculated for different types of items, see How
retention age is calculated.

You can also create retention tags with retention disabled or disable tags after they're
created. Because messages that have a disabled tag applied aren't processed, no
retention action is taken. As a result, users can use a disabled personal tag as a Never
Move tag or a Never Delete tag to override a DPT or RPT that would otherwise apply to
the message.

Retention actions
When creating or configuring a retention tag, you can select one of the following
retention actions to be taken when an item reaches its retention age:

Move to Archive (1, 2)
  Action taken: Moves the message to the user's archive mailbox. Only available for
  DPTs and personal tags. For details about archiving, see In-Place Archiving.
  Except: If the user doesn't have an archive mailbox, no action is taken.

Delete and Allow Recovery
  Action taken: Emulates the behavior when the user empties the Deleted Items folder.
  Items are moved to the Recoverable Items folder in the mailbox and preserved until
  the deleted item retention period expires. Provides the user a second chance to
  recover the item using the Recover Deleted Items dialog box in Outlook or Outlook
  on the web.
  Except: If you've set the deleted item retention period to zero days, items are
  permanently deleted. For details, see Change how long permanently deleted items
  are kept for an Exchange Online mailbox.

Permanently Delete
  Action taken: Permanently deletes messages. You can't recover messages after
  they're permanently deleted.
  Except: If the mailbox is placed on In-Place Hold or Litigation Hold, items are
  preserved in the Recoverable Items folder based on the hold parameters. In-Place
  eDiscovery will still return these items in search results.

Mark as Past Retention Limit
  Action taken: Marks a message as expired. In Outlook 2010 or later, and Outlook on
  the web, expired items are displayed with the notification stating 'This item has
  expired' and 'This item will expire in 0 days'. In Outlook 2007, items marked as
  expired are displayed by using strikethrough text.
  Except: Not applicable.

Note

1. In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox
for an on-premises primary mailbox. If you assign an archive policy to an
on-premises mailbox, items are moved to the cloud-based archive. If an item is moved
to the archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the
on-premises mailbox is placed on hold, an archive policy will still move items to the
cloud-based archive mailbox where they are preserved for the duration specified by
the hold.

2. To move Calendar items from the primary mailbox to the online archive mailbox,
create a Default Policy Tag and apply it to the mailbox. In Exchange Online, personal
tags cannot be applied to the Calendar folder in Outlook or OWA.

For details about how to create retention tags, see Create a Retention Policy.

Retention policies

To apply one or more retention tags to a mailbox, you must add them to a retention
policy and then apply the policy to mailboxes. A mailbox can't have more than one
retention policy. Retention tags can be linked to or unlinked from a retention policy at
any time, and the changes automatically take effect for all mailboxes that have the
policy applied.

A retention policy can have the following retention tags:

Default policy tag (DPT)
  One DPT with the Move to Archive action
  One DPT with the Delete and Allow Recovery or Permanently Delete action
  One DPT for voice mail messages with the Delete and Allow Recovery or
  Permanently Delete action

Retention policy tags (RPTs)
  One RPT for each supported default folder
  Note: You can't link more than one RPT for a particular default folder (such as
  Deleted Items) to the same retention policy.

Personal tags
  Any number of personal tags
  Tip: Many personal tags in a policy can confuse users. We recommend adding no
  more than 10 personal tags to a retention policy.

Note

Although a retention policy doesn't need to have any retention tags linked to it, we
don't recommend using this scenario. If mailboxes with retention policies don't
have retention tags linked to them, this may cause mailbox items to never expire.

A retention policy can contain both archive tags (tags that move items to the personal
archive mailbox) and deletion tags (tags that delete items). A mailbox item can also have
both types of tags applied. From a retention perspective, the primary mailbox and
online archive should not be looked at as separate entities. Retention settings are
applied to the primary mailbox, and by design, extend to the online archive. The online
archive is an extension of the primary mailbox.

When planning to create retention policies, you must consider whether they'll include
both archive and deletion tags. As mentioned earlier, a retention policy can have one
DPT that uses the Move to Archive action and one DPT that uses either the Delete and
Allow Recovery or Permanently Delete action. The DPT with the Move to Archive
action must have a lower retention age than the DPT with a deletion action. For
example, you can use a DPT with the Move to Archive action to move items to the
archive mailbox in two years, and a DPT with a deletion action to remove items from the
mailbox in seven years. Items in both primary and archive mailboxes will be deleted after
seven years.

For a list of management tasks related to retention policies, see Messaging Records
Management Procedures.

Default retention policy

Exchange Setup creates the retention policy Default MRM Policy. The Default MRM
Policy is applied automatically to new mailboxes in Exchange Online. In Exchange Server,
the policy is applied automatically if you create an archive for the new user and don't
specify a retention policy.

You can modify tags included in the Default MRM Policy, for example by changing the
retention age or retention action, disable a tag or modify the policy by adding or
removing tags from it. The updated policy is applied to mailboxes the next time they're
processed by the Managed Folder Assistant.

For more information, including a list of retention tags linked to the policy, see Default
Retention Policy in Exchange Online and Exchange Server.

Managed Folder Assistant

The Managed Folder Assistant, a mailbox assistant that runs on Mailbox servers,
processes mailboxes that have a retention policy applied.

The Managed Folder Assistant applies the retention policy by inspecting items in the
mailbox and determining whether they're subject to retention. It then stamps items
subject to retention with the appropriate retention tags and takes the specified
retention action on items past their retention age.

The Managed Folder Assistant is a throttle-based assistant. Throttle-based assistants are
always running and don't need to be scheduled. The system resources they can
consume are throttled. You can configure the Managed Folder Assistant to process all
mailboxes on a Mailbox server within a certain period (known as a work cycle).
Additionally, at a specified interval (known as the work cycle checkpoint), the assistant
refreshes the list of mailboxes to be processed. During the refresh, the assistant adds
newly created or moved mailboxes to the queue. It also reprioritizes existing mailboxes
that haven't been processed successfully due to failures and moves them higher in the
queue so they can be processed during the same work cycle.

You can also use the Start-ManagedFolderAssistant cmdlet to manually trigger the
assistant to process a specified mailbox.

Note

The Managed Folder Assistant doesn't take any action on messages that aren't
subject to retention, specified by disabling the retention tag. You can also disable a
retention tag to temporarily suspend items with that tag from being processed.

MRM won't move items larger than the values of MaxSendSize and MaxReceiveSize
set on the mailbox.
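Triggering the assistant says nothing about whether it actually ran. As an added example (not from the documentation), the script below triggers the Managed Folder Assistant for one mailbox and then reads the ELC (email lifecycle) counters the assistant writes into the mailbox diagnostic log, flagging a mailbox whose last successful run is older than a week. The mailbox address is an assumption, and the property name ElcLastSuccessTimestamp is assumed from the ELC counters the log exposes; list the full set first if your tenant reports them under different names.

```powershell
# Added example: verify that the Managed Folder Assistant processed a mailbox.
# Assumes a connected Exchange Online PowerShell session; the mailbox is invented.
$mailbox = "alice@contoso.example"
Start-ManagedFolderAssistant -Identity $mailbox

# -ExtendedProperties returns the mailbox table as XML; the assistant's counters
# are the properties whose names start with "Elc".
$diag = Export-MailboxDiagnosticLogs -Identity $mailbox -ExtendedProperties
$xml  = [xml]$diag.MailboxLog
$elc  = $xml.Properties.MailboxTable.Property | Where-Object { $_.Name -like "Elc*" }
$elc | Select-Object Name, Value | Format-Table -AutoSize

# Stale last-success is the symptom of a retention hold, ElcProcessingDisabled,
# throttling, or a tag the assistant cannot apply. Property name assumed (see lead-in).
$last = ($elc | Where-Object { $_.Name -eq "ElcLastSuccessTimestamp" }).Value
if (-not $last) {
    Write-Warning "No ElcLastSuccessTimestamp recorded for $mailbox; the assistant has not completed a run"
} elseif (([datetime]$last) -lt (Get-Date).AddDays(-7)) {
    Write-Warning "MRM last succeeded on $last for $mailbox; check the settings below"
}

# The mailbox-side switches that stop or pause processing.
Get-Mailbox -Identity $mailbox |
    Format-List RetentionPolicy, RetentionHoldEnabled, ElcProcessingDisabled
```

Start-ManagedFolderAssistant queues the mailbox rather than processing it synchronously, so in Exchange Online allow some time between the trigger and reading the log; a second Export-MailboxDiagnosticLogs after the run shows the timestamps advance.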

Moving items between folders

A mailbox item moved from one folder to another inherits any tags applied to the folder
to which it's moved. If an item is moved to a folder that doesn't have a tag assigned, the
DPT is applied to it. If the item has a tag explicitly assigned to it, the tag always takes
precedence over any folder-level tags or the default tag.

Applying a retention tag to a folder in the archive

When a user applies a personal tag to a folder in the archive mailbox, if a folder with the
same name exists in the primary mailbox and has a different tag, the tag on that folder
in the archive mailbox will be reset to match the one in the primary mailbox as soon as
the Managed Folder Assistant (MFA) processes the mailbox. This is by design to avoid
any confusion about items in a folder in the archive mailbox having a different expiry
behavior than the same folder in the user's primary mailbox.

Example: A user has a folder named Project Contoso in the primary mailbox with a
Delete - three years personal tag and a Project Contoso folder also exists in the
archive mailbox. The user applies a Delete - one year personal tag to delete items in
the Project Contoso folder in the archive mailbox. The next time the mailbox is processed
by MFA, the folder reverts back to the Delete - three years personal tag, based on the
applied tag in the primary mailbox. This behavior occurs for any folder for which a folder
with an identical folder path exists in the primary mailbox. It doesn't matter if it is a user
created folder or a default folder (e.g., Inbox or Deleted Items).

Removing or deleting a retention tag from a retention policy

When a retention tag is removed from the retention policy applied to a mailbox, the tag
is no longer available to the user and can't be applied to items in the mailbox.

Existing items that have been stamped with that tag continue to be processed by the
Managed Folder Assistant based on those settings and any retention action specified in
the tag is applied to those messages.

However, if you delete the tag, the tag definition stored in Active Directory is removed.
This causes the Managed Folder Assistant to process all items in a mailbox and restamp
the ones that have the removed tag applied. Depending on the number of mailboxes
and messages, this process may significantly consume resources on all Mailbox servers
that contain mailboxes with retention policies that include the removed tag.

Important

If a retention tag is removed from a retention policy, any existing mailbox items
with the tag applied will continue to expire based on the tag's settings. To prevent
the tag's settings from being applied to any items, you should delete the tag.
Deleting a tag removes it from any retention policies in which it's included.

Disabling a retention tag

If you disable a retention tag, the Managed Folder Assistant ignores items that have that
tag applied. Items that have a retention tag for which retention is disabled are either
never moved or never deleted, depending on the specified retention action. Because
these items are still considered tagged items, the DPT doesn't apply to them. For
example, if you want to troubleshoot retention tag settings, you can temporarily disable
a retention tag to stop the Managed Folder Assistant from processing messages with
that tag.

Note

The retention period for a disabled retention tag is displayed to the user as Never.
If a user tags an item believing it will never be deleted, enabling the tag later may
result in unintentional deletion of items the user didn't want to delete. The same is
true for tags with the Move to Archive action.

Retention hold
When users are temporarily away from work and don't have access to their e-mail,
retention settings can be applied to new messages before they return to work or access
their e-mail. Depending on the retention policy, messages may be deleted or moved to
the user's personal archive. You can temporarily suspend retention policies from
processing a mailbox for a specified period by placing the mailbox on retention hold.
When you place a mailbox on retention hold, you can also specify a retention comment
that informs the mailbox user (or another user authorized to access the mailbox) about
the retention hold, including when the hold is scheduled to begin and end. Retention
comments are displayed in supported Outlook clients. You can also localize the
retention hold comment in the user's preferred language.

Note

Placing a mailbox on retention hold doesn't affect how mailbox storage quotas are
processed. Depending on the mailbox usage and applicable mailbox quotas,
consider temporarily increasing the mailbox storage quota for users when they're
on vacation or don't have access to e-mail for an extended period. For more
information about mailbox storage quotas, see Mailbox storage limits.

During long absences from work, users may accrue a large amount of e-mail. Depending
on the volume of e-mail and the length of absence, it may take these users several
weeks to sort through their messages. In these cases, consider the additional time it may
take the users to catch up on their mail before removing them from retention hold.

If your organization has never implemented MRM, and your users aren't familiar with its
features, you can also use retention holds during the initial warm up and training phase
of your MRM deployment. You can create and deploy retention policies and educate
users about the policies without the risk of having items moved or deleted before users
can tag them. A few days before the warm up and training period ends, you should
remind users of the warm-up deadline. After the deadline, you can remove the retention
hold from user mailboxes, allowing the Managed Folder Assistant to process mailbox
items and take the specified retention action.

For details about how to place a mailbox on retention hold, see Place a mailbox on
retention hold.
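The retention hold described above, as an added PowerShell example (not from the documentation): a mailbox is placed on hold for a fixed absence window with a retention comment, its quotas are raised for the same window because, as the note says, the hold does not pause quota enforcement, and an audit query finds holds whose end date has passed but whose flag was never cleared. The mailbox, dates and quota values are assumptions; use quota values your license permits.

```powershell
# Added example: time-boxed retention hold with comment, plus a stale-hold audit.
# Assumes a connected Exchange Online PowerShell session; names and dates are invented.
$mailbox = "carol@contoso.example"
$start   = Get-Date "2023-07-01"
$end     = Get-Date "2023-09-30"

Set-Mailbox -Identity $mailbox `
    -RetentionHoldEnabled $true `
    -StartDateForRetentionHold $start `
    -EndDateForRetentionHold $end `
    -RetentionComment "Your retention policy is paused while you are away and resumes on $($end.ToShortDateString())."

# Quota enforcement continues during the hold; give the mailbox headroom for the
# mail that accrues (values assumed; stay within what the mailbox license allows).
Set-Mailbox -Identity $mailbox -IssueWarningQuota 90GB -ProhibitSendQuota 95GB -ProhibitSendReceiveQuota 100GB

# Confirm the hold window and the comment the user will see in Outlook.
Get-Mailbox -Identity $mailbox | Format-List RetentionHoldEnabled, `
    StartDateForRetentionHold, EndDateForRetentionHold, RetentionComment

# Audit: holds still flagged after their end date. The assistant stays paused on these
# mailboxes until RetentionHoldEnabled is set back to $false.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RetentionHoldEnabled -and $_.EndDateForRetentionHold -and
                   $_.EndDateForRetentionHold -lt (Get-Date) } |
    Select-Object DisplayName, PrimarySmtpAddress, EndDateForRetentionHold
```

When the absence ends, Set-Mailbox -Identity $mailbox -RetentionHoldEnabled $false resumes processing; give the user the catch-up time the text recommends before doing so, because the assistant applies every expired tag on its next pass.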

Run diagnostics to check retention policy settings

Note

This feature requires a Microsoft 365 administrator account. This feature isn't
available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or
Microsoft 365 Germany.

You can run an automated diagnostic check on a user's mailbox to check and validate
the retention policy settings configured for the user.

To run the diagnostic check, use the Run Tests: Retention Policy button in the
Microsoft 365 admin center.

A flyout page opens in the Microsoft 365 admin center. Enter the email address of the
mailbox you want to check and click Run Tests.

Default Retention Policy in Exchange Online
Article • 02/22/2023

Important

Please refer to the Microsoft 365 security center and the Microsoft Purview
compliance portal for Exchange security and compliance features. They are no
longer available in the new Exchange admin center.

Note

To proactively retain or delete mailbox content for information governance in
Microsoft 365, we recommend that you use retention policies and retention labels
from the Microsoft Purview compliance portal, instead of messaging records
management that's described on this page. However, you should continue using
messaging records management to move messages to archive mailboxes.

If you currently use messaging records management, this older feature will
continue to work side-by-side with retention policies and retention labels. However,
we recommend that going forward, you use retention policies and retention labels
instead. They provide you with a single mechanism to centrally manage both
retention and deletion of content across Microsoft 365.

Exchange creates the retention policy Default MRM Policy in your Exchange Online and
on-premises Exchange organization. The policy is automatically applied to new users in
Exchange Online. In on-premises organizations, the policy is applied when you create an
archive for the mailbox. You can change the retention policy applied to a user at any
time.

You can modify tags included in the Default MRM Policy, for example by changing the
retention age or retention actions, disable a tag, or modify the policy by adding or
removing tags from it. The updated policy is applied to mailboxes the next time they're
processed by the Managed Folder Assistant

Note

The Default MRM Policy doesn't include a default tag to automatically delete
content from the Deleted Items folder, as described in Extended email retention for
deleted items in Office 365. If you want to apply the 30-day retention or set a custom
retention period, you can do so by adding an appropriate retention tag for the
Deleted Items folder to the Default MRM Policy.

Retention tags linked to the Default MRM Policy

The following table lists the default retention tags linked to the Default MRM Policy.

Name                                        Type                       Retention age (days)   Retention action
Default 2 years move to archive             Default Policy Tag (DPT)   730                    Move to Archive
Recoverable Items 14 days move to archive   Recoverable Items folder   14                     Move to Archive
Personal 1 year move to archive             Personal tag               365                    Move to Archive
Personal 5 year move to archive             Personal tag               1,825                  Move to Archive
Personal never move to archive              Personal tag               Not applicable         Move to Archive
1 Week Delete                               Personal tag               7                      Delete and Allow Recovery
1 Month Delete                              Personal tag               30                     Delete and Allow Recovery
6 Month Delete                              Personal tag               180                    Delete and Allow Recovery
1 Year Delete                               Personal tag               365                    Delete and Allow Recovery
5 Year Delete                               Personal tag               1,825                  Delete and Allow Recovery
Never Delete                                Personal tag               Not applicable         Delete and Allow Recovery

What you can do with the Default MRM Policy

| You can... | In Exchange Online... | In Exchange Server... |
|---|---|---|
| Apply the Default MRM Policy automatically to new users | Yes, applied by default. No action is required. | Yes, applied by default if you also create an archive for the new user. If you create an archive for the user later, the policy is applied automatically only if the user doesn't have an existing Retention Policy. |
| Modify the retention age or retention action of a retention tag linked to the policy | Yes | Yes |
| Disable a retention tag linked to the policy | Yes | Yes |
| Add a retention tag to the policy | Yes | Yes |
| Remove a retention tag from the policy | Yes | Yes |
| Set another policy as the default retention policy to be applied automatically to new users | No | No |

More information
A Retention Tag can be linked to more than one Retention Policy. For details about managing Retention tags and retention policies, see Messaging Records Management Procedures.

The Default MRM Policy doesn't include a DPT to automatically delete items (but it does contain personal tags with the delete retention action that users can apply to mailbox items). If you want to automatically delete items after a specified period, you can create a DPT with the required delete action and add it to the policy. For details, see Create a Retention Policy and Add retention tags to or remove retention tags from a retention policy.

Retention policies are applied to mailbox users. The same policy applies to the user's mailbox and archive.
Default folders that support Retention Policy Tags in Exchange Online
Article • 02/22/2023

Note

To proactively retain or delete mailbox content for information governance in Microsoft 365, we recommend that you use retention policies and retention labels from the Microsoft Purview compliance portal, instead of messaging records management that's described on this page. However, you should continue using messaging records management to move messages to archive mailboxes.

If you currently use messaging records management, this older feature will
continue to work side-by-side with retention policies and retention labels. However,
we recommend that going forward, you use retention policies and retention labels
instead. They provide you with a single mechanism to centrally manage both
retention and deletion of content across Microsoft 365.

You can use Retention tags and retention policies to manage email lifecycle. Retention
Policies contain Retention Tags, which are settings you can use to specify when a
message should be automatically moved to the archive or when it should be deleted.

A Retention Policy Tag (RPT) is a type of retention tag that you can apply to default
folders in a mailbox, such as Inbox and Deleted Items.
Supported default folders
You can create RPTs for the default folders shown in the following table.

| Folder name | Details |
|---|---|
| Archive | This folder is the default destination for messages archived with the Archive button in Outlook. The Archive feature provides a fast way for users to remove messages from their Inbox without deleting them. This RPT is available only in Exchange Online. |
| Calendar | This default folder is used to store meetings and appointments. |
| Clutter | This folder contains email messages that are low priority. Clutter looks at what you've done in the past to determine the messages you're most likely to ignore. It then moves those messages to the Clutter folder. |
| Conversation History | This folder is created by Microsoft Lync (previously Microsoft Office Communicator). Although not treated as a default folder by Outlook, it's treated as a special folder by Exchange and can have RPTs applied. |
| Deleted Items | This default folder is used to store items deleted from other folders in the mailbox. Outlook and Outlook on the web (formerly known as Outlook Web App) users can manually empty this folder. Users can also configure Outlook to empty the folder upon closing Outlook. |
| Drafts | This default folder is used to store draft messages that haven't been sent by the user. Outlook on the web also uses this folder to save messages that were sent by the user but not submitted to the Hub Transport server. |
| Inbox | This default folder is used to store messages delivered to a mailbox. |
| Journal | This default folder contains actions selected by the user. These actions are automatically recorded by Outlook and placed in a timeline view. |
| Junk E-mail | This default folder is used to save messages marked as junk e-mail by the content filter on an Exchange server or by the anti-spam filter in Outlook. |
| Notes | This folder contains notes created by users in Outlook. These notes are also visible in Outlook on the web. |
| Outbox | This default folder is used to temporarily store messages sent by the user until they're submitted to a Hub Transport server. A copy of sent messages is saved in the Sent Items default folder. Because messages usually remain in this folder for a brief period, it isn't necessary to create an RPT for this folder. |
| RSS Feeds | This default folder contains RSS feeds. |
| Recoverable Items | This is a hidden folder in the Non-IPM sub-tree. It contains the Deletions, Versions, Purges, DiscoveryHolds, and Audits sub-folders. Retention tags for this folder move items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox. You can assign only the Move To Archive retention action to tags for this folder. To learn more, see Recoverable Items folder in Exchange Online. |
| Sent Items | This default folder is used to store messages that have been submitted to a Hub Transport server. |
| Sync Issues | This folder contains synchronization logs. |
| Tasks | This default folder is used to store tasks. To create an RPT for the Tasks folder, you have to use Exchange Online PowerShell. For more information, see New-RetentionPolicyTag. After the RPT for the Tasks folder is created, you can manage it by using the Exchange admin center. |

More Info
RPTs are retention tags for default folders. You can only select a delete action for
RPTs - either delete and allow recovery or permanently delete.

You can't create an RPT to move messages to the archive. To move old items to
archive, you can create a Default Policy Tag (DPT), which applies to the entire
mailbox, or Personal Tags, which are displayed in Outlook and Outlook on the web
as Archive Policies. Your users can apply them to folders or individual messages.

You can't apply RPTs to the Contacts folder.

You can only add one RPT for a particular default folder to a Retention Policy. For
example, if a retention policy has an Inbox tag, you can't add another RPT of type
Inbox to that retention policy.

To learn how to create RPTs or other types of retention tags and add them to a
retention policy, see Create a Retention Policy.

In Exchange Server and Exchange Online, a DPT also applies to the Calendar and Tasks
default folders. This may result in items being deleted or moved to the archive based
on the DPT settings. To prevent the DPT settings from deleting items in these folders,
create RPTs with retention disabled. To prevent the DPT settings from moving items in a
default folder, you can create a disabled Personal Tag with the move to archive action,
add it to the retention policy, and then have users apply it to the default folder. For
details, see Prevent archiving of items in a default folder in Exchange 2010.
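The following Exchange Online PowerShell script is an added example, not part of this article, that puts the two recommendations above into practice against the Default MRM Policy: it adds a 30-day Deleted Items RPT (the policy doesn't ship with one, as the earlier note on the Default MRM Policy points out), creates disabled RPTs for Calendar and Tasks so that a delete DPT added to the policy later can't expire items in those folders, and creates a disabled personal archive tag that users can apply to a folder to stop the archive DPT from moving its contents. It assumes an existing Connect-ExchangeOnline session; the tag names and the test mailbox address are placeholders chosen for the example.

```powershell
# Added example: extend the Default MRM Policy with folder-level (RPT) tags and a
# disabled personal archive tag. Assumes Connect-ExchangeOnline has already run.
# Tag names and the test mailbox below are placeholders, not values from the article.

$PolicyName  = 'Default MRM Policy'
$TestMailbox = 'user@contoso.com'

# A policy may link only one RPT per default folder, so collect the folder types
# already covered before creating anything.
function Get-LinkedRptFolderTypes {
    param([string]$Policy)
    foreach ($link in (Get-RetentionPolicy -Identity $Policy).RetentionPolicyTagLinks) {
        $tag = Get-RetentionPolicyTag -Identity $link.Name
        # Type is 'All' for a DPT and 'Personal' for a personal tag; anything else is an RPT.
        if ($tag.Type -notin @('All', 'Personal')) { $tag.Type.ToString() }
    }
}

$linkedTypes = @(Get-LinkedRptFolderTypes -Policy $PolicyName)

# Desired folder tags. RPTs only support delete actions, so a "do not expire" RPT is a
# delete tag with RetentionEnabled = $false: it shields the folder from a delete DPT.
$desiredRpts = @(
    @{ Name = 'RPT-DeletedItems-30d';  Type = 'DeletedItems'; AgeDays = 30;    Enabled = $true  }
    @{ Name = 'RPT-Calendar-NoDelete'; Type = 'Calendar';     AgeDays = $null; Enabled = $false }
    @{ Name = 'RPT-Tasks-NoDelete';    Type = 'Tasks';        AgeDays = $null; Enabled = $false }
)

$tagsToLink = @()
foreach ($rpt in $desiredRpts) {
    if ($linkedTypes -contains $rpt.Type) {
        Write-Warning "$PolicyName already links an RPT for $($rpt.Type); skipping $($rpt.Name)."
        continue
    }
    if (-not (Get-RetentionPolicyTag -Identity $rpt.Name -ErrorAction SilentlyContinue)) {
        $params = @{
            Name             = $rpt.Name
            Type             = $rpt.Type
            RetentionAction  = 'DeleteAndAllowRecovery'
            RetentionEnabled = $rpt.Enabled
        }
        if ($null -ne $rpt.AgeDays) { $params['AgeLimitForRetention'] = $rpt.AgeDays }
        New-RetentionPolicyTag @params | Out-Null
    }
    $tagsToLink += $rpt.Name
}

# Disabled personal tag with the archive action: users apply it to Calendar, Tasks or
# any other folder to keep the policy's archive DPT from moving those items.
$noArchiveTag = 'Personal-NoArchive'
if (-not (Get-RetentionPolicyTag -Identity $noArchiveTag -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $noArchiveTag -Type Personal -RetentionAction MoveToArchive -RetentionEnabled $false | Out-Null
}
$tagsToLink += $noArchiveTag

# -RetentionPolicyTagLinks replaces the whole list, so merge with the current links.
$tagList = (Get-RetentionPolicy -Identity $PolicyName).RetentionPolicyTagLinks
foreach ($name in $tagsToLink) {
    if ($tagList.Name -notcontains $name) {
        $tagList.Add((Get-RetentionPolicyTag -Identity $name).DistinguishedName)
    }
}
Set-RetentionPolicy -Identity $PolicyName -RetentionPolicyTagLinks $tagList

# Verify the links, then process one mailbox now instead of waiting up to seven days.
(Get-RetentionPolicy -Identity $PolicyName).RetentionPolicyTagLinks | Format-Table Name
Start-ManagedFolderAssistant -Identity $TestMailbox
```

The guard on existing RPT folder types matters because Set-RetentionPolicy rejects a second RPT for the same default folder; checking first makes the script safe to re-run. The disabled Calendar and Tasks tags have no effect on the Default MRM Policy as shipped, since its only DPT archives rather than deletes; they become relevant the moment a delete DPT is added.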
How retention age is calculated in Exchange Online
Article • 02/22/2023

Note

To proactively retain or delete mailbox content for information governance in Microsoft 365, we recommend that you use retention policies and retention labels from the Microsoft Purview compliance portal, instead of messaging records management that's described on this page. However, you should continue using messaging records management to move messages to archive mailboxes.

If you currently use messaging records management, this older feature will
continue to work side-by-side with retention policies and retention labels. However,
we recommend that going forward, you use retention policies and retention labels
instead. They provide you with a single mechanism to centrally manage both
retention and deletion of content across Microsoft 365.

The Managed Folder Assistant (MFA) is one of many mailbox assistant processes that
runs in Exchange Online. Its job is to process mailboxes that have a Retention Policy
applied, add the Retention Tags included in the policy to the mailbox, and process items
in the mailbox. If the items have a retention tag, the assistant tests the age of those
items. If an item has exceeded its retention age, it takes the specified retention action.
Retention actions include moving an item to the user's archive, deleting the item and
allowing recovery, or deleting the item permanently.

See Retention tags and retention policies for more information.

Determining the age of different types of items
The retention age of mailbox items is calculated from the date of delivery or in the case
of items like drafts that aren't delivered but created by the user, the date an item was
created. When the Managed Folder Assistant processes items in a mailbox, it stamps a
start date and an expiration date for all items that have retention tags with the Delete
and Allow Recovery or Permanently Delete retention action. Items that have an archive
tag are also stamped with a move date.

Items in the Deleted Items folder and items which may have a start and end date, such
as calendar items (meetings and appointments) and tasks, are handled differently as
shown in this table.

| If the item type is... | And the item is... | The retention age is calculated based on... |
|---|---|---|
| Email message, Document, Fax, Journal item, Meeting request, response, or cancellation, Missed call, Notes | Not in the Deleted Items folder | Delivery date or date of creation |
| Email message, Document, Fax, Journal item, Meeting request, response, or cancellation, Missed call, Notes | In the Deleted Items folder | Date of delivery or creation unless the item was deleted from a folder that does not have an inherited or implicit retention tag. If an item is in a folder that doesn't have an inherited or implicit retention tag applied, the item isn't processed by the MFA and therefore doesn't have a start date stamped by it. When the user deletes such an item, and the MFA processes it for the first time in the Deleted Items folder, it stamps the current date as the start date. |
| Calendar | Not in the Deleted Items folder | Non-recurring calendar items expire according to their end date. Recurring calendar items expire according to the end date of their last occurrence. Recurring calendar items with no end date don't expire. |
| Calendar | In the Deleted Items folder | A calendar item expires according to its message-received date, if one exists. If a calendar item doesn't have a message-received date, it expires according to its message-creation date. If a calendar item has neither a message-received date nor a message-creation date, it doesn't expire. |
| Task | Not in the Deleted Items folder | Non-recurring tasks: a non-recurring task expires according to its message-received date, if one exists. If a non-recurring task doesn't have a message-received date, it expires according to its message-creation date. If a non-recurring task has neither a message-received date nor a message-creation date, it doesn't expire. Recurring tasks: a recurring task expires according to the end date of its last occurrence. If a recurring task doesn't have an end date, it doesn't expire. A regenerating task (which is a recurring task that regenerates a specified time after the preceding instance of the task is completed) doesn't expire. |
| Task | In the Deleted Items folder | A task expires according to its message-received date, if one exists. If a task doesn't have a message-received date, it expires according to its message-creation date. If a task has neither a message-received date nor a message-creation date, it doesn't expire. |
| Contact | In any folder | Contacts aren't stamped with a start date or an expiration date, so they're skipped by the Managed Folder Assistant and don't expire. |
| Corrupted | In any folder | Corrupted items are skipped by the Managed Folder Assistant and don't expire. |

Examples

| If the user... | The retention tags on folder... | The Managed Folder Assistant... |
|---|---|---|
| Receives a message in the Inbox on 01/26/2019. Deletes the message on 02/27/2019. | Inbox: Delete in 365 days. Deleted Items: Delete in 30 days. | Processes the message in the Inbox on 01/26/2019; stamps it with a start date of 01/26/2019 and an expiration date of 01/26/2020. Processes the message again in the Deleted Items folder on 02/27/2019. It recalculates the expiration date based on the same start date (01/26/2019). Because the item is already older than 30 days, it is expired immediately. |
| Receives a message in the Inbox on 01/26/2019. Deletes the message on 02/27/2019. | Inbox: None (inherited or implicit). Deleted Items: Delete in 30 days. | Processes the message in the Deleted Items folder on 02/27/2019 and determines the item doesn't have a start date. It stamps the current date (02/27/2019) as the start date, and 03/29/2019 as the expiration date. The item is expired on 03/29/2019, which is 30 days after the user deleted or moved it to the Deleted Items folder. |
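The two rows above reduce to one rule: an item is stamped with a start date the first time the assistant processes it under a tag, that start date is never reset when the item moves, and the expiration date is recomputed from it using whichever tag now applies. The following PowerShell function is an added model of that rule, written for this page and not an Exchange cmdlet, that replays both scenarios; the dates are the constructed values from the table and the folder and tag names are illustrative.

```powershell
# Added example: a local model of how the Managed Folder Assistant (MFA) stamps a start
# date and derives an expiration date. Illustrative code only, not an Exchange cmdlet.

function Invoke-MfaPass {
    param(
        [hashtable]$Item,          # the message; StartDate/ExpirationDate/Expired are stamped on it
        [Nullable[int]]$TagDays,   # age limit of the tag in effect for the item's folder; $null = no tag
        [datetime]$Now             # date of this assistant pass
    )
    if ($null -eq $TagDays) {
        # No inherited or implicit tag on the folder: the item is skipped and nothing is stamped.
        return $Item
    }
    if (-not $Item.ContainsKey('StartDate')) {
        # First pass under a tag. A delivered item gets its received date; an item first seen
        # in Deleted Items (because its previous folder had no tag) gets the date of this pass.
        $Item.StartDate = if ($Item.Folder -eq 'Deleted Items') { $Now } else { $Item.ReceivedDate }
    }
    # The start date is never reset; only the expiration is recomputed for the current tag.
    $Item.ExpirationDate = $Item.StartDate.AddDays($TagDays)
    $Item.Expired = $Now -ge $Item.ExpirationDate
    return $Item
}

function Show-Item([hashtable]$Item, [string]$Label) {
    '{0}: start={1:MM/dd/yyyy} expires={2:MM/dd/yyyy} expired={3}' -f `
        $Label, $Item.StartDate, $Item.ExpirationDate, $Item.Expired
}

# Scenario 1: Inbox has a 365-day delete tag, Deleted Items a 30-day delete tag.
$msg = @{ ReceivedDate = [datetime]'2019-01-26'; Folder = 'Inbox' }
$msg = Invoke-MfaPass -Item $msg -TagDays 365 -Now ([datetime]'2019-01-26')
Show-Item $msg 'Scenario 1, Inbox pass'           # stamped with the received date as start
$msg.Folder = 'Deleted Items'
$msg = Invoke-MfaPass -Item $msg -TagDays 30 -Now ([datetime]'2019-02-27')
Show-Item $msg 'Scenario 1, Deleted Items pass'   # same start; the 30-day limit is already past

# Scenario 2: Inbox has no tag (inherited or implicit), Deleted Items a 30-day delete tag.
$msg2 = @{ ReceivedDate = [datetime]'2019-01-26'; Folder = 'Inbox' }
$msg2 = Invoke-MfaPass -Item $msg2 -TagDays $null -Now ([datetime]'2019-01-26')   # skipped
$msg2.Folder = 'Deleted Items'
$msg2 = Invoke-MfaPass -Item $msg2 -TagDays 30 -Now ([datetime]'2019-02-27')
Show-Item $msg2 'Scenario 2, Deleted Items pass'  # start is the pass date; 30 days still to run
```

The model deliberately ignores the seven-day processing cycle described below; in production the expiry happens on the first assistant pass after the expiration date, so add up to seven days to anything it computes.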

More Info
In Exchange Online, the Managed Folder Assistant processes a mailbox once in
seven days. This might result in items being expired up to seven days after the
expiration date stamped on the item.

Items in mailboxes placed on Retention Hold aren't processed by the Managed Folder Assistant until the Retention Hold is removed.

If a mailbox is placed on In-Place Hold or Litigation Hold, expiring items are removed from the Inbox but preserved in the Recoverable Items folder until the mailbox is removed from In-Place Hold and Litigation Hold.

In hybrid deployments, the same retention tags and retention policies must exist in
your on-premises and Exchange Online organizations in order to consistently
move and expire items across both organizations. See Export and Import Retention
Tags for more information.
Create a retention policy for Exchange Online
Article • 02/22/2023

Note

To proactively retain or delete mailbox content for data lifecycle management in Microsoft 365, we recommend that you use Microsoft 365 retention policies and retention labels from the Microsoft Purview compliance portal, instead of messaging records management that's described on this page. However, you should continue using messaging records management to move messages to archive mailboxes.

If you currently use messaging records management (MRM), this older feature will
continue to work side-by-side with Microsoft 365 retention policies and retention
labels. However, we recommend that going forward, you use Microsoft 365
retention policies and retention labels instead. They provide you with a single
mechanism to centrally manage both retention and deletion of content across
Microsoft 365.

In Exchange Online, you can use messaging records management (MRM) retention
policies to manage email lifecycle. Retention policies are applied by creating retention
tags, adding them to a retention policy, and applying the policy to mailbox users.

For additional management tasks related to retention policies, see Messaging Records
Management Procedures.

What do you need to know before you begin?
Estimated time to complete this task: 30 minutes.

Procedures in this topic require specific permissions. See each procedure for its
permissions information.

Configuration for the MRM retention policies and tags is in the Microsoft Purview
compliance portal.

Mailboxes to which you apply these retention policies must reside in Microsoft
365.
Step 1: Create a retention tag
You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Messaging records
management" entry in the Feature permissions in Exchange Online topic.

Use the Purview compliance portal to create a retention tag
1. Sign in to the Microsoft Purview compliance portal and navigate to Solutions >
Data lifecycle management > Exchange (legacy) > MRM Retention tags, and
then select + New tag.

2. On the Define how the tag will be applied page, select one of the following
options, and then select Next:

Automatically to entire mailbox (default): Select this option to create a default policy tag (DPT). You can use DPTs to create a default deletion policy and a default archive policy, which applies to all items in the mailbox.

You can't use this configuration to create a DPT to delete voice mail items. For details about how to create a DPT to delete voice mail items, see the Exchange Online PowerShell example on this page.

Automatically to default folder: Select this option to create a retention policy tag (RPT) for a default folder such as Inbox or Deleted Items, and then select the folder.

You can create RPTs only with the Delete and allow recovery or Permanently delete retention actions.

By users to items and folders (personal): Select this option to create personal tags. These tags allow Outlook and Outlook on the web (formerly known as Outlook Web App, or OWA) users to apply archive or deletion settings to a message or folders that are different from the settings applied to the parent folder or the entire mailbox.

3. On the Define retention settings page, the title and options vary depending on the
type of tag you selected. Complete the following fields, and then select Next:

Retention Period: Select one of the following options:

When the item reaches the following age (in days): Select this option and specify the number of days to retain items before they're moved or deleted. The retention age for all supported items except Calendar and Tasks is calculated from the date an item is received or created. Retention age for Calendar and Tasks items is calculated from the end date.

Never: Select this option to specify that items should never be deleted or moved to the archive.

Retention Action: Select one of the following actions to be taken after the item reaches its retention period:

Delete and allow recovery: Select this action to delete items but allow users to recover them using the Recover Deleted Items option in Outlook or Outlook on the web. Items are retained until the deleted item retention period configured for the mailbox database or the mailbox user is reached.

Permanently delete: Select this option to permanently delete the item from the mailbox database.

Important

While mailboxes or items are subject to holds such as Microsoft 365 retention policies or retention labels, or litigation hold, they won't be permanently deleted and will continue to be returned in eDiscovery searches.

Move item to archive: This action is available only if you're creating a DPT or a personal tag. Select this action to move items to the user's archive mailbox.

4. On the Name your tag page, enter a name and optional description, and then
select Next:

Name: Enter a name for the retention tag. The tag name is for display
purposes and doesn't have any impact on the folder or item a tag is applied
to. Consider that the personal tags you provision for users are available in
Outlook and Outlook on the web.

Description: Use this optional field to enter any administrative notes or comments. The field isn't displayed to users.

5. Review and submit to create the tag with your chosen configuration.
Use Exchange Online PowerShell to create a retention tag
Use the New-RetentionPolicyTag cmdlet to create a retention tag. Different options available in the cmdlet allow you to create different types of retention tags. Use the Type parameter to create a DPT (value of All), an RPT (specify a default folder type, such as Inbox) or a personal tag (value of Personal).

The following example creates a DPT to delete all messages in the mailbox after 7 years (2,556 days):

PowerShell

New-RetentionPolicyTag -Name "DPT-Corp-Delete" -Type All -AgeLimitForRetention 2556 -RetentionAction DeleteAndAllowRecovery

The following example creates a DPT to move all messages to the In-Place Archive in 2 years (730 days):

PowerShell

New-RetentionPolicyTag -Name "DPT-Corp-Move" -Type All -AgeLimitForRetention 730 -RetentionAction MoveToArchive

The following example creates a DPT to delete voice mail messages after 20 days:

PowerShell

New-RetentionPolicyTag -Name "DPT-Corp-Voicemail" -Type All -MessageClass Voicemail -AgeLimitForRetention 20 -RetentionAction DeleteAndAllowRecovery

The following example creates an RPT to permanently delete messages in the Junk Email folder after 30 days:

PowerShell

New-RetentionPolicyTag -Name "RPT-Corp-JunkMail" -Type JunkEmail -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

The following example creates a personal tag that never deletes a message (retention is disabled on the tag, so no age limit is needed):

PowerShell

New-RetentionPolicyTag -Name "Never Delete" -Type Personal -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $false
Step 2: Create a retention policy
You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Messaging records
management" entry in the Feature permissions in Exchange Online topic.

Use the Microsoft Purview compliance portal to create a retention policy
1. Sign in to the Microsoft Purview compliance portal and navigate to Solutions >
Data lifecycle management > Exchange (legacy) > MRM Retention policies, and
then select New policy.

2. On the Configure your policy page, enter a name for the retention policy, and
then select + Add tag to select the tags you want to add to this retention policy.

You can create a retention policy without adding any retention tags to it, but items
in the mailbox to which the policy is applied won't be moved or deleted. You can
also add and remove retention tags from a retention policy after it's created.

3. On the Choose retention tags page, select the tags you want, and then select Add.

A retention policy can contain the following tags:

One DPT with the Move item to archive action.

One DPT with the Delete and allow recovery or Permanently delete actions.

One DPT for voice mail messages with the Delete and allow recovery or
Permanently delete actions.

One RPT per default folder such as Inbox to delete items.

Any number of personal tags.

Note

Although you can add any number of personal tags to a retention policy, having many personal tags with different retention settings can confuse users. We recommend linking no more than ten personal tags to a retention policy.

4. Review and submit to create your retention policy with your configurations.

Use Exchange Online PowerShell to create a retention policy
The following example creates the retention policy RetentionPolicy-Corp and uses the RetentionPolicyTagLinks parameter to associate five retention tags to the policy:

PowerShell

New-RetentionPolicy "RetentionPolicy-Corp" -RetentionPolicyTagLinks "DPT-Corp-Delete","DPT-Corp-Move","DPT-Corp-Voicemail","RPT-Corp-JunkMail","Never Delete"

For detailed syntax and parameter information, see New-RetentionPolicy.

Step 3: Apply a retention policy to mailbox users
After you create a retention policy, you must apply it to mailbox users. You can apply
different retention policies to different set of users. For detailed instructions, see Apply a
retention policy to mailboxes.

How do you know this worked?

After you create retention tags, add them to a retention policy, and apply the policy to a mailbox user, the next time the MRM mailbox assistant processes the mailbox, messages are moved or deleted based on the settings you configured in the retention tags.

To verify that you have applied the retention policy, do the following:

1. Replace <Mailbox Identity> with the name, email address, or alias of the mailbox, and run the following command in Exchange Online PowerShell to run the MRM assistant manually against a single mailbox:

PowerShell

Start-ManagedFolderAssistant -Identity "<Mailbox Identity>"


2. Log on to the mailbox using Outlook or Outlook on the web and verify that
messages are deleted or moved to an archive in accordance with the policy
configuration.
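As an added example that is not part of this article, the following Exchange Online PowerShell sequence is the check a practitioner would run alongside the two steps above: it confirms which policy and tags the mailbox carries and whether a hold would block expiry, triggers the assistant, reads the assistant's ELC counters from the mailbox diagnostic log, and lists the delete and archive tag in effect on each folder. It assumes an existing Connect-ExchangeOnline session; user@contoso.com is a placeholder, and the XML layout of the MailboxLog property (Properties/MailboxTable/Property) and the set of ELC-prefixed counters it exposes are assumptions about the diagnostic log, so the script filters by prefix rather than naming individual counters.

```powershell
# Added example: verify that a retention policy has reached a mailbox and that the
# Managed Folder Assistant has processed it. Assumes Connect-ExchangeOnline has run.
$Mailbox = 'user@contoso.com'   # placeholder

# 1. Policy assignment and anything that would stop expiry (retention hold, litigation hold).
$mbx = Get-Mailbox -Identity $Mailbox
[pscustomobject]@{
    RetentionPolicy       = $mbx.RetentionPolicy
    RetentionHoldEnabled  = $mbx.RetentionHoldEnabled
    LitigationHoldEnabled = $mbx.LitigationHoldEnabled
} | Format-List

# 2. Tags the assigned policy links, with their type, age limit and action.
(Get-RetentionPolicy -Identity $mbx.RetentionPolicy).RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name } |
    Format-Table Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled -AutoSize

# 3. Process the mailbox now rather than waiting up to seven days for the scheduled pass.
Start-ManagedFolderAssistant -Identity $Mailbox

# 4. The mailbox diagnostic log carries the assistant's ELC counters (last run time,
#    items moved or deleted). Assumed layout: Properties/MailboxTable/Property; the
#    counter names vary by build, so filter on the ELC prefix instead of naming them.
$diag = Export-MailboxDiagnosticLogs -Identity $Mailbox -ExtendedProperties
([xml]$diag.MailboxLog).Properties.MailboxTable.Property |
    Where-Object { $_.Name -like 'ELC*' } |
    Format-Table Name, Value -AutoSize

# 5. Per-folder view: item counts, oldest item, and the delete/archive tag in effect.
Get-MailboxFolderStatistics -Identity $Mailbox -IncludeOldestAndNewestItems |
    Select-Object Name, ItemsInFolder, OldestItemReceivedDate, DeletePolicy, ArchivePolicy |
    Format-Table -AutoSize

# 6. Items expired with Delete and Allow Recovery land in Recoverable Items; confirm they arrived.
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Format-Table Name, ItemsInFolder, FolderSize -AutoSize
```

Run steps 4 to 6 a few minutes after step 3; the assistant runs asynchronously, so an immediate read may still show the previous pass. If step 1 shows a retention hold, nothing will expire regardless of what the tags say, which is the first thing to rule out when a policy appears not to work.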

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Add retention tags to or remove retention tags from a retention policy in Exchange Online
Article • 02/22/2023

Important

Please refer to the Microsoft 365 security center and the Microsoft Purview compliance portal for Exchange security and compliance features. They are no longer available in the new Exchange admin center.

Note

To proactively retain or delete mailbox content for information governance in Microsoft 365, we recommend that you use Microsoft 365 retention policies and retention labels from the Microsoft Purview compliance portal, instead of messaging records management that's described on this page. However, you should continue using messaging records management to move messages to archive mailboxes.

If you currently use messaging records management, this older feature will continue to work side-by-side with retention policies and retention labels. However, we recommend that going forward, you use Microsoft 365 retention policies and retention labels instead. They provide you with a single mechanism to centrally manage both retention and deletion of content across Microsoft 365.

You can add retention tags to a retention policy when the policy is created or anytime
thereafter. For details about how to create a retention policy, including how to
simultaneously add retention tags, see Create a Retention Policy.

A retention policy can contain the following retention tags:

One or more retention policy tags (RPTs) for supported default folders

One default policy tag (DPT) with the Move item to archive (compliance portal) or
Move to Archive (Classic EAC) action

One DPT with the Delete and allow recovery or Permanently delete actions
One DPT for voice mail

Any number of personal tags

For more information about retention tags, see Retention tags and retention policies.

What do you need to know before you begin?
Estimated time to completion: 10 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Messaging records
management" entry in the Feature permissions in Exchange Online topic.

Configuration to add or remove retention tags is in the Microsoft Purview compliance portal.

Retention tags aren't applied to a mailbox until they're linked to a retention policy and the Managed Folder Assistant processes the mailbox. Use the Start-ManagedFolderAssistant cmdlet to manually trigger the assistant to process a specified mailbox.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the Microsoft Purview compliance portal to add or remove retention tags
1. Sign in to the Microsoft Purview compliance portal and navigate to Solutions >
Data lifecycle management > Exchange (legacy) > MRM Retention policies.

2. In the list view, select the retention policy to which you want to add retention tags,
and then select Edit.

3. On the Configure your policy page, use the following options:

To add and remove retention tags to and from the retention policy: Select +
Add tag, and on the Choose retention tags pane, you can select new
retention tags and remove already selected retention tags. When the
required retention tags are selected, select Add.
To just remove retention tags: In the view list of retention tags, use the Delete
icon for a retention tag that you want to remove.

Use Exchange Online PowerShell to add or remove retention tags
The following example adds the retention tags VPs-Default, VPs-Inbox, and VPs-DeletedItems to the retention policy RetPolicy-VPs, which doesn't already have retention tags linked to it:

Caution

If the policy has retention tags linked to it, this command replaces the existing tags.

PowerShell

Set-RetentionPolicy -Identity "RetPolicy-VPs" -RetentionPolicyTagLinks "VPs-Default","VPs-Inbox","VPs-DeletedItems"

The following example adds the retention tag VPs-DeletedItems to the retention policy
RetPolicy-VPs, which already has other retention tags linked to it:

PowerShell

$TagList = (Get-RetentionPolicy "RetPolicy-VPs").RetentionPolicyTagLinks
$TagList.Add((Get-RetentionPolicyTag 'VPs-DeletedItems').DistinguishedName)
Set-RetentionPolicy "RetPolicy-VPs" -RetentionPolicyTagLinks $TagList

The following example removes the retention tag VPs-Inbox from the retention policy
RetPolicy-VPs:

PowerShell

$TagList = (Get-RetentionPolicy "RetPolicy-VPs").RetentionPolicyTagLinks
$TagList.Remove((Get-RetentionPolicyTag 'VPs-Inbox').DistinguishedName)
Set-RetentionPolicy "RetPolicy-VPs" -RetentionPolicyTagLinks $TagList

For detailed syntax and parameter information, see Set-RetentionPolicy and Get-RetentionPolicy.

How do you know this worked?

To verify that you have successfully added or removed a retention tag from a retention policy, use the Get-RetentionPolicy cmdlet to inspect the RetentionPolicyTagLinks property.

This example uses the Get-RetentionPolicy cmdlet to retrieve the retention tags linked to the Default MRM Policy and pipes them to the Format-Table cmdlet to output only the Name property of each tag.

PowerShell

(Get-RetentionPolicy "Default MRM Policy").RetentionPolicyTagLinks | Format-Table Name
Apply a retention policy to mailboxes in Exchange Online
Article • 02/22/2023

Note

To proactively retain or delete mailbox content for data lifecycle management in Microsoft 365, we recommend that you use retention policies and retention labels from the Microsoft Purview compliance portal, instead of messaging records management that's described on this page. However, you should continue using messaging records management to move messages to archive mailboxes.

If you currently use messaging records management, this older feature will
continue to work side-by-side with retention policies and retention labels. However,
we recommend that going forward, you use retention policies and retention labels
instead. They provide you with a single mechanism to centrally manage both
retention and deletion of content across Microsoft 365.

You can use retention policies to group one or more retention tags and apply them to
mailboxes to enforce message retention settings. A mailbox can't have more than one
retention policy.

Caution

Messages are expired based on settings defined in the retention tags linked to the policy. These settings include actions such as moving messages to the archive or permanently deleting them. Before applying a retention policy to one or more mailboxes, we recommend that you test the policy and inspect each retention tag associated with it.

For additional management tasks related to messaging records management (MRM), see Messaging Records Management Procedures.

What do you need to know before you begin?

Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Retention policies" entry in the Feature permissions in Exchange Online topic.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the new EAC to apply a retention policy to a single mailbox

1. Sign in to the new Exchange admin center and navigate to Recipients >
Mailboxes.

2. In the list view, select the mailbox to which you want to apply the retention policy.

3. In the details pane for that mailbox, select Mailbox, and then in the Retention
policy section, select Manage mailbox policies.

4. In the Mailbox policies pane, use the dropdown list box for Retention policy to
select the policy you want to apply to the mailbox, and then select Save.

Use the new EAC to apply a retention policy to multiple mailboxes

1. Sign in to the new Exchange admin center and navigate to Recipients >
Mailboxes.

2. In the list view, select the mailboxes to which you want to apply the same retention policy.

3. Above the list view, select ... for more options, and select Mailbox policies.

4. In the Mailbox policies pane, use the dropdown list box for Retention policy to
select the policy you want to apply to the multiple mailboxes, and then select Save.

Use Exchange Online PowerShell to apply a retention policy to a single mailbox

The following example applies the retention policy RP-Finance to Morris's mailbox:

PowerShell

Set-Mailbox "Morris" -RetentionPolicy "RP-Finance"

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to apply a retention policy to multiple mailboxes

The following example applies the new retention policy New-Retention-Policy to all
mailboxes that have the old policy Old-Retention-Policy:

PowerShell

$OldPolicy=(Get-RetentionPolicy "Old-Retention-Policy").distinguishedName
Get-Mailbox -Filter "RetentionPolicy -eq '$OldPolicy'" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "New-Retention-Policy"

The following example applies the retention policy RetentionPolicy-Corp to all
mailboxes in the Exchange organization:

PowerShell

Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicy-Corp"

The following example applies the retention policy RetentionPolicy-Finance to all
mailboxes in the Finance organizational unit:

PowerShell

Get-Mailbox -OrganizationalUnit "Finance" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicy-Finance"

For detailed syntax and parameter information, see Get-Mailbox and Set-Mailbox.
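The Caution above asks you to inspect each retention tag before applying a policy. The following script, an added example that is not part of the article, does that: it resolves the tags linked to a policy and shows their retention action and age limit, previews the Set-Mailbox change with -WhatIf, and then verifies the assignment. It assumes a connected Exchange Online PowerShell session; RP-Finance is the policy name used in the article, while the mailbox names and function names are hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected Exchange Online
# PowerShell session. Function names are hypothetical; "RP-Finance" is the policy
# name used in the article, the mailbox names are made up.

function Show-RetentionPolicyTags {
    param([Parameter(Mandatory)][string]$PolicyName)

    # RetentionPolicyTagLinks lists the tags linked to the policy. Resolve each one so
    # the action (MoveToArchive, DeleteAndAllowRecovery, PermanentlyDelete) and the
    # age limit are visible before the policy reaches any mailbox.
    $policy = Get-RetentionPolicy -Identity $PolicyName
    foreach ($link in $policy.RetentionPolicyTagLinks) {
        Get-RetentionPolicyTag -Identity $link |
            Select-Object Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled
    }
}

function Set-RetentionPolicyOnMailboxes {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string[]]$Mailboxes,
        [switch]$Commit
    )

    # A mailbox can hold only one retention policy, so this replaces whatever is
    # currently assigned. Without -Commit the change is only previewed (-WhatIf).
    foreach ($mbx in $Mailboxes) {
        $current = (Get-Mailbox -Identity $mbx).RetentionPolicy
        if ($current -eq $PolicyName) {
            Write-Verbose "$mbx already has $PolicyName" -Verbose
            continue
        }
        Write-Verbose "$mbx : $current -> $PolicyName" -Verbose
        if ($Commit) {
            Set-Mailbox -Identity $mbx -RetentionPolicy $PolicyName
        } else {
            Set-Mailbox -Identity $mbx -RetentionPolicy $PolicyName -WhatIf
        }
    }
}

function Test-RetentionPolicyApplied {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string[]]$Mailboxes
    )

    # Returns the mailboxes that still do NOT carry the expected policy; an empty
    # result means the assignment succeeded everywhere.
    foreach ($mbx in $Mailboxes) {
        $m = Get-Mailbox -Identity $mbx
        if ($m.RetentionPolicy -ne $PolicyName) {
            [pscustomobject]@{ Name = $m.Name; RetentionPolicy = $m.RetentionPolicy }
        }
    }
}

$targets = 'Morris', 'Anna'
Show-RetentionPolicyTags -PolicyName 'RP-Finance' | Format-Table -AutoSize
Set-RetentionPolicyOnMailboxes -PolicyName 'RP-Finance' -Mailboxes $targets           # preview only
Set-RetentionPolicyOnMailboxes -PolicyName 'RP-Finance' -Mailboxes $targets -Commit
Test-RetentionPolicyApplied -PolicyName 'RP-Finance' -Mailboxes $targets
```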

How do you know this worked?

To verify that you have applied the retention policy, run the Get-Mailbox cmdlet to
retrieve the retention policy for the mailbox or mailboxes.

The following example retrieves the retention policy for Morris's mailbox:
PowerShell

Get-Mailbox Morris | Select RetentionPolicy

The following command retrieves all mailboxes that have the retention policy RP-Finance
applied:

PowerShell

Get-Mailbox -ResultSize unlimited | Where-Object {$_.RetentionPolicy -eq "RP-Finance"} | Format-Table Name,RetentionPolicy -Auto

Place a mailbox on retention hold in Exchange Online
Article • 02/22/2023

Placing a mailbox on retention hold suspends the processing of an MRM retention
policy by the Managed Folder Assistant for that mailbox. Retention hold is designed for
situations such as a user being on vacation or away temporarily.

During retention hold, users can log on to their mailbox and change or delete items.
When you perform a mailbox search, deleted items that are past the deleted item
retention period aren't returned in search results. To make sure items changed or
deleted by users are preserved in legal hold scenarios, you must place a mailbox on
legal hold. For more information, see Create or remove an In-Place Hold.

You can also include retention comments for mailboxes you place on retention hold. The
comments are displayed in supported versions of Microsoft Outlook.

For additional management tasks related to messaging records management (MRM),
see Messaging Records Management Procedures.

What do you need to know before you begin?

Estimated time to complete: 1 minute.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Messaging records
management" entry in the Feature permissions in Exchange Online topic.

You can't use the Exchange admin center (EAC) to place a mailbox on retention
hold. You must use Exchange Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to place a mailbox on retention hold

This example places Michael Allen's mailbox on retention hold.

PowerShell

Set-Mailbox "Michael Allen" -RetentionHoldEnabled $true

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to remove retention hold for a mailbox

This example removes the retention hold from Michael Allen's mailbox.

PowerShell

Set-Mailbox "Michael Allen" -RetentionHoldEnabled $false

For detailed syntax and parameter information, see Set-Mailbox.

How do you know this worked?

To verify that you have successfully placed a mailbox on retention hold, use the
Get-Mailbox cmdlet to retrieve the RetentionHoldEnabled property of the mailbox.

This command retrieves the RetentionHoldEnabled property for Michael Allen's mailbox.

PowerShell

Get-Mailbox "Michael Allen" | Select RetentionHoldEnabled

This command retrieves all mailboxes in the Exchange organization, filters the mailboxes
that are placed on retention hold, and lists them along with the retention policy applied
to each.

Important

Because RetentionHoldEnabled isn't a filterable property in Exchange Server, you
can't use the Filter parameter with the Get-Mailbox cmdlet to filter mailboxes that
are placed on retention hold on the server side. This command retrieves a list of all
mailboxes and filters them on the client that's running the Exchange Online PowerShell
session. In large environments with thousands of mailboxes, this command may take a
long time to complete.

PowerShell

Get-Mailbox -ResultSize unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name,RetentionPolicy,RetentionHoldEnabled -Auto

Difference between ElcProcessingDisabled and RetentionHoldEnabled

ElcProcessingDisabled is another mailbox property that's related to the processing of a
mailbox by the Managed Folder Assistant (the default value for this property is False).
When the ElcProcessingDisabled property is set to True (by using the Set-Mailbox
-ElcProcessingDisabled $true command), it prevents the Managed Folder Assistant from
processing the mailbox at all. So in addition to not processing the MRM retention policy,
other functions performed by the Managed Folder Assistant, such as expiring items in
the Recoverable Items folder by marking them for permanent removal, won't be
performed. For more information, see Set-OrganizationConfig.

In contrast, when RetentionHoldEnabled is set to True, the Managed Folder Assistant will
continue to process the MRM retention policy on the mailbox (including applying
retention tags to items), but it will not expire items in folders that are visible to the user
(that is, in folders in the IPM subtree of the mailbox). However, the Managed Folder
Assistant will continue to process items in the Recoverable Items folder, including
purging expired items. So setting ElcProcessingDisabled to True is more restrictive and
has more consequences than setting the RetentionHoldEnabled property to True.

Another significant difference between these two mailbox properties is that the
ElcProcessingDisabled property can be set at the organizational level with the
Set-OrganizationConfig -ElcProcessingDisabled $true command (the default setting is
False). This means that you could prevent the Managed Folder Assistant from
processing all mailboxes in your organization. In contrast, you can only set the
RetentionHoldEnabled property on a per mailbox basis.

Keep the following things in mind when managing the ElcProcessingDisabled property
for a mailbox:

If the ElcProcessingDisabled property is set to False on a mailbox, but the
organizational setting is set to True, the organizational setting overrides the
mailbox setting and the Managed Folder Assistant won't process the mailbox.

If the ElcProcessingDisabled property is set to True on a mailbox, but the
organizational setting is set to False, the Managed Folder Assistant won't process
the mailbox.

If an Office 365 or Microsoft 365 retention policy with a Preservation Lock is
applied to a mailbox, then the setting of the ElcProcessingDisabled property (at
both the mailbox and organizational level) will be ignored. In other words, the
Managed Folder Assistant can't be disabled for any mailbox that's been assigned a
retention policy that's been locked. For more information, see Locking a retention
policy.
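The interaction between the per-mailbox and organizational ElcProcessingDisabled settings and RetentionHoldEnabled is easy to get wrong in an audit. The following script, an added example that is not part of the article, reports the effective Managed Folder Assistant state for every mailbox using the rules described above. It assumes a connected Exchange Online PowerShell session; the function name is hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected Exchange Online
# PowerShell session; the function name is hypothetical.

function Get-ManagedFolderAssistantState {
    # The org-level ElcProcessingDisabled setting overrides the per-mailbox value,
    # so read it once from the organization configuration.
    $orgElcDisabled = [bool](Get-OrganizationConfig).ElcProcessingDisabled

    # RetentionHoldEnabled isn't filterable server-side (see the Important note
    # above), so retrieve every mailbox and filter on the client. Slow in large tenants.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbxElcDisabled = [bool]$_.ElcProcessingDisabled
        $hold           = [bool]$_.RetentionHoldEnabled

        # Effective behaviour as described in the article: ELC disabled (at either
        # level) stops the assistant entirely, including Recoverable Items expiry;
        # retention hold keeps the policy running but suspends expiry of items in
        # user-visible (IPM subtree) folders. A Preservation Lock retention policy
        # would override ELC disabled, but that isn't visible from Get-Mailbox, so
        # it is not modelled here.
        $effective = if ($orgElcDisabled -or $mbxElcDisabled) {
            'Not processed by Managed Folder Assistant'
        } elseif ($hold) {
            'Policy applied; IPM expiry suspended; Recoverable Items still purged'
        } else {
            'Normal processing'
        }

        [pscustomobject]@{
            Name                  = $_.Name
            RetentionPolicy       = $_.RetentionPolicy
            RetentionHoldEnabled  = $hold
            ElcProcessingDisabled = $mbxElcDisabled
            OrgElcDisabled        = $orgElcDisabled
            Effective             = $effective
        }
    }
}

# Show only mailboxes that deviate from normal processing.
Get-ManagedFolderAssistantState |
    Where-Object { $_.Effective -ne 'Normal processing' } |
    Format-Table Name, RetentionPolicy, RetentionHoldEnabled, ElcProcessingDisabled, OrgElcDisabled, Effective -AutoSize
```
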
Journaling in Exchange Online
Article • 01/26/2023

Important

Please refer to the Microsoft 365 security center and the Microsoft Purview
compliance portal for Exchange security and compliance features. They are no
longer available in the new Exchange admin center .

When possible, we recommend that you use Microsoft 365 retention to archive and
manage data in-place to meet your compliance requirements. However, some
organizations might need to use a third-party solution to receive a copy of emails for
storage or other scenarios. Configure journaling to store that data outside Exchange.

Considerations for journaling

Journaling is an older feature from Exchange that moves data outside Microsoft 365, so
you must take extra precautions to secure it and also resolve any duplication that might
result from this solution. It will be your responsibility to monitor and follow up on any
non-delivery receipts to the journaling mailbox that can occur because of external and
dependent services.

You don't have these additional administrative overheads when you use Microsoft 365
retention and other Microsoft Purview compliance solutions that keep the data within
your tenant. As a more modern compliance solution, they aren't restricted to just email
but can also manage today's array of communication and productivity apps, such as
Microsoft Teams.

Journal rules
The following are key aspects of journal rules:

Journal rule scope: Defines which messages are journaled by the Journaling agent.
Journal recipient: Specifies the SMTP address of the recipient you want to journal.
Journaling mailbox: Specifies one or more mailboxes used for collecting journal
reports.

In Exchange Online, there's a limit to the number of journal rules that you can create.
For details, see Journal, Transport, and Inbox rule limits.

Journal rule scope
You can use a journal rule to journal only internal messages, only external messages, or
both. The following list describes these scopes:

Internal messages only: Journal rules with the scope set to journal internal
messages sent between the recipients inside your Exchange organization.
External messages only¹: Journal rules with the scope set to journal external
messages sent to recipients or received from senders outside your Exchange
organization.
All messages: Journal rules with the scope set to journal all messages that pass
through your organization regardless of origin or destination. These include
messages that may have already been processed by journal rules in the Internal
and External scopes.

¹ If the sender and recipients are both in accepted domains of the same organization, the
messages are not honored as external, even if the x-ms-exchange-crosstenant-authas
header in the messages has the value anonymous. Accordingly, these messages are not
journaled as external.

Journal recipient
You can implement targeted journaling rules by specifying the SMTP address of the
recipient you want to journal. The recipient can be a mailbox, distribution group,
dynamic distribution group, mail user, or contact. These recipients may be subject to
regulatory requirements, or they may be involved in legal proceedings where email
messages or other communications are collected as evidence. By targeting specific
recipients or groups of recipients, you can easily configure a journaling environment
that matches your organization's processes and meets regulatory and legal
requirements. Targeting only the specific recipients that need to be journaled also
minimizes storage and other costs associated with retention of large amounts of data.

All messages sent to or from the journaling recipients you specify in a journaling rule are
journaled. If you specify a distribution group as the journaling recipient, all messages
sent to or from members of the distribution group are journaled. If you don't specify a
journaling recipient, all messages sent to or from recipients that match the journal rule
scope are journaled.

Note

The SMTP address specified for the journaling recipient cannot contain a wildcard
character. For example, the SMTP address cannot be listed as *@contoso.com.

Journaling mailbox
The journaling mailbox is used to collect journal reports. How you configure the
journaling mailbox depends on your organization's policies, regulatory requirements,
and legal requirements. You can specify one journaling mailbox to collect messages for
all the journal rules configured in the organization, or you can use different journaling
mailboxes for different journal rules or sets of journal rules.

You can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver
journal reports to an on-premises archiving system or a third-party archiving service. If
you're running an Exchange hybrid deployment with your mailboxes split between on-
premises servers and Exchange Online, you can designate an on-premises mailbox as
the journaling mailbox for your Exchange Online and on-premises mailboxes.

Journaling mailboxes contain sensitive information. You must secure journaling
mailboxes because they collect messages that are sent to and from recipients in your
organization. These messages may be part of legal proceedings or may be subject to
regulatory requirements. Various laws require that messages remain tamper-free before
they're submitted to an investigatory authority. We recommend that you create policies
that govern who can access the journaling mailboxes in your organization, limiting
access to only those individuals who have a direct need to access them. Speak with your
legal representatives to make sure that your journaling solution complies with all the
laws and regulations that apply to your organization.

Important

If you've configured a journaling rule to send the journal reports to a journaling
mailbox that doesn't exist or is an invalid destination, the journal report remains in
the transport queue on Microsoft datacenter servers. If this happens, Microsoft
datacenter personnel will attempt to contact your organization and ask you to fix
the problem so that the journal reports can be successfully delivered to a journaling
mailbox. If you haven't resolved the issue after two days of being contacted,
Microsoft will disable the problematic journaling rule.

Alternate journaling mailbox

When the journaling mailbox is unavailable, you may not want the undeliverable journal
reports to collect in mail queues on Mailbox servers. Instead, you can configure an
alternate journaling mailbox to store those journal reports. The alternate journaling
mailbox receives the journal reports as attachments in the non-delivery reports (also
known as NDRs or bounce messages) generated when the journaling mailbox or the
server on which it's located refuses delivery of the journal report or becomes
unavailable. As with the journaling mailbox, you can't designate an Exchange Online
mailbox as an alternate journaling mailbox.

When the journaling mailbox becomes available again, you can use the Send Again
feature in Outlook to submit journal reports for delivery to the journaling mailbox.

When you configure an alternate journaling mailbox, all the journal reports that are
rejected or can't be delivered across your entire Exchange organization are delivered to
the alternate journaling mailbox. Therefore, it's important to make sure that the
alternate journaling mailbox and the Mailbox server where it's located can support many
journal reports.

Caution

If you configure an alternate journaling mailbox, you must monitor the mailbox to
make sure that it doesn't become unavailable at the same time as the journal
mailboxes. If the alternate journaling mailbox also becomes unavailable or rejects
journal reports at the same time, the rejected journal reports are lost and can't be
retrieved. Due to existing limits on receiving email for Exchange Online
mailboxes, configuring the alternate journaling mailbox to be an Exchange Online
mailbox is not supported.

Because the alternate journaling mailbox collects all the rejected journal reports for the
entire Exchange Online organization, you must make sure that this doesn't violate any
laws or regulations that apply to your organization. If laws or regulations prohibit your
organization from allowing journal reports sent to different journaling mailboxes from
being stored in the same alternate journaling mailbox, you may be unable to configure
an alternate journaling mailbox. Discuss this with your legal representatives to
determine whether you can use an alternate journaling mailbox.

When you configure an alternate journaling mailbox, you should use the same criteria
that you used when you configured the journaling mailbox.

Important

The alternate journaling mailbox should be treated as a special dedicated mailbox.
Any messages addressed directly to the alternate journaling mailbox aren't
journaled.

Journal reports
A journal report is the message that the Journaling agent generates when a message
matches a journal rule and is to be submitted to the journaling mailbox. The original
message that matches the journal rule is included unaltered as an attachment to the
journal report. The body of a journal report contains information from the original
message such as the sender email address, message subject, message-ID, and recipient
email addresses. This is also referred to as envelope journaling, and is the only
journaling method supported by Microsoft 365 and Office 365.

Journal reports and IRM-protected messages

When implementing journaling, you must consider journaling reports and IRM-protected
messages. IRM-protected messages will affect the search and discovery
capabilities of third-party archiving systems that don't have RMS support built in. In
Microsoft 365 and Office 365, you can configure journal report decryption to save a
clear-text copy of the message in a journal report. The messages and attachments are
decrypted if the encryption originates from the organization. Journaling doesn't decrypt
items that are encrypted by external organizations.

To enable journal report decryption for the organization, complete these steps.

1. On your local computer, using a work or school account that has global
administrator or compliance admin permissions in your organization, connect to
Exchange Online PowerShell.

2. Run the Set-IRMConfiguration cmdlet to enable journal report decryption.

PowerShell

Set-IRMConfiguration -JournalReportDecryptionEnabled $true

Set the JournalReportDecryptionEnabled parameter to true to enable decryption. Set
the parameter to false to disable decryption.

Important

Journal report decryption doesn't currently support the explicit use of OME
branding templates. If you use a mail flow rule (also known as a transport rule) to
apply an OME branding template, the journal report won't contain a decrypted
copy of the message. Currently, journal report decryption only works with the
default OME branding template that's applied without a mail flow rule by Exchange
Online. In other words, the branding template applied by OME implicitly on
messages.

Troubleshooting
When a message matches the scope of multiple journal rules, all matching rules will be
triggered.

If the matching rules are configured with different journal mailboxes, a journal
report will be sent to each journal mailbox.
If the matching rules are all configured with the same journal mailbox, only one
journal report is sent to the journal mailbox.

Journaling always identifies messages as internal if the email address in the SMTP MAIL
FROM command is in a domain that's configured as an accepted domain in Exchange
Online. These messages include spoofed messages from external sources (messages
where the X-MS-Exchange-Organization-AuthAs header value is also Anonymous).
Therefore, journal rules that are scoped to external messages won't be triggered by
spoofed messages with SMTP MAIL FROM email addresses in accepted domains.

Duplicate journal report scenarios in a hybrid Exchange environment

In a hybrid Exchange environment, the following scenarios are known to result in
duplicate journal reports and these are considered by design:

1. Cloud to cloud: Any situations where email is forked will lead to duplicate
journaling, such as:

Transport chipping (too many recipients on the message).

Internal and external recipients exist on the same message – two forks are
created for spam/phishing purposes (one in which internal recipients exist,
and one in which external recipients exist).

Any future needs where the cloud needs to fork the message.

2. On-premises to cloud: Once when on-premises journals and once when the cloud
journals. This can be prevented by implementing the PreventDupJournaling flight
in an Exchange Online tenant. To enable this flight, you need to open a support
ticket with Microsoft.

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange
Online or Exchange Online Protection.

If you're having trouble with the JournalingReportDNRTo mailbox, see Transport and
Mailbox Rules in Exchange Online don't work as expected.

Manage journaling in Exchange Online
Article • 02/22/2023

This article shows you how to perform basic tasks related to managing the older
compliance feature of journaling in Exchange Online. They're necessary only if you have
to store email outside Exchange Online. Make sure you're aware of the limitations and
considerations of this older feature before you configure any new journaling rules.

What do you need to know before you begin?

Estimated time to complete each procedure: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Journaling" entry in the
Feature permissions in Exchange Online article.

Currently, you can use either the Microsoft Purview compliance portal or the
Classic Exchange admin center (EAC) to manage journaling in Exchange Online.

You need to have a journaling mailbox and an alternate journaling mailbox
configured. For more information, see Configure Journaling in Exchange Online.

In Exchange Online, there's a limit to the number of journal rules that you can
create. For details, see Journal, Transport, and Inbox rule limits.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection. If you're having trouble with
the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in
Exchange Online don't work as expected.

Create a journal rule

Important

If your organization is set up in a hybrid deployment, you must configure any
journaling rules twice; once in on-premises Exchange Server and an identical rule in
Exchange Online. If you don't, some messages might not be journaled.

Use the Purview compliance portal to create a journal rule

1. In the Microsoft Purview compliance portal , navigate to Solutions > Data
lifecycle management > Exchange (legacy) > Journal rules, and then select +
New rule.

2. On the Define journal rule settings page, provide a name for the journal rule and
then complete the following fields:

Send journal reports to: Type the address of the journaling mailbox that will
receive all the journal reports.

Note

You can also type the display name or alias of a mail user or a mail
contact as the journal mailbox. In this case, journal reports will be sent to
the external email address of the mail user or mail contact. But as
previously explained, the external email address of a mail user or mail
contact can't be the address of an Exchange Online mailbox.

Journal rule name: Enter the name of this new journal rule.

Journal messages sent or received from: Specify the recipient that the rule
will target. You can either apply the rule to all messages, or select a specific
recipient.

Type of message to journal: Specify the scope of the journal rule. You can
journal all messages regardless of origin or destination, internal messages
only, or external messages only.

3. Select Next, review the settings, and then Submit to create the journal rule.

Use the classic EAC to create a journal rule

1. In the Classic EAC, navigate to Compliance management > Journal rules, and then
click Add .

2. In Journal rule, provide a name for the journal rule and then complete the
following fields:

If the message is sent to or received from: Specify the recipient that the rule
will target. You can either select a specific recipient or apply the rule to all
messages.

Journal the following messages: Specify the scope of the journal rule. You
can journal only the internal messages, only the external messages, or all
messages regardless of origin or destination.

Send journal reports to: Type the address of the journaling mailbox that will
receive all the journal reports.

Note

You can also type the display name or alias of a mail user or a mail
contact as the journal mailbox. In this case, journal reports will be sent to
the external email address of the mail user or mail contact. But as
previously explained, the external email address of a mail user or mail
contact can't be the address of an Exchange Online mailbox.

3. Click Save to create the journal rule.

Use Exchange Online PowerShell to create a journal rule

This example creates the journal rule Discovery Journal Recipients to journal all
messages sent from and received by the recipient user1@contoso.com.

PowerShell

New-JournalRule -Name "Discovery Journal Recipients" -Recipient user1@contoso.com -JournalEmailAddress "Journal Mailbox" -Scope Global -Enabled $True

How do you know this worked?

To verify that you have successfully created the journal rule, do one of the following:

From the admin portal you used to create the journaling rule, verify that the new
journal rule you created is listed on the Journal rules tab.

From Exchange Online PowerShell, verify that the new journal rule exists by
running the following command (the example below verifies the rule created in
Exchange Online PowerShell example above):

PowerShell
Get-JournalRule -Identity "Discovery Journal Recipients"
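The prerequisites listed earlier (a journaling mailbox that isn't an Exchange Online mailbox, plus an alternate journaling mailbox) are easy to skip when creating rules from a script. The following added example, which is not part of the article, checks a journaling target's recipient type, refuses to create a rule until an alternate journaling mailbox is configured, and then creates and verifies the rule. It assumes a connected Exchange Online PowerShell session and uses the JournalingReportNdrTo setting of Get-/Set-TransportConfig for the alternate journaling mailbox; the addresses and function names are hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected Exchange Online
# PowerShell session. The function names and all addresses are hypothetical; the
# alternate journaling mailbox is read/set via the JournalingReportNdrTo setting of
# Get-/Set-TransportConfig (the article calls it the JournalingReportDNRTo mailbox).

function Test-JournalingTarget {
    param([Parameter(Mandatory)][string]$Address)

    # A journaling mailbox (or the alternate one) can't be an Exchange Online
    # mailbox. A mail user or mail contact pointing to an external address is fine;
    # a UserMailbox in the tenant is not.
    $rcpt = Get-Recipient -Identity $Address -ErrorAction SilentlyContinue
    if (-not $rcpt) {
        return "$Address is not a recipient object in this tenant (acceptable as an external SMTP address)"
    }
    if ($rcpt.RecipientType -eq 'UserMailbox') {
        return "$Address is an Exchange Online mailbox and can't be used as a journaling target"
    }
    return "$Address is a $($rcpt.RecipientType) and is an acceptable journaling target"
}

function New-ScopedJournalRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$JournalEmailAddress,
        [ValidateSet('Global', 'Internal', 'External')][string]$Scope = 'Global',
        [string]$Recipient   # optional SMTP address of the mailbox or group to target
    )

    # Without an alternate journaling mailbox, rejected journal reports sit in the
    # transport queue and Microsoft may eventually disable the rule, so refuse to
    # create one until JournalingReportNdrTo is set (its empty value is "<>").
    $ndrTo = (Get-TransportConfig).JournalingReportNdrTo
    if (-not $ndrTo -or "$ndrTo" -eq '<>') {
        throw 'Configure an alternate journaling mailbox first: Set-TransportConfig -JournalingReportNdrTo <address>'
    }

    $params = @{
        Name                = $Name
        JournalEmailAddress = $JournalEmailAddress
        Scope               = $Scope
        Enabled             = $true
    }
    # No -Recipient means every message matching the scope is journaled.
    if ($Recipient) { $params['Recipient'] = $Recipient }
    New-JournalRule @params | Out-Null

    # Verify the rule exists with the intended settings (same check as the article).
    Get-JournalRule -Identity $Name |
        Select-Object Name, Recipient, JournalEmailAddress, Scope, Enabled
}

Test-JournalingTarget -Address 'journal@archive.example.com'
Test-JournalingTarget -Address 'journal-ndr@archive.example.com'
Set-TransportConfig -JournalingReportNdrTo 'journal-ndr@archive.example.com'
New-ScopedJournalRule -Name 'Finance Journal Rule' -Recipient 'finance@contoso.com' `
    -JournalEmailAddress 'journal@archive.example.com' -Scope Global
```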

View or modify a journal rule

Use the Purview compliance portal to view or modify a journal rule

1. In the Microsoft Purview compliance portal , navigate to Solutions > Data
lifecycle management > Exchange (legacy) > Journal rules.

2. In the list view, you'll see all the journal rules in your organization.

3. Select the rule you want to view or modify, and select Edit.

4. On the Define journal rule settings page, modify the settings you want, select
Next, and Submit. For more information about the settings, see the previous
procedure to create a journal rule.

Use the classic EAC to view or modify a journal rule

1. Sign in to the Classic EAC and navigate to Compliance management > Journal
rules.

2. In the list view, you'll see all the journal rules in your organization.

3. Double-click the rule you want to view or modify.

4. In Journal Rule, modify the settings you want. For more information about the
settings in this dialog box, see the previous procedure to create a journal rule.

Use Exchange Online PowerShell to view or modify a journal rule

This example displays a summary list of all journal rules in the Exchange organization:

PowerShell

Get-JournalRule

This example retrieves the journal rule Brokerage Journal Rule, and pipes the output to
the Format-List command to display rule properties in a list format:
PowerShell

Get-JournalRule -Identity "Brokerage Journal Rule" | Format-List

If you want to modify the properties of a specific rule, you need to use the
Set-JournalRule cmdlet. This example changes the name of the journal rule JR-Sales to
TraderVault. The following rule settings are also changed:

Recipient

JournalEmailAddress

Scope

PowerShell

Set-JournalRule -Identity "JR-Sales" -Name TraderVault -Recipient traders@woodgrovebank.com -JournalEmailAddress tradervault@woodgrovebank.com -Scope Internal

How do you know this worked?

To verify that you have successfully modified a journal rule, do one of the following:

From the admin portal where you modified the journal rule, on the Journal rules
tab, double-click the rule you modified and verify your changes were saved.

From Exchange Online PowerShell, verify that you modified the journal rule
successfully by running the following command. This command will list the
properties you modified along with the name of the rule (the example below
verifies the rule modified in Exchange Online PowerShell example above):

PowerShell

Get-JournalRule -Identity "TraderVault" | Format-List Name,Recipient,JournalEmailAddress,Scope

Enable or disable a journal rule

Important

When you disable a journal rule, the journaling agent will stop journaling messages
targeted by that rule. While a journal rule is disabled, any messages that would
have normally been journaled by the rule aren't journaled. Make sure that you
don't compromise the regulatory or compliance requirements of your organization
by disabling a journaling rule.

Use the Microsoft Purview compliance portal to enable or disable a journal rule

1. In the Microsoft Purview compliance portal , navigate to Solutions > Data
lifecycle management > Exchange (legacy) > Journal rules.

2. In the list view, next to the rule's name, select the check box and then select
Disable or Enable to enable the rule or disable the rule.

Use the classic EAC to enable or disable a journal rule

1. In the Classic EAC, navigate to Compliance management > Journal rules.

2. In the list view, in the On column next to the rule's name, select the check box to
enable the rule or clear it to disable the rule.

Use Exchange Online PowerShell to enable or disable a journal rule

This example enables the rule Contoso Journal Rule.

PowerShell

Enable-JournalRule -Identity "Contoso Journal Rule"

This example disables the rule Contoso Journal Rule.

PowerShell

Disable-JournalRule -Identity "Contoso Journal Rule"

How do you know this worked?

To verify that you have successfully enabled or disabled a journal rule, do one of the
following:

From the Microsoft Purview compliance portal, view the list of journal rules and
use the Status column to confirm whether the rule is enabled (On) or disabled
(Off).

From the Classic EAC, view the list of journal rules and check the status of the check
box in the On column.

From Exchange Online PowerShell, run the following command to return a list of
all journal rules in your organization along with their status:

PowerShell

Get-JournalRule | Format-Table Name,Enabled

Remove a journal rule

Use the Microsoft Purview compliance center to remove a journal rule

1. In the Microsoft Purview compliance portal , navigate to Solutions > Data
lifecycle management > Exchange (legacy) > Journal rules.

2. In the list view, select the rule you want to remove, and then select Delete.

Use the classic EAC to remove a journal rule

1. In the Classic EAC, navigate to Compliance management > Journal rules.

2. In the list view, select the rule you want to remove, and then click Delete.

Use Exchange Online PowerShell to remove a journal rule

This example removes the rule Brokerage Journal Rule.

PowerShell

Remove-JournalRule -Identity "Brokerage Journal Rule"


How do you know this worked?

To verify that you have successfully removed the journal rule, do one of the following:

From the admin portal you used, verify that the rule you removed is no longer
listed on the Journal rules tab after you've refreshed the page.

From Exchange Online PowerShell, run the following command to verify that the
rule you removed is no longer listed:

PowerShell

Get-JournalRule
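Because a removed journal rule cannot be recovered from the service, the added example below (not part of the Microsoft documentation) saves the settings that New-JournalRule needs before calling Remove-JournalRule, then performs the verification described above and offers a restore path. It assumes an Exchange Online PowerShell session and uses the rule name Brokerage Journal Rule from this page; the backup folder is a placeholder.

```powershell
# Added example, not from the Microsoft documentation. Assumes an Exchange
# Online PowerShell session; the backup folder path is a placeholder.

function Remove-JournalRuleWithBackup {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $BackupFolder = "$env:USERPROFILE\JournalRuleBackups"
    )

    $rule = Get-JournalRule -Identity $Identity -ErrorAction Stop
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

    # Save the settings New-JournalRule needs so the rule can be recreated later.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safe   = $rule.Name -replace '[^\w\-]', '_'
    $backup = Join-Path $BackupFolder ("{0}-{1}.xml" -f $safe, $stamp)
    $rule | Select-Object Name, JournalEmailAddress, Scope, Recipient, Enabled |
        Export-Clixml -Path $backup

    Remove-JournalRule -Identity $Identity -Confirm:$false

    # Verify, as the text above describes: the rule must be gone from the list.
    $stillThere = Get-JournalRule | Where-Object { $_.Name -eq $rule.Name }
    if ($stillThere) {
        throw "Journal rule '$($rule.Name)' still exists after removal."
    }
    Write-Host "Removed '$($rule.Name)'; settings saved to $backup"
    return $backup
}

# Recreate a rule from a backup file written by the function above.
function Restore-JournalRuleFromBackup {
    param([Parameter(Mandatory)] [string] $Path)
    $r = Import-Clixml -Path $Path
    $params = @{
        Name                = $r.Name
        JournalEmailAddress = "$($r.JournalEmailAddress)"
        Scope               = "$($r.Scope)"
        Enabled             = [bool]$r.Enabled
    }
    if ($r.Recipient) { $params.Recipient = "$($r.Recipient)" }
    New-JournalRule @params
}

# Usage with the rule name from this page:
$backupFile = Remove-JournalRuleWithBackup -Identity 'Brokerage Journal Rule'
# Later, if the removal turns out to be a mistake:
# Restore-JournalRuleFromBackup -Path $backupFile
```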

For more information

New-JournalRule

Get-JournalRule

Set-JournalRule

Enable-JournalRule

Disable-JournalRule

Remove-JournalRule

Configure Journaling in Exchange Online
Article • 02/22/2023

Journaling is an older compliance feature of Exchange that allows you to meet your
organization's archiving requirements when you must store emails outside Exchange
Online.

You can create journal rules and have messages matching the rule's conditions delivered
to the journaling address specified in the rule. For more information about journaling,
including the limitations and considerations for using this older feature, see Journaling
in Exchange Online.

Here are two things you need to know before you start creating journal rules.

Specify a journaling mailbox

A journaling mailbox is the mailbox or recipient that receives journal reports for
messages that match a journal rule's conditions. You can specify different journaling
mailboxes for different journal rules. For example, you can create a journal rule to
journal messages sent or received by users in Europe and another one to journal
messages sent or received by users in North America, and configure each rule to
deliver journal reports to an address in their own geography. Or configure different
journal rules for users in the Finance and Legal departments and similarly, have the
journal reports delivered to different addresses.

Exchange Online doesn't support delivering journal reports to an Exchange Online
mailbox. You must specify the email address of an on-premises archiving system or a
third-party archiving service as the journaling mailbox.

Important

If you've configured a journaling rule to send the journal reports to a journaling
mailbox that doesn't exist or is an invalid destination, the journal report remains in
the transport queue on Microsoft datacenter servers; delivery of queued items is
periodically retried. If this happens, Microsoft datacenter personnel will attempt to
contact your organization and ask you to fix the problem so that the journal reports
can be successfully delivered to a journaling mailbox. If you haven't resolved the
issue after two days of being contacted, Microsoft will disable the problematic
journaling rule.

Specify an alternate journaling mailbox for undeliverable journal reports

As previously explained, undeliverable journal reports are queued on Microsoft
datacenter servers and will be retried periodically until the MessageExpirationTimeout.
After expiration, undeliverable journal reports can't be returned to the sender in a non-
delivery report (also known as an NDR or bounce message) because the sender is the
Exchange Online service. To handle the NDRs for undelivered journal reports, you must
specify an alternate journaling mailbox that accepts the NDRs for all undeliverable
journal reports. Like the journaling mailbox, the alternate journaling mailbox can't be an
Exchange Online mailbox.

The original journal report is an attachment in the NDR. When the journaling mailbox
for an undelivered journal report becomes available again, you can use the Send Again
feature in Outlook on the NDRs in the alternate journaling mailbox to send the
unaltered delivery report to the journaling mailbox.
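The two requirements in this section (journal reports and their NDRs must go to an address outside Exchange Online, and an alternate journaling mailbox must be set) can both be checked from Exchange Online PowerShell. The example below is added here and is not part of the Microsoft documentation; it assumes an existing session, treats a mail contact or mail user pointing at the external archive as acceptable (an assumption about how the archive address is represented in the tenant), and uses a placeholder archive address.

```powershell
# Added example, not from the Microsoft documentation. Assumes an Exchange
# Online PowerShell session. The archive address below is a placeholder.

function Test-ExternalJournalAddress {
    param([Parameter(Mandatory)] [string] $Address)
    # Journal reports and their NDRs must land in an on-premises or third-party
    # archive, so an address that resolves to a mailbox or group in this tenant
    # is rejected. Assumption: a mail contact or mail user whose external
    # address points at the archive is an acceptable way to represent it.
    $recipient = Get-Recipient -Identity $Address -ErrorAction SilentlyContinue
    if ($null -eq $recipient) { return $true }      # not a tenant recipient at all
    return "$($recipient.RecipientTypeDetails)" -in @('MailContact', 'MailUser')
}

function Set-JournalNdrMailbox {
    param([Parameter(Mandatory)] [string] $Address)
    if (-not (Test-ExternalJournalAddress -Address $Address)) {
        throw "'$Address' is an Exchange Online recipient; the alternate journaling mailbox must be external."
    }
    Set-TransportConfig -JournalingReportNdrTo $Address
    # Read the value back so the change is confirmed, not assumed.
    "$((Get-TransportConfig).JournalingReportNdrTo)"
}

function Get-JournalAddressReport {
    # One row per journal rule target plus one for the NDR fallback address.
    $rows = @(foreach ($rule in Get-JournalRule) {
        $target = "$($rule.JournalEmailAddress)"
        [pscustomobject]@{
            Item       = "Rule: $($rule.Name)"
            Address    = $target
            Enabled    = $rule.Enabled
            IsExternal = Test-ExternalJournalAddress -Address $target
        }
    })

    # Get-TransportConfig shows "<>" when no alternate journaling mailbox is set.
    $ndrTo  = "$((Get-TransportConfig).JournalingReportNdrTo)"
    $ndrSet = ($ndrTo -ne '' -and $ndrTo -ne '<>')
    $ndrExternal = $false
    if ($ndrSet) { $ndrExternal = Test-ExternalJournalAddress -Address $ndrTo }
    $rows += [pscustomobject]@{
        Item       = 'JournalingReportNdrTo (alternate journaling mailbox)'
        Address    = $ndrTo
        Enabled    = $ndrSet
        IsExternal = $ndrExternal
    }
    $rows
}

# Usage (placeholder archive address):
Set-JournalNdrMailbox -Address 'journal-ndr@archive.example.com'
Get-JournalAddressReport | Format-Table -AutoSize
```

A row with IsExternal set to False, or an NDR row with Enabled set to False, is the condition that leads to the queued and eventually disabled rules described in the Important note above.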

Enable or disable journaling of voice mail and missed call notifications in Exchange Online
Article • 02/22/2023

In Exchange Online, when you create a journal rule to journal email messages sent to or
from recipients or senders in an Exchange organization, voice mail and missed call
notifications generated by the Unified Messaging (UM) service are included. Use the
procedures in this topic to turn this feature on or off for your entire organization.

Important

When voice mail journaling is disabled, the following message classes won't be
journaled. It's important to be aware that messages that are "spoofed" using these
message classes will not be journaled.

text

"IPM.Note.Microsoft.Voicemail.UM"
"IPM.Note.Microsoft.Voicemail.UM.CA"
"IPM.Note.Microsoft.Missed.Voice"
"IPM.Note.rpmsg.Microsoft.Voicemail.UM.CA"
"IPM.Note.rpmsg.Microsoft.Voicemail.UM"

What do you need to know before you begin?

Estimated time to complete: 5 minutes.

Use PowerShell to disable or enable journaling of voice mail and missed call
notifications. For information about how to connect to Exchange Online PowerShell, see
Connect to Exchange Online PowerShell.

The following command disables journaling of voice mail and missed call notifications
by setting the VoicemailJournalingEnabled parameter to $false .

PowerShell

Set-TransportConfig -VoicemailJournalingEnabled $false


The following command enables the journaling of voice mail and missed call
notifications by setting the VoicemailJournalingEnabled parameter to $true .

PowerShell

Set-TransportConfig -VoicemailJournalingEnabled $true

For detailed syntax and parameter information, see Set-TransportConfig.



S/MIME for message signing and encryption in Exchange Online
Article • 02/22/2023

S/MIME (Secure/Multipurpose internet Mail Extensions) is a widely accepted protocol
for sending digitally signed and encrypted messages. S/MIME in Exchange Online
provides the following services for email messages:

Encryption: Protects the content of email messages.

Digital signatures: Verifies the identity of the sender of an email message.

The rest of this article generally describes S/MIME and how these services work.

To configure S/MIME in Exchange Online, see the following topics:

Configure S/MIME in Exchange Online

S/MIME for Outlook for iOS and Android

S/MIME digital signatures

Digital signatures are the more commonly used service of S/MIME. As the name
suggests, digital signatures are the digital counterpart to the traditional, legal signature
on a paper document. As with a legal signature, digital signatures provide the following
security capabilities:

Authentication: A signature serves to validate an identity. It verifies the answer to
"who are you" by providing a means of differentiating that entity from all others
and proving its uniqueness. Because there is no authentication in SMTP email,
there is no way to know who sent a message. Authentication in a digital signature
solves this problem by allowing a recipient to know that a message was sent by the
person or organization who claims to have sent the message.

Nonrepudiation: The uniqueness of a signature prevents the owner of the
signature from disowning the signature. This capability is called nonrepudiation.
Thus, the authentication that a signature provides gives the means to enforce
nonrepudiation. The concept of nonrepudiation is most familiar in the context of
paper contracts: a signed contract is a legally binding document, and it is
impossible to disown an authenticated signature. Digital signatures provide the
same function and, increasingly in some areas, are recognized as legally binding,
similar to a signature on paper. Because SMTP email does not provide a means of
authentication, it cannot provide nonrepudiation. It is easy for a sender to disavow
ownership of an SMTP email message.

Data integrity: An additional security service that digital signatures provide is data
integrity. Data integrity is a result of the specific operations that make digital
signatures possible. With data integrity services, when the recipient of a digitally
signed email message validates the digital signature, the recipient is assured that
the email message that is received is, in fact, the same message that was signed
and sent, and has not been altered while in transit. Any alteration of the message
while in transit after it has been signed invalidates the signature. In this way, digital
signatures provide an assurance that signatures on paper cannot, because it is
possible for a paper document to be altered after it has been signed.

Important

Although digital signatures provide data integrity, they don't provide
confidentiality. Messages with only a digital signature are sent in clear text, like
SMTP messages and can be read by others. In the case where the message is
opaque-signed, a level of obfuscation is achieved because the message is base64-
encoded, but it is still clear text. To protect the contents of email messages,
encryption must be used.

S/MIME encryption

Message encryption provides a solution to information disclosure. SMTP-based internet
email does not secure messages. An SMTP internet email message can be read by
anyone who sees it as it travels or views it where it is stored. These problems are
addressed by S/MIME using encryption. Encryption is a way to change information so
that it cannot be read or understood until it is changed back into a readable and
understandable form. Message encryption provides two specific security services:

Confidentiality: Message encryption serves to protect the contents of an email
message. Only the intended recipient can view the contents, and the contents
remain confidential and cannot be known by anyone else who might receive or
view the message. Encryption provides confidentiality while the message is in
transit and in storage.

Data integrity: As with digital signatures, message encryption provides data
integrity services as a result of the specific operations that make encryption
possible.

Important

Although message encryption provides confidentiality, it doesn't authenticate the
message sender in any way. An unsigned, encrypted message is as susceptible to
sender impersonation as a message that isn't encrypted. Because nonrepudiation is
a direct result of authentication, message encryption also doesn't provide
nonrepudiation. Although encryption does provide data integrity, an encrypted
message can show only that the message hasn't been altered since it was sent. No
information about who sent the message is provided. To prove the identity of the
sender, the message must use a digital signature.
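The two Important notes above (a signature gives integrity and sender authentication but no confidentiality; encryption gives confidentiality but no sender authentication) can be observed directly with the CMS classes in .NET that S/MIME is built on. The script below is an added example, not code from the Microsoft documentation; it uses throw-away self-signed certificates in place of CA-issued S/MIME certificates, a constructed sample message, and assumes Windows PowerShell 5.1 on Windows (New-SelfSignedCertificate and the System.Security assembly).

```powershell
# Added example, not from the Microsoft documentation. Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

# Throw-away certificates standing in for two users' S/MIME certificates
# (assumption: in production these come from your CA). A CAPI key with
# KeySpec KeyExchange is used so that both signing and decryption work.
$certArgs = @{
    CertStoreLocation = 'Cert:\CurrentUser\My'
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    Provider          = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    KeySpec           = 'KeyExchange'
    NotAfter          = (Get-Date).AddDays(1)
}
$alice = New-SelfSignedCertificate -Subject 'CN=alice@contoso.example' @certArgs
$bob   = New-SelfSignedCertificate -Subject 'CN=bob@contoso.example'   @certArgs

function Find-Bytes([byte[]] $Haystack, [byte[]] $Needle) {
    # Index of the first occurrence of $Needle inside $Haystack, or -1.
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $i }
    }
    return -1
}

$text  = 'Quarterly report attached, please review.'   # constructed sample message
$plain = [Text.Encoding]::UTF8.GetBytes($text)

# --- Signing: integrity and sender authentication, but no confidentiality ---
$signed = [System.Security.Cryptography.Pkcs.SignedCms]::new(
    [System.Security.Cryptography.Pkcs.ContentInfo]::new($plain), $false)
$signed.ComputeSignature([System.Security.Cryptography.Pkcs.CmsSigner]::new($alice))
$signedBytes = $signed.Encode()

# Anyone holding the signed blob can read the message straight out of it.
$offset = Find-Bytes $signedBytes $plain
"Plaintext is visible inside the signed message at byte offset $offset"

# The signature verifies for the unmodified blob ($true skips chain building
# because the test certificate is self-signed)...
$check = [System.Security.Cryptography.Pkcs.SignedCms]::new()
$check.Decode($signedBytes)
$check.CheckSignature($true)
'Signature OK; signer: ' + $check.SignerInfos[0].Certificate.Subject

# ...and fails once a single content byte is altered after signing.
$tampered = [byte[]]$signedBytes.Clone()
$tampered[$offset + 5] = [byte][char]'0'
$check2 = [System.Security.Cryptography.Pkcs.SignedCms]::new()
$check2.Decode($tampered)
try   { $check2.CheckSignature($true); 'UNEXPECTED: tampered message verified' }
catch { 'Tampered message rejected: ' + $_.Exception.Message }

# --- Encryption: confidentiality for Bob only, but no proof of who sent it ---
$envelope = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new(
    [System.Security.Cryptography.Pkcs.ContentInfo]::new($plain))
$envelope.Encrypt([System.Security.Cryptography.Pkcs.CmsRecipient]::new($bob))
$envBytes = $envelope.Encode()
"Plaintext is visible inside the encrypted message: $((Find-Bytes $envBytes $plain) -ne -1)"

# Only the holder of Bob's private key can open it; the envelope names the
# recipient but carries no signer, so it says nothing about who sent it.
$open = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new()
$open.Decode($envBytes)
$open.Decrypt([System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new($bob))
'Decrypted: ' + [Text.Encoding]::UTF8.GetString($open.ContentInfo.Content)
"Recipients on the envelope: $($open.RecipientInfos.Count); signer information: none"

# Remove the test certificates from the user's store.
Remove-Item "Cert:\CurrentUser\My\$($alice.Thumbprint)", "Cert:\CurrentUser\My\$($bob.Thumbprint)"
```

A message that needs both properties is signed first and then encrypted, which is what an S/MIME client does when both options are selected.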

Related message encryption technologies

Other encryption technologies work together to provide protection for messages at rest
and in-transit. S/MIME can work simultaneously with the technologies in the following
list, but is not dependent on them:

Transport Layer Security (TLS) which replaces Secure Sockets Layer (SSL):
Encrypts the tunnel or the route between email servers in order to help prevent
snooping and eavesdropping.
Encrypts the connection between email clients and email servers.
BitLocker: Encrypts data on hard drives in client computers and servers. If an
unauthorized party somehow gains access, they can't read the data on the drives.

Microsoft Purview Message Encryption is a direct competitor to S/MIME, and has the
following advantages over S/MIME:

It's a policy-based encryption service that's configured by an admin to encrypt
messages that are sent to anyone inside or outside of the organization. In contrast,
users are required to decide whether to apply or not apply S/MIME to messages
that they send.
It's an online service that's built on Azure Rights Management (Azure RMS) and
does not rely on a public key infrastructure. In contrast, S/MIME requires a
certificate and certificate publishing infrastructure.
Microsoft Purview Message Encryption provides additional capabilities. For
example, you can customize messages with your organization's brand.

Configure S/MIME in Exchange Online
Article • 05/23/2023

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely accepted protocol
for sending digitally signed and encrypted messages. For more information, see S/MIME
for message signing and encryption in Exchange Online.

S/MIME is available in Exchange Online with the following types of email clients:

Supported versions of Outlook.

Outlook on the web (formerly known as Outlook Web App) on Windows clients.
For more information, see Encrypt messages by using S/MIME in Outlook on the
web.

Note

Sensitive policy actions are applied on the server backend, while S/MIME
signing and/or encryption is done in the Outlook on the web client. Because
of this architectural constraint, S/MIME is disabled in Outlook on the web in
messages where there are sensitivity labels with protection actions.

Mobile devices (for example, Outlook for iOS and Android, Exchange ActiveSync
apps or native email apps).

As an Exchange Online admin, you can enable S/MIME-based security for the mailboxes
in your organization. The high-level steps are described in the following list and are
expanded upon in this article:

1. Set up and publish S/MIME certificates.
2. Set up a virtual certificate collection in Exchange Online.
3. Sync user certificates for S/MIME into Microsoft 365.
4. Configure policies to install S/MIME extensions in web browsers for Outlook on the
web.
5. Configure email clients to use S/MIME.

For end-to-end S/MIME configuration instructions for Outlook for iOS and Android, see
S/MIME for Outlook for iOS and Android.

Step 1: Set up and publish S/MIME certificates

Each user in your organization requires their own certificate that's issued for the
purposes of signing and encryption. You publish these certificates to your on-premises
Active Directory for distribution. Your Active Directory must be located on computers at
a physical location that you control and not at a remote facility or cloud-based service
on the internet.

For more information about Active Directory, see Active Directory Domain Services
Overview.

1. Install a Windows-based Certification Authority (CA) and set up a public key
infrastructure to issue S/MIME certificates. Certificates issued by third-party
certificate providers are also supported. For details, see Active Directory Certificate
Services Overview.

Notes:

Certificates issued by a third-party CA have the advantage of being
automatically trusted by all clients and devices. Certificates that are issued by
an internal, private CA aren't automatically trusted by clients and devices, and
not all devices (for example, phones) can be configured to trust private
certificates.
Consider using an intermediate certificate instead of the root certificate to
issue certificates to users. That way, if you ever need to revoke and reissue
certificates, the root certificate is still intact.
The certificate must have a private key and the X509 extension "Subject Key
Identifier" must be populated.

2. Publish the user's certificate in their on-premises Active Directory account in the
UserSMIMECertificate and/or UserCertificate attributes.

Step 2: Set up a virtual certificate collection in Exchange Online

The virtual certificate collection is responsible for validating S/MIME certificates. Set up
the virtual certificate collection by using the following steps:

1. Export the root and intermediate certificates that are required to validate user
S/MIME certificates from a trusted machine to a serialized certificate store (SST) file
in Windows PowerShell. For example:

PowerShell

Get-ChildItem -Path cert:\<StoreCertPath> | Export-Certificate -FilePath "C:\My Documents\Exported Certificate Store.sst" -Type SST

For detailed syntax and parameter information, see Export-Certificate.

2. Import the certificates from the SST file into Exchange Online by running the
following command in Exchange Online PowerShell:

PowerShell

Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes('C:\My Documents\Exported Certificate Store.sst'))

For detailed syntax and parameter information, see Set-SmimeConfig.
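The two commands above export and upload the collection but give no way to see what the tenant actually trusts afterwards. The added example below (not part of the Microsoft documentation) narrows the export to the CA certificates you name instead of a whole store, uploads the SST, and then reads the collection back from Get-SmimeConfig and decodes it so expired or unexpected issuers are visible. The store paths, file path and the issuer name patterns are assumptions about your PKI; the export runs in Windows PowerShell on a trusted machine and the import in an Exchange Online PowerShell session.

```powershell
# Added example, not from the Microsoft documentation. Paths and the CA name
# patterns are placeholders for your environment.

function Export-SmimeIssuerStore {
    param(
        [Parameter(Mandatory)] [string]   $SstPath,
        [Parameter(Mandatory)] [string[]] $IssuerNamePattern   # e.g. 'Contoso Root CA*'
    )
    # Collect only the root and intermediate CA certificates you actually use,
    # rather than the whole machine store, so the tenant trusts nothing extra.
    $cas = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object {
            $subject = $_.Subject
            @($IssuerNamePattern | Where-Object { $subject -like "CN=$_" }).Count -gt 0
        } |
        Sort-Object Thumbprint -Unique
    if (-not $cas) { throw 'No CA certificates matched the patterns; nothing exported.' }
    $cas | Export-Certificate -FilePath $SstPath -Type SST | Out-Null
    $cas | Select-Object Subject, NotAfter, Thumbprint
}

function Get-SmimeIssuerReport {
    # Read the tenant's virtual certificate collection back and decode the SST
    # blob, so you can confirm what was uploaded and spot expiring issuers.
    $blob = (Get-SmimeConfig).SMIMECertificateIssuingCA
    if (-not $blob) { Write-Warning 'No issuing CA collection is set in the tenant.'; return }
    $coll = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $coll.Import([byte[]]$blob)
    $coll | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt (Get-Date))
            Thumbprint = $_.Thumbprint
        }
    }
}

function Import-SmimeIssuerStore {
    param([Parameter(Mandatory)] [string] $SstPath)
    $bytes = [System.IO.File]::ReadAllBytes($SstPath)
    Set-SmimeConfig -SMIMECertificateIssuingCA $bytes
    Get-SmimeIssuerReport
}

# On the trusted machine (Windows PowerShell):
Export-SmimeIssuerStore -SstPath 'C:\Temp\smime-issuers.sst' `
    -IssuerNamePattern 'Contoso Root CA*', 'Contoso Issuing CA*'

# In Exchange Online PowerShell:
Import-SmimeIssuerStore -SstPath 'C:\Temp\smime-issuers.sst' | Format-Table -AutoSize
```

Note that Set-SmimeConfig replaces the whole collection, so the SST must contain every issuer you want trusted, not just the one being added.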

Step 3: Sync user certificates for S/MIME into Microsoft 365

Before anyone can send S/MIME-protected messages in Exchange Online, you need to
set up and configure the appropriate certificates for each user and publish their public
X.509 certificates to Microsoft 365. The sender's email client uses the recipient's public
certificate to encrypt the message.

1. Issue certificates and publish them in your local Active Directory. For more
information, see Active Directory Certificate Services Overview.

2. After your certificates are published, use Azure AD Connect to synchronize user
data from your on-premises Exchange environment to Microsoft 365. For more
information on this process, see Azure AD Connect sync: Understand and
customize synchronization.

Along with synchronizing other directory data, Azure AD Connect synchronizes the
userCertificate and userSMIMECertificate attributes for each user object for S/MIME
signing and encryption of email messages. For more information about Azure AD
Connect, see What is Azure AD Connect?.

Step 4: Configure policies to install the S/MIME extensions in web browsers

Note

This step is required only for Outlook on the web clients.

S/MIME in Outlook on the web in the Chromium-based Microsoft Edge or in Google
Chrome requires specific policy settings that are configured by an admin.

Specifically, you need to set and configure the policy named ExtensionInstallForcelist to
install the S/MIME extension in the browser. The policy value is
maafgiompdekodanheihhgilkjchcakm;https://outlook.office.com/owa/SmimeCrxUpdate.ashx.
Applying this policy requires domain-joined or Azure AD-joined devices, so using
S/MIME in Edge or Chrome effectively requires domain-joined or Azure AD-joined
devices.

For details about the policies, see the following topics:

ExtensionInstallForcelist - Edge
ExtensionInstallForcelist - Chrome

The policy is a prerequisite for using S/MIME in Outlook on the web. It does not replace
the S/MIME control that's installed by users. Users are prompted to download and
install the S/MIME control in Outlook on the web during their first use of S/MIME. Or,
users can proactively go to S/MIME in their Outlook on the web settings to get the
download link for the control.
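When S/MIME does not appear in Outlook on the web on a particular device, the first thing to confirm is whether the ExtensionInstallForcelist policy actually reached that device. The PowerShell below is an added example and not part of the Microsoft documentation; it reads the standard Edge and Chrome policy locations in the registry on a Windows device and reports whether the entry quoted above is present. It writes nothing and assumes only that policy arrived through Group Policy or Intune in the usual HKLM\SOFTWARE\Policies paths.

```powershell
# Added example, not from the Microsoft documentation. Read-only check on a
# Windows device; the policy value is the one quoted in Step 4 above.
$SmimeExtensionEntry = 'maafgiompdekodanheihhgilkjchcakm;https://outlook.office.com/owa/SmimeCrxUpdate.ashx'

function Test-SmimeExtensionPolicy {
    # Standard policy registry locations for the two supported browsers.
    $policyKeys = @{
        Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
        Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    }
    $extensionId = $SmimeExtensionEntry.Split(';')[0]

    foreach ($browser in $policyKeys.Keys) {
        $key     = $policyKeys[$browser]
        $entries = @()
        if (Test-Path $key) {
            # The force-list is stored as numbered string values ("1", "2", ...).
            $props   = Get-ItemProperty -Path $key
            $entries = @($props.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value })
        }
        $found = @($entries | Where-Object { $_ -like "$extensionId*" })

        [pscustomobject]@{
            Browser       = $browser
            PolicyPresent = [bool](Test-Path $key)
            SmimeForced   = ($found.Count -gt 0)
            ExactValue    = [bool]($found -eq $SmimeExtensionEntry)
            Entry         = ($found -join '; ')
        }
    }
}

Test-SmimeExtensionPolicy | Format-Table -AutoSize
```

SmimeForced True with ExactValue False means the extension ID is forced but the update URL differs from the one Microsoft publishes, which is worth correcting before users start reporting that the control never installs.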

Step 5: Configure email clients to use S/MIME

If an email client supports S/MIME, the next consideration is access to the user's S/MIME
certificate by that email client. The S/MIME certificate needs to be installed on the user's
computer or device. You can distribute S/MIME certificates automatically (for example,
using Microsoft Endpoint Manager) or manually (for example, the user can export the
certificate from their computer and import it on their mobile device). After the certificate
is available locally, you can enable and configure S/MIME in the settings of the email
client.

For more information about S/MIME in email clients, see the following topics:

Outlook: See the "Encrypting with S/MIME" section in Encrypt email messages.
Outlook for iOS and Android: Enabling S/MIME in the client
Mail in iOS: Use S/MIME to send encrypted messages in an Exchange environment
in iOS

You can also use the following parameters on the New-MobileDeviceMailboxPolicy and
Set-MobileDeviceMailboxPolicy cmdlets in Exchange Online PowerShell to configure
S/MIME settings for mobile devices:

AllowSMIMEEncryptionAlgorithmNegotiation
AllowSMIMESoftCerts
RequireEncryptedSMIMEMessages
RequireEncryptionSMIMEAlgorithm
RequireSignedSMIMEAlgorithm
RequireSignedSMIMEMessages
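The parameters listed above are the server-side controls for S/MIME on Exchange ActiveSync devices. The added example below (not part of the Microsoft documentation) audits them across every mobile device mailbox policy and then applies a strict configuration to one policy; it assumes an Exchange Online PowerShell session, and the policy name Default is an assumption about your tenant.

```powershell
# Added example, not from the Microsoft documentation. Assumes an Exchange
# Online PowerShell session; the policy name is a placeholder.

function Get-MobileSmimePolicyReport {
    # One row per policy showing only the S/MIME-related settings.
    Get-MobileDeviceMailboxPolicy | Select-Object Name, IsDefault,
        AllowSMIMESoftCerts,
        AllowSMIMEEncryptionAlgorithmNegotiation,
        RequireSignedSMIMEMessages,
        RequireEncryptedSMIMEMessages,
        RequireSignedSMIMEAlgorithm,
        RequireEncryptionSMIMEAlgorithm
}

function Set-MobileSmimePolicyStrict {
    param([Parameter(Mandatory)] [string] $Name)
    # Require every message sent from devices under this policy to be signed and
    # encrypted, disallow software (file-based) certificates, and let clients
    # negotiate only strong encryption algorithms.
    Set-MobileDeviceMailboxPolicy -Identity $Name `
        -RequireSignedSMIMEMessages $true `
        -RequireEncryptedSMIMEMessages $true `
        -AllowSMIMESoftCerts $false `
        -AllowSMIMEEncryptionAlgorithmNegotiation OnlyStrongAlgorithmNegotiation

    # Read the policy back to confirm the change.
    Get-MobileDeviceMailboxPolicy -Identity $Name | Select-Object Name,
        RequireSignedSMIMEMessages, RequireEncryptedSMIMEMessages,
        AllowSMIMESoftCerts, AllowSMIMEEncryptionAlgorithmNegotiation
}

# Usage: audit first, then tighten the (assumed) policy named Default.
Get-MobileSmimePolicyReport | Format-Table -AutoSize
Set-MobileSmimePolicyStrict -Name 'Default'
```

The two Require*SMIMEAlgorithm parameters are left unset here because the values they accept are legacy algorithm names; leaving them unset keeps the client's default choice rather than pinning devices to an older algorithm.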

S/MIME for Outlook for iOS and Android in Exchange Online
Article • 02/22/2023

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely accepted protocol
for sending digitally signed and encrypted messages. For more information, see S/MIME
for message signing and encryption in Exchange Online.

To use S/MIME in Outlook for iOS and Android, you need to configure specific
S/MIME prerequisites in Exchange Online. After you have completed those steps, you can
deploy S/MIME certificates to Outlook for iOS and Android using the following
methods:

Manual certificate delivery

Automated certificate delivery

This article describes how to configure Exchange Online for S/MIME using Outlook for
iOS and Android, and how to use S/MIME in Outlook for iOS and Android.

S/MIME prerequisites

Ensure S/MIME has been properly configured in Exchange Online by following the steps
outlined in Configure S/MIME in Exchange Online. Specifically, this includes:

1. Setting up the virtual certificate collection.
2. Publishing the certificate revocation list to the internet.

In manual and automated certificate delivery solutions, it's expected that the certificate's
trusted root chain is available and discoverable within your Exchange Online tenant's
virtual certificate collection. Trust verification is performed on all digital certificates.
Exchange Online validates the certificate by validating each certificate in the certificate
chain until it reaches a trusted root certificate. This verification is done by obtaining the
intermediate certificates through the authority information access attribute in the
certificate until a trusted root certificate is located. Intermediate certificates can also be
included with digitally signed email messages. If Exchange Online locates a trusted root
certificate and can query the certificate revocation list for the certificate authority, the
digital certificate's chain for that digital certificate is considered valid and trusted and
can be used. If Exchange Online fails to locate a trusted root certificate or fails to contact
the certificate revocation list for the certificate authority, that certificate is considered
invalid and is not trusted.

Outlook for iOS and Android leverages the user's primary SMTP address for mail flow
activities, which is configured during account profile setup. The S/MIME certificate used
by Outlook for iOS and Android is calculated by comparing the user's primary SMTP
address as defined in the account profile with the certificate's subject value or the
subject alternative name value; if these do not match, then Outlook for iOS and Android
will report that a certificate is not available (see Figure 7) and will not allow the user to
sign and/or encrypt messages.
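The matching rule just described (primary SMTP address against the certificate's subject or subject alternative name) is easy to check from the admin side before a user reports "no certificate available". The PowerShell below is an added example and not part of the Microsoft documentation: it reads the certificates published on a mailbox (the UserCertificate and UserSMimeCertificate attributes synced in Step 3 of the configuration article), decodes each one, and reports whether its email address matches the mailbox's primary SMTP address and whether it is currently valid. It assumes an Exchange Online PowerShell session, Windows PowerShell for the System.Security assembly, and a placeholder mailbox address.

```powershell
# Added example, not from the Microsoft documentation. Assumes an Exchange
# Online PowerShell session in Windows PowerShell; the mailbox is a placeholder.
Add-Type -AssemblyName System.Security

function ConvertTo-X509 {
    param([byte[]] $Blob)
    # userCertificate holds a DER-encoded X.509 certificate, while the
    # userSMIMECertificate value published by Outlook is a PKCS#7 blob, so
    # try the plain certificate decoding first and fall back to CMS.
    try { return @([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Blob)) } catch {}
    try {
        $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
        $cms.Decode($Blob)
        return @($cms.Certificates)
    } catch { return @() }
}

function Test-MailboxSmimeCertificate {
    param([Parameter(Mandatory)] [string] $Identity)
    $mbx   = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $smtp  = "$($mbx.PrimarySmtpAddress)"
    $blobs = @($mbx.UserCertificate) + @($mbx.UserSMimeCertificate) | Where-Object { $_ }
    $now   = Get-Date

    $results = @(foreach ($blob in $blobs) {
        foreach ($cert in (ConvertTo-X509 -Blob ([byte[]]$blob))) {
            # EmailName reads the rfc822Name SAN entry or the subject E= field,
            # which is what the client compares with the primary SMTP address.
            $email = $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
            [pscustomobject]@{
                Mailbox      = $smtp
                CertEmail    = $email
                AddressMatch = [bool]($email -and ($email -ieq $smtp))
                Valid        = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
                NotAfter     = $cert.NotAfter
                Thumbprint   = $cert.Thumbprint
            }
        }
    })

    if ($results.Count -eq 0) {
        Write-Warning "$smtp has no published certificates; Outlook will report that none is available."
    }
    elseif (-not ($results | Where-Object { $_.AddressMatch -and $_.Valid })) {
        Write-Warning "$smtp has certificates, but none both matches the primary SMTP address and is currently valid."
    }
    $results
}

# Usage (placeholder mailbox):
Test-MailboxSmimeCertificate -Identity 'alice@contoso.example' | Format-Table -AutoSize
```

A common cause of AddressMatch being False is a user whose primary SMTP address was changed (for example after a rename) while the certificate was issued to the old address; reissuing the certificate, or at least adding the new address to its subject alternative name, resolves it.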

Manual certificate delivery

Outlook for iOS and Outlook for Android both support manual certificate delivery, which
is when the certificate is emailed to the user and the user taps on the certificate
attachment within the app to initiate the certificate's installation. The following image
shows how manual certificate delivery works in iOS.

A user can export their own certificate and mail it to themselves using Outlook. For
more information, see Exporting a digital certificate .

Important

When exporting the certificate, ensure that the exported certificate is password-
protected with a strong password.

Automated certificate delivery

Important

Outlook for iOS and Android only supports automated certificate delivery
when Microsoft Endpoint Manager is the enrollment provider.

For Outlook for iOS, this is due to the iOS keychain architecture. iOS offers a
system keychain and publisher keychains. iOS prevents third-party apps from
accessing the system keychain (only first-party apps and the Safari webview
controller can access the system keychain). In order to deliver certificates that
can be accessed by Outlook for iOS, the certificates must reside in the
Microsoft publisher keychain to which Outlook for iOS has access. Only
Microsoft published apps, like the Company Portal, can place certificates into
the Microsoft publisher keychain.

Outlook for Android relies on Endpoint Manager to deliver and approve the
S/MIME certificates. Automatic certificate delivery is supported with Android
enrollment scenarios: device administrator, Android Enterprise work profile,
and Android Enterprise fully managed.

With Endpoint Manager, organizations can import encryption certificate histories from
any Certification Authority. Endpoint Manager will then automatically deliver those
certificates to any device that the user enrolls. Generally, Simple Certificate Enrollment
Protocol (SCEP) is used for signing certificates. With SCEP, the private key is generated
and stored on the enrolled device and a unique certificate is delivered to each device
that a user enrolls, which can be used for non-repudiation. Lastly, Endpoint Manager
supports derived credentials for customers who need support for the NIST 800-157
standard. The Company Portal is used to retrieve signing and encryption certificates
from Intune.

In order to deliver certificates to Outlook for iOS and Android, you must complete the
following prerequisites:

Deploy trusted root certificates via Endpoint Manager. For more information, see
Create trusted certificate profiles.
Encryption certificates must be imported into Endpoint Manager. For more
information, see Configure and use imported PKCS certificates with Intune.
Install and Configure the PFX Connector for Microsoft Intune. For more
information, see Download, install, and configure the PFX Certificate Connector for
Microsoft Intune.
Devices must be enrolled to receive trusted root and S/MIME certificates
automatically from Endpoint Manager.

Outlook for iOS automated certificate delivery

Use the following steps to create and configure the Outlook for iOS S/MIME policy in
Endpoint Manager. These settings provide automated delivery of the signing and
encryption certificates.

1. Sign into Microsoft Endpoint Manager.

2. Select Apps and then select App configuration policies.

3. On the App Configuration policies blade, choose Add and select Managed
devices to start the app configuration policy creation flow.

4. On the Basics section, enter a Name, and optional Description for the app
configuration settings.

5. For Platform, choose iOS/iPadOS.

6. For Targeted app, choose Select app, and then, on the Associated app blade,
choose Microsoft Outlook. Click OK.

Note

If Outlook is not listed as an available app, then you must add it by following
the instructions in Assign apps to Android work profile devices with Intune
and Add iOS store apps to Microsoft Intune.

7. Click Configuration settings to add configuration settings.

Select Use configuration designer next to Configuration settings format and
accept or modify the default settings. For more information, see Deploying
Outlook for iOS and Android app configuration settings.

8. Click S/MIME to display the Outlook S/MIME settings.

9. Set Enable S/MIME to Yes. When selecting Yes or No, administrators can choose to
allow the user to change the app setting's value. Select Yes (app default) to allow
the user to change the setting or choose No if you want to prevent the user from
changing the setting's value.

10. Choose whether to Encrypt all emails by selecting Yes or No. When selecting Yes
or No, administrators can choose to allow the user to change the app setting's
value. Select Yes (app default) to allow the user to change the setting or choose
No if you want to prevent the user from changing the setting's value.

11. Choose whether to Sign all emails by selecting Yes or No. When selecting Yes or
No, administrators can choose to allow the user to change the app setting's value.
Select Yes (app default) to allow the user to change the setting or choose No if you
want to prevent the user from changing the setting's value.

12. If needed, deploy a LDAP URL for recipient certificate lookup. For more
information on the URL format, see LDAP support for certificate lookup.

13. Set Deploy S/MIME certificates from Intune to Yes.

14. Under Signing certificates next to Certificate profile type, choose one of the
following options:

SCEP: Creates a certificate that is unique for the device and user that can be
used by Microsoft Outlook for signing. For information on what is required to
use SCEP certificate profiles, see Configure infrastructure to support SCEP
with Intune.
PKCS imported certificates: Uses a certificate that is unique to the user, but
may be shared across devices and has been imported to Endpoint Manager
by the administrator on behalf of the user. The certificate is delivered to any
device that a user enrolls. Endpoint Manager will automatically pick the
imported certificate that supports signing to deliver to the device that
corresponds to the enrolled user. For information on what is required to use
PKCS imported certificates, see Configure and use PKCS certificates with
Intune.
Derived credentials: Uses a certificate that is already on the device that can
be used for signing. The certificate must be retrieved on the device using the
derived credentials flows in Intune.

15. Under Encryption certificates next to Certificate profile type, choose one of the
following options:

PKCS imported certificates: Delivers any encryption certificates that have
been imported to Endpoint Manager by the administrator across any device a
user enrolls. Endpoint Manager will automatically pick the imported
certificate or certificates that support encryption and deliver to the enrolled
user's devices.
Derived credentials: Uses a certificate that is already on the device that can
be used for signing. The certificate must be retrieved on the device using the
derived credentials flows in Intune.

16. Next to End-user notifications, choose how to notify end users to retrieve the
certificates by selecting Company Portal or Email.

On iOS, users must use the Company Portal app to retrieve their S/MIME
certificates. Endpoint Manager will inform the user that they need to launch the
Company Portal to retrieve their S/MIME certificates via the Notifications section of
Company Portal, a push notification, and/or an email. Clicking one of the
notifications will take the user to a landing page that informs them of progress
retrieving the certificates. Once the certificates are retrieved, the user can use
S/MIME from within Microsoft Outlook for iOS to sign and encrypt email.

The end-user notifications include the following options:

Company Portal: If selected, users will receive a push notification on their
device, which will take them to the landing page in Company Portal where
S/MIME certificates will be retrieved.
Email: Sends an email to the end user informing them that they need to
launch Company Portal to retrieve their S/MIME certificates. If the user is on
their enrolled iOS device when they click the link in the email, they will be
redirected to the Company Portal to retrieve their certificates.

End-users will see an experience similar to the following for automated certificate
delivery:

17. Select Assignments to assign the app configuration policy to the Azure AD groups.
For more information, see Assign apps to groups with Microsoft Intune.

Outlook for Android automated certificate delivery

Use the following steps to create and configure the Outlook for iOS and Android
S/MIME policy in Endpoint Manager. These settings provide automated delivery of the
signing and encryption certificates.

1. Sign into Microsoft Endpoint Manager.

2. Create a SCEP certificate profile or PKCS certificate profile and assign it to your
mobile users.

3. Select Apps and then select App configuration policies.

4. On the App Configuration policies blade, choose Add and select Managed
devices to start the app configuration policy creation flow.
5. On the Basics section, enter a Name, and optional Description for the app
configuration settings.

6. For Platform, choose Android Enterprise and for Profile Type, choose All Profile
Types.

7. For Targeted app, choose Select app, and then, on the Associated app blade,
choose Microsoft Outlook. Click OK.

Note

If Outlook is not listed as an available app, then you must add it by following
the instructions in Assign apps to Android work profile devices with Intune
and Add iOS store apps to Microsoft Intune.

8. Click Configuration settings to add configuration settings.

Select Use configuration designer next to Configuration settings format and
accept or modify the default settings. For more information, see Deploying
Outlook for iOS and Android app configuration settings.

9. Click S/MIME to display the Outlook S/MIME settings.

10. Set Enable S/MIME to Yes. When selecting Yes or No, administrators can choose to
allow the user to change the app setting's value. Select Yes (app default) to allow
the user to change the setting or choose No if you want to prevent the user from
changing the setting's value.

11. Choose whether to Encrypt all emails by selecting Yes or No. When selecting Yes
or No, administrators can choose to allow the user to change the app setting's
value. Select Yes (app default) to allow the user to change the setting or choose
No if you want to prevent the user from changing the setting's value.

12. Choose whether to Sign all emails by selecting Yes or No. When selecting Yes or
No, administrators can choose to allow the user to change the app setting's value.
Select Yes (app default) to allow the user to change the setting or choose No if you
want to prevent the user from changing the setting's value.

13. Select Assignments to assign the app configuration policy to the Azure AD groups.
For more information, see Assign apps to groups with Microsoft Intune.

Enabling S/MIME in the client


S/MIME must be enabled for Outlook for iOS and Android to view or create S/MIME-
related content.

End users will need to enable S/MIME functionality manually by accessing their account
settings, tapping Security, and tapping the S/MIME control, which is off by default. The
Outlook for iOS S/MIME security setting looks like the following:

When the S/MIME setting is enabled, Outlook for iOS and Android will automatically
disable the Organize By Thread setting. This is because S/MIME encryption becomes
more complex as a conversation thread grows. By removing the threaded conversation
view, Outlook for iOS and Android reduces the opportunity for issues with certificates
across recipients during signing and encryption. As this is an app-level setting, this
change affects all accounts added to the app. This threaded conversation dialog is
rendered in iOS as follows:
Once S/MIME is enabled and the S/MIME certificates are installed, users can view the
installed certificates by accessing their account settings and tapping Security.
Furthermore, users can tap on each individual S/MIME certificate and view the
certificate's details, including information like key usage and the validity period.

Users can configure Outlook to automatically sign or encrypt messages. This allows
users to save time sending email while being confident that their emails are being
signed/encrypted.

LDAP support for certificate lookup


Outlook for iOS and Android supports accessing public user certificate keys from secure
LDAP directory endpoints during recipient resolution. In order to utilize an LDAP
endpoint, the following requirements must be met:

The LDAP endpoint does not require authentication (Outlook binds anonymously).

The LDAP endpoint configuration is delivered to Outlook for iOS and Android
through an app configuration policy. For more information, see S/MIME settings.

The LDAP endpoint configuration is supported using the following formats:

ldaps://contoso.com
ldap://contoso.com
ldap://contoso.com:389
ldaps://contoso.com:636
contoso.com
contoso.com:389
contoso.com:636

Only the ldaps:// and port 636 forms protect the connection with TLS. The ldap://
and port 389 forms send the directory query, including the recipient addresses
being looked up, in cleartext. Prefer the ldaps:// form with a server certificate
the device trusts.

When Outlook for iOS and Android performs a certificate lookup for a recipient, the app
will search the local device first, then query Azure Active Directory, and then evaluate
any LDAP directory endpoint. When Outlook for iOS and Android connects to the LDAP
directory endpoint to search for a recipient's public certificate, certificate validation is
performed to ensure that the certificate is not revoked. The certificate is only considered
valid by the app if certificate validation completes successfully.

Using S/MIME in Outlook for iOS and Android


After the certificates have been deployed and S/MIME has been enabled in the app,
users can consume S/MIME related content and compose content using S/MIME
certificates. If the S/MIME setting is not enabled, then users will not be able to consume
S/MIME content.

View S/MIME messages


In the message view, users can view messages that are S/MIME signed or encrypted. In
addition, users can tap the S/MIME status bar to view more information about the
message's S/MIME status. The following screenshots show examples of how S/MIME
messages are consumed in Android.

Important

In order to read an encrypted message, the recipient's private certificate key must
be available on the device.

Users can install a sender's public certificate key by tapping the S/MIME status bar. The
certificate will be installed on the user's device, specifically in the Microsoft publisher
keychain in iOS or the system KeyStore in Android. The Android version appears
similar to the following:
If there are certificate errors, Outlook for iOS and Android will warn the user. The user
can tap the S/MIME status bar notification to view more information about the
certificate error, such as in the following example.

Create S/MIME messages


Before a user can send a signed and/or encrypted message, Outlook for iOS and
Android performs a validity check on the certificate to ensure it's valid for signing or
encryption operations. If the certificate is near expiration, Outlook for iOS and Android
will alert the user to obtain a new certificate when the user attempts to sign or encrypt a
message, beginning 30 days before expiration.
When composing an email in Outlook for iOS and Android, the sender can choose to
encrypt and/or sign the message. By tapping on the ellipses and then Sign and Encrypt,
the various S/MIME options are presented. Selecting an S/MIME option enables the
respective encoding on the email as soon as the message is saved or sent, assuming the
sender has a valid certificate.

Outlook for iOS and Android can send S/MIME signed and encrypted messages to
distribution groups. Outlook for iOS and Android enumerates the certificates for the
users defined in the distribution group, including those in nested distribution groups,
though care should be taken on limiting the number of nested distribution groups to
minimize the processing impact.

Important

Outlook for iOS and Android only supports sending clear-signed messages.
In order to compose an encrypted message, the target recipient's public
certificate key must be available either in the Global Address List or stored on
the local device. In order to compose a signed message, the sender's private
certificate key must be available on the device.

Here is how S/MIME options appear in Outlook for Android:


Outlook for iOS and Android will evaluate all recipients prior to sending an encrypted
message and confirm that a valid public certificate key exists for each recipient. The
Global Address List (GAL) is checked first; if a certificate for the recipient does not exist
in the GAL, Outlook queries the Microsoft publisher keychain in iOS or the system
KeyStore in Android to locate the recipient's public certificate key. For recipients without
a public certificate key (or an invalid key), Outlook will prompt for their removal. The
message will not be sent without encryption to any recipient unless the encryption
option is disabled by the sender during composition.
Interoperability, connectivity, and compatibility
Article • 01/27/2023

Interoperability with other Microsoft products

Skype for Business Online


For customers who have deployed Microsoft Lync Server 2010, Lync Server 2013 or
Microsoft Office Communications Server 2007 R2 on-premises, Microsoft Office
Communicator can connect to Microsoft Exchange Online by using Exchange Web
Services to access out-of-office messages and calendar data.

On-premises Lync Server 2010 and Lync Server 2013 can interoperate with Exchange
Online in two additional ways:

IM and presence interoperability in Outlook on the web

Voice mail interoperability

For more information about how to configure Skype for Business Server 2015 with
Exchange Online, see Configuring On-premises Skype for Business Server 2015
Integration with Exchange Online. For hybrid configurations, see Supported Skype for
Business Server 2015 hybrid configurations.

Features for external connectivity


Exchange Online offers the following features for connecting with external applications
and devices:

Through messaging protocols: External applications that are running on-premises, in
Azure, or in other hosted services can access data stored with Exchange Online by
using messaging protocols such as MAPI over HTTP, SMTP, POP3, IMAP4, and
Exchange Web Services. Exchange Web Services or the Exchange Web Services
Managed API is recommended for application development.

As an SMTP relay: Exchange Online can be set up as an SMTP delivery service to
relay email messages sent from fax gateways, network appliances, and custom
applications.

Exchange Web Services
Exchange Web Services (EWS) is the preferred development API for Exchange Server and
Exchange Online. Using EWS or the EWS Managed API, administrators can access data
stored with Exchange Online from applications that are running on-premises, in Azure,
or in other hosted services. EWS lets administrators perform specialized actions, such as
querying the contents of a mailbox, posting a calendar event, creating a task, or
triggering a specific action based on the content of an email message. Exchange Online
enables EWS functionality by granting application permissions to customer accounts.
These permissions allow the customer application to access the application mailbox and
add content. Exchange Impersonation is one method used to grant application
permissions. For details about how to use Exchange Web Services with Exchange Online,
refer to the technical articles at the Exchange Online Developer Center.

SMTP relay
Exchange Online can be used as an SMTP delivery service to relay email messages sent
from fax gateways, network appliances, and custom applications. For example, if a line-
of-business application sends email alerts to users, it can be configured to use Exchange
Online as the mail delivery system. The application or service must authenticate with the
username and password of a valid, licensed Exchange Online mailbox, and connect by
using Transport Layer Security (TLS).

Feature availability
To view feature availability across plans, standalone options, and on-premises solutions,
see Exchange Online service description.
Mail flow rules (transport rules) in Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use mail flow rules (also
known as transport rules) to identify and take action on messages that flow through
your organization.

Note

System-generated messages are not processed by your organization's mail flow
rules (transport rules). Messages that are not processed by mail flow rules include:

Non-delivery reports (NDRs) generated by Exchange. NDRs created by a
non-Exchange service are not detected as NDRs by Exchange mail flow rules, so
the corresponding mail flow rule conditions and exceptions will not be matched.
Messages sent to the arbitration mailbox (for example, approval request notifications).
Recall messages.
Journal reports.

Mail flow rules are similar to the Inbox rules that are available in Outlook and Outlook
on the web (formerly known as Outlook Web App). The main difference is mail flow rules
take action on messages while they're in transit, not after the message is delivered to
the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions,
which provides you with the flexibility to implement many types of messaging policies.

This article explains the components of mail flow rules, and how they work.

For steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For
each rule, you have the option of enforcing it, testing it, or testing it and notifying the
sender. To learn more about the testing options, see Test mail flow rules in Exchange
Online and Policy Tips (policy tips aren't available in standalone EOP).

For summary and detail reports about messages that matched mail flow rules, see Use
mail protection reports to view data about malware, spam, and rule detections.

To implement specific messaging policies by using mail flow rules, see Mail flow rule
procedures in Exchange Online.

Mail flow rule components


A mail flow rule is made of conditions, exceptions, actions, and properties:

Conditions: Identify the messages that you want to apply the actions to. Some
conditions examine message header fields (for example, the To, From, or Cc fields).
Other conditions examine message properties (for example, the message subject,
body, attachments, message size, or message classification). Most conditions
require you to specify a comparison operator (for example, equals, doesn't equal,
or contains) and a value to match.

Note

If you create a rule without conditions and exceptions, the rule action is applied to
all messages. This can have unintended consequences. For example, if the rule
action is to delete the message, removing the conditions and exceptions could
cause the rule to delete all inbound and outbound messages for the entire
organization.

For more information about mail flow rule conditions in Exchange Online, see Mail flow
rule conditions and exceptions (predicates) in Exchange Online.

Exceptions: Optionally identify the messages that the actions shouldn't apply to.
The same message identifiers that are available in conditions are also available in
exceptions. Exceptions override conditions and prevent the rule actions from being
applied to a message, even if the message matches all of the configured
conditions.

Actions: Specify what to do to messages that match the conditions in the rule, and
don't match any of the exceptions. There are many actions available, such as
rejecting, deleting, or redirecting messages, adding additional recipients, adding
prefixes in the message subject, or inserting disclaimers in the message body.

For more information about mail flow rule actions that are available in Exchange
Online, see Mail flow rule actions in Exchange Online.

Properties: Specify other rule settings that aren't conditions, exceptions, or
actions. For example, when the rule should be applied, whether to enforce or test
the rule, and the time period when the rule is active.

For more information, see the Mail flow rule properties section in this article.

Multiple conditions, exceptions, and actions


The following shows how multiple conditions, condition values, exceptions, and
actions are handled in a rule.

Multiple conditions (logic: AND)
A message must match all the conditions in the rule. If you need to match one
condition or another, use separate rules for each condition. For example, if you want
to add the same disclaimer to messages with attachments and messages that contain
specific text, create one rule for each condition. In the EAC, you can easily copy a rule.

One condition with multiple values (logic: OR)
Some conditions allow you to specify more than one value. The message must match
any one (not all) of the specified values. For example, if an email message has the
subject "Stock price information", and the condition The subject includes any of these
words is configured to match the words "Contoso" or "stock", the condition is satisfied
because the subject contains at least one of the specified values.

Multiple exceptions (logic: OR)
If a message matches any one of the exceptions, the actions are not applied to the
message. The message doesn't have to match all the exceptions.

Multiple actions (logic: AND)
Messages that match a rule's conditions get all the actions that are specified in the
rule. For example, if the actions Prepend the subject of the message with and Add
recipients to the Bcc box are selected, both actions are applied to the message.

Keep in mind that some actions (for example, the Delete the message without
notifying anyone action) prevent subsequent rules from being applied to a message.
Other actions (for example, the Forward the message action) don't allow additional
actions.

You can also set an action on a rule so that when that rule is applied, subsequent
rules are not applied to the message.

Mail flow rule properties


The following describes the rule properties that are available in mail flow rules. Each
entry gives the property name in the EAC, the corresponding parameter name in
PowerShell, and a description.

Priority (PowerShell: Priority)
Indicates the order that the rules are applied to messages. The default priority is based
on when the rule is created (older rules have a higher priority than newer rules, and
higher priority rules are processed before lower priority rules). You change the rule
priority in the EAC by moving the rule up or down in the list of rules. In PowerShell,
you set the priority number (0 is the highest priority).
For example, if you have one rule to reject messages that include a credit card number,
and another one requiring approval, you'll want the reject rule to happen first, and stop
applying other rules.
For more information, see Set the priority of a mail flow rule.

Audit this rule with severity level (PowerShell: SetAuditSeverity)
Sets the severity level of the incident report and the corresponding entry that's written
to the message tracking log when messages violate DLP policies. Valid values are
DoNotAudit, Low, Medium, and High.

Mode (PowerShell: Mode)
You can specify whether you want the rule to start processing messages immediately,
or whether you want to test rules without affecting the delivery of the message (with or
without Data Loss Prevention (DLP) Policy Tips). In PowerShell the values are Enforce,
Audit (test without Policy Tips), and AuditAndNotify (test with Policy Tips).
Policy Tips present a brief note in Outlook or Outlook on the web that provides
information about possible policy violations to the person that's creating the message.
For more information, see Policy Tips.
For more information about the modes, see Test mail flow rules in Exchange Online.

Activate this rule on the following date / Deactivate this rule on the following date
(PowerShell: ActivationDate / ExpiryDate)
Specifies the date range when the rule is active.

On check box selected or not selected (PowerShell: for new rules, the Enabled
parameter on the New-TransportRule cmdlet; for existing rules, the
Enable-TransportRule or Disable-TransportRule cmdlets. The value is displayed in the
State property of the rule.)
You can create a disabled rule, and enable it when you're ready to test it. Or, you can
disable a rule without deleting it to preserve the settings.

Defer the message if rule processing doesn't complete (PowerShell: RuleErrorAction)
You can specify how the message should be handled if the rule processing can't be
completed. By default, the rule will be ignored (Ignore), but you can choose to
resubmit the message for processing (Defer).

Match sender address in message (PowerShell: SenderAddressLocation)
If the rule uses conditions or exceptions that examine the sender's email address, you
can look for the value in the message header (Header), the message envelope
(Envelope), or both (HeaderOrEnvelope).

Stop processing more rules (PowerShell: StopRuleProcessing)
This is an action for the rule, but it looks like a property in the EAC. You can choose to
stop applying additional rules to a message after a rule processes a message.

Comments (PowerShell: Comments)
You can enter descriptive comments about the rule.
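The following is an added example, not part of the original article, that creates one rule
through Exchange Online PowerShell and exercises the components and properties
described above: ANDed conditions, an exception, several actions, and the Mode,
Enabled, Priority, SetAuditSeverity, SenderAddressLocation, RuleErrorAction and
StopRuleProcessing settings. It assumes a connected Exchange Online PowerShell
session (Connect-ExchangeOnline) with a role that can manage transport rules; the rule
name, group address and report recipient are placeholders.

```powershell
# Added example, not from the original article. Assumes a connected Exchange
# Online PowerShell session (Connect-ExchangeOnline) with a role that can
# manage transport rules. The group address and report recipient are
# placeholders.
$ruleName = "Block credit card numbers to external recipients"

# Conditions are ANDed (external recipient AND a credit card number in the
# message); the exception carves out the one group allowed to send them.
# All actions apply to a match. The rule is created disabled and in Audit
# mode ("Test without Policy Tips"), in which only GenerateIncidentReport
# fires, so the reports show what would have been rejected.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; MinCount = "1"}) `
    -ExceptIfFromMemberOf "payments-team@contoso.com" `
    -RejectMessageReasonText "Credit card numbers can't be sent outside the organization." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -SetAuditSeverity High `
    -Mode Audit `
    -Enabled $false `
    -SenderAddressLocation HeaderOrEnvelope `
    -RuleErrorAction Defer `
    -StopRuleProcessing $true `
    -Comments "Owner: SecOps. Created disabled in Audit mode; review incident reports before enforcing."

# Priority 0 is processed first, so this reject rule runs before any
# lower-priority rule (for example, one that routes mail for approval).
Set-TransportRule -Identity $ruleName -Priority 0

# Enable it for the test run. State becomes Enabled; Mode is still Audit.
Enable-TransportRule -Identity $ruleName

# After the audit results look right, switch to Enforce.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Read back what was saved. Description is the service's own rendering of the
# conditions, exceptions and actions, which is the quickest way to catch a
# condition that was dropped or misparsed.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, StopRuleProcessing, SenderAddressLocation, RuleErrorAction, Description
```

Creating the rule disabled and in Audit mode mirrors the new EAC, which creates rules
turned off. Rule changes can take up to 30 minutes to take effect, so give the audit run
a realistic window before switching to Enforce, and keep the reject rule at priority 0 with
StopRuleProcessing set so a later approval rule can't act on a message this one rejects.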

How mail flow rules are applied to messages


All messages (except NDRs) that flow through your organization are evaluated against
the enabled mail flow rules in your organization. Rules are processed in the order listed
on the Mail flow > Rules page in EAC, or based on the corresponding Priority parameter
value in the PowerShell.

Each rule also offers the option of stopping processing more rules when the rule is
matched. This setting is important for messages that match the conditions in multiple
mail flow rules (which rule do you want applied to the message? All? Just one?).

Differences in processing based on message type


There are several types of messages that pass through an organization. The following
shows which message types can be processed by mail flow rules.

Regular messages: Messages that contain a single rich text format (RTF), HTML, or
plain text message body or a multipart or alternative set of message bodies.
Can a rule be applied? Yes.

Message Encryption: Messages encrypted by Message Encryption in Microsoft 365 or
Office 365. For more information, see Encryption.
Can a rule be applied? Rules can always access envelope headers and process
messages based on conditions that inspect those headers. For a rule to inspect or
modify the contents of an encrypted message, you need to verify that transport
decryption is enabled (Mandatory or Optional; the default is Optional). For more
information, see Enable or disable transport decryption. You can also create a rule that
automatically decrypts encrypted messages. For more information, see Define rules to
encrypt email messages.

S/MIME encrypted messages
Can a rule be applied? Rules can only access envelope headers and process messages
based on conditions that inspect those headers. Rules with conditions that require
inspection of the message's content, or actions that modify the message's content,
can't be processed. Because S/MIME decryption requires the recipient's private key,
which the service does not hold, there is no transport decryption option for S/MIME.

RMS protected messages: Messages that had an Active Directory Rights Management
Services (AD RMS) or Azure Rights Management (RMS) policy applied.
Can a rule be applied? Rules can always access envelope headers and process
messages based on conditions that inspect those headers. For a rule to inspect or
modify the contents of an RMS protected message, you need to verify that transport
decryption is enabled (Mandatory or Optional; the default is Optional). For more
information, see Enable or disable transport decryption.

Clear-signed messages: Messages that have been signed but not encrypted.
Can a rule be applied? Yes.

Anonymous messages: Messages sent by anonymous senders.
Can a rule be applied? Yes.

Read reports: Reports that are generated in response to read receipt requests by
senders. Read reports have a message class of IPM.Note*.MdnRead or
IPM.Note*.MdnNotRead.
Can a rule be applied? Yes.
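As an added example (not from the original article), the following Exchange Online
PowerShell checks the transport decryption setting referenced above for Message
Encryption and RMS protected messages, sets it to Mandatory, and verifies the result.
It assumes a connected Exchange Online PowerShell session. Mandatory means a
message the service cannot decrypt is rejected and the sender receives an NDR, so
confirm that behaviour is acceptable before changing it.

```powershell
# Added example, not from the original article. Assumes a connected Exchange
# Online PowerShell session (Connect-ExchangeOnline).

# 1. Check the current setting. The default is Optional: messages that can be
#    decrypted are inspected by content rules, messages that can't still flow
#    without inspection.
Get-IRMConfiguration | Format-List TransportDecryptionSetting

# 2. Make content inspection of Message Encryption / RMS protected messages
#    non-bypassable. With Mandatory, a message the service can't decrypt is
#    rejected and an NDR is returned to the sender, so pilot this first.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# 3. Verify, and fail loudly if the setting did not take.
if ((Get-IRMConfiguration).TransportDecryptionSetting -ne 'Mandatory') {
    throw "Transport decryption is not Mandatory; content-inspecting rules can be bypassed."
}
```

This setting does nothing for S/MIME encrypted messages, which remain opaque to
content-inspecting rules regardless of its value.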

What else should I know?


The Version or RuleVersion property value for a rule isn't important in Exchange
Online.
After you create or modify a mail flow rule, it can take up to 30 minutes for the
new or updated rule to be applied to messages.
You can create a transport rule to bypass EOP and allow mail to flow without delay
from internal senders such as scanners, faxes, and other trusted sources that send
attachments that are known to be safe. Do not bypass filtering for all internal
messages; in this situation, a compromised account could send malicious content.
History and changes to mail flow rules are not maintained, so you can't revert mail
flow rules back to previous states.
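As an added example, not from the original article, the following shows the scoped form
of the filtering bypass described in the bullet above, together with a check for the
over-broad form. It assumes a connected Exchange Online PowerShell session; the IP
range, sender address and rule name are placeholders for one specific device.

```powershell
# Added example, not from the original article. Assumes a connected Exchange
# Online PowerShell session. The IP range and address are placeholders for one
# specific multifunction printer/scanner that relays through a known egress IP.

# Scoped bypass: the message must arrive from the pinned IP range AND carry
# the expected From address AND be addressed to internal recipients. Messages
# with executable attachments are excluded from the bypass. SCL -1 marks the
# message as trusted so EOP spam filtering is skipped for it.
New-TransportRule -Name "Bypass spam filtering for MFP scanner" `
    -SenderIpRanges "203.0.113.10-203.0.113.12" `
    -FromAddressMatchesPatterns '^scanner@contoso\.com$' `
    -SentToScope InOrganization `
    -ExceptIfAttachmentHasExecutableContent $true `
    -SetSCL -1 `
    -Comments "Scoped filtering bypass for the scanner only. Do not widen to all internal senders."

# Check for the anti-pattern the warning above describes: an SCL -1 rule with
# no SenderIpRanges condition is keyed only on sender identity, which a
# compromised mailbox (or a spoofed header From) inherits.
function Get-UnscopedSclBypassRules {
    Get-TransportRule |
        Where-Object {
            "$($_.SetSCL)" -eq "-1" -and
            ($_.SenderIpRanges | Measure-Object).Count -eq 0
        } |
        Select-Object Name, State, Priority, FromAddressMatchesPatterns, SenderDomainIs, SentToScope
}

Get-UnscopedSclBypassRules
```

The bypass is keyed on the connecting IP range rather than only the From address
because the header From is trivially spoofable and any compromised internal mailbox
would otherwise inherit the bypass. Any rule returned by Get-UnscopedSclBypassRules
should either gain an IP condition or be removed.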

For more information


Manage mail flow rules

Mail flow rule procedures in Exchange Online

Journal, transport, and inbox rule limits


New mail flow rules UX in new Exchange Admin Center
Article • 03/21/2023

The mail flow rules UX in the new EAC has been enhanced and modernized. This
updated experience is consistent with the new EAC design and will enable easier rule
management. The new Mail Flow Rules landing page now exposes more rule details;
therefore, you can immediately get more insight into your rule configurations. The new
UX also walks you through the process of creating a rule to simplify the rule creation
experience. You'll find that most of the functionality remains the same, so these Updates
in UX don't interrupt your workflow and allow for a smoother transition.

Updates in UX
The following updates have taken place in the mail flow rules section in the new EAC:

1. Rule creation wizard: This new wizard experience will be used to create new rules.
The wizard walks you through configuration of all your rule conditions and settings
with a step-by-step approach to help avoid misconfiguring the rules.
2. Rules will be disabled upon creation: If you want the rule to be turned on, enable
it from the Details panel by selecting and enabling the rule.
3. The status of the Stop rule processing setting is displayed on the landing page.
Use this setting to avoid applying more rules once this rule (the created rule)
processes a message. The display of this setting on the landing page enables you
to know when this setting is turned on for a rule as this setting can affect more
rules from processing.

Use the new Rule Creation wizard to create a mail flow rule

The new EAC allows you to create mail flow rules by using a template, copying an
existing rule, or from scratch.

1. Go to Mail flow > Rules.

2. Create the rule by using one of the following options:

From a template: Select Add + and select a template.


Copying a rule: Select the rule and then select Duplicate.
From scratch: Select Add + and then select Create a new rule, and use the
Rule Creation wizard.

3. In the Rule Creation wizard, enter a name for the new rule in the Name dialog box,
and then select the conditions and actions for this rule.

From the See the rule if dropdown list (in which you'll see all the possible
conditions you can set for your rule), select the condition you want.

Note

In the new Rule Creation wizard, conditions are constructed in the same
way as the "More options" conditions in the classic EAC.

Most conditions will require you to make a selection using both the side-
by-side dropdown lists. Select the rule condition subject from the first
dropdown list and you'll be able to see all your possible rule options in the
second dropdown list. For example, if you select The sender is... from the
first dropdown list, then you'll have a list of options in the second
dropdown list from which you select one to complete the condition, as
shown in the preceding screenshot. Furthermore, some conditions will
require you to specify values. For example, if you select the The sender is
this person... condition, you'll need to select a recipient in your
organization.
If you don't want to specify a condition and want this rule to apply to
every message in your organization, select the Apply to all messages
condition.
As you configure your conditions, the description below the dropdown
lists will update as well.
From the Do the following dropdown list, select the action you want the rule
to take on messages matching the criteria.
Most of the actions follow the same structure as the conditions. There are
two dropdown lists, so you can select from the variety of actions available.
Some of the actions will require you to specify values. For example, if you
select the Forward the message for approval to these people action,
you'll need to select a recipient in your organization.
To add more conditions, select + beside the dropdown lists. You can remove
any one of them by selecting the trash bin icon next to it.
To add more actions, select Add action. You can remove any one of them by
selecting the trash bin icon next to it.
From the Except if dropdown list, select the exceptions you want the rule to
apply. You can remove any exception from the rule by selecting the trash bin
icon next to it.

Note

Selecting exceptions isn't a requirement to create a rule. You can create a
rule without any exceptions configured.

4. After you're done configuring your rule conditions, select Next to configure your
rule settings.
Specify how the rule-match data for this rule is displayed in the Data Loss
Prevention (DLP) reports and the Mail protection reports.
Under Audit this rule with severity level, select a level to specify the
severity for this rule. The activity reports for mail flow rules group the rule-
matches by severity level. The severity level is just a filter to make the
reports easier to use. The severity level has no impact on the priority in
which the rule is processed.

Note

If you uncheck the Audit this rule with severity level checkbox, rule-
matches will not show up in the rule reports.

Set the mode for the rule. You can use one of the two test modes to test the
rule without impacting mail flow. In both test modes, when the conditions are
met, an entry is added to the message trace.
Enforce: This mode turns on the rule and it starts processing messages
immediately. All actions on the rule will be performed.
Test with Policy Tips: This mode turns on the rule, and any Policy Tip
actions (Notify the sender with a Policy Tip) will be sent, but no actions
related to message delivery will be performed. Data loss prevention (DLP)
is required to use this mode. For more information, see Policy Tips.
Test without Policy Tips: Only the "Generate incident report" action will be
enforced. No actions related to message delivery are performed.
If you want the rule to be processed only during a specific date range:
Select Activate this rule on the following date: and specify a date. The
rule will still be enabled prior to that date, but it won't be processed.
Similarly, you can have the rule stopped from being processed on a certain
date. To do so, select Deactivate this rule on the following date: and
specify a date. The rule will remain enabled, but it won't be processed.
You can choose to avoid applying more rules once this rule processes a
message. To do so, select Stop processing more rules. If you select this
option, and a message is processed by this rule, no subsequent rules are
processed for that message.
You can specify how the message should be handled if the rule processing
can't be completed. By default, the rule will be ignored, and the message will
be processed regularly, but you can choose to resubmit the message for
processing. To do so, check the Defer the message if rule processing doesn't
complete checkbox.
If your rule analyzes the sender's address, it only examines the message
headers by default. However, you can configure your rule to also examine
the SMTP message envelope. To specify what is to be examined, select one
of the following values for the Match sender address parameter in
message:
Header: Only the message headers will be examined.
Envelope: Only the SMTP message envelope will be examined.
Header or envelope: Both the message headers and SMTP message
envelope will be examined.
You can add comments to this rule in the Comments box.

5. Select Next if you're satisfied with the rule settings that have been configured.

For the final step of the rule creation process, look over the description to see
all the conditions, actions, exceptions, and settings that you've configured for
the rule.
Once you're satisfied with all your selections, select Finish.

All rules will be defaulted to Off upon creation. If you wish to enable your rule, then
select the rule from the mail flow rules landing page and turn on your rule from the
Details panel.
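The same "Properties of this rule" settings can be set from Exchange Online PowerShell. The following is an added example, not code from the article or from Microsoft: it creates a rule that uses the activation and expiry dates, the stop-processing and defer settings, the sender address location and a comment, checks what was stored, and then enables the rule (rules are created Off). The rule name, dates, disclaimer text and ticket reference are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): a rule created with the settings from
# the "Properties of this rule" step. Assumes Connect-ExchangeOnline was run.
$params = @{
    Name                  = 'Contoso external disclaimer'     # placeholder name
    FromScope             = 'NotInOrganization'               # condition: sender is external
    SenderAddressLocation = 'HeaderOrEnvelope'                # "Match sender address in message"
    ApplyHtmlDisclaimerText           = '<p>External message. Check links and attachments before acting on them.</p>'
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    StopRuleProcessing    = $true                             # "Stop processing more rules"
    RuleErrorAction       = 'Defer'                           # "Defer the message if rule processing doesn't complete"
    ActivationDate        = (Get-Date '2024-01-15')           # placeholder: "Activate this rule on the following date"
    ExpiryDate            = (Get-Date '2024-12-31')           # placeholder: "Deactivate this rule on the following date"
    Comments              = 'Change ticket: TICKET-ID-PLACEHOLDER; owner: messaging team'
    Mode                  = 'Audit'                           # observe first, switch to Enforce later
    Enabled               = $false                            # new rules default to Off anyway
}
New-TransportRule @params

# Confirm the stored settings, including the activation window and error action.
Get-TransportRule -Identity 'Contoso external disclaimer' |
    Format-List Name, State, Mode, ActivationDate, ExpiryDate, RuleErrorAction,
                StopRuleProcessing, SenderAddressLocation, Comments

# Equivalent of turning the rule on from the Details panel in the EAC.
Enable-TransportRule -Identity 'Contoso external disclaimer'
```

Before the activation date the rule shows as enabled (State is Enabled) but is not evaluated, which matches the behaviour described above; Mode set to Audit lets you watch the rule hit messages in message trace before it changes any mail.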
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Article • 05/31/2023

Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the
rule is applied to or not applied to. For example, if the rule adds a disclaimer to messages, you can configure
the rule to only apply to messages that contain specific words, messages sent by specific users, or to all
messages except those sent by the members of a specific distribution group. Collectively, the conditions and
exceptions in mail flow rules are also known as predicates, because for every condition, there's a
corresponding exception that uses the exact same settings and syntax. The only difference is conditions
specify messages to include, while exceptions specify messages to exclude.

Most conditions and exceptions have one property that requires one or more values. For example, the The
sender is condition requires the sender of the message. Some conditions have two properties. For example,
the A message header includes any of these words condition requires one property to specify the message
header field, and a second property to specify the text to look for in the header field. Some conditions or
exceptions don't have any properties. For example, the Any attachment has executable content condition
simply looks for attachments in messages that have executable content.

For more information about mail flow rules in Exchange Online, including how multiple
conditions/exceptions or multi-valued conditions/exceptions are handled, see Mail flow rules (transport
rules) in Exchange Online.

Conditions and exceptions for mail flow rules in Exchange Online
The tables in the following sections describe the conditions and exceptions that are available in mail flow
rules in Exchange Online. The property types are described in the Property types section.

Senders

Recipients

Message subject or body

Attachments

Any recipients

Message sensitive information types, To and Cc values, size, and character sets

Sender and recipient

Message properties

Message headers

Notes:

After you select a condition or exception in the Exchange admin center (EAC), the value that's
ultimately shown in the Apply this rule if or Except if field is often different (shorter) than the click
path value you selected. Also, when you create new rules based on a template (a filtered list of
scenarios), you can often select a short condition name instead of following the complete click path.
The short names and full click path values are shown in the EAC column in the tables.

If you select [Apply to all messages] in the EAC, you can't specify any other conditions. The equivalent
in PowerShell is to create a rule without specifying any condition parameters.

The settings and properties are the same in conditions and exceptions, so the output of the
Get-TransportRulePredicate cmdlet doesn't list exceptions separately. Also, the names of some of the
predicates that are returned by this cmdlet are different than the corresponding parameter names, and
a predicate might require multiple parameters.

Senders
For conditions and exceptions that examine the sender's address, you can specify where the rule looks for the
sender's address.

In the EAC, in the Properties of this rule section, click Match sender address in message. Note that you
might need to click More options to see this setting. In PowerShell, the parameter is SenderAddressLocation.
The available values are:

Header: Only examine senders in the message headers (From field). This is the default value.

Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in
the SMTP transmission, which is typically stored in the Return-Path field). Note that message envelope
searching is only available for the following conditions (and the corresponding exceptions):
The sender is (From)
The sender is a member of (FromMemberOf)
The sender address includes (FromAddressContainsWords)
The sender address matches (FromAddressMatchesPatterns)
The sender's domain is (SenderDomainIs)

Header or envelope (HeaderOrEnvelope): Examine senders in both the message header and the message
envelope.

Note

In the automatic-forwarding scenario, the sender address for forwarded mail is the original sender and
not the forwarder. To learn more, see A transport rule doesn't match if user mailbox rules
automatically forward messages.

In the Auto-Reply scenario, the sender is determined by the SenderAddressLocation value:

If you set Header, the sender is the user who generated the Auto-Reply message.
If you set Envelope, the sender is the user who sent the original message.

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

The sender is
  EAC click path: The sender > is this person
  PowerShell parameters: From, ExceptIfFrom
  Property type: Addresses
  Description: Messages that are sent by the specified mailboxes, mail users, mail contacts, or Microsoft 365
  groups in the organization. For more information about using Microsoft 365 groups with this condition, see
  the Addresses entry in the Property types section.

The sender is located
  EAC click path: The sender > is external/internal
  PowerShell parameters: FromScope, ExceptIfFromScope
  Property type: UserScopeFrom
  Description: Messages that are sent by either internal senders or external senders.

The sender is a member of
  EAC click path: The sender > is a member of this group
  PowerShell parameters: FromMemberOf, ExceptIfFromMemberOf
  Property type: Addresses
  Description: Messages that are sent by a member of the specified distribution group, mail-enabled security
  group, or Microsoft 365 group. For more information about using Microsoft 365 groups with this condition,
  see the Addresses entry in the Property types section.

The sender address includes
  EAC click path: The sender > address includes any of these words
  PowerShell parameters: FromAddressContainsWords, ExceptIfFromAddressContainsWords
  Property type: Words
  Description: Messages that contain the specified words in the sender's email address.

The sender address matches
  EAC click path: The sender > address matches any of these text patterns
  PowerShell parameters: FromAddressMatchesPatterns, ExceptIfFromAddressMatchesPatterns
  Property type: Patterns
  Description: Messages where the sender's email address contains text patterns that match the specified
  regular expressions. For more information about regular expressions, see Regular expressions to be used in
  transport rules.

The sender is on a recipient's list
  EAC click path: The sender > is on a recipient's supervision list
  PowerShell parameters: SenderInRecipientList, ExceptIfSenderInRecipientList
  Property type: SupervisionList
  Description: Messages where the sender is on the recipient's Allow list or Block list.

The sender's specified properties include any of these words
  EAC click path: The sender > has specific properties including any of these words
  PowerShell parameters: SenderADAttributeContainsWords, ExceptIfSenderADAttributeContainsWords
  Property type: First property: ADAttribute; Second property: Words
  Description: Messages where the specified Active Directory attribute of the sender contains any of the
  specified words. Note that the Country attribute requires the two-letter country code value (for example,
  DE for Germany).

The sender's specified properties match these text patterns
  EAC click path: The sender > has specific properties matching these text patterns
  PowerShell parameters: SenderADAttributeMatchesPatterns, ExceptIfSenderADAttributeMatchesPatterns
  Property type: First property: ADAttribute; Second property: Patterns
  Description: Messages where the specified Active Directory attribute of the sender contains text patterns
  that match the specified regular expressions.

The sender has overridden the Policy Tip
  EAC click path: The sender > has overridden the Policy Tip
  PowerShell parameters: HasSenderOverride, ExceptIfHasSenderOverride
  Property type: n/a
  Description: Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more
  information about DLP policies, see Data loss prevention.
  Note: This condition/exception isn't available in standalone Exchange Online Protection (EOP) environments.

Sender's IP address is in the range
  EAC click path: The sender > IP address is in any of these ranges or exactly matches
  PowerShell parameters: SenderIPRanges, ExceptIfSenderIPRanges
  Property type: IPAddressRanges
  Description: Messages where the sender's IP address matches the specified IP address, or falls within the
  specified IP address range. The IP address that's used during evaluation of this condition is the address
  of the last hop before reaching the service. This IP address is not guaranteed to be the original sender's
  IP address, especially if third-party software is used during message transport.

The sender's domain is
  EAC click path: The sender > domain is
  PowerShell parameters: SenderDomainIs, ExceptIfSenderDomainIs
  Property type: DomainName
  Description: Messages where the domain of the sender's email address matches the specified value. This
  predicate will match the provided domain as well as its subdomains. For example, for the value
  "domain.com", both the domain "domain.com" and the subdomain "subdomain.domain.com" will be matched.
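The following is an added example, not code from the article or from Microsoft, showing how several sender predicates from this table combine in one rule: a condition on the sender's domain and scope, the sender address location setting, and exceptions on the last-hop IP range and group membership. The domain, IP range, group address and header name are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): sender predicates combined in one rule.
# Conditions are ANDed with each other; exceptions remove matches.
$params = @{
    Name                   = 'Tag unverified senders claiming contoso.com'   # placeholder
    # Condition: sender domain is contoso.com (subdomains match too) ...
    SenderDomainIs         = 'contoso.com'                                   # placeholder domain
    # ... but the message arrived from outside the organization.
    FromScope              = 'NotInOrganization'
    # Evaluate both the From: header and the SMTP MAIL FROM (Return-Path).
    SenderAddressLocation  = 'HeaderOrEnvelope'
    # Exception: mail relayed from the on-premises gateway range (placeholder).
    # This is the last-hop IP, not necessarily the original sender's address.
    ExceptIfSenderIPRanges = '203.0.113.1-203.0.113.254'
    # Exception: members of an approved relay group (placeholder group).
    ExceptIfFromMemberOf   = 'approved-relays@contoso.com'
    # Actions: mark the message rather than drop it, so the result is visible.
    PrependSubject         = '[Unverified sender] '
    SetHeaderName          = 'X-Contoso-Sender-Check'                        # placeholder header
    SetHeaderValue         = 'unverified-internal-domain'
    Mode                   = 'Audit'
    Enabled                = $false
}
New-TransportRule @params

# Predicate names reported by Get-TransportRulePredicate don't always equal the
# parameter names used above, and exceptions aren't listed separately.
Get-TransportRulePredicate |
    Where-Object { $_.Name -like '*Sender*' -or $_.Name -like '*From*' } |
    Format-Table Name
```

Because SenderAddressLocation is HeaderOrEnvelope, a message whose From header says contoso.com but whose MAIL FROM is a different domain still satisfies the SenderDomainIs condition, which is the case this rule is meant to surface.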

Recipients
For conditions and exceptions that examine the recipient's address, you can specify where the rule looks for the
recipient's address by using the RecipientAddressType parameter in PowerShell. Valid values are:

Original: Only examine the recipient's primary SMTP email address.

Resolved: Examine the recipient's primary SMTP email address and all proxy addresses. This is the
default value.

Note

If a mail flow rule is configured to check for a recipient that is a distribution group, the rule will not
match. When a message is sent to a distribution group, the group is expanded to its individual members
before the message reaches mail flow rules, so the rule instead checks every member of the group.

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

The recipient is
  EAC click path: The recipient > is this person
  PowerShell parameters: SentTo, ExceptIfSentTo
  Property type: Addresses
  Description: Messages where one of the recipients is the specified mailbox, mail user, or mail contact in
  the organization. The recipients can be in the To, Cc, or Bcc fields of the message.
  Note: You can't specify distribution groups, mail-enabled security groups, or Microsoft 365 groups. If you
  need to take action on messages that are sent to a group, use the To box contains (AnyOfToHeader)
  condition instead.

The recipient is located
  EAC click path: The recipient > is external/internal
  PowerShell parameters: SentToScope, ExceptIfSentToScope
  Property type: UserScopeTo
  Description: Messages that are sent to internal or external recipients.

The recipient is a member of
  EAC click path: The recipient > is a member of this group
  PowerShell parameters: SentToMemberOf, ExceptIfSentToMemberOf
  Property type: Addresses
  Description: Messages that contain recipients who are members of the specified distribution group,
  mail-enabled security group, or Microsoft 365 group. The group can be in the To, Cc, or Bcc fields of the
  message. For more information about using Microsoft 365 groups with this condition, see the Addresses
  entry in the Property types section.

The recipient address includes
  EAC click path: The recipient > address includes any of these words
  PowerShell parameters: RecipientAddressContainsWords, ExceptIfRecipientAddressContainsWords
  Property type: Words
  Description: Messages that contain the specified words in the recipient's email address.
  Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches
  messages that are sent to the recipient's primary email address.

The recipient address matches
  EAC click path: The recipient > address matches any of these text patterns
  PowerShell parameters: RecipientAddressMatchesPatterns, ExceptIfRecipientAddressMatchesPatterns
  Property type: Patterns
  Description: Messages where a recipient's email address contains text patterns that match the specified
  regular expressions.
  Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches
  messages that are sent to the recipient's primary email address.

The recipient is on the sender's list
  EAC click path: The recipient > is on the sender's supervision list
  PowerShell parameters: RecipientInSenderList, ExceptIfRecipientInSenderList
  Property type: SupervisionList
  Description: Messages where the recipient is on the sender's Allow list or Block list.

The recipient's specified properties include any of these words
  EAC click path: The recipient > has specific properties including any of these words
  PowerShell parameters: RecipientADAttributeContainsWords, ExceptIfRecipientADAttributeContainsWords
  Property type: First property: ADAttribute; Second property: Words
  Description: Messages where the specified Active Directory attribute of a recipient contains any of the
  specified words. Note that the Country attribute requires the two-letter country code value (for example,
  DE for Germany).

The recipient's specified properties match these text patterns
  EAC click path: The recipient > has specific properties matching these text patterns
  PowerShell parameters: RecipientADAttributeMatchesPatterns, ExceptIfRecipientADAttributeMatchesPatterns
  Property type: First property: ADAttribute; Second property: Patterns
  Description: Messages where the specified Active Directory attribute of a recipient contains text patterns
  that match the specified regular expressions.

A recipient's domain is
  EAC click path: The recipient > domain is
  PowerShell parameters: RecipientDomainIs, ExceptIfRecipientDomainIs
  Property type: DomainName
  Description: Messages where the domain of a recipient's email address matches the specified value. This
  predicate will match the provided domain as well as its subdomains. For example, for the value
  "domain.com", both the domain "domain.com" and the subdomain "subdomain.domain.com" will be matched.

Message subject or body

Note

The search for words or text patterns in the subject or other header fields in the message occurs after
the message has been decoded from the MIME content transfer encoding method that was used to
transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions
to search for the raw (typically, Base64) encoded values of the subject or other header fields in
messages.

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

The subject or body includes
  EAC click path: The subject or body > subject or body includes any of these words
  PowerShell parameters: SubjectOrBodyContainsWords, ExceptIfSubjectOrBodyContainsWords
  Property type: Words
  Description: Messages that have the specified words in the Subject field or message body.

The subject or body matches
  EAC click path: The subject or body > subject or body matches these text patterns
  PowerShell parameters: SubjectOrBodyMatchesPatterns, ExceptIfSubjectOrBodyMatchesPatterns
  Property type: Patterns
  Description: Messages where the Subject field or message body contain text patterns that match the
  specified regular expressions.

The subject includes
  EAC click path: The subject or body > subject includes any of these words
  PowerShell parameters: SubjectContainsWords, ExceptIfSubjectContainsWords
  Property type: Words
  Description: Messages that have the specified words in the Subject field.

The subject matches
  EAC click path: The subject or body > subject matches these text patterns
  PowerShell parameters: SubjectMatchesPatterns, ExceptIfSubjectMatchesPatterns
  Property type: Patterns
  Description: Messages where the Subject field contains text patterns that match the specified regular
  expressions.

Attachments
For more information about how mail flow rules inspect message attachments, see Use mail flow rules to
inspect message attachments in Exchange Online.

Tip
If you suspect that your rule is not working properly, first check which attachments the message
contains. To inspect which attachment(s) the message contained during mail flow rule evaluation, see
Test-TextExtraction.

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

Any attachment's content includes
  EAC click path: Any attachment > content includes any of these words
  PowerShell parameters: AttachmentContainsWords, ExceptIfAttachmentContainsWords
  Property type: Words
  Description: Messages where an attachment contains the specified words.

Any attachment's content matches
  EAC click path: Any attachment > content matches these text patterns
  PowerShell parameters: AttachmentMatchesPatterns, ExceptIfAttachmentMatchesPatterns
  Property type: Patterns
  Description: Messages where an attachment contains text patterns that match the specified regular
  expressions.
  Note: Only the first 150 kilobytes (KB) of the attachments are scanned.

Any attachment's content can't be inspected
  EAC click path: Any attachment > content can't be inspected
  PowerShell parameters: AttachmentIsUnsupported, ExceptIfAttachmentIsUnsupported
  Property type: n/a
  Description: Mail flow rules can only inspect the content of supported file types. If the mail flow rule
  finds an attachment file type that isn't supported, the AttachmentIsUnsupported condition is triggered.
  Supported file types for an attachment are listed in Use mail flow rules to inspect message attachments in
  Exchange Online.

Any attachment's file name matches
  EAC click path: Any attachment > file name matches these text patterns
  PowerShell parameters: AttachmentNameMatchesPatterns, ExceptIfAttachmentNameMatchesPatterns
  Property type: Patterns
  Description: Messages where an attachment's file name contains text patterns that match the specified
  regular expressions.

Any attachment's file extension matches
  EAC click path: Any attachment > file extension includes these words
  PowerShell parameters: AttachmentExtensionMatchesWords, ExceptIfAttachmentExtensionMatchesWords
  Property type: Words
  Description: Messages where an attachment's file extension matches any of the specified words.

Any attachment is greater than or equal to
  EAC click path: Any attachment > size is greater than or equal to
  PowerShell parameters: AttachmentSizeOver, ExceptIfAttachmentSizeOver
  Property type: Size
  Description: Messages where any attachment is greater than or equal to the specified value. In the EAC, you
  can only specify the size in kilobytes (KB).

The message didn't complete scanning
  EAC click path: Any attachment > didn't complete scanning
  PowerShell parameters: AttachmentProcessingLimitExceeded, ExceptIfAttachmentProcessingLimitExceeded
  Property type: n/a
  Description: Messages where the rules engine couldn't complete the scanning of the attachments. You can use
  this condition to create rules that work together to identify and process messages where the content
  couldn't be fully scanned.

Any attachment has executable content
  EAC click path: Any attachment > has executable content
  PowerShell parameters: AttachmentHasExecutableContent, ExceptIfAttachmentHasExecutableContent
  Property type: n/a
  Description: Messages where an attachment is an executable file. The system inspects the file's properties
  rather than relying on the file's extension. To better understand this condition/exception, see Use mail
  flow rules to inspect message attachments in Exchange Online.

Any attachment is password protected
  EAC click path: Any attachment > is password protected
  PowerShell parameters: AttachmentIsPasswordProtected, ExceptIfAttachmentIsPasswordProtected
  Property type: n/a
  Description: Messages where an attachment is password protected (and therefore can't be scanned). Password
  detection works for Office documents, archive documents (.zip, .7z) and .pdf files.

Any attachment has these properties, including any of these words
  EAC click path: Any attachment > has these properties, including any of these words
  PowerShell parameters: AttachmentPropertyContainsWords, ExceptIfAttachmentPropertyContainsWords
  Property type: First property: DocumentProperties; Second property: Words
  Description: Messages where the specified property of an attached Office document contains the specified
  words. This condition helps you integrate mail flow rules with SharePoint, File Classification
  Infrastructure (FCI) in Windows Server 2012 R2 or later, or a third-party classification system. You can
  select from a list of built-in properties, or specify a custom property.
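The following is an added example, not code from the article or from Microsoft, of the "rules that work together" idea in the table: one rule rejects attachments whose file properties show executable content, three sibling rules stamp messages whose attachments could not be fully inspected (unsupported type, password protected, processing limit exceeded) so that recipients and later rules can see it, and Test-TextExtraction from the tip above is run on a local file to see what the rules engine would extract. Rule names, the header name and the file path are placeholders; an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): attachment predicates used together.

# 1. Reject executable attachments from outside the organization. The predicate
#    inspects file properties, so renaming payload.exe to payload.txt doesn't help.
New-TransportRule -Name 'Reject executable attachments' `
    -AttachmentHasExecutableContent $true `
    -ExceptIfFromScope 'InOrganization' `
    -RejectMessageReasonText 'Executable attachments are not accepted from outside the organization.' `
    -Enabled $false

# 2. Mark messages whose attachments could not be fully inspected. Conditions in a
#    single rule are ANDed, so each "couldn't scan" case gets its own rule to get
#    OR semantics; all three set the same header so downstream rules can key on it.
$cases = @(
    @{ Name = 'Flag unsupported attachment types';   Predicate = 'AttachmentIsUnsupported' },
    @{ Name = 'Flag password-protected attachments'; Predicate = 'AttachmentIsPasswordProtected' },
    @{ Name = 'Flag incomplete attachment scans';    Predicate = 'AttachmentProcessingLimitExceeded' }
)
foreach ($case in $cases) {
    $params = @{
        Name           = $case.Name
        SetHeaderName  = 'X-Contoso-Attachment-Scan'      # placeholder header
        SetHeaderValue = 'incomplete'
        PrependSubject = '[Attachment not scanned] '
        Enabled        = $false
    }
    $params[$case.Predicate] = $true                     # e.g. -AttachmentIsUnsupported $true
    New-TransportRule @params
}

# 3. See what the rules engine can extract from a file before blaming the rule.
#    Test-TextExtraction takes the raw file bytes; the path is a placeholder.
$bytes = [System.IO.File]::ReadAllBytes('C:\temp\sample.docx')
Test-TextExtraction -FileData $bytes | Format-List
```

If the extracted text for a document is empty or is only the first part of the content, the content-matching predicates (AttachmentContainsWords, AttachmentMatchesPatterns) have nothing to match against, which is usually the explanation for a rule that "doesn't fire"; the 150 KB scanning limit noted in the table is the other common cause.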

Any recipients
The conditions and exceptions in this section provide a unique capability that affects all recipients when the
message contains at least one of the specified recipients. For example, let's say you have a rule that rejects
messages. If you use a recipient condition from the Recipients section, the message is only rejected for the
specified recipients: if the rule finds the specified recipient in a message that also contains five other
recipients, the message is rejected for that one recipient and is delivered to the five other recipients.

If you add a recipient condition from this section, that same message is rejected for the detected recipient
and the five other recipients.

Conversely, a recipient exception from this section prevents the rule action from being applied to all
recipients of the message, not just to the detected recipients.

Note

These conditions don't consider messages that are sent to recipient proxy addresses. They only match
messages that are sent to the recipient's primary email address.

These conditions are applied to all recipients in the current fork of the message only. If the message
was bifurcated by any other action (for example, anti-malware or an earlier mail flow rule), the action will
be applied on the matching fork only.

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

Any recipient address includes
  EAC click path: Any recipient > address includes any of these words
  PowerShell parameters: AnyOfRecipientAddressContainsWords, ExceptIfAnyOfRecipientAddressContainsWords
  Property type: Words
  Description: Messages that contain the specified words in the To, Cc, or Bcc fields of the message.

Any recipient address matches
  EAC click path: Any recipient > address matches any of these text patterns
  PowerShell parameters: AnyOfRecipientAddressMatchesPatterns, ExceptIfAnyOfRecipientAddressMatchesPatterns
  Property type: Patterns
  Description: Messages where the To, Cc, or Bcc fields contain text patterns that match the specified
  regular expressions.
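The difference between the Recipients section and the Any recipients section above is easiest to see with two rules that look alike but use the two predicate families. The following is an added example, not code from the article or from Microsoft; the mailbox address, rule names and reject text are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): per-recipient versus whole-message matching.

# Rule 1: "Recipients" family (SentTo). If an external message is addressed to
# legal-hold@contoso.com plus five other people, only legal-hold's copy is
# rejected; the other five recipients still receive the message.
New-TransportRule -Name 'Block external mail to legal-hold (per-recipient)' `
    -SentTo 'legal-hold@contoso.com' `
    -FromScope 'NotInOrganization' `
    -RejectMessageReasonText 'External mail to this mailbox is not accepted.' `
    -Enabled $false

# Rule 2: "Any recipients" family (AnyOfRecipientAddressContainsWords). The same
# message is rejected for legal-hold AND for the five other recipients, because
# the action applies to every recipient in the current fork of the message.
New-TransportRule -Name 'Block external mail to legal-hold (whole message)' `
    -AnyOfRecipientAddressContainsWords 'legal-hold@contoso.com' `
    -FromScope 'NotInOrganization' `
    -RejectMessageReasonText 'External mail to this mailbox is not accepted.' `
    -Enabled $false

# For the Recipients family, RecipientAddressType decides whether proxy addresses
# count: Original = primary SMTP address only, Resolved (default) = primary plus
# proxy addresses. The Any recipients family only ever matches the primary address.
Set-TransportRule -Identity 'Block external mail to legal-hold (per-recipient)' `
    -RecipientAddressType 'Original'

# Compare how the two conditions are stored.
Get-TransportRule -Identity 'Block external mail to legal-hold*' |
    Format-List Name, SentTo, AnyOfRecipientAddressContainsWords, RecipientAddressType
```

Pick the Recipients family when the policy is about a specific mailbox (only that copy should be affected), and the Any recipients family when one matching recipient should decide the fate of the whole message, as with a data-handling rule that must not let partial copies through.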
Message sensitive information types, To and Cc values, size, and character sets
The conditions in this section that look for values in the To and Cc fields behave like the conditions in the
Any recipients section (all recipients of the message are affected by the rule, not just the detected
recipients).

Notes:

The recipient conditions in this section do not consider messages that are sent to recipient proxy
addresses. They only match messages that are sent to the recipient's primary email address.
For more information about using Microsoft 365 groups with the recipient conditions in this section,
see the Addresses entry in the Property types section.

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

The message contains sensitive information
  EAC click path: The message > contains any of these types of sensitive information
  PowerShell parameters: MessageContainsDataClassifications, ExceptIfMessageContainsDataClassifications
  Property type: SensitiveInformationTypes
  Description: Messages that contain sensitive information as defined by data loss prevention (DLP) policies.
  This condition is required for rules that use the Notify the sender with a Policy Tip (NotifySender) action.
  Note: This condition/exception isn't available in standalone EOP environments.

The To box contains
  EAC click path: The message > To box contains this person
  PowerShell parameters: AnyOfToHeader, ExceptIfAnyOfToHeader
  Property type: Addresses
  Description: Messages where the To field includes any of the specified recipients.

The To box contains a member of
  EAC click path: The message > To box contains a member of this group
  PowerShell parameters: AnyOfToHeaderMemberOf, ExceptIfAnyOfToHeaderMemberOf
  Property type: Addresses
  Description: Messages where the To field contains a recipient who is a member of the specified distribution
  group, mail-enabled security group, or Microsoft 365 group.

The Cc box contains
  EAC click path: The message > Cc box contains this person
  PowerShell parameters: AnyOfCcHeader, ExceptIfAnyOfCcHeader
  Property type: Addresses
  Description: Messages where the Cc field includes any of the specified recipients.

The Cc box contains a member of
  EAC click path: The message > contains a member of this group
  PowerShell parameters: AnyOfCcHeaderMemberOf, ExceptIfAnyOfCcHeaderMemberOf
  Property type: Addresses
  Description: Messages where the Cc field contains a recipient who is a member of the specified distribution
  group or mail-enabled security group.

The To or Cc box contains
  EAC click path: The message > To or Cc box contains this person
  PowerShell parameters: AnyOfToCcHeader, ExceptIfAnyOfToCcHeader
  Property type: Addresses
  Description: Messages where the To or Cc fields contain any of the specified recipients.

The To or Cc box contains a member of
  EAC click path: The message > To or Cc box contains a member of this group
  PowerShell parameters: AnyOfToCcHeaderMemberOf, ExceptIfAnyOfToCcHeaderMemberOf
  Property type: Addresses
  Description: Messages where the To or Cc fields contain a recipient who is a member of the specified
  distribution group or mail-enabled security group.

The message size is greater than or equal to
  EAC click path: The message > size is greater than or equal to
  PowerShell parameters: MessageSizeOver, ExceptIfMessageSizeOver
  Property type: Size
  Description: Messages where the total size (message plus attachments) is greater than or equal to the
  specified value. In the EAC, you can only specify the size in kilobytes (KB).
  Note: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for
  a mailbox will be rejected before a rule with this condition is able to act on the message.

The message character set name includes any of these words
  EAC click path: The message > character set name includes any of these words
  PowerShell parameters: ContentCharacterSetContainsWords, ExceptIfContentCharacterSetContainsWords
  Property type: CharacterSets
  Description: Messages that have any of the specified character set names.
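The sensitive-information predicate is the one the table says is required by the Notify the sender with a Policy Tip action. The following is an added example, not code from the article or from Microsoft, of such a rule together with a message-size condition and a companion rule that audits Policy Tip overrides with the HasSenderOverride predicate from the Senders section. Rule names, the review mailbox and the reject text are placeholders; the sensitive information type name must exist in your tenant, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): sensitive information type + Policy Tip.

# Rule 1: outbound messages containing at least one credit card number are
# blocked unless the sender explicitly overrides the Policy Tip with a reason.
$dlpParams = @{
    Name                               = 'Block unencrypted card numbers leaving the org'
    # Hashtable form: type name plus minimum match count.
    MessageContainsDataClassifications = @{ Name = 'Credit Card Number'; minCount = '1' }
    SentToScope                        = 'NotInOrganization'
    ExceptIfMessageTypeMatches         = 'Encrypted'      # already protected; let it through
    NotifySender                       = 'RejectUnlessExplicitOverride'
    RejectMessageReasonText            = 'Card numbers must be sent through the secure portal.'
    Enabled                            = $false
}
New-TransportRule @dlpParams

# Rule 2: anything the sender pushed through with an override is copied to a
# review mailbox (placeholder), so overrides are visible rather than silent.
New-TransportRule -Name 'Audit DLP Policy Tip overrides' `
    -HasSenderOverride $true `
    -BlindCopyTo 'dlp-review@contoso.com' `
    -Enabled $false

# Rule 3: size predicate. Note the table's caveat: mailbox size limits are
# checked first, so a message over the mailbox limit never reaches this rule.
New-TransportRule -Name 'Route very large outbound messages for review' `
    -MessageSizeOver 25MB `
    -SentToScope 'NotInOrganization' `
    -BlindCopyTo 'dlp-review@contoso.com' `
    -Enabled $false

# Rule 1 must exist before rule 2 is useful: HasSenderOverride only matches when a
# NotifySender rule offered the override in the first place.
Get-TransportRule -Identity 'Audit DLP Policy Tip overrides', 'Block unencrypted card numbers leaving the org' |
    Format-List Name, MessageContainsDataClassifications, NotifySender, HasSenderOverride, Priority
```

RejectUnlessExplicitOverride is the strictest of the override modes that still allow a business justification; use RejectMessage when no override should be possible, and NotifyOnly while the rule is being tuned.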

Sender and recipient

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

The sender is one of the recipient's
  EAC click path: The sender and the recipient > the sender's relationship to a recipient is
  PowerShell parameters: SenderManagementRelationship, ExceptIfSenderManagementRelationship
  Property type: ManagementRelationship
  Description: Messages where either the sender is the manager of a recipient, or the sender is managed by a
  recipient.

The message is between members of these groups
  EAC click path: The sender and the recipient > the message is between members of these groups
  PowerShell parameters: BetweenMemberOf1 and BetweenMemberOf2; ExceptIfBetweenMemberOf1 and
  ExceptIfBetweenMemberOf2
  Property type: Addresses
  Description: Messages that are sent between members of the specified distribution groups or mail-enabled
  security groups. For more information about using Microsoft 365 groups with this condition, see the
  Addresses entry in the Property types section.

The manager of the sender or recipient is
  EAC click path: The sender and the recipient > the manager of the sender or recipient is this person
  PowerShell parameters: ManagerForEvaluatedUser and ManagerAddress; ExceptIfManagerForEvaluatedUser and
  ExceptIfManagerAddress
  Property type: First property: EvaluatedUser; Second property: Addresses
  Description: Messages where either a specified user is the manager of the sender, or a specified user is
  the manager of a recipient.

The sender's and any recipient's property compares as
  EAC click path: The sender and the recipient > the sender and recipient property compares as
  PowerShell parameters: ADAttributeComparisonAttribute and ADComparisonOperator;
  ExceptIfADAttributeComparisonAttribute and ExceptIfADComparisonOperator
  Property type: First property: ADAttribute; Second property: Evaluation
  Description: Messages where the specified Active Directory attribute for the sender and recipient either
  match or don't match.

Message properties

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

The message type is
  EAC click path: The message properties > include the message type
  PowerShell parameters: MessageTypeMatches, ExceptIfMessageTypeMatches
  Property type: MessageType
  Description: Messages of the specified type.
  Note: When Outlook or Outlook on the web (formerly known as Outlook Web App) is configured to forward a
  message, the ForwardingSmtpAddress property is added to the message. In thin clients like Outlook on the
  web, encryption as a message type is currently not supported. If the message has been forwarded using
  mailbox forwarding (also known as SMTP Forwarding), this condition/exception will not match during mail
  flow rule evaluation.

The message is classified as
  EAC click path: The message properties > include this classification
  PowerShell parameters: HasClassification, ExceptIfHasClassification
  Property type: MessageClassification
  Description: Messages that have the specified message classification. This is a custom message
  classification that you can create in your organization by using the New-MessageClassification cmdlet.
  Note: This condition/exception isn't available in standalone EOP environments.

The message isn't marked with any classifications
  EAC click path: The message properties > don't include any classification
  PowerShell parameters: HasNoClassification, ExceptIfHasNoClassification
  Property type: n/a
  Description: Messages that don't have a message classification.
  Note: This condition/exception isn't available in standalone EOP environments.

The message importance is set to
  EAC click path: The message properties > include the importance level
  PowerShell parameters: WithImportance, ExceptIfWithImportance
  Property type: Importance
  Description: Messages that are marked with the specified Importance level.

Message headers

Note

The search for words or text patterns in the subject or other header fields in the message occurs after
the message has been decoded from the MIME content transfer encoding method that was used to
transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions
to search for the raw (typically, Base64) encoded values of the subject or other header fields in
messages.

Each entry below lists the condition or exception as it appears in the EAC (the short name, then the full
click path), the condition and exception parameters in Exchange Online PowerShell, the property type, and a
description.

A message header includes
  EAC click path: A message header > includes any of these words
  PowerShell parameters: HeaderContainsMessageHeader and HeaderContainsWords;
  ExceptIfHeaderContainsMessageHeader and ExceptIfHeaderContainsWords
  Property type: First property: MessageHeaderField; Second property: Words
  Description: Messages that contain the specified header field, and the value of that header field contains
  the specified words. The name of the header field and the value of the header field are always used
  together.

A message header matches
  EAC click path: A message header > matches these text patterns
  PowerShell parameters: HeaderMatchesMessageHeader and HeaderMatchesPatterns;
  ExceptIfHeaderMatchesMessageHeader and ExceptIfHeaderMatchesPatterns
  Property type: First property: MessageHeaderField; Second property: Patterns
  Description: Messages that contain the specified header field, and the value of that header field contains
  the specified regular expressions. The name of the header field and the value of the header field are
  always used together.
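Both header predicates take the header name and the words or patterns as a pair, as the table notes. The following is an added example, not code from the article or from Microsoft: a rule that reads the Authentication-Results header (the header name is real; the value pattern, rule name, own domain and review mailbox are placeholders) and marks messages that claim the organization's own domain but failed DMARC, plus the exception form of the word-based predicate. An existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): header name + pattern used as a pair.
$params = @{
    Name                       = 'Flag DMARC failures claiming our domain'   # placeholder
    # First property: the header field; second property: the regular expression
    # that must match its (already MIME-decoded) value.
    HeaderMatchesMessageHeader = 'Authentication-Results'
    HeaderMatchesPatterns      = 'dmarc=fail'
    # DMARC aligns on the From: header, so check the header, not the envelope.
    SenderDomainIs             = 'contoso.com'                                # placeholder domain
    SenderAddressLocation      = 'Header'
    ExceptIfFromScope          = 'InOrganization'
    # Actions: label, stamp, and copy for review rather than silently drop.
    PrependSubject             = '[DMARC fail] '
    SetHeaderName              = 'X-Contoso-Auth-Check'                       # placeholder header
    SetHeaderValue             = 'dmarc-fail'
    BlindCopyTo                = 'mail-review@contoso.com'                    # placeholder mailbox
    Mode                       = 'Audit'
    Enabled                    = $false
}
New-TransportRule @params

# The word-based predicate as an exception: skip messages a trusted upstream
# gateway (placeholder header and values) already stamped as clean.
Set-TransportRule -Identity 'Flag DMARC failures claiming our domain' `
    -ExceptIfHeaderContainsMessageHeader 'X-Gateway-Verdict' `
    -ExceptIfHeaderContainsWords 'clean', 'allowlisted'

# The header name and the value pattern are stored together; if either is
# missing the condition is incomplete.
Get-TransportRule -Identity 'Flag DMARC failures claiming our domain' |
    Format-List HeaderMatchesMessageHeader, HeaderMatchesPatterns,
                ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords
```

Because matching happens after MIME decoding, a pattern like dmarc=fail is written against the plain header text; there is no way to match the raw encoded form, as the note above says.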

Property types
The property types that are used in conditions and exceptions are described in the following table.

Note: If the property is a string, trailing spaces are not allowed.

Property type: ADAttribute
Valid values: Select from a predefined list of Active Directory attributes
Description: You can check against any of the following Active Directory attributes:
- City
- Company
- Country
- CustomAttribute1 - CustomAttribute15
- Department
- DisplayName
- Email
- FaxNumber
- FirstName
- HomePhoneNumber
- Initials
- LastName
- Manager
- MobileNumber
- Notes
- Office
- OtherFaxNumber
- OtherHomePhoneNumber
- OtherPhoneNumber
- PagerNumber
- PhoneNumber
- POBox
- State
- Street
- Title
- UserLogonName
- ZipCode

In the EAC, to specify multiple words or text patterns for the same attribute, separate the values with commas. For example, the value San Francisco,Palo Alto for the City attribute looks for "City equals San Francisco" or "City equals Palo Alto".

In Exchange Online PowerShell, use the syntax "AttributeName1:Value1,Value 2 with spaces,Value3...","AttributeName2:Word4,Value 5 with spaces,Value6...", where Value is the word or text pattern that you want to match. For example, "City:San Francisco,Palo Alto" or "City:San Francisco,Palo Alto","Department:Sales,Finance".

When you specify multiple attributes, or multiple values for the same attribute, the or operator is used. Don't use values with leading or trailing spaces.

Note that the Country attribute requires the two-letter ISO 3166-1 country code value (for example, DE for Germany). For more information, see Country Codes - ISO 3166.

Property type: Addresses
Valid values: Exchange Online recipients
Description: Depending on the nature of the condition or exception, you might be able to specify any mail-enabled object in the organization (for example, recipient-related conditions), or you might be limited to a specific object type (for example, groups for group membership conditions). And, the condition or exception might require one value, or allow multiple values. In Exchange Online PowerShell, separate multiple values by commas.

This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.

The recipient picker in the EAC doesn't allow you to select Microsoft 365 groups from the list of recipients. But, you can enter the email address of a Microsoft 365 group in the box next to Check names, and then validate the email address by clicking Check names, which will add the group to the add box.

Property type: CharacterSets
Valid values: Array of character set names
Description: One or more content character sets that exist in a message. For example:
- Arabic/iso-8859-6
- Chinese/big5
- Chinese/euc-cn
- Chinese/euc-tw
- Chinese/gb2312
- Chinese/iso-2022-cn
- Cyrillic/iso-8859-5
- Cyrillic/koi8-r
- Cyrillic/windows-1251
- Greek/iso-8859-7
- Hebrew/iso-8859-8
- Japanese/euc-jp
- Japanese/iso-022-jp
- Japanese/shift-jis
- Korean/euc-kr
- Korean/johab
- Korean/ks_c_5601-1987
- Turkish/windows-1254
- Turkish/iso-8859-9
- Vietnamese/tcvn

Property type: DomainName
Valid values: Array of SMTP domains
Description: For example, contoso.com or eu.contoso.com.

In Exchange Online PowerShell, you can specify multiple domains separated by commas.

Property type: EvaluatedUser
Valid values: Single value of Sender or Recipient
Description: Specifies whether the rule is looking for the manager of the sender or the manager of the recipient.

Property type: Evaluation
Valid values: Single value of Equal or Not equal (NotEqual)
Description: When comparing the Active Directory attribute of the sender and recipients, this specifies whether the values should match, or not match.

Property type: Importance
Valid values: Single value of Low, Normal, or High
Description: The Importance level that was assigned to the message by the sender in Outlook or Outlook on the web.

Property type: IPAddressRanges
Valid values: Array of IP addresses or address ranges
Description: You enter the IPv4 addresses using the following syntax:
- Single IP address: For example, 192.168.1.1.
- IP address range: For example, 192.168.0.1-192.168.0.254.
- Classless InterDomain Routing (CIDR) IP address range: For example, 192.168.0.1/25.

In Exchange Online PowerShell, you can specify multiple IP addresses or ranges separated by commas.

Property type: ManagementRelationship
Valid values: Single value of Manager or Direct report (DirectReport)
Description: Specifies the relationship between the sender and any of the recipients. The rule checks the Manager attribute in Active Directory to see if the sender is the manager of a recipient, or if the sender is managed by a recipient.

Property type: MessageClassification
Valid values: Single message classification
Description: In the EAC, you select from the list of message classifications that you've created.

In Exchange Online PowerShell, you use the Get-MessageClassification cmdlet to identify the message classification.

For example, use the following command to search for messages with the Company Internal classification and prepend the message subject with the value CompanyInternal: New-TransportRule "Rule Name" -HasClassification @(Get-MessageClassification "Company Internal").Identity -PrependSubject "CompanyInternal"

Property type: MessageHeaderField
Valid values: Single string
Description: Specifies the name of the header field. The name of the header field is always paired with the value in the header field (word or text pattern match). The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.

Property type: MessageType
Valid values: Single message type value
Description: Specifies one of the following message types:
- Automatic reply (OOF)
- Auto-forward (AutoForward)
- Encrypted
- Calendaring
- Permission controlled (PermissionControlled)
- Voicemail
- Signed
- Approval request (ApprovalRequest)
- Read receipt (ReadReceipt)

Note: When Outlook or Outlook on the web is configured to forward a message, the ForwardingSmtpAddress property is added to the message.

Property type: Patterns
Valid values: Array of regular expressions
Description: Specifies one or more regular expressions that are used to identify text patterns in values. For more information, see Regular Expression Syntax.

In Exchange Online PowerShell, you specify multiple regular expressions separated by commas, and you enclose each regular expression in quotation marks (").

Property type: SCLValue
Valid values: One of the following values:
- Bypass spam filtering (-1)
- Integers 0 through 9
Description: Specifies the spam confidence level (SCL) that's assigned to a message. A higher SCL value indicates that a message is more likely to be spam.

Property type: SensitiveInformationTypes
Valid values: Array of sensitive information types
Description: Specifies one or more sensitive information types that are defined in your organization. For a list of built-in sensitive information types, see Sensitive information types in Exchange Server.

In Exchange Online PowerShell, use the syntax @{<SensitiveInformationType1>},@{<SensitiveInformationType2>},.... For example, to look for content that contains at least two credit card numbers, and at least one ABA routing number, use the value @{Name="Credit Card Number"; minCount="2"},@{Name="ABA Routing Number"; minCount="1"}.

Property type: Size
Valid values: Single size value
Description: Specifies the size of an attachment or the whole message.

In the EAC, you can only specify the size in kilobytes (KB).

In Exchange Online PowerShell, when you enter a value, qualify the value with one of the following units:
- B (bytes)
- KB (kilobytes)
- MB (megabytes)
- GB (gigabytes)

For example, 20 MB. Unqualified values are typically treated as bytes, but small values may be rounded up to the nearest kilobyte.

Property type: SupervisionList
Valid values: Single value of Allow or Block
Description: Supervision policies were a feature in Live@edu that allowed you to control who could send mail to and receive mail from users in your organization (for example, the closed campus and anti-bullying policies). In Microsoft 365 and Office 365, you can't configure supervision list entries on mailboxes.

Property type: UserScopeFrom
Valid values: Single value of Inside the organization (InOrganization) or Outside the organization (NotInOrganization)
Description: A sender is considered to be inside the organization if either of the following conditions is true:
- The sender is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
- The sender's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection. For more information about accepted domains, see Manage accepted domains in Exchange Online.

A sender is considered to be outside the organization if either of the following conditions is true:
- The sender's email address isn't in an accepted domain.
- The sender's email address is in an accepted domain that's configured as an external relay domain.

Note: To determine whether mail contacts are considered to be inside or outside the organization, the sender's address is compared with the organization's accepted domains.

Property type: UserScopeTo
Valid values: One of the following values:
- Inside the organization (InOrganization)
- Outside the organization (NotInOrganization)
Description: A recipient is considered to be inside the organization if any of the following conditions are true:
- The recipient is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
- The recipient's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection.
- The recipient's domain is in a remote domain with the IsInternal parameter set to the value $true.

A recipient is considered to be outside the organization if either of the following conditions is true:
- The recipient's email address isn't in an accepted domain.
- The recipient's email address is in an accepted domain that's configured as an external relay domain.

Property type: Words
Valid values: Array of strings
Description: Specifies one or more words to look for. The words aren't case-sensitive, and can be surrounded by spaces and punctuation marks. Wildcards and partial matches aren't supported. For example, "contoso" matches " Contoso".

However, if the text is surrounded by other characters, it isn't considered a match. For example, "contoso" doesn't match the following values:
- Acontoso
- Contosoa
- Acontosob

The asterisk (*) is treated as a literal character, and isn't used as a wildcard character.

The at sign (@) is also treated as a literal character. Therefore, if it is used when searching Recipient Addresses, it will not match. For example:
- @contoso.com will not match user@contoso.com
- contoso.com will match user@contoso.com

In this scenario, the correct way to set up matching patterns is to use either ExceptIfRecipientDomainIs or ExceptIfRecipientAddressMatchesPatterns.
For more information


Mail flow rules (transport rules) in Exchange Online

Mail flow rule actions in Exchange Online

Mail flow rule procedures in Exchange Online

New-TransportRule
Mail flow rule actions in Exchange Online
Article • 02/22/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, actions in mail flow rules (also known as transport rules) specify what you want to do to messages that match conditions of the rule. For example, you can create a rule that forwards messages from specific senders to a moderator, or adds a disclaimer or personalized signature to all outbound messages.

Actions typically require additional properties. For example, when the rule redirects a message, you need to specify where to redirect the message. Some actions have multiple properties that are available or required. For example, when the rule adds a header field to the message header, you need to specify both the name and value of the header. When the rule adds a disclaimer to messages, you need to specify the disclaimer text, but you can also specify where to insert the text, or what to do if the disclaimer can't be added to the message. Typically, you can configure multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and redirect the same message.

For more information about mail flow rules, including how multiple actions are handled, see Mail flow rules (transport rules) in Exchange Online.

For more information about conditions and exceptions in mail flow rules, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.

For more information about actions in mail flow rules in Exchange Server, see Mail flow rule actions in Exchange Server.

Actions for mail flow rules in Exchange Online

The actions that are available in mail flow rules in Exchange Online and standalone EOP are described in the following table. Valid values for each property are described in the Property values section.

Notes:

After you select an action in the Exchange admin center (EAC), the value that's ultimately
shown in the Do the following field is often different from the click path you selected. Also,
when you create new rules, you can sometimes (depending on the selections you make)
select a short action name from a template (a filtered list of actions) instead of following the
complete click path. The short names and full click path values are shown in the EAC column
in the table.

The names of some of the actions that are returned by the Get-TransportRuleAction cmdlet
are different than the corresponding parameter names, and multiple parameters might be
required for an action.
Action in the EAC (short name): Forward the message for approval to
Action in the EAC (click path): Forward the message for approval > to these people
Action parameter in PowerShell: ModerateMessageByUser
Property: Addresses
Description: Forwards the message to the specified moderators as an attachment wrapped in an approval request. For more information, see Use mail flow rules for message approval scenarios in Exchange Online. You can't use a distribution group as a moderator.
Note: This action isn't available in standalone Exchange Online Protection (EOP) environments.

Action in the EAC (short name): Forward the message for approval to the sender's manager
Action in the EAC (click path): Forward the message for approval > to the sender's manager
Action parameter in PowerShell: ModerateMessageByManager
Property: n/a
Description: Forwards the message to the sender's manager for approval. This action only works if the sender's Manager attribute is defined. Otherwise, the message is delivered to the recipients without moderation.
Note: This action isn't available in standalone EOP environments.

Action in the EAC (short name): Redirect the message to
Action in the EAC (click path): Redirect the message to > these recipients
Action parameter in PowerShell: RedirectMessageTo
Property: Addresses
Description: Redirects the message to the specified recipients. The message isn't delivered to the original recipients, and no notification is sent to the sender or the original recipients.

Action in the EAC (short name): Deliver the message to the hosted quarantine
Action in the EAC (click path): Redirect the message to > hosted quarantine
Action parameter in PowerShell: Quarantine
Property: n/a
Description: Delivers the message to the quarantine in EOP. For more information, see Quarantined email messages in EOP.

Action in the EAC (short name): Use the following connector
Action in the EAC (click path): Redirect the message to > the following connector
Action parameter in PowerShell: RouteMessageOutboundConnector
Property: OutboundConnector
Description: Uses the specified outbound connector to deliver the message. For more information about connectors, see Configure mail flow using connectors.

Action in the EAC (short name): Reject the message with the explanation
Action in the EAC (click path): Block the message > reject the message and include an explanation
Action parameter in PowerShell: RejectMessageReasonText
Property: String
Description: Returns the message to the sender in a non-delivery report (also known as an NDR or bounce message) with the specified text as the rejection reason. The recipient doesn't receive the original message or notification.
The default enhanced status code that's used is 5.7.1.
When you create or modify the rule in PowerShell, you can specify the DSN code by using the RejectMessageEnhancedStatusCode parameter.

Action in the EAC (short name): Reject the message with the enhanced status code
Action in the EAC (click path): Block the message > reject the message with the enhanced status code of
Action parameter in PowerShell: RejectMessageEnhancedStatusCode
Property: DSNEnhancedStatusCode
Description: Returns the message to the sender in an NDR with the specified enhanced delivery status notification (DSN) code. The recipient doesn't receive the original message or notification. Valid DSN codes are 5.7.1 or 5.7.900 through 5.7.999.
The default reason text that's used is Delivery not authorized, message refused.
When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

Action in the EAC (short name): Delete the message without notifying anyone
Action in the EAC (click path): Block the message > delete the message without notifying anyone
Action parameter in PowerShell: DeleteMessage
Property: n/a
Description: Silently drops the message without sending a notification to the recipient or the sender.

Action in the EAC (short name): Add recipients to the Bcc box
Action in the EAC (click path): Add recipients > to the Bcc box
Action parameter in PowerShell: BlindCopyTo
Property: Addresses
Description: Adds one or more recipients to the Bcc field of the message. The original recipients aren't notified, and they can't see the additional addresses.
Note: In Exchange Online, you can't add a distribution group as a recipient.

Action in the EAC (short name): Add recipients to the To box
Action in the EAC (click path): Add recipients > to the To box
Action parameter in PowerShell: AddToRecipients
Property: Addresses
Description: Adds one or more recipients to the To field of the message. The original recipients can see the additional addresses.
Note: In Exchange Online, you can't add a distribution group as a recipient.

Action in the EAC (short name): Add recipients to the Cc box
Action in the EAC (click path): Add recipients > to the Cc box
Action parameter in PowerShell: CopyTo
Property: Addresses
Description: Adds one or more recipients to the Cc field of the message. The original recipients can see the additional addresses.
Note: In Exchange Online, you can't add a distribution group as a recipient.

Action in the EAC (short name): Add the sender's manager as a recipient
Action in the EAC (click path): Add recipients > add the sender's manager as a recipient
Action parameter in PowerShell: AddManagerAsRecipientType
Property: AddedManagerAction
Description: Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient.
This action only works if the sender's Manager attribute is defined in Active Directory.

Action in the EAC (short name): Append the disclaimer
Action in the EAC (click path): Apply a disclaimer to the message > append a disclaimer
Action parameter in PowerShell: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
Property: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property (PowerShell only): DisclaimerTextLocation
Description: Applies the specified HTML disclaimer to the end of the message.
When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Append.

Action in the EAC (short name): Prepend the disclaimer
Action in the EAC (click path): Apply a disclaimer to the message > prepend a disclaimer
Action parameter in PowerShell: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
Property: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property (PowerShell only): DisclaimerTextLocation
Description: Applies the specified HTML disclaimer to the beginning of the message.
When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Prepend.

Action in the EAC (short name): Remove this header
Action in the EAC (click path): Modify the message properties > remove a message header
Action parameter in PowerShell: RemoveHeader
Property: MessageHeaderField
Description: Removes the specified header field from the message header.

Action in the EAC (short name): Set the message header to this value
Action in the EAC (click path): Modify the message properties > set a message header
Action parameter in PowerShell: SetHeaderName, SetHeaderValue
Property: First property: MessageHeaderField. Second property: String
Description: Adds or modifies the specified header field in the message header, and sets the header field to the specified value.

Action in the EAC (short name): Apply a message classification
Action in the EAC (click path): Modify the message properties > apply a message classification
Action parameter in PowerShell: ApplyClassification
Property: MessageClassification
Description: Applies the specified message classification to the message.
Note: This action isn't available in standalone EOP environments.

Action in the EAC (short name): Set the spam confidence level (SCL) to
Action in the EAC (click path): Modify the message properties > set the spam confidence level (SCL)
Action parameter in PowerShell: SetSCL
Property: SCLValue
Description: Sets the spam confidence level (SCL) of the message to the specified value.

Action in the EAC (short name): Apply Office 365 Message Encryption and rights protection; Apply Message Encryption and rights protection to the message with
Action in the EAC (click path): Modify the message security > Message Encryption and rights protection
Action parameter in PowerShell: ApplyRightsProtectionTemplate
Property: RMSTemplate
Description: Applies the specified Azure Rights Management (Azure RMS) template to the message. Azure RMS is part of Azure Information Protection. For more information, see Set up new Message Encryption capabilities.

Action in the EAC (short name): Require TLS encryption
Action in the EAC (click path): Modify the message security > require TLS encryption
Action parameter in PowerShell: RouteMessageOutboundRequireTls
Property: n/a
Description: Forces the outbound messages to be routed over a TLS encrypted connection.

Action in the EAC (short name): Encrypt the messages with the previous version of OME
Action in the EAC (click path): Modify the message security > Apply the previous version of OME
Action parameter in PowerShell: ApplyOME
Property: n/a
Description: If you haven't moved your Microsoft 365 or Office 365 organization to Microsoft Purview Message Encryption that's built on Azure Information Protection, this action encrypts the message and attachments with the previous version of OME.
Notes:
- We recommend that you make a plan to move to OME on Azure Information Protection as soon as it's reasonable for your organization. For instructions, see Set up new Message Encryption capabilities.
- If you receive an error stating that IRM licensing isn't enabled, you can't set up the previous version of OME. If you set up OME now, you'll set up the OME capabilities that are built on Azure Information Protection.

Action in the EAC (short name): Remove the previous version of OME from the message
Action in the EAC (click path): Modify the message security > Remove the previous version of OME
Action parameter in PowerShell: RemoveOME
Property: n/a
Description: Decrypts the message and attachments from the previous version of OME so users don't need to sign in to the encryption portal in order to view them. This action is only available for messages that are sent within your organization.

Action in the EAC (short name): Remove Office 365 Message Encryption and rights protection
Action in the EAC (click path): Modify the message security > Message Encryption and rights protection
Action parameter in PowerShell: RemoveOMEv2
Property: n/a
Description: Removes the Azure RMS template from the message.

Action in the EAC: Prepend the subject of the message with
Action parameter in PowerShell: PrependSubject
Property: String
Description: Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text.
To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the The subject includes (ExceptIfSubjectContainsWords) exception to the rule.

Action in the EAC: Notify the sender with a Policy Tip
Action parameter in PowerShell: NotifySender, RejectMessageReasonText, RejectMessageEnhancedStatusCode (PowerShell only)
Property: First property: NotifySenderType. Second property: String. Third property (PowerShell only): DSNEnhancedStatusCode
Description: Notifies the sender or blocks the message when the message matches a DLP policy.
When you use this action, you need to use the The message contains sensitive information (MessageContainsDataClassification) condition.
When you create or modify the rule in PowerShell, the RejectMessageReasonText parameter is optional. If you don't use this parameter, the default text Delivery not authorized, message refused is used.
In PowerShell, you can also use the RejectMessageEnhancedStatusCode parameter to specify the enhanced status code. If you don't use this parameter, the default enhanced status code 5.7.1 is used.
This action limits the other conditions, exceptions, and actions that you can configure in the rule.
Note: This action isn't available in standalone EOP environments.

Action in the EAC: Generate incident report and send it to
Action parameter in PowerShell: GenerateIncidentReport, IncidentReportContent
Property: First property: Addresses. Second property: IncidentReportContent
Description: Sends an incident report that contains the specified content to the specified recipients.
An incident report is generated for messages that match data loss prevention (DLP) policies in your organization.
If the rule with this action is matched, this action is executed even if the rule is in Audit or AuditAndNotify mode.
Note that the GenerateIncidentReport action will not be executed for the notifications or other incident reports generated by DLP or mail flow rules.

Action in the EAC: Notify the recipient with a message
Action parameter in PowerShell: GenerateNotification
Property: NotificationMessageText
Description: Specifies the text, HTML tags, and message keywords to include in the notification message that's sent to the message's recipients. For example, you can notify recipients that the message was rejected by the rule, or marked as spam and delivered to their Junk Email folder.
If the rule with this action is matched, this action is executed even if the rule is in AuditAndNotify mode, but it will not be executed if the rule is in Audit mode.

Action in the EAC: Properties of this rule section > Audit this rule with severity level
Action parameter in PowerShell: SetAuditSeverity
Property: AuditSeverityLevel
Description: Specifies whether to:
- Prevent the generation of an incident report and the corresponding entry in the message tracking log.
- Generate an incident report and the corresponding entry in the message tracking log with the specified severity level (low, medium, or high).

Action in the EAC (short name): Properties of this rule section > Stop processing more rules
Action in the EAC (click path): More options > Properties of this rule section > Stop processing more rules
Action parameter in PowerShell: StopRuleProcessing
Property: n/a
Description: Specifies that after the message is affected by the rule, the message is exempt from processing by other rules.
Property values
The property values that are used for actions in mail flow rules are described in the following table.

Property Valid values Description


Property Valid values Description

AddedManagerAction One of the following values: Specifies how to include the


To sender's manager in messages.
Cc If you select To, Cc, or Bcc, the
Bcc sender's manager is added as a
Redirect recipient in the specified field.

If you select Redirect, the message


is only delivered to the sender's
manager without notifying the
sender or the recipient.

This action only works if the


sender's Manager is defined.

Addresses Exchange recipients Depending on the action, you


might be able to specify any mail-
enabled object in the organization,
or you might be limited to a specific
object type. Typically, you can select
multiple recipients, but you can
only send an incident report to one
recipient.

AuditSeverityLevel One of the following values: The values Low, Medium, or High
Uncheck Audit this rule with specify the severity level that's
severity level, or select Audit this assigned to the incident report and
rule with severity level with the to the corresponding entry in the
value Not specified ( DoNotAudit ) message tracking log.
Low
Medium The other value prevents an
High incident report from being
generated, and prevents the
corresponding entry from being
written to the message tracking log.
Property Valid values Description

DisclaimerFallbackAction One of the following values: Specifies what to do if the


Wrap disclaimer can't be applied to a
Ignore message (for example, encrypted or
Reject signed messages where the
contents can't be altered). The
available fallback actions are:
Wrap: A new message is
created and the original
message is added to it as an
attachment. The disclaimer
text is added to the new
message, which is delivered
to the recipients. This is the
default value.
If you want other rules to
examine and act on the
original message (which is
now an attachment in the
new message), make sure
those rules are applied
before the disclaimer rule
by using a lower priority
for the disclaimer rule and
higher priority for other
rules.
If the process of inserting
the original message as an
attachment in the new
message fails, the original
message isn't delivered.
The original message is
returned to the sender in
a non-delivery report (also
known as an NDR or a
bounce message).
Ignore: The rule is ignored
and the original message is
delivered without the
disclaimer.
Reject: The original message
is returned to the sender in
an NDR.

DisclaimerText HTML string Specifies the disclaimer text, which


can include HTML tags, inline
cascading style sheet (CSS) tags,
and images by using the IMG tag.
The maximum length is 5000
characters, including tags.
Property Valid values Description

DisclaimerTextLocation Single value: Append or Prepend In PowerShell, you use the


ApplyHtmlDisclaimerLocation to
specify the location of the
disclaimer text in the message:

Append : Add the disclaimer to


the end of the message body.
This is the default value.
Prepend : Add the disclaimer
to the beginning of the
message body.

DSNEnhancedStatusCode Single DSN code value: Specifies the DSN code that's used.
5.7.1 You can create custom DSNs by
5.7.900 through 5.7.999 using the New-SystemMessage
cmdlet.

If you don't specify the rejection


reason text along with the DSN
code, the default reason text that's
used is Delivery not authorized,
message refused .

When you create or modify the rule


in PowerShell, you can specify the
rejection reason text by using the
RejectMessageReasonText
parameter.

IncidentReportContent One or more of the following values: Specifies the original message
Sender properties to include in the incident
Recipients report. You can choose to include
Subject any combination of these
Cc'd recipients ( Cc ) properties. In addition to the
Bcc'd recipients ( Bcc ) properties you specify, the message
Severity ID is always included. The available
Sender override information properties are:
( Override ) Sender: The sender of the
Matching rules ( RuleDetections ) original message.
False positive reports Recipients, Cc'd recipients,
( FalsePositive ) and Bcc'd recipients: All
Detected data classifications recipients of the message, or
( DataClassifications ) only the recipients in the Cc
Matching content ( IdMatch ) or Bcc fields. For each
Original mail ( AttachOriginalMail ) property, only the first 10
recipients are included in the
incident report.
Subject: The Subject field of
the original message.
Severity: The audit severity of
the rule that was triggered.
Message tracking logs
Property Valid values Description

include all the audit severity


levels, and can be filtered by
audit severity.

In the EAC, if you clear the


Audit this rule with severity
level check box (in
PowerShell, the
SetAuditSeverity parameter
value DoNotAudit ), rule
matches won't appear in the
rule reports.

If a message is processed by
more than one rule, the
highest severity is included in
any incident reports.
Sender override information:
The override if the sender
chose to override a Policy Tip.
If the sender provided a
justification, the first 100
characters of the justification
are also included.
Matching rules: The list of
rules that the message
triggered.
False positive reports: The
false positive if the sender
marked the message as a
false positive for a Policy Tip.
Detected data classifications:
The list of sensitive
information types detected in
the message.
Matching content: The
sensitive information type
detected, the exact matched
content from the message,
and the 150 characters before
and after the matched
sensitive information.
Original mail: The entire
message that triggered the
rule is attached to the
incident report.

In PowerShell, you specify


multiple values separated by
commas.
Property Valid values Description

MessageClassification Single message classification object In the EAC, you select from the list
of available message classifications.
In PowerShell, use the Get-
MessageClassification cmdlet to
see the message classification
objects that are available.

| Property | Valid values | Description |
|---|---|---|
| MessageHeaderField | Single string | Specifies the SMTP message header field to add, remove, or modify. The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers. |
| NotificationMessageText | Any combination of plain text, HTML tags, and keywords | Specifies the text to use in a recipient notification message. In addition to plain text and HTML tags, you can specify the following keywords that use values from the original message: %%From%%, %%To%%, %%Cc%%, %%Subject%%, %%Headers%%, %%MessageDate%% |
| NotifySenderType | One of the following values: Notify the sender, but allow them to send (NotifyOnly); Block the message (RejectMessage); Block the message unless it's a false positive (RejectUnlessFalsePositiveOverride); Block the message, but allow the sender to override and send (RejectUnlessSilentOverride); Block the message, but allow the sender to override with a business justification and send (RejectUnlessExplicitOverride) | Specifies the type of Policy Tip that the sender receives if the message violates a DLP policy. The settings are described in the following list: Notify the sender, but allow them to send: The sender is notified, but the message is delivered normally. Block the message: The message is rejected, and the sender is notified. Block the message unless it's a false positive: The message is rejected unless it's marked as a false positive by the sender. Block the message, but allow the sender to override and send: The message is rejected unless the sender has chosen to override the policy restriction. Block the message, but allow the sender to override with a business justification and send: This is similar to the Block the message, but allow the sender to override and send type, but the sender also provides a justification for overriding the policy restriction. When you use this action, you need to use the The message contains sensitive information (MessageContainsDataClassification) condition. |
| OutboundConnector | Single outbound connector | Specifies the identity of the outbound connector that's used to deliver messages. For more information about connectors, see Configure mail flow using connectors. In the EAC, you select the connector from a list. In PowerShell, use the Get-OutboundConnector cmdlet to see the connectors that are available. |
| RMSTemplate | Single Azure RMS template object | Specifies the Azure Rights Management (Azure RMS) template that's applied to the message. In the EAC, you select the RMS template from a list. In PowerShell, use the Get-RMSTemplate cmdlet to see the RMS templates that are available. For more information about RMS in Microsoft 365 or Office 365, see What is Azure Information Protection?. |
| SCLValue | One of the following values: Bypass spam filtering (-1); Integers 0 through 9 | Specifies the spam confidence level (SCL) that's assigned to the message. A higher SCL value indicates that a message is more likely to be spam. |
| String | Single string | Specifies the text that's applied to the specified message header field, NDR, or event log entry. In PowerShell, if the value contains spaces, enclose the value in quotation marks ("). |
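As an added example that is not part of the article, the following commands show several of the action properties above used together in New-TransportRule: NotifySenderType with the sensitive-information condition it requires, MessageHeaderField and String, and SCLValue with the weak form of a filtering bypass beside a narrowed one. The rule names, the X- header names, the partner domain and the sensitive information type name are assumed values.

```powershell
# Added example, not from the article. Rule names, the X- header names, the
# partner domain and the sensitive information type name are assumed values.

# 1. NotifySenderType (-NotifySender) must be paired with the
#    MessageContainsDataClassification condition. The rule also stamps a
#    header (MessageHeaderField = -SetHeaderName, String = -SetHeaderValue)
#    so later rules and message traces can see that this rule matched.
New-TransportRule -Name "Example - SSN Policy Tip" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "This message appears to contain a social security number." `
    -SetHeaderName "X-Example-DLP" `
    -SetHeaderValue "ssn-override-required"

# 2. SCLValue (-SetSCL). Bypassing spam filtering (-1) on the sender domain
#    alone is easy to abuse because the From domain can be forged, so the
#    narrowed rule also requires an Authentication-Results header that
#    records a DMARC pass for the message.
#
#    Too broad; shown only for contrast, do not create it:
#    New-TransportRule -Name "Bypass partner" -SenderDomainIs "partner.example" -SetSCL -1
#
#    Narrowed version:
New-TransportRule -Name "Example - Trusted partner bypass" `
    -SenderDomainIs "partner.example" `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns "dmarc=pass" `
    -SetSCL -1 `
    -SetHeaderName "X-Example-PartnerBypass" `
    -SetHeaderValue "dmarc-verified" `
    -Comments "Added example: bypass spam filtering only for partner mail that passed DMARC"

# Confirm how the actions were stored on each example rule
Get-TransportRule |
    Where-Object { $_.Name -like "Example - *" } |
    Format-List Name, NotifySender, SetHeaderName, SetHeaderValue, SetSCL
```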

For more information


Mail flow rules (transport rules) in Exchange Online

Mail flow rule conditions and exceptions (predicates) in Exchange Online

Mail flow rule procedures in Exchange Online


Manage mail flow rules in Exchange Online
Article • 02/22/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use mail flow rules (also
known as transport rules) to look for specific conditions on messages that pass through
your organization and take action on them.

This article shows you how to create, copy, adjust the order, enable or disable, delete, or
import or export rules, and how to monitor rule usage.

Tip

To make sure your rules work the way you expect, be sure to thoroughly test each
rule and interactions between rules.

Interested in scenarios where these procedures are used? See Mail flow rule procedures
in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

For information about how to access the Exchange admin center (EAC), see
Exchange admin center in Exchange Online. To connect to Exchange Online
PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone
EOP PowerShell, see Connect to standalone Exchange Online Protection
PowerShell.

You need to be assigned permissions before you can perform these procedures. To
see what permissions you need, see the "Mail flow" entry in Feature permissions in
Exchange Online.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Create a mail flow rule


You can create a mail flow rule by setting up a Data Loss Prevention (DLP) policy (in
Exchange Online only; not in standalone EOP), creating a new rule, or by copying a rule.
You can use the Exchange admin center (EAC) or PowerShell.

Note

After you create or modify a mail flow rule, it can take up to 30 minutes or more in
some cases for the new or updated rule to be applied to email.

Use a DLP policy to create mail flow rules

Note

This section does not apply to standalone EOP organizations.

Each DLP policy is a collection of mail flow rules. After you create the DLP policy, you
can fine-tune the rules using the procedures below.

1. Create a DLP policy.


2. Modify the mail flow rules created by the DLP policy.

Use the EAC to create a mail flow rule


The EAC allows you to create mail flow rules by using a template, copying an existing
rule, or from scratch.

1. Go to Mail flow > Rules.

2. Create the rule by using one of the following options:

To create a rule from a template, click Add and select a template.
To copy a rule, select the rule, and then select Copy.
To create a new rule from scratch, click Add and then select Create a new rule.

3. In the New rule dialog box, name the rule, and then select the conditions and
actions for this rule:

a. In Apply this rule if..., select the condition you want from the list of available
conditions.

Some conditions require you to specify values. For example, if you select
The sender is... condition, you must specify a sender address. If you're
adding a word or phrase, note that trailing spaces are not allowed.
If the condition you want isn't listed, or if you need to add exceptions,
select More options. Additional conditions and exceptions will be listed.
If you don't want to specify a condition, and want this rule to apply to
every message in your organization, select [Apply to all messages]
condition.

b. In Do the following..., select the action you want the rule to take on messages
matching the criteria from the list of available actions.

Some of the actions will require you to specify values. For example, if you
select the Forward the message for approval to... action, you will need
to select a recipient in your organization.
If the action you want isn't listed, select More options. Additional
actions will be listed.

c. Specify how rule match data for this rule is displayed in the Data Loss
Prevention (DLP) reports and the Mail protection reports.

Under Audit this rule with severity level, select a level to specify the severity
level for this rule. The activity reports for mail flow rules group rule matches by
severity level. Severity level is just a filter to make the reports easier to use. The
severity level has no impact on the priority in which the rule is processed.

Note

If you clear the Audit this rule with severity level checkbox, rule matches
will not show up in the rule reports.

d. Set the mode for the rule. You can use one of the two test modes to test the
rule without impacting mail flow. In both test modes, when the conditions are
met, an entry is added to the message trace.

Enforce: This turns on the rule and it starts processing messages
immediately. All actions on the rule will be performed.
Test with Policy Tips: This turns on the rule, and any Policy Tip actions
(Notify the sender with a Policy Tip) will be sent, but no actions related to
message delivery will be performed. Data loss prevention (DLP) is required
in order to use this mode. To learn more, see Policy Tips.
Test without Policy Tips: Only the Generate incident report action will be
enforced. No actions related to message delivery are performed.

4. If you are satisfied with the rule, go to step 5. If you want to add more conditions
or actions, or if you want to specify exceptions or set additional properties, click
More options. After you click More options, complete the following fields to
create your rule:

a. To add more conditions, click Add condition. If you have more than one
condition, you can remove any one of them by clicking Remove X next to it.
Note that there are a larger variety of conditions available once you click More
options.

b. To add more actions, click Add action. If you have more than one action, you
can remove any one of them by clicking Remove X next to it. Note that there
are a larger variety of actions available once you click More options.

c. To specify exceptions, click Add exception, then select exceptions using the
Except if... dropdown. You can remove any exceptions from the rule by clicking
the Remove X next to it.

d. If you want this rule to take effect after a certain date, click Activate this rule on
the following date: and specify a date. Note that the rule will still be enabled
prior to that date, but it won't be processed.

Similarly, you can have the rule stop processing at a certain date. To do so, click
Deactivate this rule on the following date: and specify a date. Note that the
rule will remain enabled, but it won't be processed.

e. You can choose to avoid applying additional rules once this rule processes a
message. To do so, click Stop processing more rules. If you select this, and a
message is processed by this rule, no subsequent rules are processed for that
message.

f. You can specify how the message should be handled if the rule processing can't
be completed. By default, the rule will be ignored and the message will be
processed regularly, but you can choose to resubmit the message for
processing. To do so, check the Defer the message if rule processing doesn't
complete check box.

g. If your rule analyzes the sender address, it only examines the message headers
by default. However, you can configure your rule to also examine the SMTP
message envelope. To specify what's examined, click one of the following values
for Match sender address in message:

Header: Only the message headers will be examined.
Envelope: Only the SMTP message envelope will be examined.
Header or envelope: Both the message headers and SMTP message
envelope will be examined.

h. You can add comments to this rule in the Comments box.

5. Click Save to complete creating the rule.

Use Exchange Online PowerShell to create a mail flow rule

This example uses the New-TransportRule cmdlet to create a new mail flow rule that
prepends "External message to Sales DG:" to the subject of messages sent from outside the
organization to the Sales Department distribution group.

PowerShell

New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:"

The rule parameters and action used in the above procedure are for illustration only.
Review all the available mail flow rule conditions and actions to determine which ones
meet your requirements.

How do you know this worked?


To verify that you have successfully created a new mail flow rule, do the following:

In the EAC, verify that the new mail flow rule you created is listed in the Rules list.

From Exchange Online PowerShell, verify that you created the new mail flow rule
successfully by running the following command (the example below verifies the
rule created in Exchange Online PowerShell example above):

PowerShell

Get-TransportRule "Mark messages from the Internet to Sales DG"


View or modify a mail flow rule

Note

After you create or modify a mail flow rule, it can take up to 30 minutes or more in
some cases for the new or updated rule to be applied to email.

Use the EAC to view or modify a mail flow rule


1. In the EAC, go to Mail flow > Rules.
2. When you select a rule in the list, the conditions, actions, exceptions, and selected
properties of that rule are displayed in the details pane. To view all the properties
of a specific rule, double-click it. This opens the rule editor window, where you can
make changes to the rule. For more information about rule properties, see the Use the
EAC to create a mail flow rule section, earlier in this article.

Use Exchange Online PowerShell to view or modify a mail flow rule

The following example gives you a list of all rules configured in your organization:

PowerShell

Get-TransportRule

To view the properties of a specific mail flow rule, you provide the name of that rule or
its GUID. It is usually helpful to send the output to the Format-List cmdlet to format the
properties. The following example returns all the properties of the mail flow rule named
Sender is a member of Marketing:

PowerShell

Get-TransportRule "Sender is a member of marketing" | Format-List

To modify the properties of an existing rule, use the Set-TransportRule cmdlet. This
cmdlet allows you to change any property, condition, action or exception associated
with a rule. The following example adds an exception to the rule "Sender is a member of
marketing" so that it won't apply to messages sent by the user Kelly Rollin:

PowerShell

Set-TransportRule "Sender is a member of marketing" -ExceptIfFrom "Kelly Rollin"

How do you know this worked?


To verify that you have successfully modified a mail flow rule, do the following:

From the rules list in the EAC, click the rule you modified in the Rules list and view
the details pane.

From Exchange Online PowerShell, verify that you modified the mail flow rule
successfully by running the following command to list the properties you modified
along with the name of the rule (the example below verifies the rule modified in
Exchange Online PowerShell example above):

PowerShell

Get-TransportRule "Sender is a member of marketing" | Format-List Name,ExceptIfFrom

Mail flow rule properties


You can also use the Set-TransportRule cmdlet to modify existing mail flow rules in your
organization. Below is a list of properties not available in the EAC that you can change. For
more information on using the Set-TransportRule cmdlet to make these changes, see
Set-TransportRule.

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
|---|---|---|
| Stop Processing Rules | StopRuleProcessing | Enables you to stop processing additional rules |
| Header/Envelope matching | SenderAddressLocation | Enables you to examine the SMTP message envelope to ensure the header and envelope match |
| Audit severity | SetAuditSeverity | Enables you to select a severity level for the audit |
| Rule modes | Mode | Enables you to set the mode for the rule |

Set the priority of a mail flow rule
The rule at the top of the list is processed first. This rule has a Priority of 0.

Use the EAC to set the priority of a rule


1. In the EAC, go to Mail flow > Rules. This displays the rules in the order in which
they are processed.
2. Select a rule, and use the arrows to move the rule up or down the list.

Use Exchange Online PowerShell to set the priority of a rule

The following example sets the priority of "Sender is a member of Marketing" to 2:

PowerShell

Set-TransportRule "Sender is a member of Marketing" -Priority "2"

How do you know this worked?


To verify that you have successfully modified a mail flow rule, do the following:

From the rules list in the EAC, look at the order of the rules.

From Exchange Online PowerShell, verify the priority of the rules (the example
below verifies the rule modified in Exchange Online PowerShell example above):

PowerShell

Get-TransportRule * | Format-List Name,Priority

Enable or disable a mail flow rule


Rules are enabled when you create them. You can disable a mail flow rule.

Use the EAC to enable or disable a mail flow rule


1. In the EAC, go to Mail flow > Rules.
2. To disable a rule, clear the check box next to its name.
3. To enable a disabled rule, select the check box next to its name.

Use Exchange Online PowerShell to enable or disable a mail flow rule

The following example disables the mail flow rule "Sender is a member of marketing":

PowerShell

Disable-TransportRule "Sender is a member of marketing"

The following example enables the mail flow rule "Sender is a member of marketing":

PowerShell

Enable-TransportRule "Sender is a member of marketing"

How do you know this worked?


To verify that you have successfully enabled or disabled a mail flow rule, do the
following:

In the EAC, view the list of rules in the Rules list and check the status of the check
box in the ON column.

From Exchange Online PowerShell, run the following command which will return a
list of all rules in your organization along with their status:

PowerShell

Get-TransportRule | Format-Table Name,State

Remove a mail flow rule

Use the EAC to remove a mail flow rule


1. In the EAC, go to Mail flow > Rules.
2. Select the rule you want to remove and then click Delete.

Use Exchange Online PowerShell to remove a mail flow rule

The following example removes the mail flow rule "Sender is a member of marketing":

PowerShell

Remove-TransportRule "Sender is a member of marketing"

How do you know this worked?


To verify that you have successfully removed the mail flow rule, do the following:

In the EAC, view the rules in the Rules list and verify that the rule you removed is
no longer shown.

From Exchange Online PowerShell, run the following command and verify that the
rule you remove is no longer listed:

PowerShell

Get-TransportRule

Monitor rule usage


If you're using Exchange Online or Exchange Online Protection, you can check the
number of times each rule is matched by using a rules report. In order to be included in
the reports, a rule must have the Audit this rule with severity level check box selected.
You can look at a report online, or download an Excel version of all the mail protection
reports.

Note

While most data is in the report within 24 hours, some data may take as long as 5
days to appear.

Use the new Exchange admin center to view a rules report

1. In the new EAC (https://admin.exchange.microsoft.com), go to Reports > Mail
flow.
2. On the Mail flow reports page, find and select Exchange Transport Rule report.

Download an Excel version of the reports


For steps to download reports, see Download existing reports in the Microsoft Purview
compliance portal.

Import or export a mail flow rule collection


You must use Exchange Online PowerShell to import or export a mail flow rule
collection. For information about how to import a mail flow rule collection from an XML
file, see Import-TransportRuleCollection.

For information about how to export a mail flow rule collection to an XML file, see
Export-TransportRuleCollection.
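As an added example that is not from the article, the following script ties together the procedures above: it exports the rule collection before changing anything, creates a rule in audit mode with the PowerShell properties listed in the Mail flow rule properties table, verifies them, and only then switches the rule to enforce mode. The rule name, distribution group name and backup file path are assumed values.

```powershell
# Added example, not from the article. The rule name, the distribution group
# name and the backup path are assumed values.

# 1. Export the current rule collection to XML so any mistake can be reverted
#    with Import-TransportRuleCollection.
$export     = Export-TransportRuleCollection
$backupPath = Join-Path $HOME ("TransportRules-{0}.xml" -f (Get-Date -Format "yyyyMMdd-HHmmss"))
[System.IO.File]::WriteAllBytes($backupPath, $export.FileData)
Write-Host "Rule collection backed up to $backupPath"

# 2. Create the rule in audit mode: matches are recorded (and reported, because
#    an audit severity is set) but no action touches mail flow yet.
#    SenderAddressLocation, StopRuleProcessing, SetAuditSeverity and Mode are
#    the properties from the table above; Priority 0 places it first.
New-TransportRule -Name "Example - External mail to Finance DG" `
    -FromScope NotInOrganization `
    -SentTo "Finance Department" `
    -PrependSubject "[External] " `
    -Mode Audit `
    -SetAuditSeverity High `
    -SenderAddressLocation HeaderOrEnvelope `
    -StopRuleProcessing $true `
    -Priority 0 `
    -Comments "Created in audit mode; switch to Enforce after reviewing matches"

# 3. Verify the stored properties and the resulting processing order.
Get-TransportRule "Example - External mail to Finance DG" |
    Format-List Name, State, Mode, SetAuditSeverity, SenderAddressLocation, StopRuleProcessing, Priority
Get-TransportRule | Format-Table Name, Priority, State, Mode -AutoSize

# 4. After the audit period (the rules report needs up to a few days of data),
#    enforce the rule. Disable-TransportRule is the quick way back if needed.
Set-TransportRule "Example - External mail to Finance DG" -Mode Enforce
```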

Need more help?


Mail flow rules (transport rules) in Exchange Online

Mail flow rule conditions and exceptions (predicates) in Exchange Online

Mail flow rule actions in Exchange Online

Journal, transport, and inbox rule limits


Regular expressions to be used in transport rules
Article • 03/21/2023

Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange
Online

You can use regular expressions in Microsoft Exchange Online transport rule predicates
to match text patterns in different parts of a message (such as message headers, sender,
recipients, message subject, and body). Predicates are used by conditions and
exceptions to determine whether a configured action should be applied to an e-mail
message.

Note

Due to the variances in customer environments, Microsoft Customer Support
Services (CSS) can't participate in the development or testing of custom Regular
Expression scripts ("RegEx scripts"). For RegEx custom script development, testing,
and debugging, Office 365 customers will need to rely upon internal IT resources.
Alternatively, Office 365 customers may choose to use an external consulting
resource such as Microsoft Consulting Services (MCS). Regardless of the script
development resource, CSS EXO and EOP support engineers aren't available to
assist customers with custom RegEx script inquiries.

Looking for management tasks related to transport rules? See Managing Transport
Rules.

Contents

This article contains the following sections:

Simple expressions vs regular expressions
Regular expressions in Exchange Online
Creating a transport rule that uses a regular expression

Simple expressions vs regular expressions


To understand regular expressions, you must first understand simple expressions. A
simple expression is a specific value that you want to match exactly in a message.
Predicates using simple expressions match specific words or strings. An example of a
simple expression is the title of a document that your organization doesn't want to be
distributed outside the organization, such as Yearly Sales Forecast.doc. A piece of data
in an email message must exactly match a simple expression to satisfy a condition or
exception in transport rules.

A regular expression is a concise and flexible notation for finding patterns of text in a
message. The notation consists of two basic character types:

Literal characters: Text that must exist in the target string. These characters are
normal characters, as typed.
Metacharacters: One or more special characters that aren't interpreted literally.
These characters indicate how the text can vary in the target string.

You can use regular expressions to quickly parse email messages to find specific text
patterns. These expressions enable you to detect messages with specific types of
content, such as social security numbers (SSNs), patent numbers, and phone numbers.

You can't reasonably match this data with a simple expression because a simple
expression requires that you enter every possible variation of the value that you want to
detect. In many cases, using simple expressions for such applications becomes a
logistical challenge, and matching a large number of simple expressions in message
content can be resource intensive. Using regular expressions is more efficient. Instead of
specifying all possible variations, you can configure the transport rule predicate to
search for a text pattern.

Regular expressions in Exchange Online


In the Exchange Management Shell, you can use regular expressions in any predicate
that accepts the Patterns predicate property. In the Exchange Management Console,
you can use regular expressions with any condition or exception that contains the words
with text patterns. For more information about predicates, see Transport Rule Predicates.

Warning

You must carefully test the regular expressions that you construct to ensure that
they yield the expected results. An incorrectly configured regular expression could
yield unexpected matches and cause unwanted transport rule behavior. These
implications may result in undesirable actions being taken on messages and
message content, potentially resulting in data loss when actions such as rejecting
or bouncing a message are used. Also, complex regular expressions may affect
email transport performance. Test your regular expressions in a test environment
before you implement them in production.

The following table lists the pattern strings that you can use to create a pattern-
matching regular expression in Exchange Online:

| Pattern string | Description |
|---|---|
| \S | The \S pattern string matches any single character that's not a space. |
| \s | The \s pattern string matches any single white-space character. |
| \D | The \D pattern string matches any single character that's not a numeric digit. |
| \d | The \d pattern string matches any single numeric digit. |
| \w | The \w pattern string matches any single Unicode character categorized as a letter or a decimal digit. |
| \W | The \W pattern string matches any single Unicode character not categorized as a letter or a decimal digit. |
| * | The asterisk ( * ) character matches zero or more instances of the previous character. For example, ab*c matches the following strings: ac, abc, and abbbbc. |
| () | Parentheses act as grouping delimiters. For example, a(bc)* matches the following strings: a, abc, abcbc, abcbcbc, and so on. |
| \ | A backslash is used as an escaping character before a special character. Special characters are characters used in pattern strings: Backslash ( \ ); Pipe; Asterisk ( * ); Opening parenthesis ( ( ); Closing parenthesis ( ) ); Caret ( ^ ); Dollar sign ( $ ). For example, if you want to match a string that contains (525), you would type \(525\). |
| ^ | The caret ( ^ ) character indicates that the pattern string that follows the caret must exist at the start of the text string being matched. For example, ^fred@contoso matches fred@contoso.com and fred@contoso.co.uk but not alfred@contoso.com. |
| $ | The dollar-sign ( $ ) character indicates that the preceding pattern string must exist at the end of the text string being matched. For example, contoso.com$ matches adam@contoso.com and kim@research.contoso.com, but doesn't match kim@contoso.com.au. |

Constructing regular expressions

By using the preceding table, you can construct a regular expression that matches the
pattern of the data that you want to match. Working from left to right, examine each
character or group of characters in the data that you want to match. Read the
description of each pattern string to determine how it's applied to the data that you're
matching. Then, determine which pattern string in the table represents that character or
group of characters, and add that pattern string to the regular expression. When
finished, you have a fully constructed regular expression.

This example of a regular expression matches North American telephone numbers in the
formats 425 555-0100 and 425.555.0100 (the period is escaped as \. so that it matches
only a literal period, not any character):

PowerShell

425(\s|\.)\d\d\d(-|\.)\d\d\d\d

You can expand on this example by adding the telephone format (425) 555-0100, which
uses parentheses around the area code. Because the closing parenthesis is a special
character, it is escaped as \). This example of a regular expression matches
all three telephone number formats.

\d\d\d((\s|\.|-|\)|\)\s)\d\d\d(\s|\.|-)\d\d\d\d

You can analyze the previous example as follows:

\d\d\d: This portion requires that exactly three numeric digits appear first.
((\s|\.|-|\)|\)\s): This portion requires that a space, a period, or a hyphen exists after
the three-digit number. Each character-matching string is contained in the
grouping delimiters and is separated by the pipe character. This separation means
that only one of the specified characters inside the grouping delimiters can exist in
this location in the string being matched. For the separation between area code
and the next three digits, it also looks for a closing parenthesis, or a closing
parenthesis followed by a space.
\d\d\d: This portion requires that exactly three numeric digits appear next.
(\s|\.|-): This portion requires that a space, a period, or a hyphen exists after the
three-digit number.
\d\d\d\d: This portion requires that exactly four numeric digits appear next.

The above regular expression will match the following sample values:

(425)555.0100
425 555 0100
425 555 0100
(425) 555-0100
425-555-0100
(425) 555-0100

Creating a transport rule that uses a regular expression


This example creates a transport rule in the PowerShell that uses regular expressions to
match SSNs in the subject of an email message.

PowerShell

New-TransportRule -Name "Social Security Number Block Rule" -SubjectOrBodyMatchesPatterns '\d\d\d-\d\d-\d\d\d\d' -RejectMessageEnhancedStatusCode "5.7.1" -RejectMessageReasonText "This message has been rejected because of content restrictions"

This example lets you view the new transport rule.

PowerShell

Get-TransportRule "Social Security Number Block Rule" | Format-List
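The Warning above asks for regular expressions to be tested before they reach production. As an added example that is not part of the article, the script below checks the article's three-format phone pattern (with the period and closing parenthesis escaped) and its SSN pattern against constructed sample text using PowerShell's [regex] class, and shows how the unbounded SSN pattern over-matches inside a longer digit run. Treating PowerShell's .NET regex engine as a stand-in for the transport rule matcher is an assumption, so use it as a pre-check rather than as proof.

```powershell
# Added example, not from the article: check regular expressions against
# constructed sample text with PowerShell's [regex] class before putting them
# in a rule. Treating the .NET engine as equivalent to the transport rule
# matcher is an assumption; use this as a pre-check, not as proof.

$patterns = @{
    # The article's pattern for all three phone formats, with "." and ")"
    # escaped so they match only the literal characters.
    Phone      = '\d\d\d((\s|\.|-|\)|\)\s)\d\d\d(\s|\.|-)\d\d\d\d'
    # The article's SSN pattern, as used in its rule
    Ssn        = '\d\d\d-\d\d-\d\d\d\d'
    # Same shape bounded by \b so it does not fire inside longer digit runs
    SsnBounded = '\b\d\d\d-\d\d-\d\d\d\d\b'
}

# Constructed samples with the result a reviewer would expect
$samples = @(
    @{ Pattern = 'Phone';      Text = '(425) 555-0100';     Expect = $true  }
    @{ Pattern = 'Phone';      Text = 'Call 425.555.0100';  Expect = $true  }
    @{ Pattern = 'Phone';      Text = '425 555 0100';       Expect = $true  }
    @{ Pattern = 'Phone';      Text = '4255550100';         Expect = $false }
    @{ Pattern = 'Ssn';        Text = 'SSN 123-45-6789';    Expect = $true  }
    @{ Pattern = 'Ssn';        Text = 'Order 1234-56-7890'; Expect = $false } # over-matches on 234-56-7890
    @{ Pattern = 'SsnBounded'; Text = 'SSN 123-45-6789';    Expect = $true  }
    @{ Pattern = 'SsnBounded'; Text = 'Order 1234-56-7890'; Expect = $false }
)

function Test-RulePattern {
    param([string]$Name, [string]$Text, [bool]$Expect)
    $matched = [regex]::IsMatch($Text, $patterns[$Name])
    [pscustomobject]@{
        Pattern  = $Name
        Text     = $Text
        Matched  = $matched
        Expected = $Expect
        Ok       = ($matched -eq $Expect)
    }
}

$results = foreach ($s in $samples) {
    Test-RulePattern -Name $s.Pattern -Text $s.Text -Expect $s.Expect
}
$results | Format-Table -AutoSize

# Any row with Ok = False means the pattern (or the expectation) needs work
# before the rule is created. The unbounded Ssn row fails on purpose: a reject
# action on that pattern would bounce an unrelated order number.
if ($results.Ok -contains $false) {
    Write-Warning 'At least one sample did not behave as expected; do not deploy yet.'
}
```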


Best practices for configuring mail flow rules in Exchange Online
Article • 05/31/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, follow these best practice
recommendations for mail flow rules (also known as transport rules) in order to avoid
common configuration errors. Each recommendation links to an article with an example
and step-by-step instructions.

Test your rules


To make sure unexpected things don't happen to email messages, and to make sure
you're really meeting the business, legal, or compliance intentions of your rule, be sure
to test it thoroughly. There are many options, and rules can interact with each other, so
it's important to test messages that you expect both will match the rule and won't
match the rule in case you inadvertently made a rule too general. To learn all the options
for testing rules, see Test mail flow rules in Exchange Online.

Scope your rule


Make sure your rule applies only to the messages you intend it to. For example:

Restrict a rule to messages either coming into or going out of the organization:
By default, a new rule applies to messages that are sent by and received by people
in your organization. So if you want the rule to apply only one way, be sure to
specify that in the conditions for the rule. For examples, see Use mail flow rules for
attachment blocking scenarios in Exchange Online
Restrict a rule based on the sender's or receiver's domain: By default, a new rule
applies to messages sent from or received by any domain. Sometimes you want a
rule to apply to all domains except for one, or to just one domain. See Create
blocked sender lists in EOP.

For a complete list of all the conditions and exceptions that are available for mail flow
rules, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.

Know when you need two rules


Sometimes it takes two rules to do what you want. Mail flow rules are processed in
order, so multiple rules can apply to the same message. For example, if one of the
actions is to block the message, and you also have another action you'd like to apply,
such as copying the message to the sender's manager or changing the subject for the
notification message, you would need two rules. The first rule could copy the message
to the sender's manager and change the subject, and the second rule could block the
message.

If you use two rules like this, be sure that the conditions are identical. For example:

Set up a message approval chain


Modify the subject line for notifications

Don't repeat an action on every email in a conversation

The chain of email in a conversation can include many individual messages, and
repeating the action on each message in the thread might get annoying. For example, if
you have an action such as adding a disclaimer, you might want it to apply only to the
first message in the thread. If so, add an exception for messages that already include the
disclaimer text. For an example, see Organization-wide message disclaimers, signatures,
footers, or headers in Exchange Online.

Know when to stop rule processing


Sometimes it makes sense to stop rule processing once a rule is matched. For example,
if you have one rule to block messages with attachments and one to insert a disclaimer
in messages that match a pattern, you probably should stop rule processing once the
message is blocked. There's no need for further action.

To stop rule processing after a rule is triggered, in the rule, select the Stop processing
more rules check box.

If you have lots of keywords or patterns to match, load them from a file

For example, you might want to prevent emails from being sent if they contain a list of
unacceptable or bad words. You can create a text file containing these words and
phrases, and then use PowerShell to set up a mail flow rule that blocks messages that
use them.
The text file can contain regular expressions for patterns. These expressions are not
case-sensitive. Common regular expressions include:

| Expression | Matches |
|---|---|
| . | Any single character |
| * | Any additional characters |
| \d | Any decimal digit |
| [character_group] | Any single character in character_group. |

For an example that shows a text file with regular expressions and the Exchange module
Windows PowerShell commands to use, see Use mail flow rules to route email based on
a list of words, phrases, or patterns in Exchange Online.

To learn how to specify patterns using regular expressions, see Regular Expression
Reference.

Don't chain DLP rule actions and mail flow rule conditions

In the transport pipeline, mail flow rules evaluate and act on messages before DLP rules.
Once a message has been evaluated by mail flow rules, the message isn't evaluated or
acted upon by mail flow rules again during delivery.

If a DLP rule changes message properties that affect delivery (for example, by adding
recipients), the message is resubmitted into the transport pipeline for delivery. Mail flow
rules don't evaluate the message again, because the message has already been
evaluated.

So, if a DLP rule adds recipients to a message, the message containing those new
recipients isn't evaluated by mail flow rules.

Test mail flow rules in Exchange Online
Article • 02/22/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you should test new mail flow rules
(also known as transport rules) before you turn them on. This way, if you accidentally
create a condition that doesn't do exactly what you want or interacts with other rules in
unexpected ways, you won't have any unintended consequences.

Important

Wait at least 30 minutes after creating a rule before you test it. If you test
immediately after you create the rule, you may get inconsistent behavior.

Step 1: Create a rule in test mode

Note

DLP and policy tips are not available in standalone EOP.

You can evaluate the conditions for a rule without taking any actions that impact mail
flow by choosing a test mode. You can set up a rule so that you get an email notification
any time the rule is matched, or you can look at the message trace for messages that
might match the rule. There are two test modes:

Test without Policy Tips: Use this mode together with an incident report action, and
you receive an email message each time an email matches the rule.

Test with Policy Tips: This mode is only available if you're using Data loss
prevention (DLP), which is available with some Exchange Online and Exchange
Online Protection (EOP) subscription plans. With this mode, a message is sent to the
sender when a message they are sending matches a policy, but no mail flow
actions are taken.

Here's what you'll see when a rule is matched if you include the incident report action:

Use a test mode with an incident report action

1. In the Exchange admin center (EAC), go to Mail flow > Rules.

2. Create a new rule, or select an existing rule, and then select Edit.

3. Scroll down to the Choose a mode for this rule section, and then select Test
without Policy Tips or Test with Policy Tips.

4. Add an incident report action:

a. Select Add action, or, if this isn't visible, select More options, and then select
Add action.

b. Select Generate incident report and send it to.

c. Click Select one... and select yourself or someone else.

d. Select Include message properties, and then select any message properties that
you want included in the email you receive. If you don't select any, you will still
get an email when the rule is matched.

5. Select Save.

Step 2: Evaluate whether your rule does what you intend

To test a rule, you can either send enough test messages to confirm that what you
expect happens, or look at the message trace for messages that people in your
organization send. Be sure to evaluate the following types of messages:

Messages that you expect to match the rule
Messages that you don't expect to match the rule
Messages sent to and from people in your organization
Messages sent to and from people outside your organization
Replies to messages that match the rule
Messages that might cause interactions between multiple rules

Tips for sending test messages

One way to test is to sign in as both the sender and recipient of a test message.

If you don't have access to multiple accounts in your organization, you can test in a
trial account or create a few temporary fake users in your organization.

Because a web browser typically doesn't let you have simultaneous open sessions
on the same computer signed in to multiple accounts, you can use Internet
Explorer InPrivate Browsing, or a different computer, device, or web browser for
each user.

Look at the message trace

The message trace includes an entry for each rule that is matched for the message, and
an entry for each action the rule takes. This is useful for tracking what happens to test
messages, and also for tracking what happens to real messages going through your
organization.

1. In the EAC, go to Mail flow > Message trace.

2. Find the messages that you want to trace by using criteria such as the sender and
the date sent. For help specifying criteria, see Run a Message Trace and View
Results.
3. After locating the message you want to trace, double-click it to view details about
the message.

4. Look in the Event column for Transport rule. The Action column shows the specific
action taken.

Step 3: When you're done testing, set the rule to enforce

1. In the EAC, go to Mail flow > Rules.

2. Select a rule, and then select Edit.

3. Select Enforce.

4. If you used an action to generate an incident report, select the action and then
select Remove.

5. Select Save.

Tip

To avoid surprises, inform your users about new rules.
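The three steps above, as an added example in Exchange Online PowerShell rather than the EAC (not from the original article); the rule name, report mailbox, test sender and the use of the message trace cmdlets for Step 2 are assumptions.

```powershell
# Added example: Step 1 to Step 3 of the testing procedure in Exchange Online PowerShell.
# Assumptions: rule name, report mailbox and test sender are constructed placeholders;
# Connect-ExchangeOnline has already been run.

$ruleName = 'Block large attachments (pilot)'
$reportTo = 'mailflow-admin@contoso.example'   # constructed mailbox for incident reports

# Step 1: create the rule in test mode. "Test without Policy Tips" is -Mode Audit;
# "Test with Policy Tips" would be -Mode AuditAndNotify (DLP only). The incident
# report action mails $reportTo on every match while no mail is actually blocked.
New-TransportRule -Name $ruleName `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText 'Attachments over 10 MB are not allowed.' `
    -Mode Audit `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections

# Wait at least 30 minutes before sending test messages (see the Important note above).

# Step 2: besides reading the incident reports, pull the message trace for the test
# sender and keep only the 'Transport rule' events, as described under
# "Look at the message trace". Returns one object per rule hit.
function Get-RuleHits {
    param(
        [Parameter(Mandatory)] [string] $SenderAddress,
        [int] $Hours = 24
    )
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)
    Get-MessageTrace -SenderAddress $SenderAddress -StartDate $start -EndDate $end |
        ForEach-Object {
            Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId `
                                   -RecipientAddress $_.RecipientAddress
        } |
        Where-Object { $_.Event -eq 'Transport rule' } |
        Select-Object Date, Event, Action, Detail
}

# Check the messages sent by the constructed test account (expected and unexpected
# matches, internal and external recipients, replies) before enforcing anything.
Get-RuleHits -SenderAddress 'test.sender@contoso.example' | Format-Table -AutoSize

# Step 3: when testing is complete, switch to Enforce and remove the incident report
# action so the admin mailbox stops receiving a report for every production match.
Set-TransportRule -Identity $ruleName -Mode Enforce `
    -GenerateIncidentReport $null -IncidentReportContent $null

# Verify the final state of the rule.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, GenerateIncidentReport
```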

Troubleshooting suggestions
Here are some common problems and resolutions:

Everything looks right, but the rule isn't working.

Occasionally it takes longer than 15 minutes for a new mail flow rule to be available.
Wait a few hours, and then test again. Also check to see if another rule might be
interfering. Try changing this rule to priority 0 by moving it to the top of the list.

Disclaimer is added to original message and all replies, instead of just the
original message.

To avoid this, you can add an exception to your disclaimer rule to look for a unique
phrase in the disclaimer.

My rule has two conditions, and I want the action to happen when either of the
conditions is met, but it only is matched when both conditions are met.
You need to create two rules, one for each condition. You can easily copy the rule
by selecting Copy and then remove one condition from the original and the other
condition from the copy.

I'm working with distribution groups, and The sender is (SentTo) doesn't seem
to be working.

SentTo matches messages where one of the recipients is a mailbox, mail-enabled
user, or contact, but you can't specify a distribution group with this condition.
Instead, use To box contains a member of this group (SentToMemberOf).

Other testing options

If you're using Exchange Online or Exchange Online Protection, you can check the
number of times each rule is matched by using a rules report. In order to be included in
the reports, a rule must have the Audit this rule with severity level check box selected.
These reports help you spot trends in rule usage and identify rules that are not matched.

To view a rules report, in the Microsoft 365 admin center, select Reports.

Note

While most data is in the report within 24 hours, some data may take as long as 5
days to appear.

To learn more, see View mail protection reports.

Need more help?

Manage mail flow rules

Mail flow rules (transport rules) in Exchange Online


Mail flow rule procedures in Exchange
Online
Article • 02/22/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use mail flow rules (also
known as transport rules) to meet the scenarios as described in this article.

To learn about concepts and objectives for mail flow rules, see Mail flow rules (transport
rules) in Exchange Online.

Mail flow rule procedures for anti-spam features in Exchange Online and standalone EOP

Use mail flow rules for attachment blocking scenarios: Learn how to use mail flow rules
to block all attachments.

Use mail flow rules to block messages with executable attachments: Learn how to use
mail flow rules to block messages that contain executable attachments.

Use mail flow rules to inspect message attachments: Learn how to use mail flow rule
conditions that allow you to inspect the content of message attachments.

Use mail flow rules to set the spam confidence level (SCL) in messages: Learn how to use
mail flow rules to mark specific messages as spam before they're even scanned by spam
filtering, or mark messages so they'll skip spam filtering.

Use mail flow rules to filter bulk email: Examples describing how to mark messages that
contain specific bulk indicator content as spam.

Use mail flow rules to see what users are reporting to Microsoft: Receive copies of
messages that users report as junk, not junk or phishing to Microsoft.

Mail flow rule procedures for other features in Exchange Online and standalone EOP

Organization-wide message disclaimers, signatures, footers, or headers: Learn how to
set up a legal disclaimer, email disclaimer, consistent signature, email header, or email
footer by using mail flow rules.

Use mail flow rules so messages can bypass Clutter: Information to help you make sure
messages are sent to an inbox instead of the Clutter folder.

Use mail flow rules to route email based on a list of words, phrases, or patterns:
Information to help you comply with your organization's email policies.

Mail flow rule procedures for features in Exchange Online only

Use mail flow rules for message approval scenarios in Exchange Online: Use mail flow
rules instead of enabling moderation on recipients to meet message approval scenarios.

Use mail flow rules to automatically add meetings to calendars in Exchange Online: Use
the Direct to Calendar feature in Exchange Online to add meetings directly to calendars
in Exchange Online.

Define rules to encrypt email messages in Exchange Online: Learn how to use mail flow
rules to encrypt messages using Microsoft Purview Message Encryption.

For more information

Mail flow rules (transport rules) in Exchange Online

Manage mail flow rules in Exchange Online

Best practices for configuring mail flow rules in Exchange Online

Test mail flow rules in Exchange Online

Use mail protection reports to view data about malware, spam, and rule detections
Common attachment blocking scenarios
for mail flow rules in Exchange Online
Article • 02/22/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you might need to block or reject
certain types of messages in order to meet legal or compliance requirements, or to meet
specific business needs. This article discusses examples of common scenarios for
blocking all attachments, which you can set up using mail flow rules (also known as
transport rules).

Notes:

For additional examples showing how to block specific attachments by using mail
flow rules, see Use mail flow rules to inspect message attachments in Exchange
Online.

Anti-malware policies in EOP allow you to block specific file types by turning on and
configuring the common attachment types filter. For instructions, see Configure
anti-malware policies in EOP.

To get started using mail flow rules to block certain message types, do the following
steps:

1. Open the Exchange admin center (EAC). For more information, see Exchange
admin center in Exchange Online.
2. Go to Mail flow > Rules.
3. Click New and then select Create a new rule.
4. In the Name box, specify a name for the rule, and then click More options.
5. Select the conditions and actions you want.

Note

In the EAC, the smallest attachment size that you can enter is 1 kilobyte, which
should detect most attachments. However, if you want to detect every possible
attachment of any size, you need to use PowerShell to adjust the attachment size to
1 byte after you create the rule in the EAC. To connect to PowerShell, see Connect
to Exchange Online PowerShell or Connect to standalone Exchange Online
Protection PowerShell.

Embedded images are treated as attachments (for example, messages with a
picture in the signature). For this reason, we do not recommend using a very small
value for the attachment size since unexpected messages will be blocked.

Example 1: Block messages with attachments, and notify the sender

If you don't want certain people in your organization to send or receive attachments
greater than 10 Megabytes, you can set up a mail flow rule to block messages with
attachments of this size.

In this example, all messages sent to or from the organization with attachments greater
than 10 Megabytes are blocked.

If all you want to do is block the message, you might want to stop rule processing once
this rule is matched. Scroll down the rule dialog box, and select the Stop processing
more rules check box.

Example 2: Notify intended recipients when an inbound message is blocked

If you want to reject a message but let the intended recipient know what happened, you
can use the Notify the recipient with a message action.

You can include placeholders in the notification message so that it includes information
about the original message. The placeholders must be enclosed in two percent signs
(%%), and when the notification message is sent, the placeholders are replaced with
information from the original message. You can also use basic HTML such as <br>, <b>,
<i>, and <img> in the message.

Type of information | Placeholder
Sender of the message. | %%From%%
Recipients listed on the "To" line. | %%To%%
Recipients listed on the "Cc" line. | %%Cc%%
Subject of the original message. | %%Subject%%
Headers from the original message. This is similar to the list of headers in a delivery status notification (DSN) generated for the original message. | %%Headers%%
Date the original message was sent. | %%MessageDate%%

In this example, all messages that contain attachments and are sent to people inside
your organization are blocked, and the recipient is notified.

Example 3: Modify the subject line for notifications

When a notification is sent to the recipient, the subject line is the subject of the original
message. If you want to modify the subject so that it is clearer to the recipient, you must
use two mail flow rules:

The first rule adds the word "undeliverable" to the beginning of the subject of any
messages with attachments.

The second rule blocks the message and sends a notification message to the
sender using the new subject of the original message.

Important

The two rules must have identical conditions. Rules are processed in order, so the
first rule adds the word "undeliverable", and the second rule blocks the message
and notifies the recipient.

Here's what the first rule would look like if you want to add "undeliverable" to the
subject:

And the second rule does the blocking and notification (the same rule from Example 2):

Example 4: Apply a rule with a time limit

If you have a malware outbreak, you might want to apply a rule with a time limit so that
you temporarily block attachments. For example, the following rule has both a start and
stop day and time:
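Because the rule screenshots for Examples 1 to 4 are not reproduced in this copy, here is an added example (not from the original article) that builds the same four rules with New-TransportRule; the rule names, notification text, sender/recipient scopes and dates are assumptions.

```powershell
# Added example: Examples 1 to 4 from this article as Exchange Online PowerShell rules.
# Assumptions: rule names, text, scopes and dates are constructed placeholders;
# Connect-ExchangeOnline has already been run.

# Example 1: block any message carrying an attachment of 10 MB or more, tell the sender
# why in the NDR, and stop processing further rules once the message is blocked.
New-TransportRule -Name 'Block attachments over 10 MB' `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText 'Attachments larger than 10 MB are not allowed.' `
    -StopRuleProcessing $true

# Example 2: block inbound messages with attachments sent to people in the organization
# and notify the intended recipient. The %%...%% placeholders and the basic HTML are
# expanded by the service when the notification is generated.
$notice = @"
<b>A message sent to you was blocked</b><br>
From: %%From%%<br>
Subject: %%Subject%%<br>
Sent: %%MessageDate%%<br>
Attachments from outside the organization are not accepted.
"@
New-TransportRule -Name 'Notify recipient of blocked attachment' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -AttachmentSizeOver 1KB `
    -RejectMessageReasonText 'Attachments are not accepted from external senders.' `
    -GenerateNotification $notice

# Per the Note above, the EAC minimum is 1 KB; to catch attachments of any size
# (embedded signature images included) lower the threshold afterwards. The '1B'
# value format is an assumption about the ByteQuantifiedSize parser.
# Set-TransportRule -Identity 'Notify recipient of blocked attachment' -AttachmentSizeOver 1B

# Example 3: two rules with identical conditions. The first (higher priority) prepends
# "undeliverable" to the subject; the second is the Example 2 rule, which then blocks
# and notifies using the modified subject. Priority order is what makes this work.
New-TransportRule -Name 'Mark subject undeliverable' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -AttachmentSizeOver 1KB `
    -PrependSubject 'undeliverable: ' `
    -Priority 0
Set-TransportRule -Identity 'Notify recipient of blocked attachment' -Priority 1

# Example 4: time-limited rule for a malware outbreak. It is only evaluated between
# the activation and expiry timestamps and is placed at the top of the list.
New-TransportRule -Name 'Outbreak: temporarily block all attachments' `
    -AttachmentSizeOver 1KB `
    -RejectMessageReasonText 'Attachments are temporarily blocked during a security incident.' `
    -ActivationDate (Get-Date '2023-03-01T08:00:00') `
    -ExpiryDate     (Get-Date '2023-03-03T18:00:00') `
    -StopRuleProcessing $true `
    -Priority 0

# Review the resulting order and the time windows.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, ActivationDate, ExpiryDate -AutoSize
```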

See also

Mail flow rules (transport rules) in Exchange Online
Use mail flow rules to block messages
with executable attachments in
Exchange Online
Article • 02/21/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, messages with harmful attachments
are blocked by anti-malware policies, including messages with executable attachments.
For more information, see Anti-malware protection in EOP.

To further enhance protection, you can use mail flow rules (also known as transport
rules) to identify and block messages that contain executable attachments as described
in this article.

For example, following a malware outbreak, a company could apply this rule with a time
limit so that affected users can get back to sending attachments after a specified length
of time.

What do you need to know before you begin?

You need to be assigned permissions in Exchange Online or Exchange Online
Protection before you can do the procedures in this article. Specifically, you need
the Transport Rules role, which is assigned to the Organization Management,
Compliance Management, and Records Management role groups by default.

For more information, see the following topics:

Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

Use the EAC to create a rule that blocks messages with executable attachments

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule.

Click More Options.

Apply this rule if: Select Any attachment > has executable content.

Do the following: Select Block the message and then choose the action you
want:

reject the message and include an explanation: In the Specify reject
reason dialog that appears, enter the text you want to appear in the non-
delivery report (also known as an NDR or bounce message). The default
enhanced status code that's used is 5.7.1.

reject the message with the enhanced status code of: In the Enter
enhanced status code dialog that appears, enter the enhanced status
code that you want to appear in the NDR. Valid values are 5.7.1 or a value
from 5.7.900 to 5.7.999. The default rejection text is: Delivery not
authorized, message refused.

reject the message without notifying anyone

4. When you're finished, click Save. Your attachment blocking rule is now in force.

Use PowerShell to create a rule that blocks messages with executable attachments

Use the following syntax to create a rule to block messages that contain executable
attachments:

PowerShell

New-TransportRule -Name "<UniqueName>" -AttachmentHasExecutableContent $true [-RejectMessageEnhancedStatusCode <5.7.1 | 5.7.900 to 5.7.999>] [-RejectMessageReasonText "<Text>"] [-DeleteMessage $true]

Notes:

If you use the RejectMessageEnhancedStatusCode parameter without the
RejectMessageReasonText parameter, the default text is: Delivery not authorized,
message refused.

If you use the RejectMessageReasonText parameter without the
RejectMessageEnhancedStatusCode parameter, the default code is 5.7.1.

This example creates a new rule named Block Executable Attachments that silently
deletes messages that contain executable attachments.

PowerShell

New-TransportRule -Name "Block Executable Attachments" -AttachmentHasExecutableContent $true -DeleteMessage $true

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?

To verify that you've successfully created a mail flow rule to block messages that contain
executable attachments, do any of the following steps:

In the EAC, go to Mail flow > Rules > select the rule > click Edit , and verify the
settings.

In PowerShell, run the following command to verify the settings:

PowerShell

Get-TransportRule -Identity "<Rule Name>" | Format-List Name,AttachmentHasExecutableContent,RejectMessage*,DeleteMessage

Use mail flow rules to inspect message
attachments in Exchange Online
Article • 02/22/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can inspect email attachments by
setting up mail flow rules (also known as transport rules). Mail flow rules allow you to
examine email attachments as a part of your messaging security and compliance needs.
When you inspect attachments, you can then take action on the messages based on the
content or characteristics of the attachments. Here are some attachment-related tasks
you can do by using mail flow rules:

Search for files with text that matches a pattern you specify, and add a disclaimer
to the end of the message.
Inspect content within attachments and, if there are any keywords you specify,
redirect the message to a moderator for approval before it's delivered.
Check for messages with attachments that can't be inspected and then block the
entire message from being sent.
Check for attachments that exceed a certain size and then notify the sender of the
issue, if you choose to prevent the message from being delivered.
Check whether the properties of an attached Office document match the values
that you specify. With this condition, you can integrate the requirements of your
mail flow rules and DLP policies with a third-party classification system, such as
SharePoint or the Windows Server File Classification Infrastructure (FCI).
Create notifications that alert users if they send a message that has matched a mail
flow rule.
Block all messages containing attachments. For examples, see Use mail flow rules
for attachment blocking scenarios in Exchange Online.

Note

All of these conditions will scan compressed archive attachments.

Exchange Online admins can create mail flow rules in the Exchange admin center (EAC)
at Mail flow > Rules. You need permissions to do this procedure. After you start to
create a new rule, you can see the full list of attachment-related conditions by clicking
More options > Any attachment under Apply this rule if. The attachment-related
options are shown in the following diagram.

For more information about mail flow rules, including the full range of conditions and
actions that you can choose, see Mail flow rules (transport rules) in Exchange Online.

Exchange Online Protection (EOP) and hybrid customers can benefit from the mail flow
rules best practices provided in Best Practices for Configuring EOP. If you're ready to
start creating rules, see Manage mail flow rules in Exchange Online.

Tip

If you suspect that your rule is not working properly, first check which attachments
the message contains. To inspect which attachment/s the message contained
during Mail flow rule evaluation, see Test-TextExtraction.

This should work.

Inspect the content within attachments

You can use the mail flow rule conditions in the following table to examine the content
of message attachments. For these conditions, only the first 1 megabyte (MB) of text
extracted from an attachment is inspected. The 1-MB limit refers to the extracted text,
not the file size of the attachment. For example, a 2-MB file may contain less than 1 MB
of text, so all of the text would be inspected.
To start using these conditions when inspecting messages, you need to add them to a
mail flow rule. Learn about creating or changing rules at Manage mail flow rules in
Exchange Online.

Condition name in the EAC: Any attachment's content includes / Any attachment > content includes any of these words
Condition name in Exchange Online PowerShell: AttachmentContainsWords
Description: This condition matches messages with supported file type attachments that contain a specified string or group of characters.

Condition name in the EAC: Any attachment's content matches / Any attachment > content matches these text patterns
Condition name in Exchange Online PowerShell: AttachmentMatchesPatterns
Description: This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression.

Condition name in the EAC: Any attachment's content can't be inspected / Any attachment > content can't be inspected
Condition name in Exchange Online PowerShell: AttachmentIsUnsupported
Description: Mail flow rules can only inspect the content of supported file types. If the mail flow rule finds an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section.

Note

The condition names in Exchange Online PowerShell are parameter names on
the New-TransportRule and Set-TransportRule cmdlets. For more
information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule
conditions and exceptions (predicates) in Exchange Online.

To learn how to use Windows PowerShell to connect to Exchange Online, see
Connect to Exchange Online PowerShell.

Supported file types for mail flow rule content inspection
The following table lists the file types supported by mail flow rules. The system
automatically detects file types by inspecting file properties rather than the actual file
name extension, thus helping to prevent malicious hackers from being able to bypass
mail flow rule filtering by renaming a file extension. A list of file types with executable
code that can be checked within the context of mail flow rules is listed later in this
article.

Category | File extension | Notes
Adobe PDF | .pdf | None
Compressed archive files | .arj, .bz2, .cab, .chm, .gz, .gzip, .lha, .lzh, .lzma, .mhtml, .msp, .rar, .rar4, .tar, .xar, .xz, .zip, .7z | None
HTML | .ascx, .asp, .aspx, .css, .hta, .htm, .html, .htw, .htx, .jhtml | None
JSON | adaptivecard, .json, messagecard | None
Mail | .eml, .msg, .nws | None
Microsoft Office | .doc, .docm, .docx, .dot, .dotm, .dotx, .obd, .obt, .one, .pot, .potm, .potx, .ppa, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .xlb, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt | The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected. Content within the custom properties is also scanned.
Microsoft Office xml | .excelml, .powerpointml, .wordml | None
Microsoft Visio | .vdw, .vdx, .vsd, .vsdm, .vsdx, .vss, .vssm, .vssx, .vst, .vstm, .vstx, .vsx, .vtx | None
OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected.
Other | .dfx, .dxf, .encoffmetro, .fluid, .mime, .pointpub, .pub, .rtf, .vtt, .xps | None
Text | .asm, .bat, .c, .cmd, .cpp, .cs, .csv, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .java, .js, .lnk, .log, .m3u, messagestorage, .mpx, .php, .pl, .pos, .txt, .vcf, .vcs | Other files that are text based are also scanned. This list is representative.
XML | .infopathml, .jsp, .mspx, .xml | None

Inspect the file properties of attachments

The following conditions can be used in mail flow rules to inspect different properties of
files that are attached to messages. To start using these conditions when inspecting
messages, you need to add them to a mail flow rule. For more information about
creating or changing rules, see Manage mail flow rules.

Note

If you would like to block certain files using the file conditions
AttachmentNameMatchesPatterns or AttachmentExtensionMatchesWords, be aware
that these conditions inspect the actual file name extension and not the file
properties. This differs from the file content inspection performed by the other
conditions described earlier. If you need to block a file based on the system's file
property detection (for example, when the file has been renamed), use the "common
attachment filter" feature of the Anti-Malware policy instead.

Condition name in the EAC: Any attachment's file name matches / Any attachment > file name matches these text patterns
Condition name in Exchange Online PowerShell: AttachmentNameMatchesPatterns
Description: This condition matches messages with attachments whose file name contains the characters you specify.

Condition name in the EAC: Any attachment's file extension matches / Any attachment > file extension includes these words
Condition name in Exchange Online PowerShell: AttachmentExtensionMatchesWords
Description: This condition matches messages with attachments whose file name extension matches what you specify.

Condition name in the EAC: Any attachment is greater than or equal to / Any attachment > size is greater than or equal to
Condition name in Exchange Online PowerShell: AttachmentSizeOver
Description: This condition matches messages with attachments when those attachments are greater than or equal to the size you specify. This condition refers to the sizes of individual attachments, not the cumulative size. For example, if you set a rule to reject any attachment that is 10 MB or greater, a single attachment with a size of 15 MB is rejected, but a message with three 5 MB attachments is allowed.

Condition name in the EAC: The message didn't complete scanning / Any attachment > didn't complete scanning
Condition name in Exchange Online PowerShell: AttachmentProcessingLimitExceeded
Description: This condition matches messages when an attachment isn't inspected by the mail flow rules agent.

Condition name in the EAC: Any attachment has executable content / Any attachment > has executable content
Condition name in Exchange Online PowerShell: AttachmentHasExecutableContent
Description: This condition matches messages that contain executable files as attachments. The supported file types are listed here.

Condition name in the EAC: Any attachment is password protected / Any attachment > is password protected
Condition name in Exchange Online PowerShell: AttachmentIsPasswordProtected
Description: This condition matches messages with attachments that are protected by a password. Password detection works for Office documents, compressed files (.zip, .7z), and .pdf files.

Condition name in the EAC: Any attachment has these properties, including any of these words / Any attachment > has these properties, including any of these words
Condition name in Exchange Online PowerShell: AttachmentPropertyContainsWords
Description: This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma.

Note

The condition names in Exchange Online PowerShell are parameter names on
the New-TransportRule and Set-TransportRule cmdlets. For more
information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule
conditions and exceptions (predicates) in Exchange Online.

To learn how to connect to Exchange Online PowerShell, see Connect to
Exchange Online PowerShell.
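An added example (not from the original article) that uses the file-property conditions from the table above, including the property:value syntax of AttachmentPropertyContainsWords and the extension-versus-true-type caveat from the Note; rule names, the moderator address, property names and values are assumptions.

```powershell
# Added example: file-property conditions from the table above, in Exchange Online PowerShell.
# Assumptions: rule names, moderator address, property names and values are constructed;
# Connect-ExchangeOnline has already been run.

$moderator = 'mail-moderator@contoso.example'   # constructed approver mailbox

# Rule set 1: attachments the rules agent cannot look inside (unsupported type,
# password-protected, or scanning not completed) go to a moderator instead of being
# delivered unchecked. Conditions inside a single rule are ANDed, so each predicate
# gets its own rule; the three rules together act as an OR.
$uninspectable = @{
    'Moderate unsupported attachments'        = @{ AttachmentIsUnsupported           = $true }
    'Moderate password-protected attachments' = @{ AttachmentIsPasswordProtected     = $true }
    'Moderate attachments not fully scanned'  = @{ AttachmentProcessingLimitExceeded = $true }
}
foreach ($name in $uninspectable.Keys) {
    $condition = $uninspectable[$name]          # hashtable splatted as the condition parameter
    New-TransportRule -Name $name -ModerateMessageByUser $moderator @condition
}

# Rule 2: Office document properties. Each string is "Property:Value1,Value2";
# several property/value pairs are passed as separate strings. Only outbound mail
# (recipients outside the organization) is held for approval here.
New-TransportRule -Name 'Route high-impact documents for approval' `
    -AttachmentPropertyContainsWords 'Business Impact:High,Moderate', 'Classification:Confidential' `
    -SentToScope NotInOrganization `
    -ModerateMessageByUser $moderator

# Rule 3: literal extension match for types the executable detector does not cover
# (.jar and .obj, per the Important note below). As the Note above says, this checks
# the file name as written, not the detected file type, so a renamed file is not
# caught; pair it with the anti-malware common attachment filter for true-type blocking.
New-TransportRule -Name 'Reject Java archive and object files' `
    -AttachmentExtensionMatchesWords 'jar', 'obj' `
    -RejectMessageReasonText 'Java archive (.jar) and object (.obj) files are not accepted as attachments.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Confirm what was created and which condition each rule carries.
Get-TransportRule |
    Where-Object { $_.AttachmentIsUnsupported -or $_.AttachmentIsPasswordProtected -or
                   $_.AttachmentProcessingLimitExceeded -or $_.AttachmentPropertyContainsWords -or
                   $_.AttachmentExtensionMatchesWords } |
    Format-List Name, Priority, State, AttachmentIsUnsupported, AttachmentIsPasswordProtected,
                AttachmentProcessingLimitExceeded, AttachmentPropertyContainsWords,
                AttachmentExtensionMatchesWords

# If a rule does not fire as expected, the Tip earlier in this article points to
# Test-TextExtraction to see what the agent extracted from a sample file. The call
# shape below is an assumption, not taken from this article:
# Test-TextExtraction -FileData ([System.IO.File]::ReadAllBytes('C:\temp\sample.docx')) -Verbose
```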

Supported executable file types for mail flow rule inspection

The mail flow rules use true type detection to inspect file properties rather than merely
the file extensions. This helps to prevent malicious hackers from being able to bypass
your rule by renaming a file extension. The following table lists the executable file types
supported by these conditions. If a file is found that isn't listed here, the
AttachmentIsUnsupported condition is triggered.

Type of file | Native extension
32-bit Windows executable file with a dynamic link library extension. | .dll
Self-extracting executable program file. | .exe
Uninstallation executable file. | .exe
Program shortcut file. | .exe
32-bit Windows executable file. | .exe
Microsoft Visio XML drawing file. | .vxd
OS/2 operating system file. | .os2
16-bit Windows executable file. | .w16
Disk-operating system file. | .dos
European Institute for Computer Antivirus Research standard antivirus test file. | .com
Windows program information file. | .pif
Windows executable program file. | .exe

Important

.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive
files), and .obj (compiled source code, 3D object, or sequence files) files are not
considered to be executable file types. To block these files, you can use mail flow
rules that look for files with these extensions as described earlier in this article, or
you can configure an antimalware policy that blocks these file types (the common
attachment types filter). For more information, see Configure anti-malware policies
in EOP.

Data loss prevention policies and attachment mail flow rules


Note

This section does not apply to standalone EOP organizations.

To help you manage important business information in email, you can include any of the
attachment-related conditions along with the rules of a data loss prevention (DLP)
policy.

DLP policies and attachment-related conditions can help you enforce your business
needs by defining those needs as mail flow rule conditions, exceptions, and actions.
When you include the sensitive information inspection in a DLP policy, any attachments
to messages are scanned for that information only. However, attachment-related
conditions such as size or file type aren't included until you add the conditions listed in
this article. DLP isn't available with all versions of Exchange; learn more at Data loss
prevention.

For more information

For information on broadly blocking email with attachments, regardless of malware
status, see Common attachment blocking scenarios for mail flow rules in Exchange
Online.

Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online
Article • 02/21/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, anti-spam policies (also known as
spam filter policies or content filter policies) scan inbound messages for spam. For more
information, see Configure anti-spam policies in EOP.

If you want to mark specific messages as spam before they're even scanned by spam
filtering, or mark messages so they'll skip spam filtering, you can create mail flow rules
(also known as transport rules) to identify the messages and set the spam confidence
level (SCL). For more information about the SCL, see Spam confidence level (SCL) in EOP.

What do you need to know before you begin?


You need to be assigned permissions in Exchange Online or Exchange Online
Protection before you can do the procedures in this article. Specifically, you need
the Transport Rules role, which is assigned to the Organization Management,
Compliance Management (global admins), and Records Management role groups
by default.

For more information, see the following topics:


Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

Use the EAC to create a mail flow rule that sets the SCL of a message

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule.

Click More Options.

Apply this rule if: Select one or more conditions to identify messages. For
more information, see Mail flow rule conditions and exceptions (predicates)
in Exchange Online.

Do the following: Select Modify the message properties > set the spam
confidence level (SCL). In the Specify SCL dialog that appears, configure one
of the following values:

Bypass spam filtering: The messages will skip spam filtering. High confidence
phishing messages are still filtered. Other features in EOP are not affected (for
example, messages are always scanned for malware).

If you need to bypass spam filtering for SecOps mailboxes or phishing
simulations, don't use mail flow rules. See Configure the delivery of third-
party phishing simulations to users and unfiltered messages to SecOps
mailboxes.

Caution

Be very careful about allowing messages to skip spam filtering. The mail
flow rule should use more conditions than just the sender's email
address or domain. For more information, see Create safe sender lists in
EOP.

0 to 4: The message is sent through spam filtering for additional processing.

5 or 6: The message is marked as Spam. The action that you've configured
for Spam filtering verdicts in your anti-spam policies is applied to the
message (the default value is Move message to Junk Email folder).

7 to 9: The message is marked as High confidence spam. The action that
you've configured for High confidence spam filtering verdicts in your anti-
spam policies is applied to the message (the default value is Move message
to Junk Email folder).

4. Specify any additional properties that you want for the rule. When you're finished,
click Save.

How do you know this worked?


To verify that you've correctly set the SCL in messages, send an email message to
someone inside your organization, and verify that the action performed on the message
is as expected. For example, if you set the spam confidence level (SCL) to Bypass spam
filtering, then the message should be sent to the specified recipient's Inbox. However, if
you set the spam confidence level (SCL) to 9, and the High confidence spam action for
your applicable anti-spam policies is to move the message to the Junk Email folder, then
the message should be sent to the specified recipient's Junk Email folder.
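
As an added example that is not part of the Microsoft article, the following PowerShell audits existing rules for the weak configuration the Caution above describes: rules that set the SCL to -1 (Bypass spam filtering) on nothing more than the sender's address or domain. It assumes the rule objects expose the property names that Get-TransportRule output uses (SetSCL, SenderDomainIs, From, SenderIpRanges, and so on); the sample rules, domains and the 203.0.113.0/24 range are constructed placeholders.

```powershell
# Added example, not part of the Microsoft article: find mail flow rules that bypass
# spam filtering (SetSCL -1) and flag those whose only conditions are the sender's
# address or domain, which a spoofed From header satisfies on its own.
# Assumption: rule objects use the property names of Get-TransportRule output.

function Find-WeakSclBypassRule {
    [CmdletBinding()]
    param(
        # A transport rule object from Get-TransportRule, or a look-alike for offline testing.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        # Only rules that set SCL to -1 (Bypass spam filtering) are of interest.
        if ($Rule.SetSCL -ne -1) { return }

        # Sender-identity predicates; weak when they are the only conditions on the rule.
        $senderProps = 'SenderDomainIs', 'From', 'FromAddressContainsWords', 'FromAddressMatchesPatterns'
        # Corroborating predicates that tie the message to infrastructure, headers or content.
        $otherProps  = 'SenderIpRanges', 'HeaderContainsMessageHeader', 'HeaderMatchesMessageHeader',
                       'SentTo', 'RecipientDomainIs', 'SubjectContainsWords', 'SubjectMatchesPatterns'

        # $Rule.$_ reads the property whose name is in $_; unset properties come back empty.
        $sender = @($senderProps | Where-Object { $Rule.$_ })
        $other  = @($otherProps  | Where-Object { $Rule.$_ })

        [pscustomobject]@{
            Name             = $Rule.Name
            State            = $Rule.State
            SenderConditions = ($sender -join ', ')
            OtherConditions  = ($other  -join ', ')
            # Weak: the bypass rests on sender identity alone.
            Weak             = ($sender.Count -gt 0 -and $other.Count -eq 0)
        }
    }
}

# Constructed sample rules standing in for Get-TransportRule output (placeholder
# domain and the 203.0.113.0/24 documentation range, not real infrastructure).
$sampleRules = @(
    [pscustomobject]@{ Name = 'Partner allow - domain only'; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = 'partner.example' }
    [pscustomobject]@{ Name = 'Partner allow - domain and IP'; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = 'partner.example'; SenderIpRanges = '203.0.113.0/24' }
    [pscustomobject]@{ Name = 'Mark newsletter as spam'; State = 'Enabled'; SetSCL = 6
                       SubjectContainsWords = 'newsletter' }
)

# Against a real tenant, replace $sampleRules with: Get-TransportRule
$sampleRules | Find-WeakSclBypassRule | Format-Table -AutoSize
```

Rules reported with Weak = True are the ones to tighten with an additional condition (for example, a sender IP range or an authentication-related header) before you rely on them.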

Use mail flow rules to filter bulk email in Exchange Online
Article • 01/26/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, anti-spam policies (also known as
spam filter policies or content filter policies) scan inbound messages for spam and bulk
mail (also known as gray mail). For more information, see Configure anti-spam policies
in EOP.

If you want more options to filter bulk mail, you can create mail flow rules (also known
as transport rules) to search for text patterns or phrases that are frequently found in
bulk mail, and mark those messages as spam. For more information about bulk mail, see
What's the difference between junk email and bulk email? and Bulk complaint level
(BCL) in EOP.

This topic explains how to create these mail flow rules in the Exchange admin center (EAC)
and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes).

What do you need to know before you begin?


You need to be assigned permissions in Exchange Online or Exchange Online
Protection before you can do the procedures in this article. Specifically, you need
the Transport Rules role, which is assigned to the Organization Management,
Compliance Management (global admins), and Records Management role groups
by default.

For more information, see the following topics:


Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

The list of words and text patterns that are used to identify bulk mail in the
examples aren't exhaustive; you can add and remove entries as necessary.
However, they are a good starting point.

The search for words or text patterns in the subject or other header fields in the
message occurs after the message has been decoded from the MIME content
transfer encoding method that was used to transmit the binary message between
SMTP servers in ASCII text. You can't use conditions or exceptions to search for the
raw (typically, Base64) encoded values of the subject or other header fields in
messages.

The following procedures mark a bulk message as spam for your entire
organization. However, you can add another condition to apply these rules only to
specific recipients, so you can use aggressive filtering on a few, highly targeted
users, while the rest of your users (who mostly get the bulk email they signed up
for) aren't impacted.

Use the EAC to create mail flow rules that filter bulk email

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule.

Click More Options.

Apply this rule if: Configure one of the following settings to look for content
in messages using regular expressions (RegEx) or words or phrases:

The subject or body > subject or body matches these text patterns: In
the Specify words or phrases dialog that appears, enter one of the
following values, click Add, and repeat until you've entered all the
values.

If you are unable to view the content of this email\, please
\>(safe )?unsubscribe( here)?\</a\>
If you do not wish to receive further communications like this\, please
<img height="?1"? width="?1"? src=.?http\://
To stop receiving these+emails\:http\://
To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)
no longer (wish )?(to )?(be sent|receive) \w+ email
If you are unable to view the content of this email\, please click here
To ensure you receive (your daily deals|our e-?mails)\, add
If you no longer wish to receive these emails
to change your (subscription preferences|preferences or unsubscribe)
click (here to|the) unsubscribe

To edit an entry, select it and click Edit. To remove an entry, select it and
click Remove.

When you're finished, click OK.

The subject or body > subject or body includes any of these words: In
the Specify words or phrases dialog that appears, enter one of the
following values, click Add, and repeat until you've entered all the
values.

to change your preferences or unsubscribe
Modify email preferences or unsubscribe
This is a promotional email
You are receiving this email because you requested a subscription
click here to unsubscribe
You have received this email because you are subscribed
If you no longer wish to receive our email newsletter
to unsubscribe from this newsletter
If you have trouble viewing this email
This is an advertisement
you would like to unsubscribe or change your
view this email as a webpage
You are receiving this email because you are subscribed

To edit an entry, select it and click Edit. To remove an entry, select it and
click Remove.

When you're finished, click OK.

Do the following: Select Modify the message properties > set the spam
confidence level (SCL). In the Specify SCL dialog that appears, configure one
of the following settings:

To mark messages as Spam, select 6. The action that you've configured for
Spam filtering verdicts in your anti-spam policies is applied to the
messages (the default value is Move message to Junk Email folder).

To mark messages as High confidence spam, select 9. The action that
you've configured for High confidence spam filtering verdicts in your anti-
spam policies is applied to the messages (the default value is Move
message to Junk Email folder).

For more information about SCL values, see Spam confidence level (SCL) in EOP.

When you're finished, click Save.

Use PowerShell to create mail flow rules that filter bulk email

Use the following syntax to create one or both of the mail flow rules (regular
expressions vs. words):

PowerShell

New-TransportRule -Name "<UniqueName>" [-SubjectOrBodyMatchesPatterns "<RegEx1>","<RegEx2>"...] [-SubjectOrBodyContainsWords "<WordOrPhrase1>","<WordOrPhrase2>"...] -SetSCL <6 | 9>

This example creates a new rule named "Bulk email filtering - RegEx" that uses the same
list of regular expressions from earlier in the topic to set messages as Spam.

PowerShell

New-TransportRule -Name "Bulk email filtering - RegEx" -SubjectOrBodyMatchesPatterns 'If you are unable to view the content of this email\, please',
'\>(safe )?unsubscribe( here)?\</a\>',
'If you do not wish to receive further communications like this\, please',
'\<img height\="?1"? width\="?1"? src=.?http\://',
'To stop receiving these+emails\:http\://',
'To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)',
'no longer (wish )?(to )?(be sent|receive) \w+ email',
'If you are unable to view the content of this email\, please click here',
'To ensure you receive (your daily deals|our e-?mails)\, add',
'If you no longer wish to receive these emails',
'to change your (subscription preferences|preferences or unsubscribe)',
'click (here to|the) unsubscribe' -SetSCL 6

This example creates a new rule named "Bulk email filtering - Words" that uses the same
list of words from earlier in the topic to set messages as High confidence spam.

PowerShell

New-TransportRule -Name "Bulk email filtering - Words" -SubjectOrBodyContainsWords "to change your preferences or unsubscribe",
"Modify email preferences or unsubscribe",
"This is a promotional email",
"You are receiving this email because you requested a subscription",
"click here to unsubscribe",
"You have received this email because you are subscribed",
"If you no longer wish to receive our email newsletter",
"to unsubscribe from this newsletter",
"If you have trouble viewing this email",
"This is an advertisement",
"you would like to unsubscribe or change your",
"view this email as a webpage",
"You are receiving this email because you are subscribed" -SetSCL 9

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


To verify that you've configured mail flow rules to filter bulk email, do any of the
following steps:

In the EAC, go to Mail flow > Rules > select the rule > click Edit, and verify the
settings.

In PowerShell, replace <Rule Name> with the name of the rule, and run the
following command to verify the settings:

PowerShell

Get-TransportRule -Identity "<Rule Name>" | Format-List

From an external account, send a test message to an affected recipient that
contains one of the phrases or text patterns, and verify the results.
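
Before creating either rule, it helps to dry-run the entries against known-good and known-bulk messages. The following PowerShell is an added example, not part of the Microsoft article: it runs a subset of the article's patterns and phrases over two constructed message bodies (decoded text, as the rule conditions see it, never the raw Base64) and reports which entries fire. The sample bodies, domains and names are constructed.

```powershell
# Added example, not part of the Microsoft article: test the bulk-mail regular expressions
# and phrases from this article against constructed message bodies before deploying the
# rules, to see which entries match and whether ordinary business mail is caught.

# A subset of the article's regular expressions; single quotes keep the backslashes literal.
$patterns = @(
    'If you are unable to view the content of this email\, please',
    '\>(safe )?unsubscribe( here)?\</a\>',
    '\<img height\="?1"? width\="?1"? src=.?http\://',
    'To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)',
    'click (here to|the) unsubscribe'
)
# A subset of the article's words and phrases.
$phrases = @(
    'This is a promotional email',
    'click here to unsubscribe',
    'view this email as a webpage'
)

function Test-BulkMailContent {
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][string]$Body
    )
    # SubjectOrBodyMatchesPatterns: case-insensitive regular expression match on decoded text.
    $regexHits  = @($patterns | Where-Object { [regex]::IsMatch($Body, $_, 'IgnoreCase') })
    # SubjectOrBodyContainsWords: case-insensitive phrase match, approximated here as a substring search.
    $phraseHits = @($phrases  | Where-Object { $Body.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    [pscustomobject]@{
        Message    = $Label
        RegexHits  = $regexHits.Count
        PhraseHits = $phraseHits.Count
        WouldMatch = ($regexHits.Count + $phraseHits.Count) -gt 0
        Details    = ($regexHits + $phraseHits) -join ' | '
    }
}

# Constructed sample bodies (not real messages): one newsletter-style, one ordinary business mail.
$samples = @{
    'marketing newsletter' = @'
<p>This is a promotional email from Contoso Deals.</p>
<p>If you are unable to view the content of this email, please <a href="https://news.example/view">view this email as a webpage</a>.</p>
<p><a href="https://news.example/u?id=42">Unsubscribe here</a></p>
<img height="1" width="1" src="http://news.example/pixel.gif">
'@
    'normal business mail' = @'
Hi Julia, the Q3 report is attached. Please send any corrections by Friday.
Thanks, Laura
'@
}

$samples.GetEnumerator() |
    ForEach-Object { Test-BulkMailContent -Label $_.Key -Body $_.Value } |
    Format-Table -AutoSize
```

Feed the function real bodies from messages your users already reported as bulk, and from legitimate newsletters they signed up for, to tune the list before setting the SCL for the whole organization.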

Use mail flow rules to see what your users are reporting to Microsoft in Exchange Online
Article • 01/26/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, there are multiple ways for users to
report messages to Microsoft for analysis. For more information, see Report messages
and files to Microsoft.

You can create a mail flow rule (also known as a transport rule) that looks for messages
that users report to Microsoft, and you can configure Bcc recipients to receive copies of
these reported messages.

You can create the mail flow rule in the Exchange admin center (EAC) and PowerShell
(Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in
Exchange Online; standalone EOP PowerShell for organizations without Exchange Online
mailboxes).

What do you need to know before you begin?


You need to be assigned permissions in Exchange Online or Exchange Online
Protection before you can do the procedures in this article. Specifically, you need
the Transport Rules role, which is assigned to the Organization Management,
Compliance Management (global admins), and Records Management role groups
by default.

For more information, see the following topics:


Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

Use the EAC to create a mail flow rule to receive copies of reported messages

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule. For example, Bcc
Messages Reported to Microsoft.

Click More Options.

Apply this rule if: Select The recipient > address includes any of these
words: In the Specify words or phrases dialog that appears, enter one of the
following values, click Add, and repeat until you've entered all the values.

junk@office365.microsoft.com
abuse@messaging.microsoft.com
phish@office365.microsoft.com
not_junk@office365.microsoft.com

To edit an entry, select it and click Edit. To remove an entry, select it and
click Remove.

When you're finished, click OK.

Do the following: Select Add recipients > to the Bcc box. In the dialog that
appears, find and select the recipients that you want to add. When you're
finished, click OK.

4. You can make additional selections to audit the rule, test the rule, activate the rule
during a specific time period, and other settings. We recommend testing the rule
before you enforce it.

5. When you're finished, click Save.


Use PowerShell to create a mail flow rule to
receive copies of reported messages
This example creates a new mail flow rule named Bcc Messages Reported to Microsoft
that looks for email messages that are reported to Microsoft by using the methods
described in this article, and adds the users laura@contoso.com and julia@contoso.com
as Bcc recipients.

PowerShell

New-TransportRule -Name "Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords "junk@office365.microsoft.com","abuse@messaging.microsoft.com","phish@office365.microsoft.com","false_positive@messaging.microsoft.com" -BlindCopyTo "laura@contoso.com","julia@contoso.com"

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


To verify that you've configured a mail flow rule to receive copies of reported messages,
do any of the following steps:

In the EAC, go to Mail flow > Rules > select the rule > click Edit, and verify the
settings.

In PowerShell, run the following command to verify the settings:

PowerShell

Get-TransportRule -Identity "Bcc Messages Reported to Microsoft" | Format-List

Send a test message to one of the reporting email addresses and verify the results.

Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online
Article • 04/10/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can add an HTML or plain text
legal disclaimer, disclosure statement, signature, or other information to the top or
bottom of email messages that enter or leave your organization. To do this, you create a
mail flow rule (also known as a transport rule) that adds the required information to
messages.

Notes:

Users can apply signatures to their own outgoing messages in Outlook or Outlook
on the web (formerly known as Outlook Web App). For more information, see
Create and add an email signature in Outlook on the web .

If you want the information to be added only to outgoing messages, you need to
add a corresponding condition (for example, recipients located outside the
organization). By default, mail flow rules are applied to incoming and outgoing
messages.

To avoid multiple disclaimers being added in an email conversation, add an
exception that looks for unique text in your disclaimer. This ensures that the
disclaimer is only added to the original message.

Test the disclaimer. When you create the mail flow rule, you have the option to
start using it immediately (Enforce), or to test it first and log the results. We
recommend testing all mail flow rules prior to setting them to Enforce.

What do you need to know before you begin?


Estimated time to complete each procedure: 7 minutes.

For information about the Exchange admin center (EAC), see Exchange admin
center in Exchange Online. To connect to Exchange Online PowerShell, see Connect
to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see
Connect to standalone Exchange Online Protection PowerShell.

You need to be assigned permissions before you can perform these procedures. To
see what permissions you need, see the "Mail flow" entry in the Feature
permissions in Exchange Online article.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the new EAC to add a disclaimer or other email header or footer

1. In the new EAC at https://admin.exchange.microsoft.com, go to Mail flow >
Rules. Or, to go directly to the Rules page, use
https://admin.exchange.microsoft.com/#/transportrules.

2. On the Rules page, click Add a rule, and then select Apply disclaimers.

3. In the new rule wizard that opens, configure the following settings on the Set rule
conditions page:

Name: Enter a unique name for the rule.

Apply this rule if: Select the conditions that identify which messages get the
disclaimer. For example:
The recipient > is external/internal
In the Select recipient location flyout that opens, select Outside the
organization, and then click Save.

Or, if you want this rule to apply to every message that enters or leaves the
organization, select Apply to all messages.

Do the following: Verify Apply a disclaimer to the message and append a
disclaimer are selected. If you'd rather put the disclaimer text at the top of
the message, select prepend a disclaimer instead.

Click the Enter text link to enter the text of the disclaimer.

Disclaimer text can include HTML tags and inline cascading style sheet
(CSS) tags. You can add images using the IMG tag. Disclaimer text also
supports the following tokens that use values from the sender:
%%City%%
%%Company%%
%%CountryOrRegion%%
%%Department%%
%%DisplayName%%
%%Fax%%
%%FirstName%%
%%HomePhone%%
%%Initials%%
%%LastName%%
%%Manager%%
%%MobilePhone%%
%%Notes%%
%%Office%%
%%Pager%%
%%Phone%%
%%PostalCode%%
%%PostOfficeBox%%
%%StateOrProvince%%
%%StreetAddress%%
%%Title%%
%%UserPrincipalName%%
%%WindowsEmailAddress%%

Click the Select one link to enter the fallback action if the disclaimer can't
be inserted in the message.

Except if: To add an exception that prevents multiple disclaimers from being
added in an email conversation, configure the following settings:
Select The subject or body and Subject or body matches these text
patterns.
In the Specify words or phrases flyout that opens, enter the words or
phrases in the disclaimer, click Add, and then click Save.

When you're finished, click Next.

4. On the Set rule settings page, configure the following settings:

Rule mode: Leave the default value Enforce selected to turn on the rule
immediately, or select Test without Policy Tips to log the results without
actually adding the disclaimer to messages.
Severity: Assign the severity level that appears in the message log. Valid
values are:
Low
Medium
High
Not audit
Not specified
Activate this rule on and Deactivate this rule on: Optionally, select a date-
time range when the rule is active.
Stop processing more rules: Optionally, stop applying additional rules to a
message after the disclaimer rule processes the message.
Defer the message if rule processing doesn't complete: Optionally, defer the
message if the rule isn't able to process the message.
Match sender address in message: Select one of the following values:
Header: Only the message headers are examined. This is the default value.
Envelope: Only the SMTP message envelope is examined.
Header or envelope: Both the message headers and SMTP message
envelope are examined.
Comments: Optionally, enter comments to help describe the rule.

When you're finished, click Next.

5. On the Review and finish page, review the settings of the rule and then click
Finish.

Use Exchange Online PowerShell to add a disclaimer or other email header or footer

Use the New-TransportRule cmdlet to create the disclaimer rule. For detailed parameter
information, see Mail flow rule conditions and exceptions (predicates) in Exchange
Online.

This example creates a new mail flow rule that adds a disclaimer with an image to the
end of all email messages that are sent outside the organization.

PowerShell

New-TransportRule -Name "External Disclaimer" -SentToScope NotInOrganization -ApplyHtmlDisclaimerText "<h3>Disclaimer Title</h3><p>This is the disclaimer text.</p><img alt='Contoso logo' src='http://www.contoso.com/images/logo.gif'>"

This example creates a new mail flow rule that adds an advertisement for one month to
the beginning of all outgoing messages.

PowerShell

New-TransportRule -Name "March Special" -Enabled $true -SentToScope NotInOrganization -ApplyHtmlDisclaimerLocation Prepend -ActivationDate '03/1/2017' -ExpiryDate '03/31/2017' -ApplyHtmlDisclaimerText "<table align=center width=200 border=1 bordercolor=blue bgcolor=green cellpadding=10 cellspacing=0><tr><td nowrap><a href=http://www.contoso.com/marchspecials.htm>Click to see March specials</a></td></tr></table>"

How do you know this worked?


To verify that you've successfully created a disclaimer, and that the disclaimer works as
expected, do the following steps:

Send yourself both a plain text email and an HTML email that match the conditions
and exceptions you defined, and verify that the text appears as you intended.
If you added an exception to avoid adding the disclaimer to successive messages
in a conversation, forward your test messages to yourself to verify that you don't
get an extra copy of the disclaimer.
Send yourself some messages that should not get the disclaimer and verify that
the disclaimer is not included.

Fallback options for disclaimer rules


If a mail flow rule can't modify the message to add the disclaimer (for example, the
message is encrypted), you need to specify what to do. This contingency is known as the
fallback option for the rule. The available fallback options for disclaimer rules are:

Wrap: A new message is created and the original message is added to it as an
attachment. The disclaimer text is added to the new message, which is delivered to
the recipients. This is the default value.
Subsequent mail flow rules that examine message properties (for example, the
message subject or text in the message body) will examine the new message,
not the original message (which is now an attachment in the new message). If
you want other rules to examine and act on the original message, make sure
those rules are applied before the disclaimer rule by using a lower priority for
the disclaimer rule and higher priority for other rules.
If the process of inserting the original message as an attachment in the new
message fails, the original message isn't delivered. The original message is
returned to the sender in a non-delivery report (also known as an NDR or a
bounce message).

Ignore: The rule is ignored and the original message is delivered without the
disclaimer.

Reject: The original message is returned to the sender in an NDR.

In the EAC, you select the fallback option in the rule action. In Exchange Online
PowerShell, you use the ApplyHtmlDisclaimerFallbackAction parameter.
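
The notes at the top of this article (an exception on unique text, testing before enforcing) and the fallback options above can all be set in one New-TransportRule call. The following is an added example, not the article's own command: the marker sentence, rule name and comment are constructed, contoso.com is the article's placeholder domain, and the exception uses the pattern condition with the marker escaped for regular-expression use.

```powershell
# Added example, not part of the Microsoft article: create an external disclaimer rule
# with three safeguards in one command: an exception on a unique sentence so replies in
# a thread don't accumulate disclaimers, an explicit fallback for messages that can't be
# modified (for example, encrypted ones), and Audit mode so matches are logged without
# changing mail until the rule is switched to Enforce.

# A sentence unlikely to occur in normal mail; if it is already present, the disclaimer is too.
$marker = 'This message and any attachments are confidential to the intended Contoso recipient.'

# Disclaimer HTML; the marker sentence is what the exception below looks for.
$disclaimer = @"
<hr><p style="font-size:10px;color:#555555">$marker If you received it in error,
notify <a href="mailto:postmaster@contoso.com">postmaster@contoso.com</a> and delete it.</p>
"@

New-TransportRule -Name 'External Disclaimer (audited)' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfSubjectOrBodyMatchesPatterns ([regex]::Escape($marker)) `
    -Mode Audit `
    -Comments 'Disclaimer rule under test; change -Mode to Enforce after verifying results.'

# Confirm the settings that matter before enforcing.
Get-TransportRule -Identity 'External Disclaimer (audited)' |
    Format-List Name, State, Mode, SentToScope, ApplyHtmlDisclaimerLocation,
                ApplyHtmlDisclaimerFallbackAction, ExceptIfSubjectOrBodyMatchesPatterns

# Once the audit results look right, switch the same rule to enforcement:
# Set-TransportRule -Identity 'External Disclaimer (audited)' -Mode Enforce
```

With Wrap as the fallback, remember the ordering caveat above: rules that need to inspect the original message must run at a higher priority than this one.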

For more information


After you configure a disclaimer rule, see Manage mail flow rules for information about
how to view, modify, enable, disable, or remove the rule.

Use mail flow rules so messages can bypass Clutter in Exchange Online
Article • 02/22/2023

If you want to be sure that you receive particular messages, you can create a mail flow
rule (also known as a transport rule) that makes sure that these messages bypass your
Clutter folder. Check out Use Clutter to sort low-priority messages in Outlook for
more info on Clutter.

For additional management tasks related to mail flow rules, check out Mail flow rules
(transport rules) in Exchange Online and the New-TransportRule PowerShell article. If
you're new to Exchange Online PowerShell, check out Connect to Exchange Online
PowerShell.

What do you need to know before you begin?


Estimated time to complete: 5 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mail flow" entry in the
Feature permissions in Exchange Online article.

For more information about opening and using the Exchange admin center (EAC),
see Exchange admin center in Exchange Online.

To learn how to connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Use the Exchange admin center to create a mail flow rule to bypass the clutter folder

This example allows all messages with title "Meeting" to bypass clutter.

1. In the EAC, go to Mail flow > Rules.

2. Click New and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:
Name: Enter something descriptive. For example, Bypass Clutter if the subject
contains "meeting".
Apply this rule if > The subject includes > meeting
Do the following > Set the message header to this value > X-MS-Exchange-
Organization-BypassClutter: true.

4. When you're finished, click Save.

Use Exchange Online PowerShell to create a mail flow rule to bypass the clutter folder

This example allows all messages with title "Meeting" to bypass clutter.

PowerShell

New-TransportRule -Name "<Unique rule name>" -SubjectContainsWords "Meeting" -SetHeaderName "X-MS-Exchange-Organization-BypassClutter" -SetHeaderValue "true"

Important

In this example, both X-MS-Exchange-Organization-BypassClutter and true are case
sensitive.

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


You can check email message headers to see if the email messages are landing in the
Inbox due to the Clutter mail flow rule bypass. Pick an email message from a mailbox in
your organization that has the Clutter bypass mail flow rule applied. Look at the headers
stamped on the message, and you should see the X-MS-Exchange-Organization-
BypassClutter: true header. This means the bypass is working. Check out the View the
internet header information for an email message article for info on how to find the
header information.

Note

Calendar items (accepted, sent, or declined meetings notifications) won't contain
this header.

Use mail flow rules to route email based on a list of words, phrases, or patterns in Exchange Online
Article • 02/22/2023

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use mail flow rules (also
known as transport rules) to find and act on messages that contain specific words. This
action can help your users comply with your organization's email policies.

For a short list of words or phrases, you can use the Exchange admin center (EAC). For a
longer list, you can use Exchange Online PowerShell or standalone EOP PowerShell to
import the words from a text file.

If your Exchange Online organization uses Data loss prevention (DLP), see Data loss
prevention for additional options for identifying and routing email that contains
sensitive information (DLP is not available in standalone EOP).

Example 1: Use a short list of unacceptable words

If your list of words or phrases is short, you can create a rule using the Exchange admin
center. For example, if you want to make sure no one sends email with bad words or
with misspellings of your company name, internal acronyms or product names, you
could create a rule to block the message and tell the sender. Note that words, phrases,
and patterns are not case sensitive.

This example blocks messages with common typos.


Example 2: Use a long list of unacceptable
words
If your list of words, phrases, or patterns is long, you can put them in a text file with
each word, phrase, or pattern on its own line. Use Exchange Online PowerShell to read in
the list of keywords into a variable, create a mail flow rule, and assign the variable with
the keywords to the mail flow rule condition. For example, the following script takes a
list of misspellings from a file called C:\My Documents\misspelled_companyname.txt.

PowerShell

$Keywords = Get-Content "C:\My Documents\misspelled_companyname.txt"

New-TransportRule -Name "Block messages with unacceptable words" -SubjectOrBodyContainsWords $Keywords -SentToScope "NotInOrganization" -RejectMessageReasonText "Do not use internal acronyms, product names, or misspellings in external communications."

Using phrases and patterns in the text file

The text file can contain regular expressions for patterns. These expressions are not
case-sensitive. Common regular expressions include:

Expression          Matches
.                   Any single character
*                   Any additional characters
\d                  Any decimal digit
[character_group]   Any single character in character_group.

For example, this text file contains common misspellings of Microsoft.

text

[mn]sft
[mn]icrosft
[mn]icro soft
[mn].crosoft

To learn how to specify patterns using regular expressions, see Regular Expression
Reference.
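
As an added example (not from the Microsoft article), the following Exchange Online PowerShell script reads the same kind of text file, compiles every line as a regular expression before the rule is created so that a malformed pattern (an unbalanced bracket, for instance) is reported with its line number instead of failing inside New-TransportRule, and then creates and verifies the rule. The file path and rule name are the article's own sample values. Because the lines are regular expressions, the script uses the -SubjectOrBodyMatchesPatterns condition; the article's example above uses -SubjectOrBodyContainsWords, which matches literal words and phrases.

```powershell
# Added example (not from the Microsoft article): validate a pattern file before
# turning it into a mail flow rule, then create the rule and read it back.
# Assumptions: the file path and rule name below are the article's sample values;
# the cmdlets are the real Exchange Online PowerShell cmdlets (New-TransportRule,
# Get-TransportRule) and a connected Exchange Online PowerShell session.

$PatternFile = "C:\My Documents\misspelled_companyname.txt"
$RuleName    = "Block messages with unacceptable words"

# Read the file; drop blank lines and '#' comment lines; trim stray whitespace.
# @( ) forces an array even when the file holds a single line.
$Patterns = @(Get-Content -Path $PatternFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })

# Each line is treated as a case-insensitive regular expression, so compile
# every one first and collect the ones .NET rejects, with their line numbers.
$Bad = @()
for ($i = 0; $i -lt $Patterns.Count; $i++) {
    try {
        [void][regex]::new($Patterns[$i], [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    } catch {
        $Bad += [pscustomobject]@{
            Line    = $i + 1
            Pattern = $Patterns[$i]
            Error   = $_.Exception.Message
        }
    }
}
if ($Bad.Count -gt 0) {
    $Bad | Format-Table -AutoSize
    throw "Fix the patterns listed above before creating the rule."
}

# Regular expressions belong in the *MatchesPatterns condition.
New-TransportRule -Name $RuleName `
    -SubjectOrBodyMatchesPatterns $Patterns `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Do not use internal acronyms, product names, or misspellings in external communications."

# Confirm what Exchange actually stored for the condition and that the rule is enabled.
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Priority, SubjectOrBodyMatchesPatterns
```

The validation step matters because a single bad line fails the whole New-TransportRule call, and the error Exchange returns does not tell you which of a few hundred lines was at fault. Reading the rule back with Get-TransportRule also catches the common mistake of the patterns landing in a different condition than intended.
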

Use mail flow rules for message approval scenarios in Exchange Online
Article • 02/22/2023

Note

This article does not apply to standalone Exchange Online Protection (EOP)
organizations.

In Exchange Online organizations, a moderated recipient requires the approval of one or
more moderators before messages are delivered to the recipient. For more information,
see Moderated recipients in Exchange Online.

But, other than exceptions from specific senders, when you configure the moderation
settings in the properties of the recipient, all messages that are sent to the recipient
require approval before they're delivered, regardless of the content or specifics of the
messages.

For granular control over the type and circumstances of messages that require
moderation, you can use mail flow rules (also known as transport rules). This article
discusses examples of using mail flow rules for moderation in order to meet specific
legal, compliance, or business requirements.

Forward messages to a sender's manager for approval

Here are some common types of messages that might require manager approval:

Messages sent from a user to certain distribution groups or recipients
Messages sent to external users or partners
Messages sent between two groups
Messages sent with specific content, such as the name of a specific customer
Messages sent by a trainee

To require that messages need to be sent to the sender's manager for approval, follow
these steps:

1. Create a mail flow rule using the Send messages to a moderator template.
2. Configure the action to send messages to the sender's manager for approval: Do
the following > Forward to the sender's manager for approval.

3. Configure the conditions that define the messages that require approval in Apply
this rule if.

Here's an example where all external messages sent by the trainee named Garth Fort
require approval by their manager.

Apply this rule if > The sender is > Garth Fort

and

Apply this rule if > The recipient is located > Outside the organization

Do the following > Forward to the sender's manager for approval


Note

Some rule settings, including the ability to add multiple conditions or exceptions to
the rule as in this example, are hidden by default. To see them, click More options.

Set up a message approval chain

You can require multiple levels of approval for messages. For example, you can require
that messages to a specific customer be approved first by a customer relationship
manager and then by a compliance officer, or you can require that expense reports be
approved by two levels of managers.

To create this type of multiple-level approval, create one mail flow rule for each level of
approval. Each rule detects the same patterns in the messages, as follows:

The first rule forwards the message to the first moderator. After the first moderator
approves the message, a second rule forwards the message to the second moderator,
and so on.

If all moderators in the chain approve the message, the original message is sent to
the intended recipients.

If any of the moderators in the chain reject the approval request, the sender
receives a rejection message.

If any of the approval requests aren't approved within the expiration time (two
days for Exchange Online), the sender receives an expiration message.

Note

The processing of expired moderated messages runs every seven days. This
means that a moderated message can expire at any time between two and
nine days.

The following example assumes that you have a customer named Blue Yonder Airlines,
and you want both the customer relationship manager and the compliance officer to
approve all messages that go to this customer.

As shown in the following screenshot, you create two rules. The first rule goes to the
first-level approver. The second rule goes to the second-level approver.

The first rule identifies all messages with the company name Blue Yonder Airlines in the
subject or message, and it sends these messages to the internal customer relationship
manager named Garret Vargas.

Name: Blue Yonder Airlines: Approval #1 Relationship Manager

Priority: Before the second rule.

Apply this rule if > The sender is located > Inside the organization.

and

Apply this rule if > The subject or body matches > 'B.Y.A' or 'BYA' or 'Blue Yonder
Airlines' or 'Blue Yonder'.

Do the following > Forward the message for approval to > Garret Vargas.

The second rule sends these messages to the compliance officer, Tony Krijnen, for
approval:

Name: Blue Yonder Airlines: Approval #2 Compliance Manager

Priority: After the first rule.

Apply this rule if > The sender is located > Inside the organization.

and

Apply this rule if > The subject or body matches > 'B.Y.A' or 'BYA' or 'Blue Yonder
Airlines' or 'Blue Yonder'.

Do the following > Forward the message for approval to > Tony Krijnen.

Forward messages that match one of several criteria

Within a mail flow rule, all conditions in the rule must be true for the rule to match
(Condition1 AND Condition2). If you want the same action applied for multiple
conditions (Condition1 OR Condition2), you need to create a separate rule for each
condition.

To do this, on the Rules page in EAC, create a rule for the first condition. Then select the
rule, select Copy, and change the conditions in the new rule to match the second
condition.

For approval scenarios, be careful when you create multiple rules with the same action
so the same message isn't sent to the moderator multiple times. Add an exception to
the second rule so it ignores messages that matched the first rule.

For example, you want to send a message to a moderator if the message has "sales
quote" in the subject line or message body or in the content of any attachments.

You need two rules. If the first rule checks the subject line or message body, the second
rule that checks the attachment content needs an exception that checks for "sales
quote" in the subject line or message body (the condition of the first rule).

Name: Sales quote approval: Rule 2

Priority: Lower than the first rule.

Apply this rule if > Any attachment's content includes > Sales quote.

Do the following > Forward to the sender's manager for approval

Except if > The subject or body matches > Sales quote.

Note

As described previously, some rule settings, including the ability to add multiple
conditions or exceptions to the rule as in this example, are hidden by default. To
see them, click More options.

Forward a message that contains sensitive information

If you have the Data loss prevention (DLP) feature, many types of sensitive information
are predefined. With DLP, you see that the message contains a sensitive information
condition. Whether or not you have DLP, you can create conditions that identify specific
sensitive information patterns that are unique to your organization.

Here's an example where messages that contain a credit card number require approval.

Apply this rule if > The message contains sensitive information > Credit Card
Number
Do the following > Forward to the sender's manager for approval
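
The following script is an added example, not code from the Microsoft article, that builds the three approval scenarios described in this article with Exchange Online PowerShell instead of the EAC: the two-level Blue Yonder Airlines approval chain (rule priority determines the order), the "sales quote" OR pair in which the second rule carries an exception so a message that matches both conditions is not sent to the moderator twice, and manager approval for messages that contain a credit card number (which requires DLP). Rule names and phrases are the article's; the moderator addresses garret.vargas@contoso.com and tony.krijnen@contoso.com are assumed placeholders. The article's EAC examples use ContainsWords/matches conditions; the parameter names used here are the corresponding New-TransportRule parameters.

```powershell
# Added example (not from the Microsoft article). Builds the article's approval
# scenarios with Exchange Online PowerShell. Assumed placeholders: the two moderator
# addresses. Requires a connected Exchange Online PowerShell session.

# The EAC "matches" condition is a regular expression, so the dots in B.Y.A are
# escaped here to match literally instead of "any character".
$CustomerPatterns = @('B\.Y\.A', 'BYA', 'Blue Yonder Airlines', 'Blue Yonder')

# 1. Approval chain: the rule with the lower Priority number is evaluated first, so
#    the relationship manager approves before the compliance manager sees the message.
New-TransportRule -Name 'Blue Yonder Airlines: Approval #1 Relationship Manager' -Priority 0 `
    -FromScope InOrganization `
    -SubjectOrBodyMatchesPatterns $CustomerPatterns `
    -ModerateMessageByUser 'garret.vargas@contoso.com'

New-TransportRule -Name 'Blue Yonder Airlines: Approval #2 Compliance Manager' -Priority 1 `
    -FromScope InOrganization `
    -SubjectOrBodyMatchesPatterns $CustomerPatterns `
    -ModerateMessageByUser 'tony.krijnen@contoso.com'

# 2. OR across two rules. Rule 2 excludes what Rule 1 already matched; without the
#    exception, a message with "sales quote" in both the body and an attachment
#    would be sent to the manager twice.
New-TransportRule -Name 'Sales quote approval: Rule 1' -Priority 2 `
    -SubjectOrBodyContainsWords 'sales quote' `
    -ModerateMessageByManager $true

New-TransportRule -Name 'Sales quote approval: Rule 2' -Priority 3 `
    -AttachmentContainsWords 'sales quote' `
    -ExceptIfSubjectOrBodyContainsWords 'sales quote' `
    -ModerateMessageByManager $true

# 3. Sensitive information type (DLP): credit card numbers go to the sender's manager.
New-TransportRule -Name 'Credit card number approval' -Priority 4 `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number' } `
    -ModerateMessageByManager $true

# Review every moderation rule in evaluation order. A moderation rule that ended up
# with no condition at all would route all mail to a moderator, so flag that too.
function Get-ModerationRuleReport {
    Get-TransportRule |
        Where-Object { $_.ModerateMessageByUser -or $_.ModerateMessageByManager } |
        Sort-Object Priority |
        Select-Object Priority, Name, State, ModerateMessageByManager,
            @{ Name = 'Moderators';   Expression = { $_.ModerateMessageByUser -join ';' } },
            @{ Name = 'HasCondition'; Expression = { [bool]$_.Conditions } }
}

Get-ModerationRuleReport | Format-Table -AutoSize
```

Setting explicit -Priority values is what makes the chain deterministic; if you create the rules without it, each new rule is appended after the existing ones, which happens to give the right order here but silently breaks if the rules are later recreated in a different sequence.
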

Use mail flow rules to automatically add meetings to calendars in Exchange Online
Article • 02/22/2023

Note

This article does not apply to standalone Exchange Online Protection (EOP)
organizations.

With the Direct to Calendar feature in Exchange Online, admins can configure mail flow
rules (also known as transport rules) that allow designated users to add meetings to
calendars. The benefits of Direct to Calendar are:

The event is automatically added to the recipient's calendar without any action
from them. If the user received the meeting invitation, it's on their calendar.
The sender doesn't need to deal with Out of Office or other unwanted response
messages that result from sending meeting invitations to a large number of
recipients.
No meeting-related messages are seen by attendees unless the meeting is
cancelled.

Direct to Calendar requires two mail flow rules with specific conditions and actions.
These rules are described in the following table:

Rule 1

Rule description: This mail flow rule turns regular meeting invitations into Direct to
Calendar meeting invitations.

Condition: The sender is or The sender > is this person (the From parameter). This
condition identifies the users who are authorized to send Direct to Calendar meeting
invitations. Although you can use other conditions, restricting the invitations by sender
helps prevent unauthorized use of Direct to Calendar meeting invitations.

Action: Set the message header to this value or Modify the message properties > set a
message header (the SetHeaderName and SetHeaderValue parameters). This action sets
the X-MS-Exchange-Organization-CalendarBooking-Response header to the value Accept.
Other valid values are Tentative and Decline.

Comments: We recommend that you use dedicated mailboxes (shared mailboxes are OK)
for sending Direct to Calendar meeting invitations, because any meeting invitations
from these senders will be automatically added to recipient calendars. The dedicated
mailboxes require no special permissions to send Direct to Calendar meeting invitations.

Rule 2

Rule description: This mail flow rule prevents Direct to Calendar meeting invitations
from appearing in the Inbox of recipients.

Condition: The sender is or The sender > is this person (the From parameter).

Action: Set the message header to this value or Modify the message properties > set a
message header (the SetHeaderName and SetHeaderValue parameters). This action sets
the X-MS-Exchange-Organization-CalendarBooking-TriageAction header to the value
MoveToDeletedItems. The other valid value is None.

Comments: Technically, this rule is optional (without it, meetings are still automatically
added to recipient calendars). Note that this rule doesn't prevent meeting cancellation
messages for Direct to Calendar meetings from appearing in the Inbox of recipients.

For more information about mail flow rules, see Mail flow rules (transport rules) in
Exchange Online.

What do you need to know before you begin?

Estimated time to complete: 10 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mail flow" entry in the
Feature permissions in Exchange Online article.

The designated accounts for sending Direct to Calendar meeting invitations need
to exist.

For more information about opening and using the Exchange admin center (EAC),
see Exchange admin center in Exchange Online.

To learn how to connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the Exchange admin center to create Direct to Calendar mail flow rules

1. In the EAC, go to Mail flow > rules.

2. Click New, and then select Create a new rule.

3. In the New rule page that opens, click More options.

4. Configure these additional settings on the New rule page:

Name: Direct to Calendar response (or anything descriptive).

Apply this rule if > The sender > is this person: Select one or more users to
send Direct to Calendar meeting invitations.

Do the following > Modify the message properties > set a message header:
Enter the following values:

Set the message header X-MS-Exchange-Organization-CalendarBooking-Response
to the value Accept

When you're finished, click Save.

5. Back at Mail flow > Rules, click New again, and then select Create a new rule.

6. In the New rule page that opens, click More options.

7. Configure these additional settings on the New rule page:

Name: Direct to Calendar triage action (or anything descriptive).

Apply this rule if > The sender > is this person: Select the same users as in
step 3.

Do the following > Modify the message properties > set a message header:
Enter the following values:

Set the message header X-MS-Exchange-Organization-CalendarBooking-TriageAction
to the value MoveToDeletedItems

When you're finished, click Save.

Use Exchange Online PowerShell to create Direct to Calendar mail flow rules

1. To create the mail flow rule that turns regular meeting invitations into Direct to
Calendar meeting invitations, use the following syntax:

PowerShell

New-TransportRule -Name "Direct to Calendar response" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept

This example configures the rule using the dedicated mailbox named Direct to
Calendar invites.

PowerShell

New-TransportRule -Name "Direct to Calendar response" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept

2. To create the mail flow rule that prevents Direct to Calendar meeting invitations
from appearing in the Inbox of recipients, use the following syntax:

PowerShell

New-TransportRule -Name "Direct to Calendar triage action" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems

This example configures the rule using the dedicated mailbox named Direct to
Calendar invites.

PowerShell

New-TransportRule -Name "Direct to Calendar triage action" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?

To verify that you have successfully configured Direct to Calendar meeting invitations,
use the designated sender mailbox to send a test meeting invitation to a small number
of recipients. Verify that the meeting automatically appears in the calendars of the
recipients, and verify there are no meeting-related messages in the Inbox (the second
rule should automatically move these messages to the Deleted Items folder).
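
The table above notes that restricting the rule by sender is what prevents unauthorized use of Direct to Calendar. As an added example (not code from the Microsoft article), the following script creates both rules for a list of designated senders in one pass and then audits the tenant for every rule that stamps the CalendarBooking-Response header, flagging any enabled rule that has no sender condition. The dedicated mailbox address is an assumed placeholder; the cmdlets and header names are those the article uses.

```powershell
# Added example (not from the Microsoft article). Creates the two Direct to Calendar
# rules and audits for rules that auto-accept meetings without a sender restriction.
# Assumed placeholder: the designated sender mailbox address.

$DesignatedSenders = @('directtocalendar@contoso.com')   # assumed dedicated mailbox(es)
$ResponseHeader    = 'X-MS-Exchange-Organization-CalendarBooking-Response'
$TriageHeader      = 'X-MS-Exchange-Organization-CalendarBooking-TriageAction'

# Rule 1: invitations from the designated senders are added to calendars as accepted.
New-TransportRule -Name 'Direct to Calendar response' `
    -From $DesignatedSenders `
    -SetHeaderName $ResponseHeader -SetHeaderValue 'Accept'

# Rule 2 (optional): the invitation message goes to Deleted Items instead of the Inbox.
New-TransportRule -Name 'Direct to Calendar triage action' `
    -From $DesignatedSenders `
    -SetHeaderName $TriageHeader -SetHeaderValue 'MoveToDeletedItems'

# Audit: every rule that sets the response header should name explicit senders.
function Get-DirectToCalendarRuleReport {
    Get-TransportRule |
        Where-Object { $_.SetHeaderName -eq $ResponseHeader } |
        ForEach-Object {
            [pscustomobject]@{
                Name             = $_.Name
                State            = $_.State
                Priority         = $_.Priority
                HeaderValue      = $_.SetHeaderValue
                From             = ($_.From -join ';')
                SenderRestricted = [bool]$_.From
            }
        }
}

$Report = Get-DirectToCalendarRuleReport
$Report | Format-Table -AutoSize

# A rule with no sender condition auto-accepts invitations from any sender that
# satisfies its other conditions; review those before leaving them enabled.
$Report |
    Where-Object { -not $_.SenderRestricted -and $_.State -eq 'Enabled' } |
    ForEach-Object { Write-Warning "Rule '$($_.Name)' sets $ResponseHeader without a sender condition." }
```

Run the audit part on its own periodically: the two rules are easy to clone or edit in the EAC, and a copy that loses its "The sender is this person" condition turns every matching invitation into a silently accepted calendar entry.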

More information

The designated sender mailbox will receive meeting acceptance responses to
Direct to Calendar meetings. Use the following strategies to help minimize the
impact of these messages on the designated sender:

In Outlook, enable the Update tracking information, and then delete
responses that don't contain comments and After updating tracking
information, move receipt to <Deleted Items> settings in Mail > Tracking for
the designated sender mailbox. For more information, see Change how meeting
requests, polls, and read or delivery receipts are processed.

Clearing the Request Responses setting in Direct to Calendar meeting
invitations doesn't prevent responses from being sent back to the designated
sender mailbox.

If the designated mailbox sends a meeting cancellation for a Direct to Calendar
meeting, the cancelled meeting title is always changed to CANCELED: <previous
meeting title>, and the cancelled meeting remains in the calendars of attendees
until they manually remove it.

Meeting cancellation messages for Direct to Calendar meetings will always appear
in the Inbox of recipients.

Define mail flow rules to encrypt email messages
Article • 07/21/2023

As an administrator that manages Exchange Online, you can create mail flow rules (also
known as transport rules) to help protect email messages you send and receive. You can
set up rules to encrypt any outgoing email messages and remove encryption from
encrypted messages coming from inside your organization or from replies to encrypted
messages sent from your organization. You can use the Exchange admin center (EAC)
or Exchange Online PowerShell to create these rules. In addition to overall encryption
rules, you can also choose to enable or disable individual message encryption options
for end users.

You can't encrypt inbound mail from senders outside of your Exchange Online
organization. If a mail flow rule is set up to encrypt mail from outside the organization,
the inbound mail will be delivered without encryption.

If you recently migrated from Active Directory RMS to Azure Information Protection,
you'll need to review your existing mail flow rules to ensure that they continue to work
in your new environment. Also, to use Microsoft Purview Message Encryption with Azure
Information Protection, you need to update your existing mail flow rules. Otherwise,
your users will continue to receive encrypted mail that uses the previous HTML
attachment format instead of the new, seamless experience. If you haven't set up
message encryption yet, see Set up Microsoft Purview Message Encryption for
information.

For information about the components that make up mail flow rules and how mail flow
rules work, see Mail flow rules (transport rules) in Exchange Online. For additional
information about how mail flow rules work with Azure Information Protection, see
Configuring Exchange Online mail flow rules for Azure Information Protection labels.

Important

For hybrid Exchange environments, on-premises users can send and receive
encrypted mail using message encryption only if email is routed through Exchange
Online. To configure message encryption in a hybrid Exchange environment, you
need to first configure hybrid using the Hybrid Configuration wizard and then
configure mail to flow from Office 365 to your email server and configure mail to
flow from your email server to Office 365. Once you've configured mail to flow
through Office 365, then you can configure mail flow rules for message encryption
by using this guidance.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to
explore how additional Purview capabilities can help your organization manage
data security and compliance needs. Start now at the Microsoft Purview
compliance portal trials hub. Learn details about signing up and trial terms.

Create mail flow rules to encrypt email messages with Microsoft Purview Message Encryption

You can define mail flow rules for triggering message encryption by using the EAC.

Use the EAC to create a rule for encrypting email messages with Microsoft Purview Message Encryption

1. In a web browser, using a work or school account that has been granted global
administrator permissions, sign in to Office 365.

2. Choose the Admin tile.

3. In the Microsoft 365 admin center , choose Admin centers > Exchange.

4. In the EAC, go to Mail flow > Rules and select New > Create a new rule. For
more information about using the EAC, see Exchange admin center in Exchange
Online.

5. In Name, type a name for the rule, such as Encrypt mail for
DrToniRamos@hotmail.com.

6. In Apply this rule if, select where the mail originates from inside the Exchange
Online organization. Add The sender is located > Inside the organization for
sending mail.

7. In Apply this rule if, select a condition, and enter a value if necessary. For example,
to encrypt messages going to DrToniRamos@hotmail.com:
a. In Apply this rule if, select the recipient is.

b. Select an existing name from the contact list or type a new email address in the
check names box.

To select an existing name, select it from the list and then click OK.

To enter a new name, type an email address in the check names box and
then select check names > OK.

8. To add more conditions, choose More options and then choose add condition
and select from the list.

For example, to apply the rule only if the recipient is outside your organization,
select add condition and then select The recipient is external/internal > Outside
the organization > OK.

9. To enable message encryption, from Do the following, select Modify the message
security and then choose Apply Office 365 Message Encryption and rights
protection. Select an RMS template from the list, choose Save, and then choose
OK.

The list of templates includes all default templates and options as well as any custom
templates you've created for use by Office 365. If the list is empty, ensure that you have
set up Microsoft Purview Message Encryption as described in Set up Microsoft Purview
Message Encryption. For information about the default templates, see Configuring and
managing templates for Azure Information Protection. For information about the Do
Not Forward option, see Do Not Forward option for emails. For information about the
encrypt-only option, see Encrypt-only option for emails.

You can choose add action if you want to specify another action.

Use the EAC to update an existing mail flow rule to use Microsoft Purview Message Encryption

1. In a web browser, using a work or school account that has been granted global
administrator permissions, sign in to Office 365.

2. Choose the Admin tile.

3. In the Microsoft 365 admin center , choose Admin centers > Exchange.

4. In the EAC, go to Mail flow > Rules.

5. In the list of mail flow rules, select the rule you want to modify to use with
Microsoft Purview Message Encryption and then choose Edit.

6. To enable encryption using Microsoft Purview Message Encryption, from Do the
following, choose Modify the message security and then choose Apply Office
365 Message Encryption and rights protection. Select an RMS template from the
list, choose Save and then choose OK.

The list of templates includes all default templates and options as well as any
custom templates you've created for use by Office 365. If the list is empty, ensure
that you have set up Microsoft Purview Message Encryption as described in Set up
Microsoft Purview Message Encryption. For information about the default
templates, see Configuring and managing templates for Azure Information
Protection. For information about the Do Not Forward option, see Do Not Forward
option for emails. For information about the encrypt-only option, see Encrypt Only
option for emails.

You can choose add action if you want to specify another action.

7. From the Do the following list, remove any actions that are assigned to Modify
the message security > Apply the previous version of OME.

8. Choose Save.

Create mail flow rules to remove encryption for email messages with Microsoft Purview Message Encryption

You can define mail flow rules to remove message encryption with Microsoft Purview
Message Encryption by using the EAC.

Use the EAC to create a rule to remove encryption from email messages with Microsoft Purview Message Encryption

You can remove encryption from messages that was applied by your organization. You
can also remove encryption from any encrypted attachments to ensure the whole email
message is without any protection.

1. In a web browser, using a work or school account that has been granted global
administrator permissions, sign in to Office 365.

2. Choose the Admin tile.

3. In the Microsoft 365 admin center , choose Admin centers > Exchange.

4. In the EAC, go to Mail flow > Rules and select New > Create a new rule. For
more information about using the EAC, see Exchange admin center in Exchange
Online.

5. In Name, type a name for the rule, such as Remove encryption from outgoing mail.

6. In Apply this rule if, select the conditions where encryption should be removed
from messages. Add The sender is located > Inside the organization for sending
mail out to any recipients or add The recipient is located > Inside the
organization for receiving mail replies from outside the organization.

7. In Do the following, select Modify the message security > Remove Office 365
Message Encryption and rights protection applied by the organization.

8. (Optional) In Do the following, select Modify the message security > Remove
attachment rights protection applied by the organization.

Save the rule.
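
The three EAC procedures above (create an encrypting rule, update a rule that still uses the previous version of OME, and create a decrypting rule) can also be done in Exchange Online PowerShell. The following script is an added example, not code from the Microsoft article. The external recipient DrToniRamos@hotmail.com is the article's sample; the template name "Encrypt" is assumed to exist in the tenant (Get-RMSTemplate lists the templates you actually have), and the parameter names are the New-TransportRule and Set-TransportRule parameters that correspond to the EAC actions named in the steps.

```powershell
# Added example (not from the Microsoft article). Exchange Online PowerShell
# equivalents of the EAC encryption procedures. Assumptions: a connected Exchange
# Online PowerShell session and an RMS template named "Encrypt" in the tenant.

$Template = 'Encrypt'   # assumed template name; verify with Get-RMSTemplate

# 1. Encrypt mail sent from inside the organization to one external recipient.
New-TransportRule -Name 'Encrypt mail for DrToniRamos@hotmail.com' `
    -FromScope InOrganization `
    -SentTo 'DrToniRamos@hotmail.com' `
    -ApplyRightsProtectionTemplate $Template

# 2. Rules that still use the previous version of OME deliver the old
#    HTML-attachment experience. Find them and move each to the template,
#    removing the legacy action at the same time.
function Get-LegacyOmeRule {
    Get-TransportRule | Where-Object { $_.ApplyOME -eq $true }
}
foreach ($rule in Get-LegacyOmeRule) {
    Write-Host "Updating legacy OME rule: $($rule.Name)"
    Set-TransportRule -Identity $rule.Identity `
        -ApplyOME $false `
        -ApplyRightsProtectionTemplate $Template
}

# 3. Remove organization-applied encryption from the message and its attachments.
#    One rule covers mail leaving the organization, the other covers replies coming
#    back in. (A rule can only remove encryption from inbound external mail; it
#    cannot add it, as the article notes.)
New-TransportRule -Name 'Remove encryption from outgoing mail' `
    -FromScope InOrganization `
    -RemoveOMEv2 $true `
    -RemoveRMSAttachmentEncryption $true

New-TransportRule -Name 'Remove encryption from inbound replies' `
    -SentToScope InOrganization `
    -RemoveOMEv2 $true `
    -RemoveRMSAttachmentEncryption $true

# Verify what each encryption-related rule now does.
function Get-EncryptionRuleReport {
    Get-TransportRule |
        Where-Object { $_.ApplyRightsProtectionTemplate -or $_.ApplyOME -or $_.RemoveOMEv2 } |
        Select-Object Name, State, Priority, ApplyOME, ApplyRightsProtectionTemplate,
            RemoveOMEv2, RemoveRMSAttachmentEncryption
}
Get-EncryptionRuleReport | Format-Table -AutoSize
```

The report at the end is the check worth keeping: a rule that shows ApplyOME as True after the migration is one that still produces the legacy HTML attachment for recipients, which is exactly the condition the "update an existing rule" procedure exists to fix.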

Create mail flow rules for Office 365 Message Encryption without Microsoft Purview Message Encryption

If you haven't yet moved your organization to Microsoft Purview Message Encryption,
Microsoft recommends that you make a plan to move as soon as it is reasonable for
your organization. For instructions, see Set up Microsoft Purview Message Encryption.
Otherwise, see Defining mail flow rules for Office 365 Message Encryption that don't use
Microsoft Purview Message Encryption.

Related content
Encryption in Office 365

Set up Microsoft Purview Message Encryption

Add branding to encrypted messages

Mail flow rules (transport rules) in Exchange Online


Recoverable Items folder in Exchange Online
Article • 02/22/2023

Important

Please refer to the Microsoft 365 security center and the Microsoft Purview
compliance portal for Exchange security and compliance features. They are no
longer available in the new Exchange admin center.

To protect from accidental or malicious deletion and to facilitate discovery efforts
commonly undertaken before or during litigation or investigations, Exchange Online
uses the Recoverable Items folder. The Recoverable Items folder replaces the feature
that was known as the dumpster in earlier versions of Exchange. The following Exchange
features use the Recoverable Items folder:

Deleted item retention

Single item recovery

In-Place Hold

Litigation Hold

eDiscovery hold

Microsoft 365 and Office 365 retention policies

Mailbox audit logging

Calendar logging

Terminology
Knowledge of the following terms will help you understand the content in this article.

Delete: Describes when an item is deleted from any folder and placed in the Deleted
Items default folder.

Soft delete: Describes when an item is deleted from the Deleted Items default folder
and placed in the Recoverable Items folder. Also describes when an Outlook user
deletes an item by pressing Shift+Delete, which bypasses the Deleted Items folder and
places the item directly in the Recoverable Items folder.

Hard delete: Describes when an item is marked to be purged from the mailbox
database. This is also known as a store hard delete.

Recoverable Items folder

Each user mailbox is divided into two subtrees: the IPM (interpersonal messaging)
subtree, which contains the normal, visible folders such as Inbox, Calendar, and Sent
Items and the non-IPM subtree, which contains internal data, preferences, and other
operational data about the mailbox. The Recoverable Items folder resides in the non-
IPM subtree of each mailbox. This subtree isn't visible to users using Outlook, Outlook
on the web (formerly known as Outlook Web App), or other email clients.

This architectural change provides the following key benefits:

When a mailbox is moved to another mailbox database, the Recoverable Items
folder moves with it.

The Recoverable Items folder is indexed by Exchange Search and can be
discovered by using In-Place eDiscovery or Content Search in the Microsoft
Purview compliance portal.

The Recoverable Items folder has its own storage quota.

Exchange can prevent data from being purged from the Recoverable Items folder.

Exchange can track edits of certain content.

The Recoverable Items folder contains the following subfolders:

Deletions: This subfolder contains all items deleted from the Deleted Items folder.
(In Outlook, a user can soft delete an item by pressing Shift+Delete.) This subfolder
is available to users through the Recover Deleted Items feature in Outlook and
Outlook on the web.

Versions: If In-Place Hold, Litigation Hold, or a Microsoft 365 or Office 365
retention policy is enabled, this subfolder contains the original copy of the item,
and if the item is modified multiple times, a copy of the item before each
modification is saved. To understand what action is considered a modification,
refer to the Copy-on-Write section later in this article. This folder isn't visible to end
users.

Purges: If either Litigation Hold or single item recovery is enabled, this subfolder
contains all items that are hard deleted. This folder isn't visible to end users.

Audits: If mailbox audit logging is enabled for a mailbox, this subfolder contains
the audit log entries. To learn more about mailbox audit logging, see Export
mailbox audit logs in Exchange Online.

DiscoveryHolds: If In-Place Hold is enabled or if a Microsoft 365 or Office 365
retention policy is assigned to the mailbox, this subfolder contains all items that
meet the hold query parameters and are hard deleted.

Calendar Logging: This subfolder contains calendar changes that occur within a
mailbox. This folder isn't available to users.

SubstrateHolds: If In-Place Hold, Litigation Hold, or a Microsoft 365 or Office 365
Teams Chat retention policy is enabled, this subfolder contains the original copy of
the Teams message if the message has been modified or deleted. A copy of the
item before modification is saved. This folder isn't visible to end users.

The following illustration shows the subfolders in the Recoverable Items folders. It also
shows the deleted item retention, single item recovery, and hold workflow processes
that are described in the following sections.

Deleted item retention

An item is considered to be soft deleted in the following cases:

A user deletes an item or empties all items from the Deleted Items folder.
A user presses Shift+Delete to delete an item from any other mailbox folder.

Soft-deleted items are moved to the Deletions subfolder of the Recoverable Items
folder. This provides an additional layer of protection so users can recover deleted items
without requiring Help desk intervention. Users can use the Recover Deleted Items
feature in Outlook or Outlook on the web to recover a deleted item. Users can also use
this feature to permanently delete an item. For more information, see:

Recover deleted items in Outlook for Windows

Recover deleted items or email messages in Outlook on the web

Items remain in the Deletions subfolder until the deleted item retention period is
reached. The default deleted item retention period for Exchange Online is 14 days. You
can modify this period for mailboxes up to a maximum of 30 days. In addition to a
deleted item retention period, the Recoverable Items folder is also subject to quotas. To
learn more, see Recoverable Items mailbox quotas later in this article.

When the deleted item retention period expires, the item is removed from Exchange
Online.

Single item recovery

If an item is removed from the Deletions subfolder, either by a user purging the item by
using the Recover Deleted Items feature or by an automated process such as the
Managed Folder Assistant (retention tag set to permanently delete for example), the
item is moved to the Purges subfolder, and it can't be recovered by the user. When the
Managed Folder Assistant processes the Recoverable Items folder for a mailbox that has
single item recovery enabled, any item in the Purges subfolder isn't purged if the
deleted item retention period hasn't expired for that item. This means that an admin can
still recover the item by using an eDiscovery tool such as In-Place eDiscovery or Content
Search.

The following table lists the contents of and actions that can be performed in the
Recoverable Items folder if single item recovery is enabled.

State of single item recovery | Recoverable Items folder contains soft-deleted items | Recoverable Items folder contains hard-deleted items | Users can purge items from the Recoverable Items folder | Managed Folder Assistant automatically purges items from the Recoverable Items folder

Enabled | Yes | Yes | No | Yes. By default, all items are purged after 14 days, except for calendar items, which are purged after 120 days. If the Recoverable Items warning quota is reached before the deleted item retention period elapses, messages are deleted in first in, first out (FIFO) order.

Disabled | Yes | No | Yes | Yes. By default, all items are purged after 14 days, except for calendar items, which are purged after 120 days. If the Recoverable Items warning quota is reached before the deleted item retention period elapses, messages are deleted in first in, first out (FIFO) order.

In-Place Hold and Litigation Hold


In Exchange Online, discovery managers can use In-Place eDiscovery with delegated
Discovery Management role group permissions to perform eDiscovery searches of
mailbox content. In Exchange Online, you can use In-Place Hold to preserve mailbox
items that match query parameters and protect the items from deletion by users or
automated processes. You can also use Litigation Hold to preserve all items in user
mailboxes and protect the items from deletion by users or automated processes.

Putting a mailbox on In-Place Hold or Litigation Hold stops the Managed Folder
Assistant from automatically purging messages from the DiscoveryHolds, Deletions, and
Purges subfolders. Additionally, copy-on-write page protection is also enabled for the
mailbox. Copy-on-write page protection creates a copy of the original item before any
modifications are written to the Exchange store. After the mailbox is removed from hold,
the Managed Folder Assistant resumes automated purging.

Note

If you put a mailbox on both In-Place Hold and Litigation Hold, Litigation Hold
takes preference because this puts the entire mailbox on hold.

The following table lists the contents of and actions that can be performed in the
Recoverable Items folder if Litigation Hold is enabled.

State of hold | Recoverable Items folder contains soft-deleted items | Recoverable Items folder contains modified and hard-deleted items | Users can purge items from the Recoverable Items folder | Managed Folder Assistant automatically purges items from the Recoverable Items folder

Enabled | Yes | Yes | No | No

Disabled | Yes | No | Yes | Yes

To learn more about In-Place eDiscovery, In-Place Hold, and Litigation Hold, see the
following articles:

In-Place eDiscovery in Exchange Online

In-Place Hold and Litigation Hold in Exchange Online

Copy-on-write page protection and modified items


If a user who is placed on In-Place Hold or Litigation Hold modifies specific properties of
a mailbox item, a copy of the original mailbox item is created before the changed item is
written. The original copy is saved in the Versions subfolder. This process is known as
copy-on-write page protection. Copy-on-write page protection applies to items residing
in any mailbox folder. The Versions subfolder isn't visible to users.

The following table lists the message properties that trigger copy-on-write page
protection.

Item type | Properties that trigger copy-on-write page protection

Messages (IPM.Note*) and Posts (IPM.Post*) | Subject; Body; Attachments; Senders and recipients; Sent and received dates

Items other than messages and posts | Any change to a visible property, except the following: item location (when an item is moved between folders); item status change (read or unread); changes to a retention tag applied to an item

Items in the Drafts default folder | None. Items in the Drafts folder are exempt from copy-on-write page protection.

Important

Copy-on-write page protection doesn't save a version of the meeting when a
meeting organizer receives responses from attendees and the meeting's tracking
information is updated. Also, changes to RSS feeds aren't captured by copy-on-write
page protection.

When a mailbox is no longer on In-Place Hold or Litigation Hold, copies of modified
items stored in the Versions folder are removed.

Recoverable Items mailbox quotas


When an item is moved to the Recoverable Items folder, its size is deducted from the
mailbox quota and added to the size of the Recoverable Items folder (quota available is
reduced). In Exchange Online, the default limits for the Recoverable Items quota are: a
soft limit of 20 GB and a hard limit of 30 GB. However, the quotas for the Recoverable
Items folder are automatically increased to 90 GB and 100 GB, respectively, when you
place a mailbox on Litigation Hold or In-Place Hold or if a Microsoft 365 or Office 365
retention policy is applied to the mailbox. For more information, see Increase the
Recoverable Items quota for mailboxes on hold.

If the Recoverable Items folder for a mailbox reaches the Recoverable Items quota, no
more items can be stored in the folder. This impacts mailbox functionality in the
following ways:

Mailbox users can't delete items.

The Managed Folder Assistant can't delete items based on retention tag or
managed folder settings.

For mailboxes that have single item recovery, In-Place Hold or Litigation Hold
enabled, the copy-on-write page protection process can't maintain versions of
items edited by the user.

For mailboxes that have mailbox audit logging enabled, no mailbox audit log
entries can be saved in the Audits subfolder.

For mailboxes that aren't placed on In-Place Hold or Litigation Hold, the Managed
Folder Assistant automatically purges items from the Recoverable Items folder when the
deleted item retention period expires. If the folder reaches the Recoverable Items
warning quota, the assistant automatically purges items in first-in-first-out order.

If the mailbox is placed on In-Place Hold or Litigation Hold or assigned to a Microsoft
365 or Office 365 retention policy, copy-on-write page protection can't maintain
versions of modified items. To maintain versions of modified items, you need to reduce
the size of the Recoverable Items folder. For more information, see Delete items in the
Recoverable Items folder of cloud-based mailboxes on hold.
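The hold, single item recovery and quota settings described above can be read for one mailbox in a single report. This is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, that sizes come back as strings of the form "1.5 GB (1,610,612,736 bytes)", and uses user@contoso.com as a placeholder address.

```powershell
# Added example (not from the Microsoft article): report a mailbox's hold state,
# single item recovery setting and how full its Recoverable Items folder is.
# Assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.

function ConvertTo-Bytes {
    # Exchange Online returns sizes as strings such as "1.5 GB (1,610,612,736 bytes)"
    # (assumption about the string form). Pull the exact byte count out of the
    # parentheses; "Unlimited" or anything else becomes $null.
    param([string]$SizeText)
    if ($SizeText -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace ',', '')
    }
    return $null
}

function Get-RecoverableItemsReport {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity

    # Folder-level statistics for Recoverable Items and its subfolders
    # (Deletions, Purges, Versions, DiscoveryHolds, ...).
    $stats = Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems
    $root  = $stats | Where-Object { $_.FolderPath -eq '/Recoverable Items' }

    $used      = ConvertTo-Bytes ([string]$root.FolderAndSubfolderSize)
    $quota     = ConvertTo-Bytes ([string]$mbx.RecoverableItemsQuota)
    $warnQuota = ConvertTo-Bytes ([string]$mbx.RecoverableItemsWarningQuota)
    $pct       = if ($quota) { [math]::Round(100 * $used / $quota, 1) } else { $null }

    # Either hold stops the Managed Folder Assistant from purging Purges, DiscoveryHolds
    # and Deletions, and turns on copy-on-write versioning.
    $onHold = $mbx.LitigationHoldEnabled -or ($mbx.InPlaceHolds.Count -gt 0)

    [pscustomobject]@{
        Mailbox                   = $mbx.PrimarySmtpAddress
        LitigationHoldEnabled     = $mbx.LitigationHoldEnabled
        InPlaceHoldCount          = $mbx.InPlaceHolds.Count
        SingleItemRecoveryEnabled = $mbx.SingleItemRecoveryEnabled
        RetainDeletedItemsFor     = $mbx.RetainDeletedItemsFor   # default 14 days, max 30
        OnHold                    = $onHold
        RecoverableItemsUsedBytes = $used
        WarningQuotaBytes         = $warnQuota
        QuotaBytes                = $quota                       # 30 GB, or 100 GB once on hold
        PercentOfQuota            = $pct
        # Per-subfolder view: shows whether the user-invisible Purges/Versions
        # subfolders are what is consuming the quota.
        Subfolders                = $stats |
                                    Where-Object { $_.FolderPath -ne '/Recoverable Items' } |
                                    Select-Object Name, ItemsInFolder, FolderSize
    }
}

# Flag a mailbox whose Recoverable Items folder has reached the warning quota; past the
# hard quota users can't delete, the assistant can't purge and versioning stops.
Get-RecoverableItemsReport -Identity 'user@contoso.com' |
    Where-Object { $_.WarningQuotaBytes -and $_.RecoverableItemsUsedBytes -ge $_.WarningQuotaBytes } |
    Format-List
```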

More information

Copy-on-write is only enabled when a mailbox is on In-Place Hold or Litigation
Hold.

If users need to recover deleted items from the Recoverable Items folder, point
them to the following articles:

Recover deleted items in Outlook for Windows

Recover deleted items or email in Outlook on the web

If you need to change the default deleted item retention period for Exchange
Online, read the following article:

Change how long permanently deleted items are kept for an Exchange Online
mailbox

Clean up or delete items from the Recoverable Items folder in Exchange Online
Article • 02/22/2023

Important

Please refer to the Microsoft 365 security center and the Microsoft Purview
compliance portal for Exchange security and compliance features. They are no
longer available in the new Exchange admin center.

The Recoverable Items folder (known in earlier versions of Exchange as the dumpster)
exists to protect from accidental or malicious deletions and to facilitate discovery efforts
commonly undertaken before or during litigation or investigations.

How you clean up or delete items from a user's Recoverable Items folder depends on
whether the mailbox is placed on In-Place Hold or Litigation Hold, or had single item
recovery enabled:

If a mailbox isn't placed on In-Place Hold, Litigation Hold, or another type of hold
in Microsoft 365 or Office 365, or if a mailbox doesn't have single item recovery
enabled, you can delete items from the Recoverable Items folder. After items are
deleted, you can't use single item recovery to recover them.

If the mailbox is placed on In-Place Hold, Litigation Hold, or another type of hold
in Microsoft 365 or Office 365, or if single item recovery is enabled, you'll want to
preserve the mailbox data until the hold is removed or single item recovery is
disabled. In this case, you need to perform more detailed steps to clean up the
Recoverable Items folder.

To learn more about In-Place Hold and Litigation Hold, see In-Place Hold and Litigation
Hold in Exchange Online. To learn more about single item recovery, see Single item
recovery.

What do you need to know before you begin?


To create and run a Content Search, you have to be a member of the eDiscovery
Manager role group or be assigned the Compliance Search management role. To
delete messages, you have to be a member of the Organization Management role
group or be assigned the Search And Purge management role. For information
about adding users to a role group, see Assign eDiscovery permissions in the
Microsoft Purview compliance portal.

Because incorrectly cleaning up the Recoverable Items folder can result in data
loss, it's important that you're familiar with the Recoverable Items folder and the
impact of removing its contents. Before performing this procedure, we recommend
that you review the information in Recoverable Items folder in Exchange Online.

You can only use Security & Compliance PowerShell to perform the procedures in
this article. To connect to Security & Compliance PowerShell, see Connect to
Security & Compliance PowerShell.

Tip

Having problems? Ask for help in the Microsoft Tech Community. Visit it at
Microsoft Tech Community - Exchange.

Use Security & Compliance PowerShell to delete items from the Recoverable Items
folder for mailboxes that aren't placed on hold or don't have single item recovery
enabled

You can delete items in the Recoverable Items folder by using the New-ComplianceSearch
and New-ComplianceSearchAction cmdlets in Security & Compliance PowerShell.

To search for items that are located in the Recoverable Items folder, we recommend that
you perform a targeted collection. This means you narrow the scope of your search only
to items located in the Recoverable Items folder. You can do this by running the script in
the Use Content Search for targeted collections article. This script returns the value of
the folder ID property for all the subfolders in the target Recoverable Items folder. Then
you use the folder ID in a search query to return items located in that folder.

Here's an overview of the process to search for and delete items in a user's Recoverable
Items folder:

1. Run the targeted collection script that returns the folder IDs for all folders in the
target user's mailbox. The script connects to Exchange Online PowerShell and
Security & Compliance PowerShell in the same PowerShell session. For more
information, see Run the script to get a list of folders for a mailbox or site.

2. Copy the folder IDs for all subfolders in the Recoverable Items folder. Alternatively,
you can redirect the output of the script to a text file.

Here is a list and description of the subfolders in the Recoverable Items folder that
you can search and delete items from:

Deletions: Contains soft-deleted items whose deleted item retention period has not
expired. Users can recover soft-deleted items from this subfolder using the Recover
Deleted Items tool in Outlook.

Purges: Contains hard-deleted items whose deleted item retention period has expired.
Users can also hard-delete items by purging items from their Recoverable Items folder.
If the mailbox is on hold, hard-deleted items are preserved. This subfolder isn't
visible to end-users.

DiscoveryHolds: Contains hard-deleted items that have been preserved by an eDiscovery
hold or a retention policy. This subfolder isn't visible to end-users.

SubstrateHolds: Contains hard-deleted items from Teams and other cloud-based apps
that have been preserved by a retention policy or other type of hold. This subfolder
isn't visible to end-users.

3. Use the New-ComplianceSearch cmdlet (in Security & Compliance PowerShell) or
use the Content Search tool in the Microsoft Purview compliance portal to create a
content search that returns items from the target user's Recoverable Items folder.
You can do this by including the FolderId in the search query for all subfolders that
you want to search. For example, the following query returns all messages in the
Purges and DiscoveryHolds subfolders:

text

folderid:<folder ID of Purges subfolder> OR folderid:<folder ID of DiscoveryHolds subfolder>

For more information and examples about running content searches that use the
folder ID property, see Use a folder ID or documentlink to perform a targeted
collection.

Note

If you use the New-ComplianceSearch cmdlet to search the Recoverable Items folder,
be sure to use the Start-ComplianceSearch cmdlet to run the search.

4. After you've created a content search and validated that it returns the items that
you want to delete, use the New-ComplianceSearchAction -Purge -PurgeType HardDelete
command (in Security & Compliance PowerShell) to permanently delete the items
returned by the content search that you created in the previous step. For example,
you can run a command similar to the following command:

PowerShell

New-ComplianceSearchAction -SearchName "RecoverableItems" -Purge -PurgeType HardDelete

5. A maximum of 10 items per mailbox are deleted when you run the previous command.
That means you may have to run the New-ComplianceSearchAction -Purge command
multiple times to delete all the items that you want to delete in the Recoverable
Items folder. To delete additional items, you first have to remove the previous
compliance search purge action. You do this by running the Remove-ComplianceSearchAction
cmdlet. For example, to delete the purge action that was run in the previous step, run
the following command:

PowerShell

Remove-ComplianceSearchAction "RecoverableItems_Purge"

After you do this, you can create a new compliance search purge action to delete
more items. You'll have to delete each purge action before creating a new one.

To get a list of the compliance search actions, you can run the Get-
ComplianceSearchAction cmdlet. Purge actions are identified by _Purge appended
to the search name.
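Steps 1 through 5 above can be chained into one script. This is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module with both Connect-ExchangeOnline (for folder IDs) and Connect-IPPSSession (for the compliance search cmdlets) already run in the session, and the folder ID conversion mirrors Microsoft's targeted-collection script from memory, so verify it against the article referenced in step 1 before relying on it. The search name and the 20-round limit are constructed for this example.

```powershell
# Added example (not from the Microsoft article): search and purge the Recoverable Items
# subfolders of one mailbox that is NOT on hold and doesn't have single item recovery.
# Assumes ExchangeOnlineManagement with Connect-ExchangeOnline and Connect-IPPSSession done.

function ConvertTo-FolderIdQuery {
    # Converts the base64 FolderId from Get-MailboxFolderStatistics into the hex form that
    # Content Search expects after "folderid:". Mirrors Microsoft's targeted-collection
    # script (assumption from memory); verify against that article.
    param([Parameter(Mandatory)][string]$FolderId)
    $nibbler = [Text.Encoding]::ASCII.GetBytes('0123456789ABCDEF')
    $bytes   = [Convert]::FromBase64String($FolderId)
    $hex     = New-Object byte[] 48
    $i = 0
    $bytes | Select-Object -Skip 23 -First 24 | ForEach-Object {
        $hex[$i++] = $nibbler[$_ -shr 4]
        $hex[$i++] = $nibbler[$_ -band 0xF]
    }
    return "folderid:$([Text.Encoding]::ASCII.GetString($hex))"
}

function Wait-ComplianceSearch {
    param([string]$Name)
    do { Start-Sleep -Seconds 10; $s = Get-ComplianceSearch -Identity $Name }
    while ($s.Status -ne 'Completed')
    return $s
}

function Clear-RecoverableItems {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [string[]]$Subfolders = @('Deletions', 'Purges', 'DiscoveryHolds', 'SubstrateHolds'),
        [int]$MaxRounds = 20   # constructed cap; each purge action deletes at most 10 items
    )

    # Guard: this procedure is only for mailboxes that aren't on hold and don't have
    # single item recovery; anything else needs the hold-aware procedure instead.
    $mbx = Get-Mailbox -Identity $Mailbox
    if ($mbx.LitigationHoldEnabled -or $mbx.InPlaceHolds.Count -gt 0 -or $mbx.SingleItemRecoveryEnabled) {
        throw "$Mailbox is on hold or has single item recovery enabled; use the hold-aware procedure."
    }

    # Steps 1-2: folder IDs of the Recoverable Items subfolders being targeted.
    $folders = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
               Where-Object { $Subfolders -contains $_.Name }
    $query = ($folders | ForEach-Object { ConvertTo-FolderIdQuery $_.FolderId }) -join ' OR '

    # Step 3: create and start the search (New-ComplianceSearch doesn't run it by itself).
    $name = "RecoverableItems-$($mbx.Alias)-$(Get-Date -Format yyyyMMddHHmm)"
    New-ComplianceSearch -Name $name -ExchangeLocation $Mailbox -ContentMatchQuery $query | Out-Null
    Start-ComplianceSearch -Identity $name
    $s = Wait-ComplianceSearch -Name $name
    Write-Host "Search '$name' found $($s.Items) items in: $($folders.Name -join ', ')"

    # Steps 4-5: purge in rounds of 10; the previous _Purge action must be removed first.
    for ($round = 1; $round -le $MaxRounds -and $s.Items -gt 0; $round++) {
        New-ComplianceSearchAction -SearchName $name -Purge -PurgeType HardDelete -Confirm:$false | Out-Null
        do { Start-Sleep -Seconds 10; $a = Get-ComplianceSearchAction -Identity "${name}_Purge" }
        while ($a.Status -ne 'Completed')
        Remove-ComplianceSearchAction -Identity "${name}_Purge" -Confirm:$false
        Start-ComplianceSearch -Identity $name          # re-run to count what is left
        $s = Wait-ComplianceSearch -Name $name
        Write-Host "Round ${round}: $($s.Items) items remaining"
    }

    # Verify the same way the article's "How do you know this worked?" section does.
    Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
        Format-List Name, FolderAndSubfolderSize, ItemsInFolderAndSubfolders
}

Clear-RecoverableItems -Mailbox 'user@contoso.com'   # placeholder address
```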

Use Exchange Online and Security & Compliance PowerShell to clean up the
Recoverable Items folder for mailboxes that are placed on hold or have single item
recovery enabled

This scenario is fully covered in the article Delete items in the Recoverable Items folder
of cloud mailboxes on hold.

How do you know this worked?


To verify that you've successfully deleted items from the Recoverable Items folder of a
mailbox, use the Get-MailboxFolderStatistics cmdlet in Exchange Online PowerShell to
check the size and number of items in the Recoverable Items folder. You can compare
these statistics with the ones you collected in Step 1.

Run the following command to get the current size and the total number of items in
folders and subfolders in the Recoverable Items folder in the user's primary mailbox.

PowerShell

Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

Run the following command to get the size and total number of items in folders and
subfolders in the Recoverable Items folder in the user's archive mailbox.

PowerShell

Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems -Archive | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)
Article • 03/22/2023

Use Microsoft Exchange Online and Microsoft 365 or Office 365 to manage mail flow.
Find out how, and get tips and best practices for setting up and managing your email.

This article is intended for IT Pros. Want something else?

Try Set up Microsoft 365 for business or Deploy Office 365 Enterprise for your
organization.

Microsoft 365 and Office 365 give you flexibility in determining the best arrangement
for how email is delivered to your organization's mailboxes. The path email takes from
the internet to a mailbox and vice versa is called mail flow. Most organizations want
Microsoft 365 or Office 365 to manage all their mailboxes and filtering, and some
organizations need more complex mail flow setups to make sure that they comply with
specific regulatory or business needs. If you're part of a small business or simply an
organization that wants Microsoft 365 or Office 365 to manage all your mailboxes and
mail flow, we recommend following the steps in Set up Microsoft 365 for business. That
article provides a complete checklist for setting up Microsoft 365 or Office 365 services
and programs, including how to set up your mail flow and email clients.

For information about how your email is protected with EOP, see Exchange Online
Protection Overview.

Tip

Are you new to Microsoft 365 or Office 365 mail flow? Check out the External
Domain Name System records for Microsoft 365 or Office 365 topic. We
especially recommend reading the part about SPF records because customers often
list the wrong values in their SPF record, which can cause mail flow problems.

Microsoft 365 and Office 365 mail flow covers the following scenarios:

Mail flow setup: Manage all mailboxes and mail flow using Microsoft 365 or Office 365
Complexity: Simple
Your organization's scenario:
Scenario 1: I'm a new Microsoft 365 or Office 365 customer, and all my users' mailboxes
are in Microsoft 365 or Office 365. I want to use all filtering solutions offered by
Microsoft 365 and Office 365.
Scenario 2: I'm a new Microsoft 365 or Office 365 customer. I have an existing email
service but plan to move all the existing users' mailboxes to the cloud at once. I want
to use all filtering solutions offered by Microsoft 365 and Office 365.

Mail flow setup: Manage mail flow using a third-party cloud service with Microsoft 365
or Office 365
Complexity: Complex
Your organization's scenario:
Scenario 1: I plan to have Microsoft 365 or Office 365 host all of my organization's
mailboxes. My organization uses (or plans to use) a third-party (mail services) cloud
solution for filtering spam and malware. All email sent from the internet must be
filtered by this third-party cloud service.
Scenario 2: I plan to have Microsoft 365 or Office 365 host all my organization's
mailboxes. My organization needs to send all email to a third-party service, such as
archiving or auditing. However, the third-party service doesn't provide a spam
filtering solution.

Mail flow setup: Manage mail flow with mailboxes in multiple locations (Microsoft 365
or Office 365 and on-prem)
Important: In the near future, Microsoft 365 and Office 365 will reject email from
unknown senders that are relayed from on-premises servers. This means that if the
sender or recipient domain of a message doesn't belong to your organization, Microsoft
365 or Office 365 will reject the message unless you have created a connector to allow
this behavior. This change will help prevent unauthorized parties from using your
organization to send spam or malware through Microsoft 365 or Office 365. This change
potentially affects your mail flow if you use any scenario in this section. Each
scenario has best practices to ensure that your mail flow continues uninterrupted.
Complexity: Very complex
Your organization's scenario:
Scenario 1: I'm migrating my mailboxes to Microsoft 365 or Office 365, and I want to
keep some mailboxes on my organization's mail server (on-premises server). I want to
use Microsoft 365 or Office 365 as my spam filtering solution and would like to send
my messages from my on-premises server to the internet via Microsoft 365 or Office
365. Microsoft 365 or Office 365 sends and receives all messages.
Scenario 2: I'm migrating my mailboxes to Microsoft 365 or Office 365, and I want to
keep some mailboxes on my organization's mail server (on-premises server). I want to
use the filtering and compliance solutions that are already in my on-premises
environment. And all messages coming from the internet to my cloud mailboxes or
messages sent to the internet from my cloud mailboxes need to route through my
on-premises servers.
Scenario 3: I'm migrating my mailboxes to Microsoft 365 or Office 365, and I want to
keep some mailboxes on my organization's mail server (on-premises server). I want to
use the filtering and compliance solutions that are already in my on-premises email
environment. All messages coming from the internet to my cloud mailboxes or messages
sent to the internet from cloud mailboxes must route through my on-premises servers.
And I need to point my domain's MX record to my on-premises server.
Scenario 4: I'm migrating my mailboxes to Microsoft 365 or Office 365, and I want to
keep some mailboxes on my organization's mail server (on-premises server). I want to
use the filtering and compliance solutions that are already in my on-premises email
environment. All messages sent from my on-premises servers must relay through
Microsoft 365 or Office 365 to the internet. And I need to point my domain's MX record
to my on-premises server.

Mail flow setup: Manage mail flow using a third-party cloud service with mailboxes on
Microsoft 365 or Office 365 and on-prem
Complexity: Most complex
Your organization's scenario:
I'm migrating my mailboxes to Microsoft 365 or Office 365, and I want to keep some
mailboxes on my organization's mail server (on-premises server). I want to use a
third-party cloud service to filter spam from the internet. My messages to the
internet need to route through Microsoft 365 or Office 365 to protect my on-premises
servers' IP addresses from being added to external block lists.

Mail flow setup: Send emails from a multifunction printer/scanner/fax/application
through Microsoft 365 or Office 365. For details about this scenario, see How to set
up a multifunction device or application to send email using Microsoft 365 or Office
365.
Complexity: Complex
Your organization's scenario:
All my organization's mailboxes are hosted in Microsoft 365 or Office 365, but I have a
multifunction printer, scanner, fax machine, or an application that needs to send
email.

Mail flow setup: Using Exchange Online Protection (EOP) standalone. For details about
this scenario, see Mail Flow in EOP and How connectors work with my on-premises email
servers.
Complexity: Simple
Your organization's scenario:
I have my own email servers (on-premises servers), and I subscribe to EOP for email
protection services only.

For information about migrating your email to Microsoft Exchange Online, see Ways to
migrate multiple email accounts to Microsoft 365 or Office 365.

Introduction to the basics of Microsoft 365 and Office 365 mail flow

Microsoft 365 and Office 365 use domains, like contoso.com, to route email messages.
When you set up email in Microsoft 365 or Office 365, you typically switch from the
default domain that you got when you first signed up for Microsoft 365 or Office 365
(the domain ending with .onmicrosoft.com) to your organization's domain. Domain
names, like contoso.com, are managed by using a worldwide system of domain
registrars (for example, GoDaddy, HostGator, or Moniker) and databases called the
Domain Name System (DNS). DNS provides a mapping between human-readable
computer hostnames and the IP addresses used by networking equipment. If you're new
to DNS, we recommend that you read DNS basics. The following video provides you
with a quick overview of some of the most important concepts about what DNS is and
how it works.

Understanding how DNS records control mail flow


In Microsoft 365 and Office 365 mail flow, there are several components of DNS that are
particularly important for email authentication and delivery: MX records, SPF, DKIM, and
DMARC.

MX (mail exchanger) records provide an easy way for mail servers to know where to
send email. You can think of the MX record as a type of postal address. If you want
Microsoft 365 or Office 365 to receive all email addressed to anyone@contoso.com, the
MX record for contoso.com should point to Microsoft 365 or Office 365, and it will look
like the following example:

Hostname: contoso-com.mail.protection.outlook.com
Priority: 0
TTL: 1 hour

SPF (sender policy framework) is a specially formatted TXT record in DNS. SPF validates
that only the organization that owns a domain is actually sending email from that
domain. SPF is a security measure that helps makes sure someone doesn't impersonate
another organization. This impersonation is often called spoofing. As a domain owner,
you can use SPF to publish a list of IP addresses or subnets that are authorized to send
email on your organization's behalf. This can be helpful if you want to send email from
multiple servers or services with different IP addresses.

Important

You can only have one SPF record per domain. Having multiple SPF records will
invalidate all SPF records and cause mail flow problems.

Because most modern email servers look up a domain's SPF record before they accept
any email from it, it's important to set up a valid SPF record in DNS when you first set up
mail flow. For a quick introduction to SPF and to get it configured quickly, see Set up
SPF in Microsoft 365 or Office 365 to help prevent spoofing. For a more in-depth
understanding of how Microsoft 365 and Office 365 use SPF, or for troubleshooting or
non-standard deployments such as hybrid deployments, start with How Microsoft 365
and Office 365 use Sender Policy Framework (SPF) to prevent spoofing.

DomainKeys Identified Mail (DKIM) lets you attach a digital signature to email
messages in the message header of emails you send. Email systems that receive email
from your domain use this digital signature to determine if incoming email that they
receive is legitimate. For information about DKIM and Microsoft 365 or Office 365, see
Use DKIM to validate outbound email sent from your domain in Microsoft 365 or Office
365.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps
receiving mail systems determine what to do with messages that fail SPF or DKIM checks
and provides another level of trust for your email partners. For information on setting
up DMARC, see Use DMARC to validate email in Microsoft 365 or Office 365.

Use SPF, DKIM, and DMARC together for the best experience.
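The four DNS pieces this section describes (MX, SPF, DKIM, DMARC) can be checked together from PowerShell. This is an added example, not code from the Microsoft article; it assumes the Windows DnsClient module's Resolve-DnsName cmdlet, that Microsoft 365 publishes DKIM keys under the selector1 and selector2 CNAMEs, and uses the article's placeholder domain contoso.com.

```powershell
# Added example (not from the Microsoft article): check MX, SPF, DKIM and DMARC for a domain.
# Assumes Resolve-DnsName (Windows DnsClient module). selector1/selector2 are assumed to be
# the DKIM selectors Microsoft 365 uses.

function Test-M365MailDns {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ Domain = $Domain }

    # MX: for EOP to see the initial connection, the lowest-preference MX should be
    # <domain-with-dashes>.mail.protection.outlook.com.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
    $result.MxHost         = $mx | Select-Object -First 1 -ExpandProperty NameExchange
    $result.MxPointsToM365 = [bool]($result.MxHost -like '*.mail.protection.outlook.com')

    # SPF: exactly one TXT record beginning with "v=spf1"; two or more invalidate SPF.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings }
    $spf = @($txt | Where-Object { $_ -match '^v=spf1\b' })
    $result.SpfRecord       = $spf -join ' || '
    $result.SpfRecordCount  = $spf.Count
    $result.SpfIncludesM365 = [bool]($spf -match 'include:spf\.protection\.outlook\.com')
    $result.SpfValid        = ($spf.Count -eq 1)

    # DKIM: Microsoft 365 keys are reached through CNAMEs at selectorN._domainkey.<domain>.
    $result.Dkim = foreach ($sel in 'selector1', 'selector2') {
        $cn = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        [pscustomobject]@{ Selector = $sel; Target = $cn.NameHost; Published = [bool]$cn }
    }

    # DMARC: TXT at _dmarc.<domain>; p= tells receivers what to do with SPF/DKIM failures.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings } |
             Where-Object { $_ -match '^v=DMARC1' } | Select-Object -First 1
    $result.DmarcRecord = $dmarc
    $result.DmarcPolicy = if ($dmarc -match 'p=(\w+)') { $Matches[1] } else { $null }

    [pscustomobject]$result
}

Test-M365MailDns -Domain 'contoso.com' | Format-List
```

SpfRecordCount greater than 1 is the misconfiguration the Important note above warns about; SpfValid is false in that case even if each record individually looks right.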

How MX records affect spam filtering


For the best mail flow experience (especially for spam filtering) we recommend pointing
the MX record for your organization's domain to Microsoft 365 or Office 365. Spam
scanning is the initial connection point to the Microsoft 365 or Office 365 service. Who
is sending the message, the IP address of the server that originally sent the message,
and the behavior of the connecting mail server, all help determine whether a message is
legitimate or spam. If your domain's MX record doesn't point to Microsoft 365 or Office
365, the spam filters won't be as effective. If your MX record doesn't point to Microsoft
365 or Office 365, there will be some valid messages that the service misclassifies as
spam and some spam messages that the service misclassifies as legitimate email.

With that said, there are legitimate business scenarios that require your domain's MX
record to point to somewhere other than Microsoft 365 or Office 365. For example,
email destined for your organization might need to initially arrive at another destination
(such as a third-party archiving solution), then route through Microsoft 365 or Office
365, and then be delivered to mailboxes on your organization's mail server. This setup
might provide the best solution to meet your business requirements.

Whatever your needs, this guide will help you understand how your MX records, SPF,
and, potentially, connectors need to be set up.

For more information

The following are additional topics related to mail flow in Exchange Online:

Test mail flow by validating your Microsoft 365 or Office 365 connectors

Troubleshoot Microsoft 365 or Office 365 mail flow

Use Directory Based Edge Blocking to reject messages sent to invalid recipients

Manage accepted domains in Exchange Online

Remote domains in Exchange Online

Message format and transmission in Exchange Online

Configure the external postmaster address in Exchange Online

How to set up a multifunction device or application to send email using Microsoft 365
or Office 365

Test mail flow by validating your connectors in Exchange Online
Article • 02/22/2023

To validate and troubleshoot mail flow from Microsoft 365 or Office 365 to your
organization's email server (also called on-premises server), validate your connectors.
You can set up and validate connectors on the connectors page in the Exchange admin
center (EAC). The built-in validation tests that your mail flow from Microsoft 365 or
Office 365 reaches:

Your organization's email server

A partner organization.

For more information, see Validate connectors

Mail flow issues can also happen when your MX record is not setup correctly. To verify
your MX record, see Find and fix issues after adding your domain or DNS records.

Note

These tests replace Microsoft 365 or Office 365 mail flow troubleshooting that was
previously available in the Remote Connectivity Analyzer.

See also
Configure mail flow using connectors

Set up connectors to route mail between Microsoft 365 or Office 365 and your own
email servers

Validate connectors

When do I need a connector?

Troubleshoot mail flow in Exchange Online
Article • 02/22/2023

Can't send or receive email? Microsoft 365 and Office 365 for business offer admins
several ways to troubleshoot. We recommend using the automated solutions because
they are typically easier and faster than manual troubleshooting.

For instructions about troubleshooting options, see Find and fix email delivery issues as
a Microsoft 365 or Office 365 for business admin.

Troubleshoot mail flow caused by connectors


To validate and troubleshoot mail flow from Microsoft 365 or Office 365 to the email
servers in your on-premises organization (also called the on-premises server), validate
your connectors. You can set up and validate connectors on the Connectors page in the
Exchange admin center (EAC). The built-in validation tests that your mail flow from
Microsoft 365 or Office 365 reaches:

Your organization's email server

A partner organization.

For more information, see Validate connectors.

Troubleshoot mail flow issues caused by incorrect SPF records or MX records

How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing gives tips
on how to fix several SPF record errors. The beginning of that article also provides an
explanation of what SPF records are and how Microsoft 365 and Office 365 use them to
prevent spoofing.

Mail flow issues can also happen when your MX record is not setup correctly. To verify
your MX record, see Find and fix issues after adding your domain or DNS records.

For more information


Mail flow best practices for Exchange Online and Microsoft 365 or Office 365 (overview)

Mail flow in EOP

Configure mail flow using connectors in Exchange Online
Article • 02/22/2023

Connectors are a collection of instructions that customize the way your email flows to
and from your Microsoft 365 or Office 365 organization. Actually, most Microsoft 365
and Office 365 organizations don't need connectors for regular mail flow. This article
describes the mail flow scenarios that require connectors.

What do connectors do?

Connectors are used in the following scenarios:

Enable mail flow between Microsoft 365 or Office 365 and email servers that you
have in your on-premises environment (also known as on-premises email servers).

Apply security restrictions or controls to email that's sent between your Microsoft
365 or Office 365 organization and a business partner or service provider.

Relay mail from devices, applications, or other non-mailbox entities in your on-
premises environment through Microsoft 365 or Office 365.

Avoid graylisting that would otherwise occur due to the large volume of mail that's
regularly sent between your Microsoft 365 or Office 365 organization and your on-
premises environment or partners.

Note

Graylisting is a delay tactic that protects email systems from spam. In Microsoft 365
and Office 365, graylisting slows down suspiciously large amounts of email by
throttling the message sources based on their IP addresses. Microsoft 365 or Office
365 responds to these abnormal influxes of mail by returning a temporary non-delivery
report error (also known as an NDR or bounce message) in the range 451 4.7.500-699
(ASxxx). For more details on these types of delivery issues, see Fix email delivery
issues for error code 451 4.7.500-699 (ASxxx) in Exchange Online.

What happened to inbound and outbound connectors?

Nothing. We just don't call them "inbound" and "outbound" anymore (although the
PowerShell cmdlet names still contain these terms). If you previously set up inbound
and outbound connectors, they will still function in exactly the same way.

The process for setting up connectors has changed; instead of using the terms
"inbound" and "outbound", we ask you to specify the start and end points that you want
to use. The way connectors work in the background is the same as before (inbound
means into Microsoft 365 or Office 365; outbound means from Microsoft 365 or Office
365).

When do I need a connector?

Exchange Online is ready to send and receive email from the internet right away. You
don't need to set up connectors unless you have standalone Exchange Online Protection
(EOP) or other specific circumstances that are described in the following table:

Scenario: You have a standalone EOP subscription.
Description: You have your own on-premises email servers, and you subscribe to EOP
only for email protection services for your on-premises mailboxes (you have no
mailboxes in Exchange Online). For more information about standalone EOP, see
Standalone Exchange Online Protection and the How connectors work with my
on-premises email servers section later in this article.
Connector required? Yes
Connector settings:
    Connector for incoming email: From: Your on-premises email server; To: Office 365
    Connector for outgoing email: From: Office 365; To: Your on-premises mail server

Scenario: Some of your mailboxes are on your on-premises email servers, and some are
in Exchange Online.
Description: Before you manually configure connectors, check whether an Exchange
hybrid deployment better meets your business needs. For details, see the I have my
own email servers section later in this article and Exchange Server Hybrid
Deployments.
Connector required? Yes
Connector settings:
    Connector for incoming email: From: Your on-premises email server; To: Office 365
    Connector for outgoing email: From: Office 365; To: Your on-premises email server

Scenario: All of your mailboxes are in Exchange Online, you don't have any on-premises
email servers, but you need to send email from printers, fax machines, apps, or other
devices.
Description: You can relay messages from these non-mailbox entities through Microsoft
365 or Office 365. For details, see Option 3: Configure a connector to send mail using
Office 365 SMTP relay.
Note: Instead of Office 365 SMTP relay, you can use direct send to send email from
your apps or devices. But direct send introduces other issues (for example, graylisting
or throttling).
Connector required? Optional
Connector settings:
    Only one connector for incoming email: From: Your organization's email server;
    To: Office 365

Scenario: You frequently exchange sensitive information with business partners, and
you want to apply security restrictions.
Description: You want to use Transport Layer Security (TLS) to encrypt sensitive
information or you want to limit the source (IP addresses) for email from the partner
domain. For details, see Set up connectors for secure mail flow with a partner
organization.
Connector required? Optional
Connector settings:
    Connector for incoming email: From: Partner organization; To: Office 365
    Connector for outgoing email: From: Office 365; To: Partner organization

Note

If you don't have Exchange Online or EOP and are looking for information about
Send connectors and Receive connectors in Exchange 2016 or Exchange 2019, see
Connectors.

You can't have an "allow" by sender domain connector when there is a restrict by IP
or certificate connector. The restrict connector will take precedence, as partner
connectors are pulled up by IP or certificate lookup when restrictions and mail
rejections are applied. You should not have IPs and certificates configured in the
same partner connector. Instead, you should use separate connectors. Don't use
associated accepted domains unless you're testing the connector for a subset of
the accepted domains or recipient domains.
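The rules in that note are easy to violate over time as partner connectors accumulate. The following audit is an added example, not part of the article or of Microsoft's tooling; it reads the tenant's Partner-type inbound connectors with Get-InboundConnector (assuming Connect-ExchangeOnline has already been run) and reports each connector that mixes IP and certificate identification, that allows by sender domain while a restrict-by-IP/certificate connector exists, that does not require TLS, or that still has associated accepted domains set.

```powershell
# Added example, not from the article: reports Exchange Online Partner inbound connectors
# that conflict with the guidance in the note above. Uses only Get-InboundConnector and its
# documented properties; run after Connect-ExchangeOnline. Output is one object per finding.
function Get-PartnerConnectorFindings {
    $partner = @(Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' })

    # Connectors that match partner mail by source IP or by certificate take precedence
    # over plain allow-by-sender-domain connectors, so an "allow" one is silently overridden
    $restrictive = @($partner | Where-Object {
        $_.RestrictDomainsToIPAddresses -or $_.RestrictDomainsToCertificate })

    foreach ($c in $partner) {
        $ips          = @($c.SenderIPAddresses)
        $certName     = [string]$c.TlsSenderCertificateName
        $byDomainOnly = -not ($c.RestrictDomainsToIPAddresses -or $c.RestrictDomainsToCertificate)

        $issues = @()
        if ($ips.Count -gt 0 -and $certName) {
            $issues += 'IP addresses and a certificate name are both configured; split them into separate connectors.'
        }
        if ($byDomainOnly -and $restrictive.Count -gt 0) {
            $issues += ('Allows by sender domain only while restrict-by-IP/certificate connectors exist ({0}); those take precedence.' -f ($restrictive.Name -join ', '))
        }
        if (-not $c.RequireTls) {
            $issues += 'RequireTls is false; partner mail may arrive in clear text and cannot be matched by certificate.'
        }
        if (@($c.AssociatedAcceptedDomains).Count -gt 0) {
            $issues += 'AssociatedAcceptedDomains is set; intended only while testing a subset of accepted domains.'
        }

        foreach ($issue in $issues) {
            [pscustomobject]@{
                Connector = $c.Name
                Enabled   = $c.Enabled
                Domains   = (@($c.SenderDomains) -join ', ')
                Issue     = $issue
            }
        }
    }
}

Get-PartnerConnectorFindings | Format-Table -AutoSize -Wrap
```

Disabled connectors are included on purpose: a connector left disabled during testing is still a misconfiguration waiting to be enabled, and the Enabled column lets you triage by impact.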

I have my own email servers

If you have Exchange Online or EOP and your own on-premises email servers, you
definitely need connectors. This is more complicated and has more options as described
in the following table:

Your on-premises email organization is: Exchange 2010 or later
Your service subscription is: Exchange Online Protection
Have you completed an Exchange hybrid deployment? Not available
Do I need to set up connectors manually? Yes. Follow the instructions in Set up
connectors to route mail between Microsoft 365 or Office 365 and your own email
servers.

Your on-premises email organization is: Exchange 2010 or later
Your service subscription is: Exchange Online
Have you completed an Exchange hybrid deployment? No
Do I need to set up connectors manually? Consider whether an Exchange hybrid
deployment will better meet your organization's needs by reviewing the article that
matches your current situation in Exchange Server Hybrid Deployments.
If a hybrid deployment is the right option for your organization, use the Hybrid
Configuration wizard to integrate Exchange Online with your on-premises Exchange
organization.
If you don't want a hybrid deployment and you only want connectors that enable mail
routing, follow the instructions in Set up connectors to route mail between Microsoft
365 or Office 365 and your own email servers.

Your on-premises email organization is: Exchange 2010 or later
Your service subscription is: Exchange Online
Have you completed an Exchange hybrid deployment? Yes
Do I need to set up connectors manually? No. The Hybrid Configuration wizard creates
connectors for you. To view or edit those connectors, go to the Connectors page in the
Exchange admin center (EAC), or rerun the Hybrid Configuration wizard.

Your on-premises email organization is: Exchange 2007 or earlier
Your service subscription is: Exchange Online Protection or Exchange Online
Have you completed an Exchange hybrid deployment? Not available
Do I need to set up connectors manually? Yes. Follow the instructions in Set up
connectors to route mail between Microsoft 365 or Office 365 and your own email
servers.
In limited circumstances, you might have a hybrid configuration with Exchange Server
2007 and Microsoft 365 or Office 365. Check whether connectors are already set up for
your organization by going to the Connectors page in the EAC.

Your on-premises email organization is: Non-Microsoft SMTP server
Your service subscription is: Exchange Online Protection or Exchange Online
Have you completed an Exchange hybrid deployment? Not available
Do I need to set up connectors manually? Yes. Follow the instructions in Set up
connectors to route mail between Microsoft 365 or Office 365 and your own email
servers.

How connectors work with my on-premises email servers
Connectors enable mail flow in both directions (to and from Microsoft 365 or Office
365). You can enable mail flow with any SMTP server (for example, Microsoft Exchange
or a third-party email server).

The diagram below shows how connectors in Exchange Online or EOP work with your
own email servers.

In this example, John and Bob are both employees at your company. John has a mailbox
on an email server that you manage, and Bob has a mailbox in Exchange Online. John
and Bob both exchange mail with Sun, a customer with an internet email account:

When email is sent between John and Bob, connectors are needed.
When email is sent between John and Sun, connectors are needed. (All internet
email is delivered via Microsoft 365 or Office 365.)
When email is sent between Bob and Sun, no connector is needed.

Important

Always confirm that your internet-facing email servers aren't accidentally
configured to allow open relay. An open relay allows mail from any source
(spammers) to be transparently re-routed through the open relay server. This
behavior masks the original source of the messages, and makes it look like the mail
originated from the open relay server.
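On an on-premises Exchange server, an open relay is the combination of a Receive connector that allows anonymous sessions, grants ANONYMOUS LOGON the ms-Exch-SMTP-Accept-Any-Recipient extended right, and still accepts connections from every remote IP range. The script below is an added example, not part of the article; it runs in the Exchange Management Shell and uses Get-ReceiveConnector and Get-ADPermission to list connectors that relay for anonymous senders, separating deliberate relays scoped to specific source ranges (printers, applications) from ones open to the whole internet.

```powershell
# Added example, not from the article: list on-premises Exchange Receive connectors that
# let anonymous senders relay to any recipient, and flag those that accept that from the
# whole internet (an open relay). Run in the Exchange Management Shell on-premises.
function Get-AnonymousRelayReceiveConnector {
    foreach ($rc in Get-ReceiveConnector) {
        # Anonymous SMTP sessions must be allowed on the connector at all
        $anonymousAllowed = ($rc.PermissionGroups -match 'AnonymousUsers')

        # ...and ANONYMOUS LOGON must hold the "accept any recipient" extended right,
        # which is what turns "accept mail for my domains" into "relay for anyone"
        $relayRight = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') }

        if (-not ($anonymousAllowed -and $relayRight)) { continue }

        # A relay scoped to specific source ranges is a deliberate design choice;
        # one whose RemoteIPRanges still cover every address is an open relay
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $coversEverything = $ranges | Where-Object { $_ -like '0.0.0.0-*' -or $_ -like '::-*' }

        [pscustomobject]@{
            Server         = $rc.Server
            Connector      = $rc.Name
            Bindings       = (@($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', ')
            RemoteIPRanges = ($ranges -join ', ')
            Assessment     = if ($coversEverything) {
                                 'OPEN RELAY: anonymous relay accepted from any source; fix before exposing port 25'
                             } else {
                                 'Anonymous relay scoped to the listed ranges; confirm they contain only your own devices'
                             }
        }
    }
}

Get-AnonymousRelayReceiveConnector | Format-List
```

Run it on every server that has an internet-facing binding; the default Receive connectors are not affected because they do not grant the extended right to anonymous users, so an empty result is the expected healthy state.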

What if I've already run the Hybrid Configuration Wizard?

If you've already run the Hybrid Configuration wizard, the required connectors are
already configured for you. You can view your hybrid connectors on the Connectors
page in the EAC. You can view, troubleshoot, and update these connectors using the
procedures described in Set up connectors to route mail between Microsoft 365 or
Office 365 and your own email servers, or you can re-run the Hybrid Configuration
wizard to make changes.

Connectors for mail flow with a partner organization

You can create connectors to add additional security restrictions for email sent between
Microsoft 365 or Office 365 and a partner organization. A partner can be an
organization you do business with, such as a bank. It can also be a cloud email service
provider that provides services such as archiving, antispam, and so on. You can create a
partner connector that defines boundaries and restrictions for email sent to or received
from your partners, including scoping the connector to receive email from specific IP
addresses, or requiring TLS encryption.

Example use of connectors with a partner organization

The diagram below shows an example where ContosoBank.com is a business partner
that you share financial details with via email. Because you are sharing financial
information, you want to protect the integrity of the mail flow between your businesses.
Connectors with TLS encryption enable a secure and trusted channel for communicating
with ContosoBank.com. In this example, two connectors are created in Microsoft 365 or
Office 365. TLS is required for mail flow in both directions, so ContosoBank.com must
have a valid encryption certificate. A certificate from a commercial certification authority
(CA) that's automatically trusted by both parties is recommended.

Additional partner organization connector options: specify a domain or IP address ranges

When you create a connector, you can also specify the domain or IP address ranges that
your partner sends mail from. If email messages don't meet the security conditions that
you set on the connector, the message will be rejected. For more information about
creating connectors to exchange secure email with a partner organization, see Set up
connectors for secure mail flow with a partner organization.

Connectors for mail notifications from printers and devices

This scenario applies only to organizations that have all their mailboxes in Exchange
Online (no on-premises email servers) and allows an application or device to send mail
(technically, relay mail) through Microsoft 365 or Office 365. For example, if you want a
printer to send notifications when a print job is ready, or you want your scanner to email
documents to recipients, you can use a connector to relay mail through Microsoft 365 or
Office 365 on behalf of the application or device.

Keep in mind that there are other options that don't require connectors. For details
about all of the available options, see How to set up a multifunction device or
application to send email.

How do I set up connectors?

Before you set up a connector, you need to configure the accepted domains for
Microsoft 365 or Office 365. For more information, see Manage accepted domains in
Exchange Online.

Connector setup articles:

Set up connectors to route mail between Microsoft 365 or Office 365 and your
own email servers
Set up connectors for secure mail flow with a partner organization

See also
Set up connectors to route mail between Microsoft 365 or Office 365 and your own
email servers

Mail flow best practices for Exchange Online and Microsoft 365 or Office 365 (overview)

Set up connectors for secure mail flow with a partner organization

What happens when I have multiple connectors for the same scenario?

Do I need to create a connector in Exchange Online?
Article • 02/22/2023

Find your mail flow scenario to see if you need to create a connector for your Exchange
Online organization.

Scenario: You have a standalone EOP subscription.
Description: You have your own on-premises email servers, and you subscribe to EOP
only for email protection services for your on-premises mailboxes (you have no
mailboxes in Exchange Online). For more information, see the topic Exchange Online
Protection overview and How connectors work with my on-premises email servers.
Connector required? Yes
Connector settings:
    Connector for incoming email: From: Your on-premises email server; To: Office 365
    Connector for outgoing email: From: Office 365; To: Your on-premises mail server

Scenario: Some of your mailboxes are on your on-premises email servers, and some are
in Exchange Online.
Description: Before you manually configure connectors, check whether an Exchange
hybrid deployment better meets your business needs. For details, see I have my own
email servers and Exchange Server Hybrid Deployments.
Connector required? Yes
Connector settings:
    Connector for incoming email: From: Your on-premises email server; To: Office 365
    Connector for outgoing email: From: Office 365; To: Your on-premises email server

Scenario: All of your mailboxes are in Exchange Online, but you need to send email
from sources in your on-premises organization.
Description: You don't have your own email servers, but you need to send email from
non-mailboxes: printers, fax machines, apps, or other devices. For details, see Option
3: Configure a connector to send mail using Microsoft 365 or Office 365 SMTP relay.
Connector required? Optional
Connector settings:
    Only one connector for incoming email: From: Your organization's email server;
    To: Office 365

Scenario: You frequently exchange sensitive information with business partners, and
you want to apply security restrictions.
Description: You want to use Transport Layer Security (TLS) to encrypt sensitive
information or you want to limit the source (IP addresses) for email from the partner
domain. For details, see Set up connectors for secure mail flow with a partner
organization.
Connector required? Optional
Connector settings:
    Connector for incoming email: From: Partner organization; To: Office 365
    Connector for outgoing email: From: Office 365; To: Partner organization

Note

For more information about these scenarios, see Configure mail flow using
connectors in Office 365.

Inbound connector: FAQ
Article • 07/25/2023

Summary: This article covers the most common questions asked by customers and
administrators about using Inbound connectors in Exchange Online.

For Exchange Online customers (any Office 365/Microsoft 365 customers using
Exchange Online), best practices related to transport connectors are described in
Configure mail flow using connectors in Exchange Online.

The Inbound connector of OnPremises type can be created in the following ways:

1. Within the Exchange Admin Center in Exchange Online, it's defined as follows:

From: Your on-premises email server

To: Office 365

2. When you use the PowerShell cmdlet New-InboundConnector, use the ConnectorType
parameter with the value OnPremises.

3. When the Hybrid Configuration Wizard (HCW) is run on-premises, the connector is
named Inbound from <TenantGUID>, the ConnectorSource parameter is set to
HybridWizard, and the ConnectorType parameter is set to OnPremises.

An Inbound connector of OnPremises type is intended for customers that are still in
hybrid mode, so that mailboxes hosted in their on-premises environment can send email
to mailboxes hosted in Exchange Online.

In addition, on-premises mailboxes are supported for relaying email to the internet via
Exchange Online. Inbound connectors of OnPremises type aren't designed to relay bulk
email to the internet, so any such activity is a misuse of the feature.

When you create an Inbound connector of OnPremises type, you may see the warning
message:

"Inbound connector for this service offering is created in a disabled state. Contact Support
to enable it."

When you update an Inbound connector of OnPremises type, you may see the warning
message:
"For this service offering, you can't enable an inbound connector. Contact Support to
enable it."

If this happens, do the following:

Read the FAQ below and the document listed above to understand whether or not you
need an Inbound connector of OnPremises type.

If your organization does need to create an Inbound connector of OnPremises type,
contact Microsoft Support with your business justification. Our service engineers then
approve the legitimate usage and enable the connector.

FAQs

Q: When do I need to create an Inbound Connector of OnPremises type?

You usually don't need to create an Inbound Connector of OnPremises type. See
Configure mail flow using connectors in Exchange Online for guidance.

Q: I'm using a third party filtering service to filter emails from the internet for my
organization. Do I need to create an Inbound Connector of OnPremises type?

No, you don't need to create an Inbound Connector of Onpremises type. As long as the
configuration in the third party service delivers the messages using your organization’s
.onmicrosoft.com domain, your mail is successfully delivered.

Q: I'm using a third party add-on service to process emails that are composed by users
of my Exchange Online organization before they're sent to the internet. I need to create
an Inbound connector of OnPremises type to relay emails from the third party service
for my organization. What do I need to do?

This is a valid scenario for using an Inbound connector of OnPremises type. Follow the
instructions in Scenario: Integrate Microsoft 365 or Office 365 with an email add-on
service.

In Step 4, if you're using the PowerShell cmdlet New-InboundConnector to create the
connector, ensure SenderIPAddresses is empty. Only a unique certificate domain from the
third party service is allowed, and the domain must be an accepted domain in your
organization. If your organization provides the add-on service and your customers
followed the instructions but still see a warning message, contact Microsoft support to
address the issue.
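The PowerShell form of that step, as an added example that is not part of the article: it creates the OnPremises-type Inbound connector with New-InboundConnector, identifies the add-on service by certificate name only (SenderIPAddresses is left empty, as the answer requires) after confirming the certificate domain is one of your accepted domains, and then reports whether the service created the connector in the disabled state that needs a support request. It assumes a Connect-ExchangeOnline session; the connector name and certificate domain are placeholders.

```powershell
# Added example, not from the article: create the OnPremises-type Inbound connector for an
# email add-on service, identified by certificate only, and report whether it came back
# disabled (the case that needs a Microsoft support request). Run after Connect-ExchangeOnline.
function New-AddOnServiceInboundConnector {
    param(
        [string]$Name       = 'Inbound from add-on service',   # placeholder
        [string]$CertDomain = 'addon.contoso.com'               # placeholder: subject name on the service's certificate
    )

    # The certificate domain must be an accepted domain (or a subdomain of one configured to match subdomains)
    $accepted = Get-AcceptedDomain | Where-Object {
        $d = $_.DomainName.ToString()
        ($CertDomain -eq $d) -or ($_.MatchSubDomains -and $CertDomain -like "*.$d")
    }
    if (-not $accepted) {
        throw "$CertDomain is not an accepted domain in this tenant; add it before creating the connector."
    }

    # No -SenderIPAddresses: the service is matched by its TLS certificate name alone
    $connector = New-InboundConnector -Name $Name `
        -ConnectorType OnPremises `
        -SenderDomains '*' `
        -RequireTls $true `
        -TlsSenderCertificateName $CertDomain

    if (@($connector.SenderIPAddresses).Count -gt 0) {
        Write-Warning 'SenderIPAddresses must stay empty for this scenario; identify the service by certificate only.'
    }
    if (-not $connector.Enabled) {
        Write-Warning "Connector '$($connector.Name)' was created disabled for this service offering. Open a Microsoft support request with your business justification to have it enabled."
    }
    $connector | Select-Object Name, ConnectorType, Enabled, RequireTls, TlsSenderCertificateName, SenderIPAddresses
}

New-AddOnServiceInboundConnector
```

The accepted-domain check runs before anything is created, so a typo in the certificate domain fails fast instead of producing a connector that never matches the service's traffic.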

Q: Why do I see the warning message "Inbound connector for this service offering is
created in a disabled state. Contact Support to enable it." when I try to create an
Inbound Connector of OnPremises type? What should I do if my organization needs to
create an Inbound Connector of OnPremises type?

These connectors are created as “Disabled” by default. Customers that experience this
behavior must contact Microsoft support with a business justification to enable an
Inbound connector of OnPremises type within their tenant.

Q: I'm running the HCW (Hybrid Configuration Wizard) and I see the warning message
"Inbound Connectors created by HCW are in disabled state". What do I need to do to
enable the Inbound Connector created by the HCW?

As with connectors created via the EAC (Exchange Admin Center) or a PowerShell cmdlet,
customers that experience this behavior must contact Microsoft support with a business
justification to enable an Inbound connector of OnPremises type for hybrid use within
their tenant.

Q: Can I modify the HCW-created connector Inbound from <TenantGUID> to use IP
addresses instead of certificates for my hybrid service connectors? Is this allowed?

No. Hybrid connectors are supported only with certificates, not with IP addresses.

Set up connectors to route mail between Microsoft 365 or Office 365 and your own
email servers
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if you aren't already doing so.

While most of the features have been migrated to the new EAC, some have been
migrated to other admin centers and the remaining ones will soon be migrated to the
new EAC. Features that are not yet available in the new EAC are listed under Other
Features; you can also use Global Search to navigate across the new EAC.

This topic helps you set up the connectors you need for the following two scenarios:

You have your own email servers (also called on-premises servers), and you
subscribe to Exchange Online Protection (EOP) for email protection services.
You have (or intend to have) mailboxes in two places; some of your mailboxes are
in Microsoft 365 or Office 365, and some of your mailboxes are on your
organization email servers (also called on-premises servers).

Important

Before you get started, make sure to check on your specific scenario in I have my
own email servers.

If you apply the steps described in this article to partner email services, you may
have unintended consequences including email delivery failure. To learn more
about partner scenarios, see Set up connectors for secure mail flow with a partner
organization.

How do connectors work with my on-premises email servers?

If you have EOP and your own email servers, or if some of your mailboxes are in
Microsoft 365 or Office 365 and some are on your email servers, set up connectors to
enable mail flow in both directions. You can enable mail flow between Microsoft 365 or
Office 365 and any SMTP-based email server, such as Exchange or a third-party email
server.

The diagram below shows how connectors in Microsoft 365 or Office 365 (including
Exchange Online or EOP) work with your own email servers.

In this example, John and Bob are both employees at your company. John has a mailbox
on an email server that you manage, and Bob has a mailbox in Office 365. John and Bob
both exchange mail with Sun, a customer with an internet email account:

When email is sent between John and Bob, connectors are needed.
When email is sent between John and Sun, connectors are needed. (All internet
email is delivered via Office 365.)
When email is sent between Bob and Sun, no connector is needed.

If you have your own email servers and Microsoft 365 or Office 365, you must set up
connectors in Microsoft 365 or Office 365. Without connectors, email will not flow
between Microsoft 365 or Office 365 and your organization's email servers.

How do connectors route mail between Microsoft 365 or Office 365 and my own email
server?

You need two connectors to route email between Microsoft 365 or Office 365 and your
email servers, as follows:

A connector from Office 365 to your own email server

When you set up Microsoft 365 or Office 365 to accept all emails on behalf of your
organization, you will point your domain's MX (mail exchange) record to Microsoft 365
or Office 365. To prepare for this mail delivery scenario, you must set up an alternative
server (called a "smart host") so that Microsoft 365 or Office 365 can send emails to your
organization's email server (also called "on-premises server"). To complete the scenario,
you might need to configure your email server to accept messages delivered by
Microsoft 365 or Office 365.

A connector from your own email server to Office 365

When this connector is set up, Microsoft 365 or Office 365 accepts messages from
your organization's email server and sends the messages to recipients on your
behalf. The recipient could be a mailbox for your organization in Microsoft 365 or
Office 365, or it could be a recipient on the internet. To complete this scenario,
you'll also need to configure your email server to send email messages directly to
Microsoft 365 or Office 365.

This connector enables Microsoft 365 or Office 365 to scan your email for spam and
malware, and to enforce compliance requirements such as running data loss prevention
policies. When your email server sends all email messages directly to Microsoft 365 or
Office 365, your own IP addresses are shielded from being added to a spam-block list.
To complete the scenario, you might need to configure your email server to send
messages to Microsoft 365 or Office 365.

Note

This scenario requires two connectors: one from Microsoft 365 or Office 365 to
your mail servers, and one to manage mail flow in the opposite direction. Before
you start, ensure you have all the information you need, and continue with the
instructions until you have set up and validated both connectors.

Overview of the steps

Here is an overview of the steps:

Complete the prerequisites for your email server environment.
Part 1: Configure mail to flow from Microsoft 365 or Office 365 to your on-premises
email server
Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365

Prerequisites for your on-premises email environment

Prepare your on-premises email server so that it's ready to connect with Microsoft 365
or Office 365. Follow these steps:

1. Ensure that your on-premises email server is set up and capable of sending and
receiving Internet (external) email.

2. Check that your on-premises email server has Transport Layer Security (TLS)
enabled, with a valid certification authority-signed (CA-signed) certificate. We
recommend that the certificate subject name includes the domain name that
matches the primary email server in your organization. Buy a CA-signed digital
certificate that matches this description, if necessary.

3. If you want to use certificates for secure communication between Microsoft 365 or
Office 365 and your email server, update the connector your email server uses to
receive mail. This connector must recognize the right certificate when Microsoft
365 or Office 365 attempts a connection with your server. If you're using Exchange,
see Receive connectors for more information. On the Edge Transport Server or
Client Access Server (CAS), configure the default certificate for the Receive
connector. Update the TlsCertificateName parameter on the Set-ReceiveConnector
cmdlet in the Exchange Management Shell. To learn how to open the Exchange
Management Shell in your on-premises Exchange organization, see Open the
Exchange Management Shell.

4. Make a note of the name or IP address of your external-facing email server. If
you're using Exchange, this is the Fully Qualified Domain Name (FQDN) of your Edge
Transport server or CAS that will receive email from Microsoft 365 or Office 365.

5. Open port 25 on your firewall so that Microsoft 365 or Office 365 can connect to
your email servers.

6. Ensure that your firewall accepts connections from all Microsoft 365 or Office 365
IP addresses. See Exchange Online for the published IP address ranges.

7. Make a note of an email address for each domain in your organization. You'll need
this email address later to test that your connector is working properly.
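Prerequisites 2 and 3 are the ones most often done by hand and got wrong (an expired or self-signed certificate, or one bound to the wrong connector). The following script is an added example, not part of the article; it runs in the on-premises Exchange Management Shell, selects with Get-ExchangeCertificate a CA-signed certificate that is enabled for SMTP, is not about to expire and whose subject or SAN covers the external FQDN, and binds it to the internet-facing Receive connector with Set-ReceiveConnector using the "<I>issuer<S>subject" form that the TlsCertificateName parameter expects. The FQDN and connector identity are placeholders.

```powershell
# Added example, not from the article: bind a suitable CA-signed certificate to the
# internet-facing Receive connector (prerequisites 2 and 3). Run in the on-premises
# Exchange Management Shell; FQDN and connector identity are placeholders.
function Set-InternetReceiveConnectorCertificate {
    param(
        [string]$ExternalFqdn      = 'mail.contoso.com',             # placeholder
        [string]$ConnectorIdentity = 'EX01\Default Frontend EX01',   # placeholder
        [int]$MinDaysValid         = 30
    )

    # Keep only certificates that are CA-signed, enabled for SMTP, valid for at least
    # $MinDaysValid more days, and whose subject/SAN list covers the external FQDN
    # (a wildcard entry such as *.contoso.com also matches via -like)
    $candidates = @(Get-ExchangeCertificate | Where-Object {
        (-not $_.IsSelfSigned) -and
        ($_.Services -match 'SMTP') -and
        ($_.NotAfter -gt (Get-Date).AddDays($MinDaysValid)) -and
        ($_.CertificateDomains | Where-Object { $ExternalFqdn -like $_ })
    } | Sort-Object NotAfter -Descending)

    if ($candidates.Count -eq 0) {
        throw "No CA-signed, SMTP-enabled certificate valid for $MinDaysValid+ days covers $ExternalFqdn. Obtain one before continuing (prerequisite 2)."
    }
    $cert = $candidates[0]   # longest-lived matching certificate

    # Set-ReceiveConnector identifies the certificate as "<I>issuer<S>subject", not by thumbprint
    $tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
    Set-ReceiveConnector -Identity $ConnectorIdentity -TlsCertificateName $tlsName

    Get-ReceiveConnector -Identity $ConnectorIdentity |
        Select-Object Name, Fqdn, TlsCertificateName, @{ n = 'Thumbprint'; e = { $cert.Thumbprint } }
}

Set-InternetReceiveConnectorCertificate -ExternalFqdn 'mail.contoso.com' -ConnectorIdentity 'EX01\Default Frontend EX01'
```

Because the selection is by external FQDN rather than by thumbprint, the same function can be re-run after a certificate renewal and will pick up the new certificate without editing the script.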

Part 1: Configure mail to flow from Microsoft 365 or Office 365 to your on-premises
email server

There are three steps for this configuration:

1. Configure your Microsoft 365 or Office 365 environment.

2. Set up a connector from Office 365 to your email server.

3. Change your MX record to redirect your mail flow from the internet to Microsoft
365 or Office 365.

1. Configure your Microsoft 365 or Office 365 environment

Make sure you have completed the following tasks in Microsoft 365 or Office 365:

1. To set up connectors, you need permissions assigned before you can begin. To
check what permissions you need, see the Microsoft 365 and Office 365
connectors entries in the Permissions in standalone EOP topic.

2. If you want EOP or Exchange Online to relay email from your email servers to the
internet, either:

Use a certificate configured with a subject name that matches an accepted
domain in Microsoft 365 or Office 365. We recommend that your certificate's
common name or subject alternative name matches the primary SMTP
domain for your organization. For details, see Prerequisites for your on-premises
email environment.

-OR-

Ensure that all the sender domains and subdomains of your organization are
configured as accepted domains in Microsoft 365 or Office 365.

For more information about defining accepted domains, see Manage accepted
domains in Exchange Online and Enable mail flow for subdomains in Exchange
Online.

3. Decide whether you want to use mail flow rules (also known as transport rules) or
domain names to deliver mail from Microsoft 365 or Office 365 to your email
servers. Most businesses choose to deliver mail for all accepted domains. For more
information, see Scenario: Conditional mail routing in Exchange Online.

Note

You can set up mail flow rules as described in Mail flow rule actions in Exchange
Online. For example, you might want to use mail flow rules with connectors if your
mail is currently directed via distribution lists to multiple sites.

2. Set up a connector from Microsoft 365 or Office 365 to your email server

Before you set up a new connector, check for any connectors that are already listed here
for your organization. For example, if you ran the Exchange Hybrid Configuration wizard,
connectors that deliver mail between Microsoft 365 or Office 365 and Exchange Server
will be set up already and listed here, as shown in the following two screenshots, for
New Exchange admin center (EAC) and Classic EAC, respectively.
If the connectors are already listed, you don't need to set them up again, but you can
edit them if you need to.

If you don't plan to use the hybrid configuration wizard, or if you're running Exchange
Server 2007 or earlier, or if you're running a non-Microsoft SMTP mail server, or if no
connector is listed from your organization's mail server to Microsoft 365 or Office 365,
set up a connector using the wizard, as described in the procedures below.

Note

Before creating a connector, navigate to the new EAC from the Microsoft 365
admin center by clicking Exchange under the Admin centers pane.

For New EAC

1. Navigate to Mail flow > Connectors. The Connectors screen appears.

2. Click + Add a connector. The New connector screen appears.

3. Under Connection from, choose Office 365.

4. Under Connection to, choose Your organization's email server.

5. Click Next. The Connector name screen appears.

6. Provide a name for the connector and click Next. The Use of connector screen
appears.

7. Choose an option that determines when you want to use the connector, and click
Next. The Routing screen appears.

Note

For information on choosing one of the three options on the Use of connector
screen and the reasons for choosing that option, see Options determining use of
connector, below in this article.

8. Enter the domain name or IP address of the host computer to which Office 365 will
deliver email messages.

9. Click +.

Note

It is mandatory to click + after entering the smart host name to navigate to the
next screen.

10. Click Next. The Security restrictions screen appears.

11. Define the settings:

    a. Check the check box for Always use Transport Layer Security (TLS) to secure the
    connection (recommended).

    Note

    It is not mandatory to configure the Transport Layer Security (TLS) settings on the
    Security restrictions page. You can navigate to the next screen without choosing
    anything on this screen. Whether you need to define TLS settings on this page
    depends on whether the destination server supports TLS.

    If you opt to define the TLS settings, the following choice becomes mandatory.

    b. Choose one of the two options under Connect only if the recipient's email
    server certificate matches this criteria.

    Note

    If you choose the Issued by a trusted certificate authority (CA) option, the
    Add the subject name or subject alternative name (SAN) matches this domain
    name option is activated.

    It is optional to choose the Add the subject name or subject alternative name
    (SAN) matches this domain name option. However, if you choose it, you must
    enter the domain name that the certificate name must match.

    c. Click Next. The Validation email screen appears.

12. Enter an email that belongs to the mailbox of your organization's domain.

13. Click +.

Note

It is mandatory to click + for the Validate button to be enabled.

14. Click Validate. The connector validation process starts.

15. Once the validation process is completed, click Next. The Review connector screen
appears.

16. Review the settings you have configured and click Create connector.

The connector is created.

For Classic EAC

Click +. On the first screen, choose the options that are depicted in the following
screenshot.

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links
if you need more information. The wizard will guide you through setup. At the end,
make sure your connector validates. If the connector does not validate, double-click the
message displayed to get more information, and see Validate connectors for help
resolving issues.

3. Change your MX record to redirect your mail flow from the internet to Microsoft 365 or Office 365

To redirect email flow to Microsoft 365 or Office 365, change the MX (mail exchange)
record for your domain. For instructions on how to do this task, see Add DNS records to
connect your domain.

Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365

There are two steps for this configuration:

1. Set up a connector from your email server to Microsoft 365 or Office 365.
2. Set up your email server to relay mail to the internet via Microsoft 365 or Office
365.

1. Set up a connector from your email server to Microsoft 365 or Office 365

For New EAC

1. Navigate to Mail flow > Connectors. The Connectors screen appears.

Note

If any connectors already exist for your organization, they are displayed on clicking
Connectors.

2. Click + Add a connector. The New connector screen appears.

3. Under Connection from, choose Your organization's email server.

Note

Once you select the Your organization's email server radio button under
Connection from, the option under Connection to is greyed out, implying that it is
the default option chosen.

4. Click Next. The Connector name screen appears.

5. Provide a name for the connector and click Next. The Authenticating sent email
screen appears.

6. Choose one of the two options: By verifying that the subject name on the
certificate that the sending server uses to authenticate with Office 365 matches
the domain entered in the text box below (recommended), or By verifying that the
IP address of the sending server matches one of the following IP addresses, which
belong exclusively to your organization.

Note

If you choose the first option, provide your domain name (if your organization has
only one domain) or any one of the domains of your organization (in case of
multiple domains). If you choose the second option, provide the IP address of your
organization's domain server.

7. Click Next. The Review connector screen appears.

8. Review the settings you have configured, and click Create connector.

The connector is created.

Note

If you need more information, you can click the Help or Learn More links. In
particular, see Identifying email from your email server for help in configuring
certificate or IP address settings for this connector. The wizard will guide you
through setup.

For Classic EAC

To start the wizard, click the plus symbol +. On the first screen, choose the options that
are depicted in the following screenshot:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links
if you need more information. In particular, see Identifying email from your email server
for help configuring certificate or IP address settings for this connector. The wizard will
guide you through setup. At the end, save your connector.
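The same pair of on-premises connectors (Microsoft 365 or Office 365 to your email server, as in the procedure above, and your email server to Microsoft 365 or Office 365 from Part 2 step 1) created with Exchange Online PowerShell rather than the EAC wizard. This is an added example, not code from the Microsoft article; the host names, the IP range and the connector names are assumptions, and a Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): on-premises connectors in both directions, created with
# Exchange Online PowerShell. Replace mail.contoso.com and 203.0.113.0/28 with your own values.

# Microsoft 365 / Office 365 -> your email server, for all accepted domains.
# The wizard's "Always use TLS" plus "Issued by a trusted CA" plus "SAN matches this domain"
# combination is -TlsSettings DomainValidation with -TlsDomain. Leaving -TlsSettings out is the
# wizard's "choose nothing on the Security restrictions page": delivery to the smart host is then
# allowed without TLS. EncryptionOnly would require TLS but skip the certificate check.
New-OutboundConnector -Name 'Office 365 to on-premises' -ConnectorType OnPremises `
    -AllAcceptedDomains $true -UseMXRecord $false -SmartHosts 'mail.contoso.com' `
    -TlsSettings DomainValidation -TlsDomain 'mail.contoso.com' `
    -CloudServicesMailEnabled $true -Enabled $true

# Your email server -> Microsoft 365 / Office 365, identified by the subject name of the
# certificate your server presents (the option the wizard recommends).
New-InboundConnector -Name 'On-premises to Office 365' -ConnectorType OnPremises `
    -SenderDomains '*' -RequireTls $true -TlsSenderCertificateName 'mail.contoso.com' `
    -CloudServicesMailEnabled $true -Enabled $true

# The wizard's second option instead: identify your server by the public IP addresses that
# belong exclusively to your organization (assumed range).
# New-InboundConnector -Name 'On-premises to Office 365 (IP)' -ConnectorType OnPremises `
#     -SenderDomains '*' -SenderIPAddresses '203.0.113.0/28' -RestrictDomainsToIPAddresses $true `
#     -CloudServicesMailEnabled $true -Enabled $true

# Confirm what was created and whether the TLS requirements are actually set.
Get-OutboundConnector -Identity 'Office 365 to on-premises' |
    Format-List Name, SmartHosts, TlsSettings, TlsDomain, AllAcceptedDomains, Enabled
Get-InboundConnector -Identity 'On-premises to Office 365' |
    Format-List Name, RequireTls, TlsSenderCertificateName, SenderIPAddresses, Enabled
```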

2. Set up your email server to relay mail to the internet via Microsoft 365 or Office 365

Next, you must prepare your email server to send mail to Microsoft 365 or Office 365.
This configuration of the email server enables mail flow from your email servers to the
Internet via Microsoft 365 or Office 365.

If your on-premises email environment is Microsoft Exchange, you create a Send
connector that uses smart host routing to send messages to Microsoft 365 or Office
365. For more information, see Create a Send connector to route outbound mail through
a smart host.

To create the Send connector in Exchange Server, use the following syntax in the
Exchange Management Shell. To learn how to open the Exchange Management Shell in
your on-premises Exchange organization, see Open the Exchange Management Shell.

Note

In the following procedures, the CloudServicesMailEnabled parameter is available in
Exchange 2013 or later.

PowerShell

New-SendConnector -Name <DescriptiveName> -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts <YourDomain>-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This example creates a new Send Connector with the following properties:

Name: My company to Office 365
FQDN: mail.contoso.com
SmartHosts: contoso-com.mail.protection.outlook.com

PowerShell

New-SendConnector -Name "My company to Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn mail.contoso.com -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts contoso-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation
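An audit of an existing Send connector against the settings the command above sets, so that a connector that would relay to Microsoft 365 or Office 365 without TLS or certificate validation is reported rather than assumed. This is an added example, not part of the Microsoft article; it runs in the Exchange Management Shell, and the connector name and accepted domain passed at the end are assumptions.

```powershell
# Added example (not from the article): compare an on-premises Send connector with the values
# the article's New-SendConnector command sets. Run in the Exchange Management Shell (Exchange
# 2013 or later, where CloudServicesMailEnabled exists).

function Test-CloudSendConnector {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Accepted domain the smart host is derived from (contoso.com -> contoso-com.mail.protection.outlook.com)
        [Parameter(Mandatory = $true)][string]$Domain
    )

    $connector = Get-SendConnector -Identity $Name -ErrorAction Stop
    $expectedSmartHost = ($Domain.ToLowerInvariant() -replace '\.', '-') + '.mail.protection.outlook.com'
    $smartHosts = @($connector.SmartHosts | ForEach-Object { "$_" })
    $findings = @()

    # Each check mirrors one parameter of the article's command; a finding means the connector
    # differs from the value the article uses.
    if (-not $connector.RequireTLS) {
        $findings += 'RequireTLS is False: mail can be relayed to the smart host in clear text'
    }
    if ("$($connector.TlsAuthLevel)" -ne 'CertificateValidation') {
        $findings += "TlsAuthLevel is '$($connector.TlsAuthLevel)': the smart host certificate is not validated"
    }
    if ($connector.DNSRoutingEnabled) {
        $findings += 'DNSRoutingEnabled is True: DNS routing is used instead of the smart host'
    }
    if ($smartHosts -notcontains $expectedSmartHost) {
        $findings += "SmartHosts ($($smartHosts -join ', ')) does not contain $expectedSmartHost"
    }
    if (-not $connector.CloudServicesMailEnabled) {
        $findings += 'CloudServicesMailEnabled is False: not set for mail flow to Microsoft 365 or Office 365'
    }
    if ("$($connector.Fqdn)" -eq '') {
        $findings += 'Fqdn is empty: no certificate host name is presented to Microsoft 365 or Office 365'
    }
    if ("$($connector.AddressSpaces)" -notmatch '\*') {
        $findings += "AddressSpaces ($($connector.AddressSpaces -join ', ')) has no wildcard: not all outbound mail uses this connector"
    }

    [pscustomobject]@{
        Name      = $connector.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Connector name and domain taken from the article's example (assumed to exist in your organization).
Test-CloudSendConnector -Name 'My company to Office 365' -Domain 'contoso.com' | Format-List
```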

Change a connector that Microsoft 365 or Office 365 is using for mail flow

To change settings for a connector, select the connector you want to edit and then
select the Edit icon as shown in the following screenshots, for New EAC and Classic EAC,
respectively.
The connector wizard opens, and you can make changes to the existing connector
settings. While you change the connector settings, Microsoft 365 or Office 365
continues to use the existing connector settings for mail flow. When you save changes
to the connector, Microsoft 365 or Office 365 starts using the new settings.

What happens when I have multiple connectors for the same scenario?

Most customers don't need to set up connectors. For those customers who do, one
connector per single mail flow direction is enough. But you can also create multiple
connectors for a single mail flow direction, such as from Microsoft 365 or Office 365 to
your email server (also called on-premises server).

When there are multiple connectors, the first step to resolving mail flow issues is to
know which connector Microsoft 365 or Office 365 is using. Microsoft 365 or Office 365
uses the following order to choose a connector to apply to an email:

1. Use a connector that exactly matches the recipient domain.
2. Use a connector that applies to all accepted domains.
3. Use wildcard pattern matching. For example, *.contoso.com would match
mail.contoso.com and sales.contoso.com.

Example of how Microsoft 365 or Office 365 applies multiple connectors

In this example, your organization has four accepted domains, contoso.com,
sales.contoso.com, fabrikam.com, and contoso.onmicrosoft.com. You have three
connectors configured from Microsoft 365 or Office 365 to your organization's email
server. For this example, these connectors are known as Connector 1, Connector 2, and
Connector 3.

Connector 1 is configured for all accepted domains in your organization. The following
screenshot shows the connectors wizard screen where you define which domains the
connector applies to. In this case, the setting chosen is For email messages sent to all
accepted domains in your organization. The following two screenshots depict the
chosen setting for New EAC and Classic EAC, respectively.
Connector 2 is set up specifically for your company domain Contoso.com. The following
screenshot shows the connectors wizard screen where you define which domains the
connector applies to. In this case, the setting chosen is Only when email messages are
sent to these domains. For Connector 2, your company domain Contoso.com is
specified. The following two screenshots depict the chosen setting for New EAC and
Classic EAC, respectively.

Connector 3 is also set up by using the option Only when email messages are sent to
these domains. But, instead of the specific domain Contoso.com, the connector uses a
wildcard: *.Contoso.com as shown in the following screenshot. The following two
screenshots depict the chosen setting for New EAC and Classic EAC, respectively.

For each email sent from Microsoft 365 or Office 365 to mailboxes on your email server,
Microsoft 365 or Office 365 selects the most specific connector possible. For email sent
to:

john@fabrikam.com, Microsoft 365 or Office 365 selects Connector 1.
john@contoso.com, Microsoft 365 or Office 365 selects Connector 2.
john@sales.contoso.com, Microsoft 365 or Office 365 selects Connector 3.
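The "most specific connector" selection from the example above, reproduced as a function over constructed stand-ins for Connector 1, 2 and 3 (this is an added example, not Microsoft's code or the service's implementation). The order implemented here, exact domain match, then wildcard match, then the all-accepted-domains connector, is the most-specific-first reading that yields the three outcomes listed above; the connector objects and accepted domains are constructed from the example, not read from a tenant.

```powershell
# Added example (not from the article): which outbound connector applies to a recipient domain,
# using the article's accepted domains and Connector 1/2/3 as constructed data.

$AcceptedDomains = @('contoso.com', 'sales.contoso.com', 'fabrikam.com', 'contoso.onmicrosoft.com')

# Constructed stand-ins for the three connectors in the example (not Get-OutboundConnector output).
$Connectors = @(
    [pscustomobject]@{ Name = 'Connector 1'; AllAcceptedDomains = $true;  RecipientDomains = @() }
    [pscustomobject]@{ Name = 'Connector 2'; AllAcceptedDomains = $false; RecipientDomains = @('contoso.com') }
    [pscustomobject]@{ Name = 'Connector 3'; AllAcceptedDomains = $false; RecipientDomains = @('*.contoso.com') }
)

function Select-Connector {
    param(
        [Parameter(Mandatory = $true)][string]$RecipientAddress,
        [Parameter(Mandatory = $true)][object[]]$Connectors,
        [Parameter(Mandatory = $true)][string[]]$AcceptedDomains
    )

    $domain = ($RecipientAddress -split '@')[-1].ToLowerInvariant()

    # 1. A connector scoped to exactly this domain wins (john@contoso.com -> Connector 2).
    $exact = $Connectors | Where-Object { $_.RecipientDomains -contains $domain } | Select-Object -First 1
    if ($exact) { return $exact.Name }

    # 2. A wildcard such as *.contoso.com matches sales.contoso.com and mail.contoso.com,
    #    but not contoso.com itself (john@sales.contoso.com -> Connector 3).
    $wildcard = $Connectors | Where-Object {
        $_.RecipientDomains | Where-Object { $_.StartsWith('*.') -and $domain.EndsWith($_.Substring(1)) }
    } | Select-Object -First 1
    if ($wildcard) { return $wildcard.Name }

    # 3. The connector for all accepted domains, but only if the recipient domain is one of
    #    them (john@fabrikam.com -> Connector 1).
    if ($AcceptedDomains -contains $domain) {
        $all = $Connectors | Where-Object { $_.AllAcceptedDomains } | Select-Object -First 1
        if ($all) { return $all.Name }
    }

    # No connector applies: the message is not routed to the on-premises server by any of them.
    return $null
}

'john@fabrikam.com', 'john@contoso.com', 'john@sales.contoso.com', 'john@example.net' | ForEach-Object {
    $chosen = Select-Connector -RecipientAddress $_ -Connectors $Connectors -AcceptedDomains $AcceptedDomains
    '{0} -> {1}' -f $_, ($(if ($chosen) { $chosen } else { 'no connector' }))
}
```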

See also
Configure mail flow using connectors

Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)

Validate connectors

Set up connectors for secure mail flow with a partner organization


Set up connectors for secure mail flow with a partner organization in Exchange Online
Article • 02/22/2023

You can create connectors to apply security restrictions to mail exchanges with a partner
organization or service provider. A partner can be an organization you do business with,
such as a bank. It can also be a third-party cloud service that provides services such as
archiving, anti-spam, and filtering.

You can create a connector to enforce encryption via transport layer security (TLS). You
can also apply other security restrictions such as specifying domain names or IP address
ranges that your partner organization sends mail from.

Note

Setting up a connector to exchange mail with a partner organization is optional;
mail flows to and from your partner organization occur without connectors.

If you use a third-party cloud service for email filtering and need instructions for making
this work with Microsoft 365 or Office 365, see Mail flow best practices for Exchange
Online and Microsoft 365 or Office 365 (overview).

Using connectors to exchange email with a partner organization

By default, Microsoft 365 or Office 365 sends mails using TLS encryption, provided that
the destination server also supports TLS. If your partner organization supports TLS, you
only need to create a connector if you want to enforce certain security restrictions - for
example, you always want TLS applied, or you require certificate verification whenever
mail is sent from your partner to your organization.

Note

For information about TLS, see How Exchange Online uses TLS to secure email
connections and for detailed technical information about how Exchange Online
uses TLS with cipher suite ordering, see Enhancing mail flow security for Exchange
Online.

When you set up a connector, email messages are checked to ensure they meet the
security restrictions that you specify. If email messages don't meet the security
restrictions that you specify, the connector rejects them, and those messages will not be
delivered. This behavior of the connector makes it possible to set up a secure
communication channel with a partner organization.

You can set up one or both of the following, depending on your requirements:

Set up a connector to apply security restrictions to mail sent from Microsoft 365 or
Office 365 to your partner organization
Set up a connector to apply security restrictions to mail sent from your partner
organization to Microsoft 365 or Office 365

Also in this article:

Change a connector that Microsoft 365 or Office 365 is using for mail flow
Example security restrictions you can apply to email sent from a partner
organization

Review this section to help you determine the specific settings you need for your
business.

Set up a connector to apply security restrictions to mail sent from Microsoft 365 or Office 365 to your partner organization

This section describes the process of setting up a connector in both the New Exchange
admin center (EAC) and the Classic EAC. Before you set up a new connector, do the
following:

Check for any connectors that are already listed here for your organization. For
example, if you already have a connector set up for a partner organization, you'll
see it listed. Ensure you don't create duplicate connectors for a single
organizational partner; when this happens, it can cause errors, and your mail might
not be delivered.

If any connectors already exist for your organization, you can see them listed here, as
shown in the below screenshots for New EAC and Classic EAC, respectively.

Navigate to the new EAC from the Microsoft 365 admin center by clicking
Exchange under the Admin centers pane.

Below are the procedures to set up a new connector.

For New EAC

1. Navigate to Mail flow > Connectors. The Connectors screen appears.

2. Click +Add a connector. The New connector screen appears.

3. Under Connection from, choose Office 365.

4. Under Connection to, choose Partner Organization.

5. Click Next. The Connector name screen appears.

6. Provide a name for the connector and click Next. The Use of connector screen
appears.

7. Choose one of the two options: Only when I have a transport rule set up that
redirects messages to this connector, or Only when email messages are sent to
these domains.

Note

If you choose the second option, provide the name of any one of the domains that
are part of your organization. If there is only one domain for your organization,
enter its name.

8. Click + (after entering the domain name, if you have chosen Only when email
messages are sent to these domains).

The domain name is displayed under the text box.

9. Click Next. The Routing screen appears.

10. Choose one of the two options: Use the MX record associated with the
partner's domain, or Route email through these smart hosts.

Note

If you choose the first option, you need not provide smart host details. If you
choose the second option, enter the domain name of the smart host in the text
box.

11. Click Next. The Security restrictions screen appears.

12. Check the check box for Always use Transport Layer Security (TLS) to secure the
connection (recommended).

Note

It is not mandatory to configure the Transport Layer Security (TLS) settings on the
Security restrictions page. You can navigate to the next screen without choosing
anything on this screen. The need to define TLS settings on this page depends on
whether the destination server supports TLS or not.

13. Choose one of the options under Connect only if the recipient's email server
certificate matches this criteria.

Note

If you choose the Issued by a trusted certificate authority (CA) option, the
Add the subject name or subject alternative name (SAN) matches this domain
name option is activated.

It is optional to choose the Add the subject name or subject alternative name
(SAN) matches this domain name option. However, if you choose it, you must
enter the domain name to which the certificate name matches.

14. Click Next. The Validation email screen appears.

15. Enter an email address that is part of the mailbox in your organization's email
server.

16. Click +.

17. Click Validate. The validation process starts.

18. Once the validation process is completed, click Next. The Review connector screen
appears.

19. Review the settings you have configured, and click Create connector.

The connector is created.

Note

If you need more information about the setup, click the Help or Learn More links.

20. At the end, ensure your connector validates. If the connector does not validate, see
Validate connectors for help resolving issues.

For Classic EAC

Navigate to the Classic EAC portal by clicking Classic Exchange admin center. Select
mail flow and then connectors.

To start the wizard, click the plus symbol +. On the first screen, choose the options that
are depicted in the following screenshot:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links
if you need more information. The wizard will guide you through setup. At the end,
ensure your connector validates. If the connector does not validate, see Validate
connectors for help resolving issues.

If you want to create a secure channel with your partner organization in both directions,
set up a connector that restricts mail flow from your partner organization to Microsoft
365 or Office 365.

Set up a connector to apply security restrictions to mail sent from your partner organization to Microsoft 365 or Office 365

You can set up a connector to apply security restrictions to email that your partner
organization sends to you. The procedure to set up a connector is described below.

For New EAC

1. Navigate to Mail flow > Connectors. The Connectors screen appears.

2. Click +Add a connector. The New connector screen appears.

3. Under Connection from, choose Partner organization.

Note

Once you select the Partner organization radio button under Connection from, the
option under Connection to is greyed out, implying that Office 365 is chosen by
default.

4. Click Next. The Connector name screen appears.

5. Provide a name for the connector and click Next. The Authenticating sent email
screen appears.

6. Choose one of the two options: By verifying that the sender domain matches
one of the following domains, or By verifying that the IP address of the sending
server matches one of the following IP addresses, which belong to your partner
organization.

Note

If you choose By verifying that the sender domain matches one of the following
domains, you can provide the name of any one domain from the list of domains for
your organization. If you have only one domain for your organization, enter its
name. If you choose By verifying that the IP address of the sending server
matches one of the following IP addresses, which belong to your partner
organization, provide an IP address of any of the recipients who are part of your
organization's mailbox.

7. Click Next. The Security restrictions screen appears.

8. Check the check box for Reject email messages if they aren't sent over TLS.

Note

It is optional to choose the option of And require that the subject name of the
certificate that the partner uses to authenticate with Office 365 matches this
domain name. If you choose this option, enter the domain name of the partner
organization.

9. Check the check box for Reject email messages if they aren't sent from within this
IP address range, and provide the IP address range.

Important

You can choose this option in addition to the option specified in Step 5, or you
can choose either this option or the one in Step 5. Choosing at least one of these
options is mandatory.

10. Click Next. The Review connector screen appears.

11. Review the settings you have configured, and click Create connector.

The connector is created.

Note

If you need more information, you can click the Help or Learn More links. In
particular, see Identifying email from your email server for help in configuring
certificate or IP address settings for this connector. The wizard will guide you
through the setup.

For Classic EAC

To start the wizard, click the plus symbol +. On the first screen, choose the following
options:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links
if you need more information. The wizard will guide you through setup. At the end, save
your connector.

Ask your partner organization to send a test email. Ensure the email your partner
organization sends will cause the connector to be applied. For example, if you specified
security restrictions for mail sent from a specific partner domain, ensure they send test
mail from that domain. Check that the test email is delivered to confirm that the
connector works correctly.

Change a connector that Microsoft 365 or Office 365 is using for mail flow

To change settings for a connector, perform the procedures specified below.

Select the connector you want to edit and then click the Edit icon, as shown in the
following two screens for New EAC and Classic EAC, respectively.

The connector wizard opens, and you can make changes to the existing connector
settings. While you change the connector settings, Microsoft 365 or Office 365
continues to use the existing connector settings for mail flow. When you save changes
to the connector, Microsoft 365 or Office 365 starts using the new settings.

Example security restrictions you can apply to email sent from a partner organization

Review these connector examples to help you decide whether you want to apply
security restrictions to emails sent by a partner organization, and understand what
settings will meet your business needs:

Create a partner organization connector

For New EAC

For details on this procedure, see the For New EAC subsection in the Set up a
connector to apply security restrictions to mail sent from your partner organization to
Microsoft 365 or Office 365 section in this topic.

For Classic EAC

From the new EAC portal, navigate to the Classic EAC portal by clicking Classic Exchange
admin center. Select mail flow and then connectors.

To start the wizard, click the plus symbol +. To create a connector for email you receive
from a partner organization, use the options depicted in the following screenshot:

Once you choose this mail flow scenario, you can set up a connector that will apply
security restrictions to emails that your partner organization sends to you. For some
security restrictions, you might need to talk to your partner organization to obtain
information to complete some settings. Look for the examples that best meet your
needs to help you set up your partner connector.

Note

Any email sent from your partner organization which does not meet security
restrictions that you specify will not be delivered.

Example 1: Require that email sent from your partner organization domain contosobank.com is encrypted using transport layer security (TLS)

To do this, specify your partner organization domain name to identify mail from that
partner, and then choose transport layer security (TLS) encryption when you create the
connector for mail flow from your partner to Microsoft 365 or Office 365.

During setup of the connector in the New EAC, use the options as shown in the
following screenshots:

Use this screen to enter your partner organization's domain name(s) so the connector
can identify mail sent by your partner:

Choose this setting to require encryption for all email from ContosoBank.com using TLS:

During setup of the connector in the Classic EAC, use the options as shown in the
following screenshots:

Use this screen to enter your partner organization's domain name(s) so the connector
can identify mail sent by your partner:

Choose this setting to require encryption for all email from ContosoBank.com using TLS:

When you choose these settings, all emails from your partner organization's domain,
ContosoBank.com, must be encrypted using TLS. Any mail that is not encrypted will be
rejected.

Example 2: Require that email sent from your partner organization domain ContosoBank.com is encrypted and uses their domain certificate

To do this in the New EAC, perform the following steps:

1. Use all the settings shown in Example 1 above.

2. Add the certificate domain name that your partner organization uses to connect
with Microsoft 365 or Office 365.

To do this in the Classic EAC:

1. Use all the settings shown in Example 1 above.

2. Add the certificate domain name that your partner organization uses to connect
with Microsoft 365 or Office 365.

When you set these restrictions, all mail from your partner organization domain must be
encrypted using TLS, and sent from a server with the certificate name you specify. Any
email that does not meet these conditions will be rejected.

Example 3: Require that all emails are sent from a specific IP address range

This email could be from a partner organization, such as ContosoBank.com, or from
your on-premises environment. For instance, the MX record for your domain,
contoso.com, points to on-premises, and you want all emails being sent to contoso.com
to come from your on-premises IP addresses only. This helps prevent spoofing and
ensures your compliance policies can be enforced for all messages.

To do this, specify your partner organization domain name to identify mail from that
partner, and then restrict the IP addresses that you accept mail from. Using an IP
address makes the connector more specific because it identifies a single address or an
address range that your partner organization sends mails from.

In the New EAC, the procedure is as described below:

1. Enter your partner domain as described in Example 1 above.

2. Use the options as shown in the screenshot below.

In the Classic EAC, the procedure is as described below:

1. Enter your partner domain as described in Example 1 above.

2. Use the options as shown in the screenshot below.

When you set these restrictions, all emails that are sent from your partner organization
domain, ContosoBank.com, or from your on-premises environment will be from the IP
address or an address range you specify. Any mail that does not meet these conditions
will be rejected.

Example 4: Require that all email sent to your organization from the internet is sent from a specific IP address (third-party email service scenario)

Mail flow from a third-party email service to Microsoft 365 or Office 365 works without a
connector. However, in this scenario, you can optionally use a connector to restrict all
mail delivery to your organization. If you use the settings described in this example, they
will apply to all email sent to your organization. When all emails sent to your
organization comes from a single third-party email service, you can optionally use a
connector to restrict all mail delivery; only mail sent from a single IP address or address
range will be delivered.

Note

Ensure you identify the full range of IP addresses that your third-party email service
sends mail from. If you miss an IP address, or if one gets added without your
knowledge, some mails will not be delivered to your organization.

In the New EAC, to restrict all mails sent to your organization from a specific IP address
or address range, use the options during setup as shown in the following screenshots:

In the Classic EAC, to restrict all mails sent to your organization from a specific IP
address or address range, use the options during setup as shown in the following
screenshots:

When you set these restrictions, all mails sent to your organization will be from a
specific IP address range. Any internet email that does not originate from this IP address
range will be rejected.

Example 5: Require that all mail sent from your partner organization IP address or address range is encrypted using TLS

To identify your partner organization by IP address, in the New EAC, use the options
during setup as shown in the screenshot below:

Add the requirement for TLS encryption by using this setting:

To identify your partner organization by IP address, in the Classic EAC, use the options
during setup, as shown in the screenshots below:

Add the requirement for TLS encryption by using this setting:

When you set these restrictions, all mail from your partner organization sent from the IP
address or address range you specify must be sent using TLS. Any mail that does not
meet this restriction will be rejected.
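The restrictions from Examples 1 to 5, together with the outbound connector to the partner from the earlier section, expressed as Exchange Online PowerShell instead of the EAC wizard, followed by a check that lists partner connectors which enforce no restriction at all. This is an added example and not Microsoft's code; the IP ranges, certificate host names and connector names are placeholders, and a Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the article): partner connectors with the security restrictions from
# Examples 1 to 5. 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
# standing in for values agreed with the partner.

# Outbound: Microsoft 365 / Office 365 -> ContosoBank.com, always over TLS and only to a server
# whose certificate is issued by a trusted CA and whose SAN matches the partner's host name.
New-OutboundConnector -Name 'To ContosoBank' -ConnectorType Partner `
    -RecipientDomains 'contosobank.com' -UseMXRecord $true `
    -TlsSettings DomainValidation -TlsDomain 'mail.contosobank.com'

# Example 1: mail from the partner domain must arrive over TLS; anything else is rejected.
New-InboundConnector -Name 'ContosoBank inbound (TLS)' -ConnectorType Partner `
    -SenderDomains 'contosobank.com' -RequireTls $true

# Example 2: Example 1 plus the partner's certificate subject must match the name you specify.
New-InboundConnector -Name 'ContosoBank inbound (TLS + certificate)' -ConnectorType Partner `
    -SenderDomains 'contosobank.com' -RequireTls $true `
    -TlsSenderCertificateName 'mail.contosobank.com' -RestrictDomainsToCertificate $true

# Example 3: mail that claims the partner domain is accepted only from the partner's IP range.
New-InboundConnector -Name 'ContosoBank inbound (IP restricted)' -ConnectorType Partner `
    -SenderDomains 'contosobank.com' -SenderIPAddresses '192.0.2.0/24' `
    -RestrictDomainsToIPAddresses $true

# Example 4: all internet mail to the organization must come from the filtering service's ranges.
# Every range the service sends from must be listed, or that mail is rejected (see the note above).
New-InboundConnector -Name 'Filtering service inbound' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses '198.51.100.0/24', '203.0.113.0/24' `
    -RestrictDomainsToIPAddresses $true

# Example 5: identify the partner by IP range instead of domain, and require TLS as well.
New-InboundConnector -Name 'ContosoBank inbound (IP + TLS)' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses '192.0.2.0/24' -RequireTls $true

# Check: an enabled partner connector that neither requires TLS nor pins sender IP addresses
# applies no restriction (mail flows without a connector anyway), so list them for review.
function Get-UnrestrictedPartnerConnector {
    Get-InboundConnector | Where-Object {
        $_.ConnectorType -eq 'Partner' -and $_.Enabled -and
        -not $_.RequireTls -and
        -not ($_.RestrictDomainsToIPAddresses -and @($_.SenderIPAddresses).Count -gt 0)
    } | Select-Object Name, SenderDomains, SenderIPAddresses, RequireTls, RestrictDomainsToIPAddresses
}

Get-UnrestrictedPartnerConnector | Format-Table -AutoSize
```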

See also
Configure mail flow using connectors in Microsoft 365 or Office 365

Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)

Validate connectors

What happens when I have multiple connectors for the same scenario?

Validate connectors in Exchange Online
Article • 02/22/2023

If your organization has its own email server (also called on-premises server), you must
set up connectors to enable mail flow between Microsoft 365 or Office 365 and your
email server. For mail flow to work correctly, your connectors must be validated and
turned on. Connector validation runs as part of the connector setup process. This article
helps if you want to validate your connectors at a different time, or if you want to
understand more about the process. Use built-in connector validation to test whether a
connector is set up correctly and fix any mail flow issues before you turn the connector
on.

Note

If you want to change connector settings, Microsoft 365 or Office 365 uses the
existing connector settings for mail flow until you save your changes. For more
information, see Change a connector that Microsoft 365 or Office 365 is using for
mail flow.

Validate and turn on connectors

This section describes the procedures to validate and turn on connectors in both the
New Exchange admin center (EAC) and Classic EAC.

Before validating and turning on the connectors, sign in to Microsoft 365 or Office 365,
choose Admin, and then select Exchange to go to the New EAC.

Note

To navigate to Classic EAC, you need not separately launch its URL. You can
navigate from the New EAC interface by clicking Classic Exchange admin center on
the left-bottom.

For New EAC

1. Navigate to Mail flow > Connectors. The Connectors screen appears.

Note

Any Microsoft 365 or Office 365 connectors that exist for your organization are
listed on the Connectors page. This list includes connectors that were created by
using the Hybrid Configuration Wizard or PowerShell. You can validate any
connector configured for mail flow from Microsoft 365 or Office 365 to your
organization's email server, or to a partner organization.

2. Choose and click the connector you want to validate or turn on.

3. Click the connector. The connector details screen appears.

4. View the information.

When you select a connector for mail flow that originates in Microsoft 365 or Office 365,
you can choose the Validate this connector link. You can also see whether the
connector was validated previously as shown in the following screenshot.

5. Under Status, if Off is displayed, click Edit name or status. The Connector name
screen appears.

6. Under What do you want to do after connector is saved, check the check box for
Turn it on.

7. Click Next. The Validation email screen appears.

8. Enter an email address that is part of the active mailbox on your organization's
email server.

9. Click +, and then click Validate. The validation process starts.

10. Once the validation process is completed, click Save.

The connector is updated successfully from being turned off to being turned on.

For Classic EAC

1. Navigate to the Classic EAC portal by clicking Classic Exchange admin center.
Select mail flow and then connectors.

Any Microsoft 365 or Office 365 connectors that exist for your organization are
listed on the Connectors page. This includes connectors that were created by
using the Hybrid Configuration Wizard or PowerShell. You can validate any
connector configured for mail flow from Microsoft 365 or Office 365 to your
organization's email server, or to a partner organization.

2. Choose the connector you want to validate or turn on. You can see information
about the connector in the details pane as shown in the following screenshot.

3. When you select a connector for mail flow that originates in Microsoft 365 or
Office 365, you can choose the Validate this connector link. You can also see
whether the connector was validated previously as shown in the following
screenshot.

4. With the connector selected, choose Validate this connector. The Validate this
connector dialog box opens. Enter one or more email addresses to start the
validation. Microsoft 365 or Office 365 uses these addresses to make sure your
mail flow is set up correctly. For example, if you want to validate a connector for
mail flow from Microsoft 365 or Office 365 to your organization's email server,
enter an email address for a mailbox located on that email server.

5. Choose Validate to continue. To find out what issues validation examines, and for
details about fixing any validation errors, see Validate connectors.

6. For each connector, check whether the connector is turned on. If a connector that
you need for mail flow isn't turned on, under Status choose Turn it on.

Note

If you continue to have mail flow issues after validating a connector, check whether
you have set up multiple connectors that might apply in a single scenario. For
example, problems can occur if you have more than one connector set up for mail
flow from Microsoft 365 or Office 365 to your email server. If you need multiple
connectors for mail flow from Microsoft 365 or Office 365 to your email server (or
to a partner), ensure you validate and turn on each connector. If you want to
change a connector, Microsoft 365 or Office 365 uses the existing connector
settings for mail flow until you save your changes. For more information, see
Change a connector that Microsoft 365 or Office 365 is using for mail flow.

See also
Set up connectors to route mail between Microsoft 365 or Office 365 and your own
email servers

Configure mail flow using connectors

Validate connectors

When do I need a connector?


Scenario: Conditional mail routing in Exchange Online
Article • 02/22/2023

There might be times when you need to route mail differently, depending on the
recipient or sender of the message, where it's being sent, the contents of the
message, and so on. For example, if you have multiple sites around the world, you might
want to route mail to a specific site. You can do this by using connectors and mail flow
rules (also known as transport rules).

When the steps below are completed, a mail flow rule will redirect messages addressed
to users whose City property is set to New Orleans to the IP address specified by the
connector from Office 365 to your organization's email server.

Step 1: Use the Exchange admin center to create the connector

The first thing we need to do is create a connector from Office 365 to your
organization's email server. This connector will be used by the mail flow rule that we'll
set up in Step 2. In this connector, you'll select where received messages originate from
(such as a mailbox in your Microsoft 365 or Office 365 organization), the type of
organization to which the messages will be sent (such as your on-premises servers), the
security that should be applied to the connection, and the name or IP address of the target
server. If you want to learn more about how to create connectors, check out Configure
mail flow using connectors.

The following two procedures create a connector from Office 365 to your
organization's email server, first in the new Exchange admin center (EAC) and then in
the Classic EAC.

New EAC
1. Navigate to Mail flow > Connectors. The Connectors screen appears.

2. Click + Add a new connector. The New connector screen appears.

3. Under Connection from, choose Office 365.

4. Under Connection to, choose either Your organization's email server or Partner
organization (if you want to connect to a server other than your organization's).
5. Click Next. The Connector name screen appears.

6. Provide a name for the connector and add a description.

7. Check the check box for Turn it on under What do you want to do after
connector is saved?

8. Click Next. The Use of connector screen appears.


9. Choose Only when I have a transport rule set up that redirects messages to this
connector.

10. Click Next. The Routing screen appears.

11. Enter one or more smart hosts in the text box. (These smart hosts are the ones to
which Microsoft 365 or Office 365 will deliver email messages.)

Note

You must provide either the domain name or the IP address of the server.

12. Click +. The smart host value is displayed under the text box.

Note

You must click + after entering the smart host name to navigate to the
next screen.

13. Click Next. The Security restrictions screen appears.

14. Check the check box for Always use Transport Layer Security (TLS) to secure the
connection (recommended).
15. Click Next. The Validation email screen appears.

16. Enter the email address of a valid mailbox on your organization's email
server.

17. Click +. The email address is displayed below the text box, indicating it is ready to
be validated.

18. Click Validate. The validation process starts.

19. Once the validation process is completed, click Next. The Review connector screen
appears.

20. Review the settings for the new connector and click Create connector. The
connector is created.

Classic EAC
1. Go to Mail flow > Connectors and click New to create a new connector.

2. In the From: drop-down box, choose Office 365.

3. In the To: drop-down box, choose either Your organization's email server or Partner
organization if you want to connect to a server other than your organization's.
4. Name the connector and add a description. If you want to turn on the connector
immediately, check Turn it on. Click Next.

5. Choose Only when I have a transport rule... and click Next.


6. Specify one or more smart hosts to which Microsoft 365 or Office 365 will deliver
email messages.

7. Define your Transport Layer Security (TLS) settings depending on your security
needs.
8. Review your new connector configurations and click Next to validate the
connector.

Step 2: Use the EAC to create a mail flow rule


Now that we've created a connector, we need to create a mail flow rule that will send
mail to it based on the criteria you define. There are many conditions you can select
from to control when messages should be sent to the connector.

To create a mail flow rule in EAC, perform the following steps:

Note

The following procedure applies to both the new EAC and the Classic EAC.

1. In the EAC, navigate to Mail flow > Rules. Click New and choose Create a new
rule....

2. In the New rule window, name the rule. To see all the options available for the rule,
click More options... at the bottom of the page.
3. For *Apply this rule if..., select The recipient... and has specific properties
including any of these words. The select user properties box appears. Click the add
icon, and under User properties: choose City. City is an Active Directory attribute made
available for use by the rule. Specify the name of the city, such as New Orleans.
Click OK, and then click OK again to close the select user properties box.

Important

Check the accuracy of user attributes in Active Directory to ensure that the
mail flow rule works as intended. Note that changes made to the connector
from Office 365 to your organization's email server take time to replicate.

4. For *Do the following..., choose Redirect the message to... and then specify the
following connector. The select connector box appears. Choose the connector
(from Office 365 to your organization's email server) that you created previously.

You can choose more properties for the rule, such as the test mode and when to
activate the rule.

5. To save the rule, click Save.
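The same two steps in Exchange Online PowerShell, as an added example that is not part of the article: it assumes an existing Connect-ExchangeOnline session and a placeholder smart host name, and it assumes that -RecipientADAttributeContainsWords (the cmdlet form of the "has specific properties including any of these words" condition) takes values in the Attribute:Value form.

```powershell
# Added example (not from the Microsoft article): Steps 1 and 2 of this scenario in
# Exchange Online PowerShell. Assumes an existing Connect-ExchangeOnline session;
# the smart host name below is a placeholder for your site's mail server.
$SmartHost = 'mail.neworleans.contoso.example'   # placeholder value
$City      = 'New Orleans'

# Step 1: connector from Office 365 to the site's email server.
# IsTransportRuleScoped is the EAC option "Only when I have a transport rule set up
# that redirects messages to this connector". DomainValidation pins TLS to the smart
# host's certificate name; encryption-only TLS would not validate the certificate.
$connector = New-OutboundConnector -Name 'Office 365 to New Orleans site' `
    -ConnectorType OnPremises `
    -IsTransportRuleScoped $true `
    -UseMxRecord $false `
    -SmartHosts $SmartHost `
    -TlsSettings DomainValidation `
    -TlsDomain $SmartHost

# Step 2: rule that redirects messages for recipients whose City attribute is
# New Orleans to that connector. The rule matches on the directory attribute, so the
# attribute must be accurate in Active Directory (see the Important note above).
# Assumption: the parameter takes "AttributeName:Value".
$rule = New-TransportRule -Name 'Route New Orleans recipients to site connector' `
    -RecipientADAttributeContainsWords "City:$City" `
    -RouteMessageOutboundConnector $connector.Name

# Sanity check: confirm the connector the rule names is turned on and rule-scoped
# before relying on it.
$check = Get-OutboundConnector -Identity $connector.Name
if (-not ($check.Enabled -and $check.IsTransportRuleScoped)) {
    throw "Connector '$($check.Name)' must be enabled and transport-rule scoped."
}
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, RecipientADAttributeContainsWords, RouteMessageOutboundConnector
```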


Scenario: Integrate Exchange Online with an email add-on service
Article • 02/22/2023

Many third-party cloud service solutions provide add-on services for Exchange Online.
For security reasons, we don't allow third-party email add-on services to be installed in
Exchange Online. But you can work with the service provider to configure the settings in
your Exchange Online organization so that you can use the service.

This topic describes the best practices for how your organization can use a third-party
email add-on service by examining a fictional service named Contoso Signature Service.
This fictional service runs in Azure and provides custom email signatures.

Note

This service could be deployed in a cloud environment other than Azure.

The mail flow and a high-level summary of the service are shown in the following
diagram.

1. When a user in your Exchange Online organization composes and sends a
message, the message is diverted to Contoso Signature Service by using a
connector and a mail flow rule (also known as a transport rule) that you create.

Connections from Exchange Online to Contoso Signature Service are encrypted by
TLS, because you configure the certificate domain name for the service in the
connector settings (for example, smtp.contososignatureservice.com).

2. Contoso Signature Service accepts the message and adds an email signature to the
message. The service also stamps the message with a custom header to indicate
the message has been processed.

3. Contoso Signature Service routes the message back to Exchange Online. A
connector that you create accepts the incoming messages from Contoso Signature
Service.

Contoso Signature Service uses smart host routing to route messages back to
the region where your Exchange Online organization is located. For example,
if your Exchange Online domain is fabrikam.onmicrosoft.com, the destination
smart host is fabrikam.mail.protection.outlook.com.
Contoso Signature Service provides a unique certificate domain name for
each customer. You configure this domain name as an accepted domain in
your Exchange Online organization and in the connector settings (for
example, S5HG3DCG14.smtp.contososignatureservice.com).

4. Exchange Online sends the message with the customized signature to the original
recipients.

The rest of this topic explains how to configure mail flow in Exchange Online to work
with the email add-on service.

Note

These elements are required for any email add-on service that you want to
integrate with your Exchange Online organization. You need to work with the email
add-on service provider to configure their required settings in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 15 minutes

You need permissions before you can perform this procedure or procedures. To
see what permissions you need, see the "Mail flow" entry in the Feature
permissions in Exchange Online topic.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To learn how to use Windows PowerShell to connect to Exchange Online,
see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Step 1: Create a connector that routes messages from Office 365 to the email add-on service

The important settings for the connector are:

From Office 365 to the email add-on service.
Uses smart host routing to the email add-on service.
Uses TLS to encrypt the connection based on the domain name of the email add-on
service (smart host).

Use the EAC to create the connector that routes messages from Office 365 to the email add-on service

Create the outbound connector in the new EAC

1. In the EAC, go to Mail flow > Connectors, and then click Add a connector.

2. The new connector wizard opens. On the first page, configure these settings:

Connection from: Select Office 365.
Connection to: Your organization's email server

When you're finished, click Next.

3. On the next page, configure these settings:

Name: Enter a descriptive name (for example, Office 365 to Contoso
Signature Service).
Description: Enter an optional description.
What do you want to do after connector is saved?: Configure these settings:
Turn it on: Leave this value selected.
Retain internal Exchange email headers (recommended): Configure one
of these values:
Checked: Preserves internal headers in messages that are sent to the
email add-on service, which means the messages are treated as trusted
internal messages. If you select this value, you'll also need to use the
same value on this setting for the inbound connector that you create in
Step 4 (otherwise, the inbound connector will remove the internal
Exchange headers from the returning messages).
Unchecked: Removes internal headers from messages before they're
sent to the email add-on service. If you select this value, the value of
this setting on the inbound connector that you create in Step 4 is
meaningless (by definition, there will be no internal Exchange headers
to keep or remove in returning messages).
When you're finished, click Next.

4. On the Use of connector page, select Only when I have a transport rule set up
that redirects messages to this connector, and then click Next.

5. On the Routing page, enter the smart host value for the email add-on service
(for example, smtp.contososignatureservice.com), click Add, and then click Next.

6. On the Security restrictions page, configure these settings:

Verify Always use Transport Layer Security (TLS) to secure the connection
(recommended) is selected.
Verify Issued by a trusted certificate authority (CA) is selected.
Select And the subject name or subject alternative name (SAN) matches
this domain name, and enter the smart host that you used in the previous
step (for example, smtp.contososignatureservice.com).

When you're finished, click Next.

7. On the Validation email page, do these steps:

a. Enter a valid email address on your organization's email server, and then click
Add.
b. Click Validate to start the validation process.

After the validation process is complete, click Next.

8. On the Review connector page, review the settings for the new connector. You can
click Edit in the specific section to edit those settings.
When you're finished, click Create connector.

Create the outbound connector in the classic EAC


1. Go to Mail flow > Connectors, and then click New.

2. The new connector wizard opens. On the Select your mail flow scenario page,
configure these settings:

From: Select Office 365.
To: Select Your organization's email server.

When you're finished, click Next.

3. On the next page, configure these settings:

Name: Enter a descriptive name (for example, Office 365 to Contoso
Signature Service).
Description: Enter an optional description.
What do you want to do after connector is saved?: Configure these settings:
Turn it on: Leave this value selected.
Retain internal Exchange email headers (recommended): Configure one
of these values:
Checked: Preserves internal headers in messages that are sent to the
email add-on service, which means the messages are treated as trusted
internal messages. If you select this value, you'll also need to use the
same value on this setting for the inbound connector that you create in
Step 4 (otherwise, the inbound connector will remove the internal
Exchange headers from the returning messages).
Unchecked: Removes internal headers from messages before they're
sent to the email add-on service. If you select this value, the value of
this setting on the inbound connector that you create in Step 4 is
meaningless (by definition, there will be no internal Exchange headers
to keep or remove in returning messages).

When you're finished, click Next.

4. On the When do you want to use this connector? page, select Only when I have a
transport rule set up that redirects messages to this connector, and then click
Next.

5. On the How do you want to route email messages? page, click Add. In the Add
smart host dialog that appears, enter the smart host value for the email add-on
service (for example, smtp.contososignatureservice.com), click Save, and then click
Next.

6. On the How should Office 365 connect to your email server? page, configure
these settings:

Verify Always use Transport Layer Security (TLS) to secure the connection
(recommended) is selected.
Verify Issued by a trusted certificate authority (CA) is selected.
Select And the subject name or subject alternative name (SAN) matches
this domain name, and enter the smart host that you used in the previous
step (for example, smtp.contososignatureservice.com).

When you're finished, click Next.

7. On the Confirm your settings page, verify the settings. Click Back to modify the
settings as necessary.

When you're finished, click Next.


8. On the Validate this connector page, click Add. In the Add email dialog that
appears, enter an email address that isn't in Exchange Online to test the connector
(for example, admin@fabrikam.com), click OK, and then click Validate.

A progress indicator appears. When the connector validation is complete, click
Close.

9. On the Validation result page, click Save.

Use Exchange Online PowerShell to create the outbound connector to the email add-on service

To create the outbound connector to the email add-on service in Exchange Online
PowerShell, use this syntax:

PowerShell

New-OutboundConnector -Name "<Descriptive Name>" -ConnectorType OnPremises -IsTransportRuleScoped $true -UseMxRecord $false -SmartHosts <SmartHost> -TlsSettings DomainValidation -TlsDomain <SmartHost> [-CloudServicesMailEnabled $true]

This example creates an outbound connector with these settings:

Name: Office 365 to Contoso Signature Service
Smart host destination of the email add-on service:
smtp.contososignatureservice.com
TLS domain for domain validation: smtp.contososignatureservice.com
Internal Exchange message headers that identify messages as internal are
preserved in the outbound messages.

PowerShell

New-OutboundConnector -Name "Office 365 to Contoso Signature Service" -ConnectorType OnPremises -IsTransportRuleScoped $true -UseMxRecord $false -SmartHosts smtp.contososignatureservice.com -TlsSettings DomainValidation -TlsDomain smtp.contososignatureservice.com -CloudServicesMailEnabled $true

For detailed syntax and parameter information, see New-OutboundConnector.

Verify that you've successfully created the outbound connector

To verify that you've successfully created an outbound connector to route messages to
the email add-on service, use either of these procedures:

In the EAC, go to Mail flow > Connectors, select the connector, and then verify the
settings.

In Exchange Online PowerShell, replace <Connector Name> with the name of the
connector, and run this command to verify the property values:

PowerShell

Get-OutboundConnector -Identity "<Connector Name>" | Format-List Name,ConnectorType,IsTransportRuleScoped,UseMxRecord,SmartHosts,TlsSettings,TlsDomain,CloudServicesMailEnabled

Step 2: Create a mail flow rule to route unprocessed messages to the email add-on service

The rule routes messages from internal senders to the connector that you created in
Step 1 if the messages haven't already been processed by the email add-on service (the
custom header isn't stamped on the message).

Use the EAC to create a mail flow rule to route unprocessed messages to the email add-on service

Note

Mail flow rule creation in the new EAC is exactly the same as in the classic EAC.

1. Go to Mail flow > Rules, click New, and then select Create a new rule.

2. In the New rule page that opens, click More options near the bottom of the page.

3. On the New rule page, configure these settings:

Name: Enter a descriptive name (for example, Route email to Contoso
Signature Service).
Apply this rule if: Select The sender > Is external/internal > Select Inside the
organization, and then click OK.
Do the following: Select Redirect the message to > The following connector
> Select the connector you created in Step 1, and then click OK.
Except if: Click Add exception > Select A message header > Includes any of
these words.
Click Enter text, enter the name of the custom header field that's applied by
the email add-on service (for example, SignatureContoso), and then click OK.
Click Enter words, enter the header field value that indicates a message has
been processed by the email add-on service (for example, true), click Add,
and then click OK.
Near the bottom of the page, select Stop processing more rules.

When you're finished, click Save.

Use Exchange Online PowerShell to create a mail flow rule to route unprocessed messages to the email add-on service

To create the mail flow rule in Exchange Online PowerShell, use this syntax:

PowerShell

New-TransportRule -Name "<Descriptive Name>" -FromScope InOrganization -RouteMessageOutboundConnector "<Connector Name>" -ExceptIfHeaderContainsMessageHeader <HeaderName> -ExceptIfHeaderContainsWords <HeaderValue> -StopRuleProcessing $true

This example creates the mail flow rule with these settings:

Name: Route email to Contoso Signature Service
Outbound connector name: Office 365 to Contoso Signature Service
Header field and value that indicate processing by the email add-on
service: SignatureContoso with the value true.

PowerShell

New-TransportRule -Name "Route email to Contoso Signature Service" -FromScope InOrganization -RouteMessageOutboundConnector "Office 365 to Contoso Signature Service" -ExceptIfHeaderContainsMessageHeader SignatureContoso -ExceptIfHeaderContainsWords true -StopRuleProcessing $true

For detailed syntax and parameter information, see New-TransportRule.

Verify that you've successfully created the mail flow rule

To verify that you've successfully created a mail flow rule to route unprocessed
messages to the email add-on service, use either of these procedures:

In the EAC, go to Mail flow > Rules, select the rule, click Edit, and verify the
settings of the rule.

In Exchange Online PowerShell, replace <Rule Name> with the name of the rule,
and run this command to verify the property values:

PowerShell

Get-TransportRule -Identity "<Rule Name>" | Format-List Name,FromScope,RouteMessageOutboundConnector,ExceptIfHeaderContainsMessageHeader,ExceptIfHeaderContainsWords,StopRuleProcessing

Step 3: Add the custom certificate domain provided by the email add-on service as an accepted domain in Exchange Online

1. In the Microsoft 365 admin center at https://admin.microsoft.com, go to
Settings > Domains, and then click Add domain.

2. The add a domain wizard starts. On the Add a domain page, enter the custom
certificate domain that the email add-on service provided when you enrolled in the
service (for example, S5HG3DCG14.smtp.contososignatureservice.com), and then
click Use this domain.

Note: The value must be 48 characters or less.

3. On the Domain verification page, select one of the following values:

Add a TXT record to the domain's DNS records
If you can't add a TXT record, add an MX record to the domain's DNS
records

When you're finished, click Continue.

4. The next page that you see depends on your previous selection. Use the details on
the page to create the required TXT or MX proof of domain ownership record for
the custom certificate domain.

After you've created the proof of domain ownership record, click Verify and wait
for the results.

5. On the Connect domain page, click Save and close.

For more information, see Add your domain to Microsoft 365.

Step 4: Create a connector that receives messages from the email add-on service

The important settings for the connector are:

From the email add-on service to Office 365.
TLS encryption and certificate verification are based on the custom certificate
domain name that you configured as an accepted domain in the previous step.

Use the EAC to create a connector that receives messages from the email add-on service

Create the inbound connector in the new EAC

1. Go to Mail flow > Connectors, and then click Add a connector.

2. The new connector wizard opens. On the first page, configure these settings:

Connection from: Select Your organization's email server.
Connection to: Verify that Office 365 is selected.

3. When you're finished, click Next.

4. On the Connector name page, configure these settings:

Name: Enter a descriptive name (for example, Contoso Signature Service to
Office 365).
Description: Enter an optional description.
What do you want to do after connector is saved?: Configure these settings:
Turn it on: Verify that this setting is selected.
Retain internal Exchange email headers (recommended): Configure one
of these values:
Checked: Preserves internal headers in messages that are returning
from the email add-on service. If you selected this value on this setting
for the connector that you create in Step 1, you'll need to configure the
same value here. The internal Exchange headers in the returning
messages are preserved, which means the messages returning from the
email add-on service are treated as trusted internal messages.
Unchecked: Removes the internal Exchange headers (if any) from
messages that are returning from the email add-on service.

When you're finished, click Next.

5. On the Authenticating sent email page, verify that the first option is selected
(verify by certificate), and enter the certificate domain that the email add-on
service gave to you when you enrolled in the service (for example,
S5HG3DCG14.smtp.contososignatureservice.com).

When you're finished, click Next.

6. On the Review connector page, verify the settings. You can click Edit in the
appropriate section to make changes. When you're finished, click Create
connector.

Create the inbound connector in the classic EAC

1. Go to Mail flow > Connectors, and then click New.

2. The new connector wizard opens. On the Select your mail flow scenario page,
configure these settings:

From: Select Your organization's email server.
To: Select Office 365.

When you're finished, click Next.

3. On the next page, configure these settings:

Name: Enter a descriptive name (for example, Contoso Signature Service to
Office 365).
Description: Enter an optional description.
What do you want to do after connector is saved?: Configure these
settings:
Turn it on: Verify that this setting is selected.
Retain internal Exchange email headers (recommended): Configure
one of these values:
Checked: Preserves internal headers in messages that are returning
from the email add-on service. If you selected this value on this
setting for the connector that you create in Step 1, you'll need to
configure the same value here. The internal Exchange headers in the
returning messages are preserved, which means the messages
returning from the email add-on service are treated as trusted
internal messages.
Unchecked: Removes the internal Exchange headers (if any) from
messages that are returning from the email add-on service.
When you're finished, click Next.

4. On the How should Office 365 identify email from your email server? page, verify
that the first option is selected (verify by certificate), and enter the certificate
domain that the email add-on service gave to you when you enrolled in the service
(for example, S5HG3DCG14.smtp.contososignatureservice.com).

When you're finished, click Next.

5. On the Confirm your settings page, verify the settings. You can click Back to
modify the settings.

When you're finished, click Save.


Use Exchange Online PowerShell to create an inbound
connector to receive messages from the email add-on
service
To create the inbound connector from the email add-on service in Exchange Online
PowerShell, use this syntax:

PowerShell

New-InboundConnector -Name "<Descriptive Name>" -SenderDomains * -


ConnectorType OnPremises -RequireTls $true -RestrictDomainsToCertificate
$true -TlsSenderCertificateName <CertificateDomainName> [-
CloudServicesMailEnabled $true]

Name: Contoso Signature Service to Office 365


Domain name used by the email add-on service's certificate to authenticate with
your Office 365 organization: S5HG3DCG14.smtp.contososignatureservice.com
Internal Exchange message headers that identify messages as internal are
preserved in the outbound messages.

PowerShell

New-InboundConnector -Name "Contoso Signature Service to Office 365" -SenderDomains * -ConnectorType OnPremises -RequireTls $true -RestrictDomainsToCertificate $true -TlsSenderCertificateName S5HG3DCG14.smtp.contososignatureservice.com -CloudServicesMailEnabled $true

For detailed syntax and parameter information, see New-InboundConnector.

Verify that you've successfully created the inbound connector

To verify that you've successfully created an inbound connector to receive messages
from the email add-on service, use either of these procedures:

In the EAC, go to Mail flow > Connectors, select the connector, and then verify the
settings.

In Exchange Online PowerShell, replace <Connector Name> with the name of the
connector, and run this command to verify the property values:

PowerShell

Get-InboundConnector -Identity "<Connector Name>" | Format-List Name,SenderDomains,ConnectorType,RequireTls,RestrictDomainsToCertificate,TlsSenderCertificateName,CloudServicesMailEnabled
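The following added script (not from the article or from Microsoft) checks that the outbound connector, mail flow rule, accepted domain and inbound connector from Steps 1 through 4 agree with each other, including the header-retention setting that the article says must match on both connectors. It assumes an existing Connect-ExchangeOnline session, uses the article's Contoso example names and values as placeholders, and compares property values as strings.

```powershell
# Added example (not from the Microsoft article): read-only consistency check for
# the objects created in Steps 1 to 4. Assumes a Connect-ExchangeOnline session; the
# names and values below are the article's Contoso placeholders, change them to match
# what you created.
$OutboundName = 'Office 365 to Contoso Signature Service'
$InboundName  = 'Contoso Signature Service to Office 365'
$RuleName     = 'Route email to Contoso Signature Service'
$SmartHost    = 'smtp.contososignatureservice.com'
$CertDomain   = 'S5HG3DCG14.smtp.contososignatureservice.com'
$HeaderName   = 'SignatureContoso'
$HeaderValue  = 'true'

$problems = New-Object System.Collections.Generic.List[string]

$out  = Get-OutboundConnector -Identity $OutboundName
$in   = Get-InboundConnector  -Identity $InboundName
$rule = Get-TransportRule     -Identity $RuleName

# Step 1: the outbound connector must be reachable only through a rule, must use the
# smart host, and must require a certificate for the smart host name (encryption
# alone would accept any certificate presented by whoever answers on that name).
if (-not $out.Enabled)               { $problems.Add('Outbound connector is turned off.') }
if (-not $out.IsTransportRuleScoped) { $problems.Add('Outbound connector is not transport-rule scoped.') }
if ($out.UseMxRecord)                { $problems.Add('Outbound connector uses MX lookup instead of the smart host.') }
$hosts = @($out.SmartHosts | ForEach-Object { "$_" })
if ($hosts -notcontains $SmartHost)  { $problems.Add("Outbound connector does not route to $SmartHost.") }
if ("$($out.TlsSettings)" -ne 'DomainValidation' -or "$($out.TlsDomain)" -ne $SmartHost) {
    $problems.Add("Outbound connector does not validate a certificate for $SmartHost.")
}

# Step 2: the rule must send only internal senders to that connector and must skip
# messages the service has already stamped; without the exception, every returning
# message would be routed to the service again.
if ("$($rule.FromScope)" -ne 'InOrganization') { $problems.Add('Rule is not limited to internal senders.') }
if ("$($rule.RouteMessageOutboundConnector)" -ne $OutboundName) {
    $problems.Add("Rule does not route to '$OutboundName'.")
}
$words = @($rule.ExceptIfHeaderContainsWords | ForEach-Object { "$_" })
if ("$($rule.ExceptIfHeaderContainsMessageHeader)" -ne $HeaderName -or $words -notcontains $HeaderValue) {
    $problems.Add("Rule lacks the exception for header $HeaderName = $HeaderValue.")
}
if (-not $rule.StopRuleProcessing) { $problems.Add('Rule does not stop processing more rules.') }

# Step 3: the certificate domain must be an accepted domain in the organization.
$accepted = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })
if ($accepted -notcontains $CertDomain) { $problems.Add("$CertDomain is not an accepted domain.") }

# Step 4: returning mail must be identified by the service's certificate over TLS,
# and header retention must match the outbound connector (the article's caveat).
if (-not $in.Enabled)                      { $problems.Add('Inbound connector is turned off.') }
if (-not $in.RequireTls)                   { $problems.Add('Inbound connector does not require TLS.') }
if (-not $in.RestrictDomainsToCertificate) { $problems.Add('Inbound connector does not restrict senders to the certificate.') }
if ("$($in.TlsSenderCertificateName)" -ne $CertDomain) {
    $problems.Add("Inbound connector does not expect certificate name $CertDomain.")
}
if ($out.CloudServicesMailEnabled -ne $in.CloudServicesMailEnabled) {
    $problems.Add('Retain internal Exchange email headers differs between the outbound and inbound connectors.')
}

if ($problems.Count -eq 0) {
    Write-Output 'Add-on service mail flow configuration is consistent.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```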

Enhanced Filtering for Connectors in Exchange Online
Article • 02/22/2023

Properly configured inbound connectors are a trusted source of incoming mail to
Microsoft 365 or Office 365. But in complex routing scenarios where email for your
Microsoft 365 or Office 365 domain is routed somewhere else first, the source of the
inbound connector is typically not the true indicator of where the message came from.
Complex routing scenarios include:

Third-party cloud filtering services
Managed filtering appliances
Hybrid environments (for example, on-premises Exchange)

Mail routing in complex scenarios looks like this:

As you can see, the message adopts the source IP of the service, appliance, or on-
premises Exchange organization that sits in front of Microsoft 365. The message arrives
in Microsoft 365 with a different source IP address. This behavior isn't a limitation of
Microsoft 365; it's simply how SMTP works.

In these scenarios, you can still get the most out of Exchange Online Protection (EOP)
and Microsoft Defender for Office 365 by using Enhanced Filtering for Connectors (also
known as skip listing).

After you enable Enhanced Filtering for Connectors, mail routing in complex routing
scenarios looks like this:

As you can see, Enhanced Filtering for connectors allows IP address and sender
information to be preserved, which has the following benefits:

Improved accuracy for the Microsoft filtering stack and machine learning models,
which include:
Heuristic clustering
Anti-spoofing
Anti-phishing
Better post-breach capabilities in Automated investigation and response (AIR)
Able to use explicit email authentication (SPF, DKIM, and DMARC) to verify the
reputation of the sending domain for impersonation and spoof detection. For
more information about explicit and implicit email authentication, see Email
authentication in EOP.

For more information, see the What happens when you enable Enhanced Filtering for
Connectors? section later in this article.

Use the procedures in this article to enable Enhanced Filtering for Connectors on
individual connectors. For more information about connectors in Exchange Online, see
Configure mail flow using connectors.

Note

We always recommend that you point your MX record to Microsoft 365 or
Office 365 in order to reduce complexity. For example, some hosts might
invalidate DKIM signatures, causing false positives. When two systems are
responsible for email protection, determining which one acted on the
message is more complicated.
The most common scenarios that Enhanced Filtering is designed for are
Hybrid environments; however, the mail destined for on-premises mailboxes
(outbound mail) will still not be filtered by EOP. The only way to get full EOP
scanning on all mailboxes is to move your MX record to Microsoft 365 or
Office 365.
Except for linear inbound routing scenarios where MX points to on-premises
servers, adding your on-premises hybrid server IPs to the enhanced filter skip
list is not supported in a centralized mail flow scenario. Doing this can cause
EOP to scan your on-premises hybrid server emails, adding a compauth
header value, and may result in EOP flagging the message as spam. In a
configured hybrid environment, there is no need to add them to the skip list.
The skip list is primarily intended to address scenarios where there is a third-
party device/filter before your Microsoft 365 tenant. For more information,
see MX record points to third-party spam filtering.
Do not put another scanning service or host after EOP. Once EOP scans a
message, be careful not to break the chain of trust by routing mail through
any non-Exchange server that is not part of your cloud or on-premises
organization. When the message eventually arrives at the destination mailbox,
the headers from the first scanning verdict might no longer be accurate.
Centralized Mail Transport should not be used to introduce non-Exchange
servers into the mail flow path.

Configure Enhanced Filtering for Connectors

What do you need to know before you begin?

Include all of the trusted IP addresses that are associated with the on-premises hosts or the third-party filters that send email into your Microsoft 365 or Office 365 organization, including any intermediate hops with public IP addresses. To get these IP addresses, consult the documentation or support that's provided with the service.

If you have mail flow rules (also known as transport rules) that set the SCL to -1 for messages that flow through this connector, you must disable those mail flow rules after you enable Enhanced Filtering for Connectors.

To open the Microsoft 365 Defender portal, go to https://security.microsoft.com. To go directly to the Enhanced Filtering for Connectors page, use https://security.microsoft.com/skiplisting.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to Exchange Online Protection PowerShell, see Connect to Exchange Online Protection PowerShell.

To configure Enhanced Filtering for Connectors, you need to be a member of one of the following role groups:
Organization Management or Security Administrator in the Microsoft 365 Defender portal.
Organization Management in Exchange Online.

Enhanced Filtering for Connectors is not supported in hybrid environments that use Centralized Mail Transport.

Use the Microsoft 365 Defender portal to configure Enhanced Filtering for Connectors on an inbound connector

1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies page > Rules section > Enhanced filtering.

2. On the Enhanced Filtering for Connectors page, select the inbound connector that
you want to configure by clicking on the name.

3. In the connector details flyout that appears, configure the following settings:

IP addresses to skip: Choose one of the following values:

Disable Enhanced Filtering for Connectors: Turn off Enhanced Filtering for
Connectors on the connector.

Automatically detect and skip the last IP address: We recommend this value if you have to skip only the last message source.

Skip these IP addresses that are associated with the connector: Select
this value to configure a list of IP addresses to skip.

Important
Entering the IP addresses of Microsoft 365 or Office 365 is not supported. Do not use this feature to compensate for issues introduced by unsupported email routing paths. Use caution and limit the IP ranges to only the email systems that will handle your own organization's messages prior to Microsoft 365 or Office 365.
Entering any private IP address defined by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) is not supported. Enhanced Filtering automatically detects and skips private IP addresses. If the previous hop is an email server that's behind a network address translation (NAT) device that assigns private IP addresses, we recommend that you configure NAT to assign a public IP address to the email server.

If you selected Automatically detect and skip the last IP address or Skip
these IP addresses that are associated with the connector, the Apply to
these users section appears:

Apply to entire organization: We recommend this value after you've tested the feature on a small number of recipients first.

Apply to a small set of users: Select this value to configure a list of recipient email addresses that Enhanced Filtering for Connectors applies to. We recommend this value as an initial test of the feature.

Note
This value is only effective for the exact email addresses that you specify. For example, if a user has five email addresses associated with their mailbox (also known as proxy addresses), you'll need to specify all five of their email addresses here. Otherwise, messages that are sent to the four other email addresses will go through normal filtering.
In hybrid environments where inbound mail flows through on-premises Exchange, you must specify the targetAddress of the MailUser object. For example, michelle@contoso.mail.onmicrosoft.com.
This value is only effective on messages where all recipients are specified here. If a message contains any recipients that aren't specified here, normal filtering is applied to all recipients of the message.

4. When you're finished, click Save.


Use Exchange Online PowerShell or Exchange Online
Protection PowerShell to configure Enhanced Filtering for
Connectors on an inbound connector
To configure Enhanced Filtering for Connectors on an inbound connector, use the
following syntax:

PowerShell

Set-InboundConnector -Identity <ConnectorIdentity> [-EFSkipLastIP <$true | $false>] [-EFSkipIPs <IPAddresses>] [-EFUsers "emailaddress1","emailaddress2",..."emailaddressN"]

EFSkipLastIP: Valid values are:
$true: Only the last message source is skipped.
$false: Skip the IP addresses specified by the EFSkipIPs parameter. If no IP addresses are specified there, Enhanced Filtering for Connectors is disabled on the inbound connector. The default value is $false.

EFSkipIPs: The specific IP addresses to skip when the EFSkipLastIP parameter value is $false. Valid values are:
A single IP address: For example, 203.0.113.1.
An IP address range: For example, 203.0.113.0-203.0.113.31.
Classless Inter-Domain Routing (CIDR) IP: For example, 203.0.113.0/25.

The values must be public addresses; the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are not supported here. See the Skip these IP addresses that are associated with the connector description in the previous section for limitations on IP addresses.

EFUsers: A comma-separated list of recipient email addresses that you want to apply Enhanced Filtering for Connectors to. See the Apply to a small set of users description in the previous section for limitations on individual recipients. The default value is blank ($null), which means Enhanced Filtering for Connectors is applied to all recipients.

This example configures the inbound connector named From Anti-Spam Service with
the following settings:

Enhanced Filtering for Connectors is enabled on the connector, and the IP address
of the last message source is skipped.
Enhanced Filtering for Connectors only applies to the recipient email addresses
michelle@contoso.com, laura@contoso.com, and julia@contoso.com.

PowerShell

Set-InboundConnector -Identity "From Anti-Spam Service" -EFSkipLastIP $true -EFUsers "michelle@contoso.com","laura@contoso.com","julia@contoso.com"

Note: To disable Enhanced Filtering for Connectors, use the value $false for the
EFSkipLastIP parameter.

For detailed syntax and parameter information, see Set-InboundConnector.
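The following script is an added example and is not part of the original article or Microsoft's own code. It walks the full procedure from this section in Exchange Online PowerShell: it disables any mail flow rules that set SCL to -1 (the prerequisite noted above), rejects RFC 1918 addresses before they reach the service, enables Enhanced Filtering with an explicit skip list for a pilot group, and then reads the configuration back. The connector name, the IP addresses (documentation ranges), and the pilot recipients are assumptions.

```powershell
# Added example, not from the original article. Assumes an existing
# Exchange Online PowerShell session (Connect-ExchangeOnline) and an inbound
# connector named "From Anti-Spam Service" that receives mail from a third-party
# filter whose public egress addresses are the constructed values below.
$ConnectorName   = "From Anti-Spam Service"
$FilterEgressIPs = @("203.0.113.10", "203.0.113.11", "198.51.100.0/28")   # constructed; replace with the filter's documented egress IPs
$PilotRecipients = @("michelle@contoso.com", "laura@contoso.com")          # every proxy address of each pilot user, or messages to the others get normal filtering

# 1. Mail flow rules that set SCL to -1 bypass spam filtering entirely, which
#    defeats the point of skip listing. Find and disable the enabled ones.
$bypassRules = Get-TransportRule -ResultSize Unlimited |
    Where-Object { $_.State -eq "Enabled" -and $_.SetSCL -eq -1 }
foreach ($rule in $bypassRules) {
    Write-Warning "Disabling SCL -1 rule '$($rule.Name)' so Enhanced Filtering verdicts are honored"
    Disable-TransportRule -Identity $rule.Identity -Confirm:$false
}

# 2. The service does not accept RFC 1918 addresses in the skip list (it skips
#    them on its own), so fail fast instead of sending an invalid list.
$privateRanges = $FilterEgressIPs | Where-Object {
    $_ -match '^10\.' -or $_ -match '^192\.168\.' -or $_ -match '^172\.(1[6-9]|2\d|3[01])\.'
}
if ($privateRanges) {
    throw "RFC 1918 addresses are not supported in EFSkipIPs: $($privateRanges -join ', ')"
}

# 3. Enable Enhanced Filtering with an explicit skip list. EFSkipLastIP must be
#    $false for EFSkipIPs to be used. Restrict to the pilot recipients first.
Set-InboundConnector -Identity $ConnectorName `
    -EFSkipLastIP $false `
    -EFSkipIPs $FilterEgressIPs `
    -EFUsers $PilotRecipients

# 4. Read the effective configuration back and confirm the connector is enabled.
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, Enabled, SenderIPAddresses, EFSkipLastIP, EFSkipIPs, EFUsers

# 5. After the pilot, clear EFUsers to apply Enhanced Filtering to the whole organization:
# Set-InboundConnector -Identity $ConnectorName -EFUsers $null
```

Keep SenderIPAddresses on the connector and EFSkipIPs in sync: if the filtering service adds an egress address that is missing from EFSkipIPs, EOP treats that address as the true sender and applies reputation and SPF checks against the filter instead of the original source.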

What happens when you enable Enhanced Filtering for Connectors?

The following table describes what connections look like before and after you enable Enhanced Filtering for Connectors:

Feature: Email domain authentication
Before Enhanced Filtering is enabled: Implicit, using anti-spoof protection technology.
After Enhanced Filtering is enabled: Explicit, based on the source domain's SPF, DKIM, and DMARC records in DNS.

Feature: X-MS-Exchange-ExternalOriginalInternetSender header
Before Enhanced Filtering is enabled: Not available.
After Enhanced Filtering is enabled: This header is stamped if skip listing was successful, enabled on the connector, and a recipient match happens. The value of this field contains information about the true source address.

Feature: X-MS-Exchange-SkipListedInternetSender header
Before Enhanced Filtering is enabled: Not available.
After Enhanced Filtering is enabled: This header is stamped if skip listing was enabled on the connector, irrespective of recipient matches. The value of this field contains information about the true source address. This header is used primarily for reporting purposes and to help understand WhatIf scenarios.

You can view the improvements in filtering and reporting by using the Threat protection
status report in the Microsoft 365 Defender portal. For more information, see Threat
protection status report.
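The two headers in the table above are the quickest way to confirm, on a delivered message, that skip listing was applied and whether the recipient was actually covered. The following function is an added example (not from the original article): it unfolds a raw header block, looks for both headers and the compauth result, and distinguishes "enabled on the connector but this recipient was not in EFUsers" from "fully applied". The sample headers are constructed, and the "ip=[...];domain=..." layout of the header values is an assumption about the format; adjust the regex to what your tenant stamps.

```powershell
# Added example, not from the original article. Inspects message headers for the
# Enhanced Filtering markers described in the table above.
function Test-SkipListing {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold continuation lines (RFC 5322 section 2.2.3): a line that starts with
    # whitespace belongs to the header field on the previous line.
    $lines = ($RawHeaders -replace "`r?`n[ \t]+", " ") -split "`r?`n"

    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            # Last occurrence wins; fine for the single-instance headers checked here.
            $fields[$Matches[1].ToLower()] = $Matches[2]
        }
    }

    $skipListed = $fields['x-ms-exchange-skiplistedinternetsender']
    $original   = $fields['x-ms-exchange-externaloriginalinternetsender']

    # Prefer the recipient-matched header; fall back to the reporting header.
    $sourceField = $original
    if (-not $sourceField) { $sourceField = $skipListed }
    $trueSourceIp = $null
    if ($sourceField -and $sourceField -match 'ip=\[([^\]]+)\]') { $trueSourceIp = $Matches[1] }   # value layout is an assumption

    $compAuth = $null
    if ($fields['authentication-results'] -match 'compauth=(\w+)') { $compAuth = $Matches[1] }

    [pscustomobject]@{
        SkipListingEnabledOnConnector = [bool]$skipListed   # stamped regardless of recipient
        RecipientMatched              = [bool]$original     # stamped only when EFUsers (or the whole org) matched
        TrueSourceIP                  = $trueSourceIp
        CompAuth                      = $compAuth
    }
}

# Constructed sample: the message came through a third-party filter at 203.0.113.10,
# skip listing is on, but the recipient is not in the pilot EFUsers list, so only
# the reporting header is present.
$sampleHeaders = @"
Received: from filter.example.net (203.0.113.10) by mail.protection.outlook.com
 with Microsoft SMTP Server (version=TLS1_2)
X-MS-Exchange-SkipListedInternetSender: ip=[198.51.100.25];domain=mx.sender.example
Authentication-Results: spf=pass (sender IP is 198.51.100.25)
 smtp.mailfrom=sender.example; dkim=pass (signature was verified)
 header.d=sender.example;dmarc=pass action=none header.from=sender.example;compauth=pass reason=100
Subject: Quarterly invoice
"@

$result = Test-SkipListing -RawHeaders $sampleHeaders
$result | Format-List
if ($result.SkipListingEnabledOnConnector -and -not $result.RecipientMatched) {
    Write-Warning "Skip listing is enabled on the connector, but this recipient is not covered by EFUsers. Add the address (and all of its proxy addresses) to the pilot list, or apply to the entire organization."
}
```

Run the function against the headers of a message delivered to a pilot recipient and one delivered to a non-pilot recipient; the first should report both headers, the second only X-MS-Exchange-SkipListedInternetSender. If neither header appears, the connector that accepted the message is not the one you configured, which is a common result when SenderIPAddresses on several connectors overlap.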

See also
Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)

Configure mail flow using connectors


Use Directory-Based Edge Blocking to
reject messages sent to invalid
recipients in Exchange Online
Article • 02/22/2023

Directory-Based Edge Blocking (DBEB) lets you reject messages for invalid recipients at
the service network perimeter in Microsoft 365 organizations with Exchange Online
mailboxes and in standalone Exchange Online Protection (EOP) organizations without
Exchange Online mailboxes. DBEB lets admins add mail-enabled recipients to Microsoft
365 or Office 365 and block all messages sent to email addresses that aren't present in
Microsoft 365 or Office 365.

If a message is sent to a valid email address in Microsoft 365 or Office 365, the message
continues through the rest of the service filtering layers: anti-malware, anti-spam, and
mail flow rules (also known as transport rules). If the address doesn't exist, the service
blocks the message before filtering even occurs, and a non-delivery report (also known
as an NDR or bounce message) is returned to the sender. The NDR looks like this: 550
5.4.1 Recipient address rejected: Access denied .

If all recipients for your domain are in Exchange Online, DBEB is already in effect, and
you don't need to do anything. If you're migrating from another email system to
Exchange Online, you can use the procedure in this topic to enable DBEB for the domain
before the migration.

Note

In hybrid environments, in order for DBEB to work, the MX record for the domain must point to Microsoft 365 or Office 365 so that email for the domain is routed to Microsoft 365 or Office 365 first.

There are additional considerations when using DBEB with mail-enabled public folders. DBEB is not supported for mail-enabled public folders that are hosted in Exchange Online. DBEB is only supported for mail-enabled public folders hosted on-premises. For more information about DBEB and mail-enabled public folders, see Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders.

What do you need to know before you begin?
Estimated time to complete: 5 to 10 minutes

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Configure DBEB
This section describes the procedure to configure DBEB for both the New Exchange
admin center (EAC) and Classic EAC.

For New EAC

1. Verify that your accepted domain in Exchange Online is set to Internal relay:

a. Navigate to Mail flow > Accepted domains. The Accepted domains screen
appears.

b. Select an accepted domain and click it. The accepted domain's details screen
appears.

c. Ensure that the domain type is set to Internal relay. If it's set to Authoritative,
change it to Internal relay.

d. Click Save.

2. Add users to Microsoft 365 or Office 365. For example:

Directory synchronization: Add valid users to Office 365 by synchronizing from your on-premises Active Directory environment to Azure Active Directory in the cloud. For more information about how to set up directory synchronization, see the Use directory synchronization to manage mail users section in Manage Mail Users in EOP.
Add users via PowerShell or the EAC: For more information about how to do this task, see Manage Mail Users in EOP or Manage mail users in Exchange Online.

3. Set your accepted domain in Exchange Online to Authoritative:

a. Navigate to Mail flow > Accepted domains. The Accepted domains screen
appears.

b. Select an accepted domain and click it. The accepted domain's details screen
appears.

c. Ensure that the domain type is set to Authoritative. If it's set to Internal relay,
change it to Authoritative.

d. Click Save.

For Classic EAC

1. Verify that your accepted domain in Exchange Online is set to Internal relay:

a. Navigate to Mail flow > Accepted domains.

b. Select an accepted domain and click Edit.

c. Ensure that the domain type is set to Internal relay. If it's set to Authoritative,
change it to Internal relay.

d. Click Save.

2. Add users to Microsoft 365 or Office 365. For example:

Directory synchronization: Add valid users to Office 365 by synchronizing from your on-premises Active Directory environment to Azure Active Directory in the cloud. For more information about how to set up directory synchronization, see "Use directory synchronization to manage recipients" in Manage Mail Users in EOP.
Add users via PowerShell or the EAC: For more information about how to do this task, see Manage Mail Users in EOP or Manage mail users in Exchange Online.

3. Set your accepted domain in Exchange Online to Authoritative:

a. Navigate to Mail flow > Accepted domains.

b. Select an accepted domain and click Edit.


c. Set the domain type to Authoritative.

d. Click Save.

4. Choose Save to save your changes, and confirm that you want to enable DBEB.

Note

Dynamic distribution groups do not sync to Azure AD and are therefore blocked by DBEB. As a workaround in hybrid environments, you can create a mail contact with the same external email address as the blocked dynamic distribution group. In cloud-only environments, this workaround will not work. To use dynamic distribution groups that receive email from external senders in cloud-only environments, you need to disable DBEB (change the domain from Authoritative to Internal relay).

Until all of your valid recipients have been added to Exchange Online and replicated through the system, you should leave the accepted domain configured as Internal relay. Once the domain type has been changed to Authoritative, DBEB is designed to allow any SMTP address that has been added to the service (except for mail-enabled public folders). There might be infrequent instances where recipient addresses that do not exist in your Microsoft 365 or Office 365 organization are allowed to relay through the service.

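The three-step procedure above (Internal relay while provisioning, add recipients, then Authoritative) is easy to get wrong in one direction: switching to Authoritative before every address is known causes the service to reject legitimate mail with 550 5.4.1. The following script is an added example, not part of the original article, that performs the switch in Exchange Online PowerShell only after comparing the service's known proxy addresses against a list of expected addresses. The domain name and the expected-address list (which you would normally export from the legacy mail system) are constructed for the example.

```powershell
# Added example, not from the original article. Assumes a Connect-ExchangeOnline
# session. The domain and the expected addresses below are constructed.
$Domain            = "contoso.com"
$ExpectedAddresses = @("alice@contoso.com", "bob@contoso.com", "sales@contoso.com")

# Step 1: keep the domain as Internal relay while recipients are still being
# provisioned or synchronized. Unknown recipients are relayed on-premises, not rejected.
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay

# Step 2 (after provisioning / directory sync): collect every SMTP proxy address the
# service knows for the domain. Get-Recipient covers mailboxes, mail users, mail
# contacts, groups, and mail-enabled public folders in one pass.
$known = Get-Recipient -ResultSize Unlimited |
    ForEach-Object { $_.EmailAddresses } |
    Where-Object { $_ -like "smtp:*@$Domain" } |
    ForEach-Object { ([string]$_ -replace '^[sS][mM][tT][pP]:', '').ToLower() } |
    Sort-Object -Unique

# Dynamic distribution groups are not known to DBEB (see the note above), so any
# external mail to them will bounce once the domain is Authoritative.
$ddgs = Get-DynamicDistributionGroup -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress -like "*@$Domain" }
foreach ($ddg in $ddgs) {
    Write-Warning "Dynamic distribution group $($ddg.PrimarySmtpAddress) will be rejected by DBEB for external senders"
}

$missing = $ExpectedAddresses | ForEach-Object { $_.ToLower() } | Where-Object { $_ -notin $known }

if ($missing) {
    Write-Warning "Not ready for DBEB. These addresses would bounce with 550 5.4.1:`n$($missing -join "`n")"
} else {
    # Step 3: switching to Authoritative turns on DBEB for the domain. The EAC asks
    # for confirmation at this point; PowerShell does not.
    Set-AcceptedDomain -Identity $Domain -DomainType Authoritative
    Get-AcceptedDomain -Identity $Domain | Format-List Name, DomainName, DomainType
}
```

Run the comparison more than once after directory synchronization; the note above points out that new recipients must replicate through the service before DBEB honors them, so an address that is missing immediately after a sync may appear a short while later.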
Manage accepted domains in Exchange
Online
Article • 02/22/2023

When you add your domain to Microsoft 365 or Office 365, it's called an accepted
domain. This functionality of an accepted domain means that users in this domain can
send and receive mail. For more information on how to add your domain to Microsoft
365 or Office 365 using the Microsoft 365 admin center, see Add a domain to Microsoft
365 or Office 365.

After you add your domain using the Microsoft 365 admin center, you can use the
Exchange admin center (EAC) to view your accepted domains and configure the domain
type.

There are two types of accepted domains in Exchange Online:

Authoritative: Email is delivered to email addresses that are listed for recipients in
Microsoft 365 or Office 365 for this domain. Emails for unknown recipients are
rejected.

If you just added your domain to Microsoft 365 or Office 365 and you select this
option, it's critical that you add your recipients to Microsoft 365 or Office 365
before setting up mail to flow through the service.

Typically, you use this option when all the email recipients in your domain are
using Microsoft 365 or Office 365. You can also use it if some recipients exist on
your own email servers. However, if recipients exist on your own email servers,
you must add your recipients to this Microsoft 365 or Office 365 domain in
order to make sure that mail is delivered as expected. For more information
about how to manage your recipients, see these topics:
Exchange Online: Manage mail users
Exchange Online Protection: Manage mail users in EOP

Setting this option enables Directory-Based Edge Blocking (DBEB), which rejects
messages for invalid recipients at the service network perimeter. For more
information about configuring DBEB during a migration, see Use Directory-
Based Edge Blocking to reject messages sent to invalid recipients.

Internal relay (also known as non-authoritative): Recipients for this domain can
be in Microsoft 365 or Office 365 or your own email servers. Email is delivered to
known recipients in Office 365 or is relayed to your own email server if the
recipients aren't known to Microsoft 365 or Office 365.

You should not select this option if all of the recipients for this domain are in
Microsoft 365 or Office 365.

If you select this option, you must create a connector for mail flow from
Microsoft 365 or Office 365 to your on-premises email server; otherwise
recipients on the domain who are not hosted in Microsoft 365 or Office 365
won't be able to receive mail on your own email servers. For more information
about setting up connectors, see Set up connectors to route mail between
Microsoft 365 or Office 365 and your own email servers.

This option is required if you enable the subdomain routing option on a domain
in order to let email pass through the service and be delivered to any
subdomains of your accepted domains. For more information, see Enable mail
flow for subdomains in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 10 minutes.

You need permissions before you can perform this procedure or procedures. To
see what permissions you need, see the "Domains" entry in the Feature
permissions in Exchange Online topic.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

View accepted domains

Use the New Exchange admin center (EAC) to view accepted domains
1. Navigate to Mail flow > Accepted domains. The Accepted domains screen
appears.

2. Click the Name, Accepted Domain, or Domain Type column heading to sort
alphabetically in ascending or descending order. By default, accepted domains are
sorted alphabetically by name in ascending order.

Use the Classic EAC to view accepted domains
1. Navigate to Mail flow > Accepted domains.

2. Click the Name, Accepted Domain, or Domain Type column heading to sort
alphabetically in ascending or descending order. By default, accepted domains are
sorted alphabetically by name in ascending order.
Configure the domain type
After you add a domain to your Exchange Online organization in the Microsoft 365
admin center, you can configure the domain type.

Use the EAC to change the domain type

New EAC
1. Navigate to Mail flow > Accepted domains. The Accepted domains screen
appears.

2. Select an accepted domain and click it. The accepted domain's details screen
appears.

3. Under the This accepted domain is section, select the domain type. The possible
values are Authoritative and Internal relay.

If you select Authoritative, you must confirm that you want to enable
Directory-Based Edge Blocking.

If you select Internal Relay, you can enable the match-subdomains to enable
mail flow to all subdomains. For more information, see Enable mail flow for
subdomains in Exchange Online.

4. Click Save.
Classic EAC
1. In the Classic EAC, go to Mail flow > Accepted domains.

2. Select the domain and click Edit .

3. In the Accepted Domain window, under This accepted domain is section, select
the domain type. The possible values are Authoritative and Internal relay.

If you select Authoritative, you must confirm that you want to enable
Directory-Based Edge Blocking.

If you select Internal Relay, you can enable the match-subdomains to enable
mail flow to all subdomains. For more information, see Enable mail flow for
subdomains in Exchange Online.

4. When you're finished, click Save.

Use Exchange Online PowerShell to view accepted domains
To view summary information about all accepted domains, run the following command:

PowerShell

Get-AcceptedDomain

To view details about a specific accepted domain, use the following syntax.

PowerShell

Get-AcceptedDomain -Identity <Name> | Format-List

This example shows details about the accepted domain named contoso.com.

PowerShell

Get-AcceptedDomain -Identity contoso.com | Format-List

Use Exchange Online PowerShell to change the domain type

To configure the domain type, use the following syntax:

PowerShell

Set-AcceptedDomain -Identity <Name> -DomainType <Authoritative | InternalRelay>

This example configures the accepted domain named contoso.com as an internal relay
domain.

PowerShell

Set-AcceptedDomain -Identity contoso.com -DomainType InternalRelay

For detailed syntax and parameter information, see Set-AcceptedDomain.


Enable mail flow for subdomains in
Exchange Online
Article • 02/22/2023

If you have a hybrid environment, with mailboxes hosted both in Exchange Online and
on-premises Exchange, and you have subdomains of the accepted domains that only
exist in your on-premises environment, you can enable email flow to and from these on-
premises subdomains. For example, if you have an accepted domain called
Contoso.com, and you enable match subdomains, users can send email to, or receive
email from all subdomains of Contoso.com that exist in your on-premises environment,
such as marketing.contoso.com and nwregion.contoso.com. In Microsoft Forefront
Online Protection for Exchange (FOPE), this feature was called catch-all domains.

Important

If you have a limited number of subdomains, and know all the subdomain names, we recommend setting up each subdomain as an accepted domain in the Microsoft 365 admin center, instead of using the procedures in this topic. By setting up each subdomain separately, you can have finer control over mail flow and can include unique mail flow rules (also known as transport rules) for each subdomain. For more information about adding a domain in the Microsoft 365 admin center, see Add a domain to Microsoft 365.

In order to enable match subdomains, an accepted domain must be set up as an internal relay domain. For information about setting the domain type to internal relay, see Manage accepted domains in Exchange Online.

In order to send email to public folders within your Exchange Online environment, you need to set the domain type to internal relay if the domain contains recipient addresses assigned to public folders. Directory-Based Edge Blocking cannot be used for public folders.

After you enable match subdomains, in order for the service to deliver mail for all subdomains to your organization's email server (outside Microsoft 365 or Office 365), you must also change the connector that is used for transmitting messages from Office 365 to your organization's email server. For instructions, see Use the EAC to add the domain to the connector used for transmitting messages from Office 365 to your organization's email server.

What do you need to know before you begin?
Estimated time to complete: 5 minutes

You need permissions before you can perform this procedure or procedures. To
see what permissions you need, see the "Domains" entry in the Feature
permissions in Exchange Online topic.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the Exchange admin center (EAC) to set up match subdomains on a domain

Set up match subdomains in the new EAC

1. Navigate to Mail Flow > Accepted domains. The Accepted domains screen
appears.
2. Select an accepted domain and click it. The accepted domain's details screen
appears.

3. Verify that Internal Relay is selected. If Authoritative is selected, change it to Internal Relay.

4. Check the check box for Accept mail for all subdomains.
5. Click Save.

The accepted domain is updated successfully.

Set up match subdomains in the classic EAC

1. Navigate to Mail Flow > Accepted domains, and select the domain. The domain details dialog box is displayed.

2. In the Details pane, verify that Internal Relay is selected.

3. Select Accept mail for all subdomains.

4. Click Save.

Use the EAC to add the domain to the connector used for transmitting messages from Office 365 to your organization's email server

Add the domain connector in the new EAC
1. Navigate to Mail Flow > Connectors.

2. Select a connector that is used for transmitting messages from Office 365 to your
organization's email server.

3. Click the connector. The connector properties screen appears.

4. In the connector properties screen that appears, under Use of connector, click Edit
use.

5. In the Use of connector screen that appears, select Only when email messages are
sent to these domains.

6. In the text box, enter the name of the domain to which you want to apply the
connector. For example, *.contoso.com.

7. Click +.

8. Click Next.

9. In the Validation email screen that appears, In the text box, enter the email of an
active mailbox on your organization's server.

10. Once the validation process is completed, click Save.


Add the domain connector in the classic EAC
1. Navigate to Mail Flow > Connectors.

2. Select a connector that is used for transmitting messages from Office 365 to your
organization's email server.

3. Click the Edit icon. The Edit Connector screen appears.

4. Click Next. The When do you want to use this connector section appears.

5. Select the radio button for Only when email messages are sent to these domains.

6. Click the Add icon. The add domain screen appears.

7. In the text box, enter the name of the domain to which you want to apply the
connector. For example, *.contoso.com.

8. Click OK. The Edit Connector screen reappears. The value *.contoso.com is listed in
the text field.

9. Click Next and navigate through the other screens in the wizard.

10. Click Save on the last screen.

11. Click +.

12. Click Validate. The validation process starts.

13. Once the validation process is completed, click Save.


Use Exchange Online PowerShell to set up
match-subdomains on a domain
To add the match subdomains to a domain that is set up as an internal relay, use this
syntax:

PowerShell

Set-AcceptedDomain -Identity <Domain Name> -MatchSubdomains $true

This example sets up match subdomains for the contoso.com domain.

PowerShell

Set-AcceptedDomain -Identity contoso.com -MatchSubdomains $true

For detailed syntax and parameter information, see Set-AcceptedDomain.
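The EAC procedures above change two objects, the accepted domain and the outbound connector, and forgetting the second one is the usual cause of subdomain mail silently staying in the cloud. The following script is an added example, not part of the original article, that does both steps in Exchange Online PowerShell: it sets the domain to internal relay with match subdomains, appends the wildcard to the connector's recipient domains without removing the existing entries, and validates delivery to a subdomain mailbox. The domain, the connector name, and the validation address are assumptions.

```powershell
# Added example, not from the original article. Assumes a Connect-ExchangeOnline
# session, the accepted domain contoso.com, and an existing outbound connector to
# the on-premises servers. The connector name and the test recipient are assumptions.
$Domain        = "contoso.com"
$ConnectorName = "Outbound to on-premises"
$TestRecipient = "mailtest@marketing.$Domain"   # must be a real mailbox on your own servers

# 1. Match subdomains only works on an internal relay domain. An Authoritative domain
#    would reject every recipient the service does not know, subdomains included.
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay -MatchSubDomains $true

# 2. Add *.contoso.com to the connector's recipient domains, keeping whatever is
#    already there (for example contoso.com itself).
$connector = Get-OutboundConnector -Identity $ConnectorName
$recipientDomains = @($connector.RecipientDomains)
if ($recipientDomains -notcontains "*.$Domain") {
    $recipientDomains += "*.$Domain"
    Set-OutboundConnector -Identity $ConnectorName -RecipientDomains $recipientDomains
}

# 3. Validate that the connector can actually reach a mailbox in a subdomain; this
#    is the same check the EAC runs on the Validation email screen.
Validate-OutboundConnector -Identity $ConnectorName -Recipients $TestRecipient

# 4. Review the result of both changes.
Get-AcceptedDomain   -Identity $Domain        | Format-List Name, DomainName, DomainType, MatchSubDomains
Get-OutboundConnector -Identity $ConnectorName | Format-List Name, Enabled, RecipientDomains, SmartHosts, TlsSettings
```

Because the domain is now internal relay, the service will relay mail for any unknown address under contoso.com and its subdomains to your servers; make sure those servers reject unknown recipients themselves, otherwise they become the place where backscatter and directory-harvest traffic lands.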


Remote domains in Exchange Online
Article • 02/22/2023

There are many reasons why you might want to control the types and the format of
messages that your users send from Exchange Online to recipients in external domains.
For example:

You don't want to let your users forward messages to recipients in other domains.

You work with an organization that you don't want to receive automatic messages
from (for example, non-delivery reports and out-of-office replies).

You have a business partner that's outside your organization, and you'd like that
partner to receive the same out-of-office replies as those received by people inside
your organization.

Your users frequently send email to a company that supports limited email formats,
and you'd like to make sure all emails sent to that organization are sent in a format
that they can read.

To accomplish this, you use what's called a remote domain. The remote domain settings
override settings that your users might configure in Outlook or Outlook on the web
(formerly known as Outlook Web App), or that you configure in the Exchange admin
center (EAC) or Exchange Online PowerShell. For example, users might have an out-of-
office reply set up for people outside the organization, but if a sender from a remote
domain sends mail to them, and the remote domain is not set to receive out-of-office
replies, no out-of-office reply is sent. To change the settings, you can:

Create a remote domain for a specific domain, and set unique properties for emails
sent to that domain.

Modify the settings for the default remote domain. If you have no other remote
domains set up, changes to the default remote domain apply to all external
domains. If you have other remote domains set up, changes to the default remote
domain apply to all other external domains.

For instructions on how to create and configure remote domains, see Manage remote
domains in Exchange Online.

Reducing or increasing information flow to another company

When a message comes from outside your organization, there are several types of
replies that are automatically generated. Some types of replies are set up by users in
Outlook or Outlook on the web, and others are set up by admins. Because the remote
domain settings override settings configured by users, as well as mail user and mail
contact settings configured by admins, you can choose which types of automatic replies
are sent to everyone on a remote domain.

If a remote domain configuration blocks a specific type of reply, like a non-delivery report, from being sent to recipients in that domain, the reply is generated, but then it is deleted before it is sent. No error message is sent. For example, if you turn off automatic forwarding on the default remote domain, when users try to automatically forward email to another domain, they can change their settings or create the Inbox rule, but their messages won't be forwarded.
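The following script is an added example, not part of the original article, showing the two patterns this section describes in Exchange Online PowerShell: restricting the Default remote domain (which governs every external domain without a remote domain of its own) so that user-configured automatic forwarding is silently dropped and only the external out-of-office reply leaks out, and creating a partner remote domain that receives the internal out-of-office reply. It ends with the check a practitioner wants after turning off automatic forwards, because remote domain settings do not apply to forwarding that admins configure on a mailbox or in mail flow rules. The partner domain and names are assumptions.

```powershell
# Added example, not from the original article. Assumes a Connect-ExchangeOnline
# session. The partner domain "fabrikam.com" and the remote domain name are invented.

# 1. Harden the Default remote domain: drop user-configured automatic forwards to any
#    external domain, and send only the out-of-office reply meant for external people.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false -AllowedOOFType External

# 2. Give a trusted partner its own remote domain. Settings here override Default for
#    that domain only: internal out-of-office text, automatic replies, delivery reports.
$partnerDomain = "fabrikam.com"
$partnerName   = "Fabrikam partner"
if (-not (Get-RemoteDomain | Where-Object { $_.DomainName -eq $partnerDomain })) {
    New-RemoteDomain -Name $partnerName -DomainName $partnerDomain | Out-Null
}
Set-RemoteDomain -Identity $partnerName `
    -AllowedOOFType InternalLegacy `
    -AutoReplyEnabled $true `
    -DeliveryReportEnabled $true

# 3. Remote domain settings only govern forwarding that users set up (Inbox rules,
#    Outlook on the web forwarding). Admin-configured forwarding still flows, so
#    audit it separately: mailbox forwarding properties and redirect/copy actions in
#    mail flow rules.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

Get-TransportRule -ResultSize Unlimited |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo

# 4. Review the resulting remote domain table.
Get-RemoteDomain |
    Format-Table Name, DomainName, AutoForwardEnabled, AutoReplyEnabled, AllowedOOFType, DeliveryReportEnabled, NDREnabled -AutoSize
```

Turning AutoForwardEnabled off on Default is a common anti-exfiltration control: an attacker who gains a mailbox often creates an Inbox rule that forwards everything externally, and with this setting those messages are generated and then discarded without any error to the user. The audit in step 3 matters because the same attacker, with admin rights, could instead set ForwardingSmtpAddress or a mail flow rule, neither of which the remote domain setting touches.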

The following table shows the types of replies you can control in a remote domain and
the settings that each remote domain setting overrides.

Type of reply: Out-of-office messages
Description: Specify whether an out-of-office message should be sent to people on the
remote domain, and if so, which message to use. You can select either the reply that the
user on your domain set up for people outside your organization, or the one for people
inside your organization. The default is to send the out-of-office reply for people outside
your organization.
Per-user settings that this remote domain setting overrides: This setting overrides
out-of-office reply settings specified by individual users in Outlook or Outlook on the web.

Type of reply: Automatic replies
Description: Allow or prevent automatic replies to senders on the remote domain. The
default is to allow automatic replies.
Per-user settings that this remote domain setting overrides: This setting overrides
automatic replies set up by admins using the Set-MailboxAutoReplyConfiguration cmdlet.

Type of reply: Automatic forwards
Description: Allow or prevent automatically forwarded messages to be sent to people on
the remote domain. The default is to allow automatic forwarding.
Per-user settings that this remote domain setting overrides: When users configure
automatic forwarding to recipients on a remote domain, the remote domain settings
override users' automatic forwarding settings (messages are blocked if automatic forwards
are disabled for the remote domain). Users can configure automatic forwarding by using
these methods:
  Inbox rules in Outlook or Outlook on the web to forward messages. Learn more about
  Inbox rules in Outlook and Outlook on the web.
  Forwarding options in Outlook on the web. For more information, see Forward email
  from Office 365 to another email account.
Note: When admins use other methods to configure automatic forwarding for users, the
forwarded messages aren't affected by the remote domain settings (messages are
forwarded to recipients on the remote domain even if automatic forwards are disabled for
the remote domain). For example:
  Mail forwarding for a user. For more information, see Configure email forwarding for a
  mailbox.
  Mail flow rules (also known as transport rules) to forward messages. For more
  information, see Mail flow rules (transport rules) in Exchange Online.

Type of reply: Delivery reports
Description: Allow or prevent a delivery receipt to be sent to people on the remote
domain. The default is to allow sending delivery reports.
Per-user settings that this remote domain setting overrides: An email sender on the
remote domain can request a delivery receipt on a message. This remote domain setting
can override the sender's request for a delivery receipt and prevent the delivery receipt
from being sent. For more information about requesting a delivery receipt, see Add
delivery receipt to track an e-mail message.

Type of reply: Non-delivery report
Description: Allow or prevent non-delivery reports (also known as NDRs or bounce
messages) to be sent to people on the remote domain. The default is to allow sending
non-delivery reports.
Per-user settings that this remote domain setting overrides: This remote domain setting
is the only way to prevent non-delivery reports from being sent when a message can't be
delivered.

Type of reply: Meeting forward notifications
Description: Prevent or allow meeting forward notifications to be sent to people on the
remote domain. The default is to prevent sending meeting forward notifications.
Per-user settings that this remote domain setting overrides: Meeting forward
notifications are automatically created and sent to the meeting organizer when a meeting
participant forwards a meeting. Typically, they are sent to meeting organizers only on
domains that are part of your Exchange Online organization. Admins can enable them to be
sent to meeting organizers on the remote domain.
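
The distinction in the Automatic forwards row matters for data exfiltration reviews: the
remote domain setting only stops forwarding that users set up themselves, while
mailbox-level forwarding and mail flow rules configured by admins (or by an attacker who
has obtained admin rights) keep working even when the remote domain disables
auto-forwards. The following script is an added example, not part of the Exchange Online
documentation, that inventories all four paths so that each can be reviewed. It assumes an
Exchange Online PowerShell session opened with Connect-ExchangeOnline and uses only the
cmdlets and properties named on this page (Get-RemoteDomain, Get-Mailbox, Get-InboxRule,
Get-TransportRule); the function name is ours.

```powershell
# Added example (not from the Exchange Online documentation): list every path by which mail
# can be automatically forwarded off the tenant, separating the user-controlled path that the
# remote domain AutoForwardEnabled setting governs from the admin-controlled paths that bypass it.
# Assumes an existing session opened with Connect-ExchangeOnline.

function Get-ExternalForwardingInventory {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Remote domains that still permit user auto-forwarding. The Default domain (*) is the one
    #    that matters most: if it is enabled, every destination without a more specific entry is open.
    Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } | ForEach-Object {
        $isDefault = ($_.DomainName.ToString() -eq '*')
        $detail = if ($isDefault) { 'Default domain: auto-forwarding allowed to every domain without its own remote domain entry' }
                  else            { 'AutoForwardEnabled = True' }
        $findings.Add([pscustomobject]@{
            Path   = 'RemoteDomain'
            Object = $_.Name
            Target = $_.DomainName.ToString()
            Detail = $detail
        })
    }

    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # 2. Admin-configured mailbox forwarding. NOT affected by remote domain settings.
    foreach ($mbx in $mailboxes) {
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            $findings.Add([pscustomobject]@{
                Path   = 'MailboxForwarding'
                Object = $mbx.PrimarySmtpAddress.ToString()
                Target = (@($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) -join ';'
                Detail = "DeliverToMailboxAndForward = $($mbx.DeliverToMailboxAndForward)"
            })
        }
    }

    # 3. User Inbox rules that forward or redirect. These are the rules the remote domain setting
    #    silently drops when auto-forwards are disabled, so they still show who is trying to forward.
    #    (One Get-InboxRule call per mailbox, so this step is slow on large tenants.)
    foreach ($mbx in $mailboxes) {
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress.ToString() |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Path   = 'InboxRule'
                    Object = "$($mbx.PrimarySmtpAddress) / $($_.Name)"
                    Target = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }) -join ';'
                    Detail = "Enabled = $($_.Enabled)"
                })
            }
    }

    # 4. Mail flow (transport) rules that redirect or copy messages. Also NOT affected by remote domain settings.
    Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Path   = 'TransportRule'
            Object = $_.Name
            Target = (@($_.RedirectMessageTo) + @($_.BlindCopyTo) + @($_.CopyTo) | Where-Object { $_ }) -join ';'
            Detail = "State = $($_.State)"
        })
    }

    return $findings
}

Get-ExternalForwardingInventory | Sort-Object Path, Object | Format-Table -AutoSize
```

Review the MailboxForwarding and TransportRule rows first: those are the entries that keep
forwarding even after you set AutoForwardEnabled to $false on the Default remote domain.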

Specifying message format

To make sure that email sent from your Exchange Online organization is compatible with
the receiving messaging system in the remote domain, you can specify the message
format and character set to use for all email messages sent to that remote domain. For
example, if you know that the remote domain is not using Exchange, you can specify to
never use Rich Text Format (RTF). The following table describes the message format
settings.

Setting: Rich Text Format (RTF)
Description: Choose how to format messages:
  Always: Use this value if the remote domain uses Exchange.
  Never: If the remote domain does not use Exchange, use this value.
  Follow user settings: Use message format settings defined by the user. Use this value if
  you don't know what email system the remote domain uses.
The default is to follow the user's settings.
Settings that this overrides: Message format can be defined in several places: Outlook or
Outlook on the web, and the admin can also use the Set-MailContact or Set-MailUser
cmdlets to modify settings per recipient. Remote domain settings override settings
specified by a user or by the admin. For more information about the message formats and
the order of precedence of message format settings, see Message format and transmission
in Exchange Online.

Setting: MIME character set and Non-MIME character set
Description:
  None: Use the character set specified in the message.
  Select a character set from the list: If the message does not have a character set, the
  selected character set is used.
By default, no character sets are specified.
Settings that this overrides: These settings are used only if the message doesn't include a
character set. For a complete list of supported character sets, see Supported character sets
for remote domains.

If you specify a particular message format for the remote domain, the format of the
headers and message content sent to that domain is modified accordingly.

Other settings
You can configure other message settings for remote domains by using Exchange
Online PowerShell. For a complete list of settings, see Set-RemoteDomain.

More information
You can't remove the default remote domain.

You can specify all subdomains when you create a remote domain.
See also
Manage remote domains in Exchange Online
Manage remote domains in Exchange Online
Article • 02/22/2023

Remote domains define settings based on the destination domain of each email
message. All organizations have a default remote domain named "Default" that's
applied to the domain "*". The default remote domain applies the same settings to all
email messages regardless of the destination domain. However, you can configure
specific settings for a specific destination domain.

The following table shows the default values for common settings:

Setting: Out of office replies
Default: Send external out-of-office replies to people on the remote domain.

Setting: Automatic replies
Default: Allow automatic replies or automatically forwarded messages to be sent to people
on the remote domain.

Setting: Delivery and non-delivery reports
Default: Allow delivery and non-delivery reports to be sent to people on the remote domain.

Setting: Meeting forward notifications
Default: Don't allow meeting forward notifications to be sent to people on the remote
domain.

Setting: Rich Text format (RTF)
Default: Follow settings created by each user in Outlook or Outlook on the web (formerly
known as Outlook Web App) when a message is sent to people on the remote domain.

Setting: Supported character set
Default: Do not specify a MIME or non-MIME character set if the character set isn't
specified in the message sent to the remote domain.

For information about when to configure remote domains, descriptions of the available
settings, and information about how remote domain settings override per-user settings,
see Remote domains in Exchange Online.

What do you need to know before you begin?

Estimated time to complete each procedure: 5 minutes.
You need permissions before you can perform this procedure or procedures. To
see what permissions you need, see the "Mail flow" entry in the Feature
permissions in Exchange Online topic.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Create and configure remote domains

Note

If you create a remote domain for a specific destination domain, and a setting
for the specific remote domain conflicts with the same setting in the default
remote domain, the setting for the specific remote domain overrides the
setting in the default remote domain.
Once you've created a remote domain, you can't change or replace the
domain inside the remote domain. Instead, create and configure a new
remote domain with the new domain name.

Use the EAC to create and configure a remote domain

New EAC

1. Go to Mail flow > Remote domains. The Remote domain screen appears.

2. Click + Add a remote domain. The Name the domain screen appears.

3. In the Name text box, enter a descriptive name for the domain.
4. In the Remote Domain text box, enter the full domain name. Use the wildcard
character (*) for all subdomains of a specified domain, for example, *.contoso.com.

5. Click Next. The Email reply types screen appears.

6. Define the following settings:

In the Out of Office reply types section, specify which type of out-of-office replies
should be sent to people at this domain.

In the Automatic replies section, specify whether you want to allow automatic
replies, automatic forwarding, or both.

7. Click Next. The Message reporting screen appears.

8. Specify whether you want to allow delivery reports and non-delivery reports by
checking the respective check boxes.

9. Click Next. The Text and character set screen appears.

10. Define the following settings:

In the Use Rich-text format pane, specify whether to follow each user's
message settings, or whether to always or never preserve RTF formatting.
Selecting Never means that RTF messages are sent as plain text or HTML.
In the Supported Character Set pane, specify which character set to use (if
the message doesn't specify the character set) by choosing from the MIME
character set or Non-MIME character set drop-down list.

11. Click Next. The Review screen appears.

12. Review the remote domain settings, and click Save.

The new remote domain is created and added to the list.

Classic EAC

1. Go to Mail flow > Remote domains.

2. To create a new domain:

a. Click New.
b. In the Name box, enter a descriptive name for the domain.
c. In the Remote Domain box, enter the full domain name. Use the wildcard
character (*) for all subdomains of a specified domain, for example,
*.contoso.com.
3. To change settings for the default domain, select Default, and then select Edit.

4. Select the options you want:

In the Out of Office reply types section, specify which type of out-of-office
replies should be sent to people at this domain.
In the Automatic replies section, specify whether you want to allow
automatic replies, automatic forwarding, or both.
In the Message reporting section, specify:
Whether you want to allow delivery reports and non-delivery reports.
If a meeting set up by someone on the remote domain is forwarded to
another person in your organization, whether the notification message
should go to the meeting organizer on the remote domain.
In the Use Rich-text format section, specify whether to follow each user's
message settings, or whether to always or never preserve RTF formatting.
Selecting Never means that RTF messages are sent as plain text or HTML.
In the Supported Character Set area, specify which character set to use if the
message doesn't specify the character set.

5. Click Save. If you created a new remote domain, it is added to the list.

Remove remote domains

Note

You can't remove the default remote domain.
When you remove a remote domain, the default remote domain settings will
then apply to messages sent to that domain.
Removing a remote domain doesn't disable mail flow to the remote domain.

Use the EAC to remove a remote domain

New EAC

1. Go to Mail flow > Remote domains. The Remote domain screen appears.

2. Select a remote domain, and then click Delete.

3. In the warning dialog box, click Confirm. The remote domain is deleted.

Classic EAC

1. Go to Mail flow > Remote domains.

2. Select a remote domain, and then click Delete.

3. In the warning dialog box, select Yes.

Use Exchange Online PowerShell to create and configure a remote domain

After you create the remote domain, you can configure the settings (you can't create the
remote domain and configure the settings in one step).

Step 1: Create the remote domain

To create a new remote domain, use the following syntax:

PowerShell

New-RemoteDomain -Name "<Unique Name>" -DomainName <single SMTP domain | domain with subdomains>

This example creates a remote domain for messages sent to the contoso.com domain.

PowerShell

New-RemoteDomain -Name Contoso -DomainName contoso.com

This example creates a remote domain for messages sent to the contoso.com domain
and all its subdomains.

PowerShell

New-RemoteDomain -Name "Contoso and subdomains" -DomainName *.contoso.com

For detailed syntax and parameter information, see New-RemoteDomain.

Step 2: Configure the remote domain settings


To configure the settings for a remote domain, use the following syntax:

PowerShell
Set-RemoteDomain -Identity <Name> [-AllowedOOFType <External | InternalLegacy | ExternalLegacy | None>] [-AutoForwardEnabled <$true | $false>] [-AutoReplyEnabled <$true | $false>] [-CharacterSet <SupportedCharacterSet>] [-DeliveryReportEnabled <$true | $false>] [-NDREnabled <$true | $false>] [-MeetingForwardNotificationEnabled <$true | $false>] [-NonMimeCharacterSet <SupportedCharacterSet>] [-TNEFEnabled <$true | $false | $null>]

This example disables automatic replies, automatic forwarding, and out-of-office replies
to recipients at all remote domains that aren't specified with their own remote domain.

PowerShell

Set-RemoteDomain -Identity Default -AutoReplyEnabled $false -AutoForwardEnabled $false -AllowedOOFType None

This example sends internal out-of-office replies to users at the remote domain named
Contoso.

PowerShell

Set-RemoteDomain -Identity Contoso -AllowedOOFType InternalLegacy

This example prevents delivery reports and non-delivery reports from being sent to
users at Contoso.

PowerShell

Set-RemoteDomain -Identity Contoso -DeliveryReportEnabled $false -NDREnabled $false

This example sends all messages to Contoso using Transport Neutral Encapsulation
Format (TNEF) encoding, rather than MIME encoding. Using TNEF preserves Rich Text
Format in messages.

PowerShell

Set-RemoteDomain -Identity Contoso -TNEFEnabled $true

This example sends all messages to Contoso using MIME encoding, which means that all
RTF messages are always converted to HTML or plain text.

PowerShell

Set-RemoteDomain -Identity Contoso -TNEFEnabled $false


This example uses the message-format settings the user has defined in Outlook or
Outlook on the web for encoding messages.

PowerShell

Set-RemoteDomain -Identity Contoso -TNEFEnabled $null

This example uses the Korean (ISO) character set for MIME messages sent to Contoso.

PowerShell

Set-RemoteDomain -Identity Contoso -CharacterSet iso-2022-kr

This example specifies using the Unicode character set for non-MIME messages sent to
Contoso.

PowerShell

Set-RemoteDomain -Identity Contoso -NonMimeCharacterSet utf-8

For detailed syntax and parameter information, see Set-RemoteDomain.
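
The individual commands above are usually combined into one repeatable change: tighten
the Default remote domain, then carve out an explicit exception for a partner that needs
different behaviour. The script below is an added example, not part of the Exchange Online
documentation. It respects two constraints this article states: a remote domain must be
created before it can be configured, and the DomainName of an existing remote domain can't
be changed afterwards, so the script creates the partner entry only if it is missing and
refuses to continue if an entry with that name points at a different domain. It assumes a
session opened with Connect-ExchangeOnline; the partner name and domain are placeholders.

```powershell
# Added example (not from the Exchange Online documentation): apply a restrictive baseline to
# the Default remote domain, create a partner-specific remote domain idempotently, and verify.
# Assumes Connect-ExchangeOnline has been run. The name and domain below are placeholders.

$partnerName   = 'Contoso Partner'   # placeholder
$partnerDomain = 'contoso.com'       # placeholder

# 1. Baseline for every destination not covered by a more specific remote domain:
#    no user-configured auto-forwards, no automatic replies, no out-of-office replies.
#    NDRs are left enabled on purpose; disabling them also hides bounces from legitimate senders.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false -AutoReplyEnabled $false -AllowedOOFType None

# 2. Create the partner remote domain only if it doesn't exist yet. If a remote domain with this
#    name exists but covers a different domain, stop: DomainName can't be edited in place.
$existing = Get-RemoteDomain -Identity $partnerName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-RemoteDomain -Name $partnerName -DomainName $partnerDomain | Out-Null
} elseif ($existing.DomainName.ToString() -ne $partnerDomain) {
    throw "Remote domain '$partnerName' exists but covers '$($existing.DomainName)', not '$partnerDomain'. Create a new remote domain with a new name instead."
}

# 3. Partner-specific settings: this partner runs Exchange, so send TNEF, allow internal-style
#    out-of-office replies, and allow user auto-forwarding to this domain only.
Set-RemoteDomain -Identity $partnerName -TNEFEnabled $true -AllowedOOFType InternalLegacy -AutoForwardEnabled $true

# 4. Verify the result. The partner entry should differ from Default exactly where intended.
Get-RemoteDomain |
    Select-Object Name, DomainName, AutoForwardEnabled, AutoReplyEnabled, AllowedOOFType, NDREnabled, TNEFEnabled |
    Format-Table -AutoSize
```

Run step 4 on its own after any change; the specific remote domain wins over Default for the
settings it defines, so the table is the quickest way to see which exceptions are in force.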

Use Exchange Online PowerShell to remove a remote domain

To remove a remote domain, use the following syntax:

PowerShell

Remove-RemoteDomain -Identity <Remote Domain Name>

This example removes the remote domain named Contoso.

PowerShell

Remove-RemoteDomain -Identity Contoso

For detailed syntax and parameter information, see Remove-RemoteDomain.


Supported character sets for remote domains in Exchange Online
Article • 02/22/2023

Remote domains define settings based on the destination domain of each email
message. All organizations have a default remote domain named "Default" that's
applied to the domain "*". The default remote domain applies the same settings to all
email messages regardless of the destination domain. However, you can configure
specific settings for a specific destination domain.

For more information about remote domains, see Remote domains in Exchange Online.

For remote domain procedures, see Manage remote domains in Exchange Online.

The following table describes the character sets that you can configure in remote
domains.

New Exchange admin center (EAC)


1. Navigate to Mail flow > Remote domains. The Remote domains screen appears.

2. Click + Add a remote domain.

The Name the domain screen appears.

3. Provide a name for the domain and the remote domain in their respective text
boxes.

4. Click Next. The Email reply types screen appears.

5. Configure the 'automatic email reply types' settings by choosing one of the
following options:

None
Allow only external out of office replies
Allow internal out of office replies

6. Click Next. The Message reporting screen appears.

7. Configure the message-reporting settings by choosing from the following options:

Allow delivery reports
Allow non-delivery reports
Allow meeting forward notifications

Note

You can choose one or more options.

8. Click Next. The Text and character set screen appears.

9. Configure the format and delivery method of email messages. Do this task by
choosing any of the options in the following panes:

Use rich-text format


Supported Character Set

10. Click Next. The Review screen appears.

11. Review the settings you configured, and click Save. The new remote domain is created
and added to the list.

Classic EAC
Navigate to Mail flow > Remote domains. Click New to create a new remote
domain or select the existing remote domain and click Edit . In the settings
window that opens, use the MIME character set and Non-MIME character set
drop-down lists to select the character set.

In Exchange Online PowerShell, use the value in the Name column in the following
table for the CharacterSet parameter or NonMimeCharacterSet parameter on the
Set-RemoteDomain cmdlet.

Name Description

big5 Chinese Traditional (Big5)

DIN_66003 German (IA5)

euc-jp Japanese (EUC)

euc-kr Korean (EUC)

GB18030 Chinese Simplified (GB18030)

gb2312 Chinese Simplified (GB2312)

hz-gb-2312 Chinese Simplified (HZ)

iso-2022-jp Japanese (JIS)

iso-2022-kr Korean (ISO)

iso-8859-1 Western European (ISO)

iso-8859-2 Central European (ISO)

iso-8859-3 Latin 3 (ISO)

iso-8859-4 Baltic (ISO)

iso-8859-5 Cyrillic (ISO)

iso-8859-6 Arabic (ISO)

iso-8859-7 Greek (ISO)

iso-8859-8 Hebrew (ISO)

iso-8859-9 Turkish (ISO)

iso-8859-13 Estonian (ISO)

iso-8859-15 Latin 9 (ISO)

koi8-r Cyrillic (KOI8-R)

koi8-u Cyrillic (KOI8-U)

ks_c_5601-1987 Korean (Windows)

NS_4551-1 Norwegian (IA5)

SEN_850200_B Swedish (IA5)

shift_jis Japanese (Shift-JIS)

utf-8 Unicode (UTF-8)

windows-1250 Central European (Windows)

windows-1251 Cyrillic (Windows)

windows-1252 Western European (Windows)

windows-1253 Greek (Windows)

windows-1254 Turkish (Windows)

windows-1255 Hebrew (Windows)

windows-1256 Arabic (Windows)

windows-1257 Baltic (Windows)

windows-1258 Vietnamese (Windows)

windows-874 Thai (Windows)


Message format and transmission in Exchange Online
Article • 02/22/2023

There are settings in Outlook, Outlook on the web, and Exchange Online that control the
format of email messages and how they are sent to people on other domains. The
default settings work in most cases. If specific recipients have trouble reading messages
sent from your organization, you can adjust the settings for individual users, or for all
users on a specific domain. For example, you can prevent recipients from receiving a
winmail.dat attachment.

There are two types of settings you can use:

Message format: When a user creates a message, they can choose the message
format in which to author the message. In Outlook, they have a choice between
plain text, HTML, and rich-text format. In Outlook on the web (formerly known as
Outlook Web App) they have a choice between plain text and HTML.

Message transmission: This means how the message is actually sent to the other
email system. Exchange can send messages to other domains by using
Multipurpose Internet Mail Extensions (MIME) or Transport Neutral Encapsulation
Format (TNEF). All three message formats can be sent using TNEF. Only HTML and
plain text can be sent using MIME. Message transmission format can be set by an
admin per domain or per recipient, and users can also specify message
transmission format.

Message formats
The following list describes the three message formats available in Exchange Online, and
shows which ones are available in Outlook and Outlook on the web:

Format: Plain text
Description: A plain text message uses only US-ASCII text as described in RFC 2822. The
message can't contain different fonts or other text formatting.
Available in Outlook: Yes
Available in Outlook on the web: Yes

Format: HTML
Description: An HTML message supports text formatting, background images, tables, bullet
points, and other graphical elements.
Available in Outlook: Yes
Available in Outlook on the web: Yes

Format: Rich text format (RTF)
Description: RTF supports text formatting and other graphical elements. Only Outlook,
Outlook on the web, and a few other MAPI email clients understand RTF messages. Note that
RTF messages encrypted with S/MIME have limitations and are prone to conversion issues
(for example, during journaling delivery).
Available in Outlook: Yes
Available in Outlook on the web: Can read messages formatted in RTF, but can't format or
send this format.

Message transmission formats for mail sent to external recipients

The following table describes the message transmission formats that Exchange Online
uses to send email messages to external recipients.

Transmission format: Transport Neutral Encapsulation Format (TNEF)
Description: TNEF is a Microsoft-specific format for transmitting formatted email messages.
A TNEF message contains a plain text version of the message and an attachment that
packages the original formatted version of the message. Typically, this attachment is named
Winmail.dat. The Winmail.dat attachment includes formatting, attachments, and
Outlook-specific features such as meeting requests. An email client that fully understands
TNEF, such as Outlook, processes the Winmail.dat attachment and displays the original
message content without ever displaying the Winmail.dat attachment. An email client that
doesn't understand TNEF may present a TNEF message in any of the following ways:
  The plain text version of the message is displayed, and the message contains an
  attachment named Winmail.dat, Win.dat, or some other generic name such as
  Att_nnnnn_.dat or Att_nnnnn_.eml where the nnnnn placeholder represents a random
  number.
  The plain text version of the message is displayed. The TNEF attachment is ignored or
  removed. The result is a plain text message.
There are third-party utilities that can help convert Winmail.dat attachments.

Transmission format: Multipurpose Internet Mail Extensions (MIME)
Description: MIME is an internet standard that supports text in character sets other than
ASCII, non-text attachments, message bodies with multiple parts, and header information in
non-ASCII character sets.

Message format and transmission settings

Admins and users can control message formatting and transmission. Admin settings
override user settings.

Admins can control the following settings:

Remote domain settings: Remote domain settings control the format of messages
sent to people on the remote domain. You can control the format for a specific
external domain, or for all external domains. For more information about remote
domains, see Remote domains in Exchange Online. The remote domain settings
override the per-user settings set by admins or users.

Mail user and mail contact settings: You can change settings for individual
recipients by changing settings for specific mail users or mail contacts. Mail users
and mail contacts are similar because both have external email addresses and
contain information about people outside the Exchange Online organization. The
main difference is mail users have user IDs that can be used to sign in to the
Exchange Online organization. When an admin changes a per-recipient setting, it
overrides settings that a user sets for that recipient. For more information about
the admin settings, see Manage mail users and Manage mail contacts.

Users can control the following settings:

Outlook settings: In Outlook, you can set the message formatting and encoding
options described in the following list:

Message format: You can set the default message format for all messages. You
can override the default message format as you compose a specific message.

Internet message format: You can control whether TNEF messages are sent to
remote recipients or whether they are first converted to a more compatible
format. You can also specify various message encoding options for messages
sent to remote recipients. These settings don't apply to messages sent to
recipients in the Exchange Online organization.

Internet recipient message format: You can control whether TNEF messages are
sent to specific recipients or whether they are first converted to a more
compatible format. You can set the options for specific contacts in your
Contacts folder, and you can override these options for a specific recipient in
the To, Cc, or Bcc fields as you compose a message. These options aren't
available for recipients in the Exchange Online organization.

Internet recipient message encoding options: You can control the MIME or
plain text encoding options for specific contacts in your Contacts folder, and
you can override these options for a specific recipient in the To, Cc, or Bcc fields
as you compose a message. These options aren't available for recipients in the
Exchange Online organization.

International options: You can control the character sets used in messages.

For more information about Outlook settings, see Change the message format in
Outlook .

Outlook on the web settings: You can set the default message format for all
messages. You can override the default message format as you compose a specific
message.
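
When a recipient complains about a winmail.dat attachment, the question is which of the
three layers above decided on TNEF for that recipient. The function below is an added
example, not part of the Exchange Online documentation, that walks the precedence this
article describes: the matching remote domain first (TNEFEnabled $true or $false decides;
$null means follow user settings), then the per-recipient UseMapiRichTextFormat value on a
mail contact or mail user, then the sender's own client choice. It assumes a session opened
with Connect-ExchangeOnline. One assumption is ours rather than the page's: that the most
specific matching remote domain applies (exact domain, then a *.domain wildcard entry,
then Default), which follows from this article's statement that a specific remote domain
overrides Default. The recipient address is a placeholder.

```powershell
# Added example (not from the Exchange Online documentation): report which setting decides
# whether mail to an external recipient is transmitted as TNEF (winmail.dat) or MIME.
# Assumes Connect-ExchangeOnline has been run. Matching order (exact > wildcard > Default)
# is our assumption; the recipient address used at the bottom is a placeholder.

function Resolve-TnefDecision {
    param(
        [Parameter(Mandatory)][string]$RecipientAddress,
        [ValidateSet('TNEF', 'MIME')][string]$ClientChoice = 'MIME'   # what the sender's Outlook would do on its own
    )

    $domain = ($RecipientAddress -split '@')[-1].ToLowerInvariant()
    $remoteDomains = Get-RemoteDomain

    # 1. Find the remote domain that governs this destination.
    $match = $remoteDomains | Where-Object { $_.DomainName.ToString().ToLowerInvariant() -eq $domain } | Select-Object -First 1
    if (-not $match) {
        # Wildcard entries such as *.contoso.com cover contoso.com and all its subdomains.
        $match = $remoteDomains |
            Where-Object { $_.DomainName.ToString().StartsWith('*.') } |
            Where-Object { $base = $_.DomainName.ToString().Substring(2).ToLowerInvariant(); ($domain -eq $base) -or $domain.EndsWith(".$base") } |
            Sort-Object { $_.DomainName.ToString().Length } -Descending |
            Select-Object -First 1
    }
    if (-not $match) {
        $match = $remoteDomains | Where-Object { $_.DomainName.ToString() -eq '*' } | Select-Object -First 1
    }

    # 2. Remote domain wins whenever it takes a position ($true = Always, $false = Never).
    if ($null -ne $match.TNEFEnabled) {
        $decidedBy = "Remote domain '$($match.Name)' (TNEFEnabled = $($match.TNEFEnabled))"
        $result    = if ($match.TNEFEnabled) { 'TNEF' } else { 'MIME' }
    }
    else {
        # 3. "Follow user settings": an admin's per-recipient setting on a mail contact or mail user comes next.
        $perRecipient = $null
        $recipient = Get-Recipient -Identity $RecipientAddress -ErrorAction SilentlyContinue
        if ($recipient) {
            $perRecipient = switch ("$($recipient.RecipientType)") {
                'MailContact' { "$((Get-MailContact -Identity $RecipientAddress).UseMapiRichTextFormat)" }
                'MailUser'    { "$((Get-MailUser    -Identity $RecipientAddress).UseMapiRichTextFormat)" }
                default       { $null }
            }
        }
        if ($perRecipient -and $perRecipient -ne 'UseDefaultSettings') {
            $decidedBy = "Recipient object for '$RecipientAddress' (UseMapiRichTextFormat = $perRecipient)"
            $result    = if ($perRecipient -eq 'Always') { 'TNEF' } else { 'MIME' }
        }
        else {
            # 4. Nothing above took a position, so the sender's Outlook / Outlook on the web setting applies.
            $decidedBy = 'Sender client setting'
            $result    = $ClientChoice
        }
    }

    [pscustomobject]@{
        Recipient    = $RecipientAddress
        RemoteDomain = $match.Name
        Transmission = $result
        DecidedBy    = $decidedBy
    }
}

Resolve-TnefDecision -RecipientAddress 'partner@contoso.com' -ClientChoice TNEF   # placeholder recipient
```

The DecidedBy column tells you where to fix the problem: Set-RemoteDomain -TNEFEnabled
$false for a whole domain, Set-MailContact or Set-MailUser -UseMapiRichTextFormat Never
for one recipient, or the sender's Outlook settings if neither admin layer took a position.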

Configure the external postmaster address in Exchange Online
Article • 02/22/2023

The external postmaster address is used as the sender for system-generated messages
and notifications sent to message senders that exist outside your Microsoft Exchange
Online organization. An external sender is any sender that has an email address in a
domain that isn't configured as an accepted domain in your organization.

By default, the value of the external postmaster address setting is blank. This default
value sets the external postmaster address to the value postmaster@<Default accepted
domain> for your organization.

There's no mailbox associated with the postmaster@<Default accepted domain> email
address.

What do you need to know before you begin?

Estimated time to complete: 15 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mail flow" entry in the
Feature permissions in Exchange Online topic.

You can only use Exchange Online PowerShell to perform this procedure. To learn
how to connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Use Exchange Online PowerShell to configure the external postmaster address

To configure the external postmaster address, use the following syntax:

PowerShell

Set-TransportConfig -ExternalPostmasterAddress <EmailAddress>

This example sets the external postmaster address to the value postmaster@contoso.com .

PowerShell
Set-TransportConfig -ExternalPostmasterAddress postmaster@contoso.com

This example returns the external postmaster address to the default value.

PowerShell

Set-TransportConfig -ExternalPostmasterAddress $null

How do you know this worked?

To verify that you have successfully configured the external postmaster address, do the
following:

1. Run the following command to verify the property value:

PowerShell

Get-TransportConfig | Format-List ExternalPostmasterAddress

A blank value indicates the default value postmaster@<Default accepted domain>.

2. From an external email account, send a message to your Exchange organization
that will generate a non-delivery report (also known as an NDR or bounce
message). For example, you can configure a mail flow rule (also known as a
transport rule) to send an NDR for a message from that sender that contains
specific keywords. Verify that the sender's email address in the DSN matches the
external postmaster address you specified.
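
Because the external postmaster address is the sender of every NDR and system message that
leaves your organization, it should be an address in a domain you own, so that those
messages can be authenticated (SPF, DKIM) by receivers and so that replies to them arrive
somewhere you control. The following function is an added example, not part of the
Exchange Online documentation: it refuses any address whose domain is not one of the
tenant's accepted domains, applies the setting, and reads it back the same way the
verification step above does. It assumes a session opened with Connect-ExchangeOnline and
uses Get-AcceptedDomain in addition to the Set-TransportConfig and Get-TransportConfig
cmdlets shown on this page; the address at the bottom is a placeholder.

```powershell
# Added example (not from the Exchange Online documentation): set ExternalPostmasterAddress
# only when its domain is an accepted domain of this tenant, then confirm the stored value.
# Assumes Connect-ExchangeOnline has been run. The address used at the bottom is a placeholder.

function Set-ValidatedExternalPostmaster {
    param([Parameter(Mandatory)][string]$Address)

    if ($Address -notmatch '^[^@\s]+@[^@\s]+$') {
        throw "'$Address' is not a single SMTP address."
    }
    $domain = ($Address -split '@')[-1]

    # Accepted domains are the domains this organization receives mail for; anything else
    # would produce NDRs from a domain you can't authenticate or receive replies at.
    $accepted = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $domain } | Select-Object -First 1
    if (-not $accepted) {
        throw "'$domain' is not an accepted domain in this organization; refusing to use it as the external postmaster address."
    }

    Set-TransportConfig -ExternalPostmasterAddress $Address

    # Read it back. A blank value would mean the default postmaster@<Default accepted domain>.
    $current = (Get-TransportConfig).ExternalPostmasterAddress
    if ("$current" -ne $Address) {
        throw "ExternalPostmasterAddress is '$current' after the change, expected '$Address'."
    }

    [pscustomobject]@{
        ExternalPostmasterAddress = "$current"
        AcceptedDomain            = $accepted.DomainName.ToString()
        IsDefaultAcceptedDomain   = $accepted.Default
    }
}

Set-ValidatedExternalPostmaster -Address 'postmaster@contoso.com'   # placeholder address
```

To return to the default behaviour, run Set-TransportConfig -ExternalPostmasterAddress $null
as shown above; the validation function deliberately does not accept a blank value so that
the two operations stay distinct in change records.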

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange
Online or Exchange Online Protection .

Manage all mailboxes and mail flow using Microsoft 365 or Office 365
Article • 02/22/2023

Summary: How to use hosted mail flow with Microsoft 365 or Office 365.

For most organizations, we recommend using hosted mail flow because it's the simplest
configuration, in which Microsoft 365 or Office 365 manages all mailboxes and filtering.
This simple configuration makes it easy to set up and manage mail flow.

Manage all mailboxes and mail flow using Microsoft 365 or Office 365 (recommended)

Hosted mail flow scenarios

I'm a new Microsoft 365 or Office 365 customer, and all my users' mailboxes are in
Microsoft 365 or Office 365. I want to use all filtering solutions that Office 365
offers.

I'm a new Microsoft 365 or Office 365 customer. I have an existing email service,
but I plan to immediately move all existing mailboxes to the cloud. I want to use all
filtering solutions that Microsoft 365 and Office 365 offer.

For this scenario, your organization's mail flow setup looks like the following diagram:

Best practices for hosted mail flow scenarios

To set up hosted mail flow, we recommend using the Microsoft 365 setup wizard. To get
to the Microsoft 365 setup wizard, go to Setup in the Microsoft 365 admin center.

The Microsoft 365 setup wizard walks you through the following steps.

1. Add your custom domains in Microsoft 365 or Office 365. To prove that you own
the domains, follow the instructions in Add a domain to Microsoft 365.

2. Create user mailboxes in Exchange Online or move all users' mailboxes to
Microsoft 365 or Office 365.

3. Update the DNS records for the domains that you added in step 1. (Not sure how
to do this task? Follow the instructions on this page.)

The following DNS records control mail flow:

MX record - Point your MX record to Microsoft 365 or Office 365 in the
following format: <domainKey>.mail.protection.outlook.com.

For example, the domain contoso.com should have the MX record
contoso-com.mail.protection.outlook.com.

SPF record - This record is a special TXT record in DNS that identifies a
service as a valid sender for a particular domain. Because Microsoft 365 and
Office 365 are sending all your messages, list only Microsoft 365 or Office 365
as a valid sender for your domain. To do that, add an SPF record for your
domain in the following format:
text

v=spf1 include:spf.protection.outlook.com -all
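
Once the records are published, check them from outside the tenant rather than trusting
the admin center's view. The function below is an added example, not part of the Exchange
Online documentation. It resolves the MX and TXT records for a domain with Resolve-DnsName
(from the Windows DnsClient module, so no Exchange Online session is needed) and checks
that every MX host ends with .mail.protection.outlook.com, that exactly one v=spf1 record
exists (more than one is a permanent SPF error), that it contains
include:spf.protection.outlook.com, and that it ends with -all. The same function also
serves the third-party filtering scenario later on this page: pass -ExpectedMxSuffix with
your filtering provider's host suffix when the MX is meant to point there instead. The
domain at the bottom is a placeholder.

```powershell
# Added example (not from the Exchange Online documentation): verify the MX and SPF records
# that hosted mail flow (or, with -ExpectedMxSuffix, third-party filtering) requires.
# Uses Resolve-DnsName from the Windows DnsClient module. contoso.com is a placeholder.

function Test-MailFlowDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$ExpectedMxSuffix   = '.mail.protection.outlook.com',
        [string]$RequiredSpfInclude = 'include:spf.protection.outlook.com'
    )

    # MX: every MX host must end with the expected suffix (a stray extra MX is a filtering bypass).
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop | Where-Object { $_.QueryType -eq 'MX' }
    $mxHosts = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.').ToLowerInvariant() })
    $badMx   = @($mxHosts | Where-Object { -not $_.EndsWith($ExpectedMxSuffix.ToLowerInvariant()) })
    $mxOk    = ($mxHosts.Count -gt 0) -and ($badMx.Count -eq 0)

    # SPF: exactly one v=spf1 TXT record, with the required include and a hard fail at the end.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop | Where-Object { $_.QueryType -eq 'TXT' }
    $spf = @($txt | ForEach-Object { ($_.Strings -join '') } | Where-Object { $_ -like 'v=spf1 *' })
    $hasInclude = ($spf.Count -ge 1) -and ($spf[0] -match [regex]::Escape($RequiredSpfInclude))
    $hardFail   = ($spf.Count -ge 1) -and ($spf[0].TrimEnd() -match '-all$')
    $spfOk      = ($spf.Count -eq 1) -and $hasInclude -and $hardFail

    $issues = @(
        if ($mxHosts.Count -eq 0) { 'no MX record found' }
        if ($badMx.Count -gt 0)   { "MX host(s) outside *$ExpectedMxSuffix: $($badMx -join ', ')" }
        if ($spf.Count -ne 1)     { "expected exactly one v=spf1 record, found $($spf.Count)" }
        if ($spf.Count -ge 1 -and -not $hasInclude) { "SPF lacks $RequiredSpfInclude" }
        if ($spf.Count -ge 1 -and -not $hardFail)   { 'SPF does not end with -all (~all or ?all lets spoofed mail through more easily)' }
    )

    [pscustomobject]@{
        Domain  = $Domain
        MxHosts = $mxHosts -join ', '
        MxOk    = $mxOk
        Spf     = $spf -join ' | '
        SpfOk   = $spfOk
        Issues  = $issues -join '; '
    }
}

Test-MailFlowDns -Domain 'contoso.com'   # placeholder domain
```

Run it from a machine outside your network as well; a split-horizon DNS setup can make the
records look correct internally while the public zone still points at the old mail system.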

For a full list of setup instructions, check out Set up Microsoft 365 for business or
Deploy Office 365 Enterprise for your organization.

See also
Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)

Manage mail flow using a third-party cloud service

Manage mail flow with mailboxes in multiple locations

Manage mail flow using a third-party cloud service with mailboxes on Microsoft 365 or
Office 365 and on-prem

Troubleshoot mail flow

Test mail flow by validating your connectors


Manage mail flow using a third-party cloud service with Exchange Online
Article • 02/22/2023

This topic covers the following complex mail flow scenarios using Exchange Online:

Scenario 1 - MX record points to third-party spam filtering

Scenario 2 - MX record points to third-party solution without spam filtering

Note

Examples in this topic use the fictitious organization, Contoso, which owns the
domain contoso.com and is a tenant in Exchange Online. This is just an example.
You can adapt this example to fit your organization's domain name and third-party
service IP addresses where necessary.

Using a third-party cloud service with Microsoft 365 or Office 365

Scenario 1 - MX record points to third-party spam filtering

Important

Microsoft strongly recommends that you enable Enhanced Filtering for Connectors or
bypass filtering completely using a mail flow rule (see point 5). If you don't, inbound
email to your organization will be misclassified, because the filtering service sees the
third-party service's IP addresses rather than the original senders', and the Office 365
email and protection features will give a subpar experience.

I plan to use Exchange Online to host all my organization's mailboxes. My organization uses a third-party cloud service for spam, malware, and phish filtering. All email from the internet must first be filtered by this third-party cloud service before being routed to Microsoft 365 or Office 365.

For this scenario, your organization's mail flow setup looks like the following diagram:
Best practices for using a third-party cloud filtering service with
Microsoft 365 or Office 365

1. Add your custom domains in Microsoft 365 or Office 365. To prove that you own
the domains, follow the instructions in Add a domain to Microsoft 365.

2. Create user mailboxes in Exchange Online or move all users' mailboxes to Microsoft 365 or Office 365.

3. Update the DNS records for the domains that you added in step 1. (Not sure how
to do this? Follow the instructions on this page.) The following DNS records control
mail flow:

MX record: Your domain's MX record must point to your third-party service provider. Follow their guidelines for how to configure your MX record.

SPF record: All mail sent from your domain to the internet originates in
Microsoft 365 or Office 365, so your SPF record requires the standard value
for Microsoft 365 or Office 365:

text

v=spf1 include:spf.protection.outlook.com -all

You would only need to include the third-party service in your SPF record if your organization sends outbound internet email through the service (where the third-party service would be a source for email from your domain).

When you're configuring this scenario, the "host" that you need to configure to receive email from the third-party service is specified in the MX record. For example, the Microsoft 365 or Office 365 host name shown for a domain might be hubstream-mx.mail.protection.outlook.com. This value varies from domain to domain, so confirm your actual value at Configuration > Domain > <select domain>.

4. Lock down your Exchange Online organization to only accept mail from your third-
party service.

Create and configure a Partner inbound connector using either the TlsSenderCertificateName (preferred) or SenderIpAddresses parameter, then set the corresponding RestrictDomainsToCertificate or RestrictDomainsToIPAddresses parameter to $True. Any messages that are smart-host routed directly to Exchange Online will be rejected (because they didn't arrive over a connection using the specified certificate or from the specified IP addresses).

For example:

PowerShell

# TlsSenderCertificateName must match the subject name of the certificate that the
# third-party service presents when it connects to Exchange Online.
New-InboundConnector -Name "Reject mail not routed through MX (third-party service name)" -ConnectorType Partner -SenderDomains * -RestrictDomainsToCertificate $true -TlsSenderCertificateName *.contoso.com -RequireTls $true

or

PowerShell

# SenderIpAddresses takes a comma-separated list of individual IP addresses or CIDR ranges.
New-InboundConnector -Name "Reject mail not routed through MX (third-party service name)" -ConnectorType Partner -SenderDomains * -RestrictDomainsToIPAddresses $true -SenderIpAddresses <#static list of on-premises IPs or IP ranges of the third-party service>
7 Note

If you already have an OnPremises inbound connector for the same certificate
or sender IP addresses, you still need to create the Partner inbound connector
(the RestrictDomainsToCertificate and RestrictDomainsToIPAddresses
parameters are only applied to Partner connectors). The two connectors can
coexist without problems.

5. There are two options for this step:

Use Enhanced Filtering for Connectors (highly recommended): Use Enhanced Filtering for Connectors (also known as skip listing) on the Partner inbound connector that receives messages from the third-party application. This allows EOP and Microsoft Defender for Office 365 scanning on the messages.

7 Note

For hybrid scenarios where third-party applications rely on an on-premises Exchange server to send to Exchange Online, you also need to enable Enhanced Filtering for Connectors on the OnPremises inbound connector in Exchange Online.

Bypass spam filtering: Use a mail flow rule (also known as a transport rule) to
bypass spam filtering. This option will prevent most EOP and Defender for
Office 365 controls and will therefore prevent a double anti-spam check.
) Important

Instead of bypassing spam filtering using a mail flow rule, we highly recommend that you enable Enhanced Filtering for Connectors (also known as skip listing). Most third-party cloud anti-spam providers share IP addresses among many customers. Bypassing scanning on these IPs might allow spoofed and phishing messages from these IP addresses.
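Steps 3 through 5 for this scenario, carried out from Exchange Online PowerShell, as an added example that is not part of the original article or of Microsoft's own guidance. It assumes an Exchange Online PowerShell session has already been opened with Connect-ExchangeOnline, that the tenant domain is the article's example contoso.com, and that the third-party service presents a certificate with the placeholder subject *.filtering.example; the IP range 10.10.10.0/24 in the commented-out mail flow rule is likewise a placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline
# has already been run and the ExchangeOnlineManagement module is loaded.
# Assumed values: contoso.com as the tenant domain, '*.filtering.example' as the
# subject name on the certificate the third-party service presents to EOP.
$Domain        = 'contoso.com'
$PartnerCert   = '*.filtering.example'    # assumption: third-party service certificate subject
$ConnectorName = 'Reject mail not routed through MX (third-party service)'

# Step 3 check: the MX record must point at the third-party service, not at EOP,
# and the SPF record must still name EOP as the outbound source with a hard fail.
function Test-ThirdPartyDns {
    param([string]$Name)
    $mx  = Resolve-DnsName -Name $Name -Type MX  -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'MX' }
    $txt = Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
           Where-Object { ($_.Strings -join '') -like 'v=spf1*' }
    $mxHosts = $mx.NameExchange
    $spf     = ($txt.Strings -join '')
    [pscustomobject]@{
        Domain         = $Name
        MxHosts        = $mxHosts
        MxPointsToEop  = [bool]($mxHosts -like '*.mail.protection.outlook.com')
        SpfIncludesEop = $spf -match 'include:spf\.protection\.outlook\.com'
        SpfHardFail    = $spf -match '\s-all\s*$'
        Spf            = $spf
    }
}

$dns = Test-ThirdPartyDns -Name $Domain
if ($dns.MxPointsToEop)       { Write-Warning "MX for $Domain already points to EOP; the third-party filter is being bypassed." }
if (-not $dns.SpfIncludesEop) { Write-Warning "SPF for $Domain does not include spf.protection.outlook.com." }
if (-not $dns.SpfHardFail)    { Write-Warning "SPF for $Domain does not end with -all." }

# Step 4: Partner inbound connector that rejects anything not arriving over a TLS
# session authenticated by the third-party service's certificate.
# Step 5: Enhanced Filtering for Connectors on the same connector. EFSkipLastIP
# tells EOP to ignore the last hop (the third-party service) and evaluate the
# true internet sender for its spam, spoof and phish verdicts.
$connector = Get-InboundConnector -Identity $ConnectorName -ErrorAction SilentlyContinue
if (-not $connector) {
    $connector = New-InboundConnector -Name $ConnectorName `
        -ConnectorType Partner `
        -SenderDomains '*' `
        -RequireTls $true `
        -TlsSenderCertificateName $PartnerCert `
        -RestrictDomainsToCertificate $true `
        -EFSkipLastIP $true
} else {
    Set-InboundConnector -Identity $ConnectorName -EFSkipLastIP $true
}

# Verify that the lockdown and skip listing are both in effect.
Get-InboundConnector -Identity $ConnectorName |
    Select-Object Name, ConnectorType, RequireTls, TlsSenderCertificateName,
                  RestrictDomainsToCertificate, EFSkipLastIP, Enabled

# Step 5, discouraged alternative: bypass EOP spam filtering for mail from the
# third-party service's IP range with a mail flow rule (SCL -1). Left commented
# out because the range is usually shared with the service's other customers.
# Assumed range 10.10.10.0/24 (placeholder).
# New-TransportRule -Name 'Bypass spam filtering for third-party filter' `
#     -SenderIpRanges '10.10.10.0/24' -SetSCL -1
```

Run the DNS check first: if the MX already resolves to EOP, the Partner connector's restriction will reject mail that arrives straight from the internet, which is exactly what the lockdown is meant to do once the MX points at the third party.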

Scenario 2 - MX record points to third-party solution without spam filtering
I plan to use Exchange Online to host all my organization's mailboxes. All email that's
sent to my domain from the internet must first flow through a third-party archiving or
auditing service before arriving in Exchange Online. All outbound email that's sent from
my Exchange Online organization to the internet must also flow through the service.
However, the service doesn't provide a spam filtering solution.
This scenario requires you to use Enhanced Filtering for Connectors. Otherwise, mail
from all internet senders appears to originate from the third-party service, not from the
true sources on the internet.

Best practices for using a third-party cloud service with Microsoft 365 or Office 365
We strongly recommend that you use the archiving and auditing solutions that are
provided by Microsoft 365 and Office 365.

See also
Mail flow best practices for Exchange Online, Microsoft 365, Office 365 (overview)

Some messages aren't routed through the on-premises organization when you use
centralized mail transport

Set up connectors for secure mail flow with a partner organization

Manage all mailboxes and mail flow using Microsoft 365 or Office 365

Manage mail flow with mailboxes in multiple locations (Microsoft 365 or Office 365 and
on-premises Exchange)

Manage mail flow using a third-party cloud service with Exchange Online and on-
premises mailboxes

Troubleshoot Microsoft 365 or Office 365 mail flow

Test mail flow by validating your connectors


Manage mail flow with mailboxes in
multiple locations (Exchange Online and
on-premises Exchange)
Article • 02/22/2023

Summary: How to manage mail flow in an Exchange hybrid environment, which is when
some mailboxes are on-premises and some are in Microsoft 365 or Office 365.

This topic covers the following complex mail flow scenarios using Microsoft 365 or
Office 365:

Scenario 1: MX record points to Microsoft 365 or Office 365 and Microsoft 365 or
Office 365 filters all messages

Scenario 2: MX record points to Microsoft 365 or Office 365 and mail is filtered on-
premises

Scenario 3: MX record points to my on-premises servers

Scenario 4: MX record points to my on-premises server, which filters and provides


compliance solutions for your messages. Your on-premises server needs to relay
messages to the internet through Microsoft 365 or Office 365.

7 Note

Examples in this topic use the fictitious organization, Contoso, which owns the
domain contoso.com. The IP address of the Contoso email server is 131.107.21.231,
and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name
and public-facing IP address where necessary.

Manage mail flow where some mailboxes are in Microsoft 365 or Office 365 and some mailboxes are on your organization's email servers
Scenario 1: MX record points to Microsoft 365 or Office
365 and Microsoft 365 or Office 365 filters all messages
I'm migrating my mailboxes to Exchange Online, and I want to keep some
mailboxes on my organization's email server (on-premises server). I want to use
Microsoft 365 or Office 365 as my spam filtering solution and want to send my
messages from my on-premises server to the internet by using Microsoft 365 or
Office 365. Microsoft 365 or Office 365 sends and receives all messages.

Most customers who need a hybrid mail flow setup should allow Microsoft 365 or Office
365 to perform all their filtering and routing. We recommend that you point your MX
record to Microsoft 365 or Office 365 because this setting provides for the most
accurate spam filtering. For this scenario, your organization's mail flow setup looks like
the following diagram.

Best practices
1. Add your custom domains in Microsoft 365 or Office 365. To prove that you own
the domains, follow the instructions in Add a domain to Microsoft 365.

2. Create user mailboxes in Exchange Online or move all users' mailboxes to Microsoft 365 or Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how
to do this task? Follow the instructions on this page.) The following DNS records
control mail flow:

MX record: Point your MX record to Microsoft 365 or Office 365 in the following format: <domainKey>-com.mail.protection.outlook.com

For example, if your domain is contoso.com, the MX record should be: contoso-com.mail.protection.outlook.com.

SPF record: This record should list Microsoft 365 or Office 365 as a valid sender; any IP addresses from your on-premises servers that connect to EOP; and any third parties that send email on behalf of your organization. For example, if your organization's email server's internet-facing IP address is 131.107.21.231, the SPF record for contoso.com should be:

text

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

Alternatively, depending on the third-party requirements, you might need to include the domain from the third-party, as shown in the following example:

text

v=spf1 include:spf.protection.outlook.com include:third_party_cloud_service.com -all

4. In the Exchange admin center (EAC), use the connector wizard to Configure mail
flow using connectors in Microsoft 365 or Office 365 for the following scenarios:

Sending messages from Microsoft 365 or Office 365 to your organization's email servers

Sending messages from your on-premises servers to Microsoft 365 or Office 365

If either of the following scenarios applies to your organization, you must create a connector to support sending mail from your on-premises servers to Microsoft 365 or Office 365.

Your organization is authorized to send messages on behalf of your client, but your organization doesn't own the domain. For example, contoso.com is authorized to send email through fabrikam.com, which doesn't belong to contoso.com.

Your organization relays non-delivery reports (also known as NDRs or bounce messages) to the internet through Microsoft 365 or Office 365.

To create the connector, choose the first option in the connector creation
wizard on the How should Office 365 identify email for your email server
screen, as shown in the below two screenshots, for New EAC and Classic EAC,
respectively.

This configuration enables Microsoft 365 or Office 365 to identify your email server by
using the certificate. In this scenario, the certificate CN or Subject Alternative Name
(SAN) contains the domain that belongs to your organization. For more information, see
Identifying email from your email server. For connector configuration details see, Part 2:
Configure mail to flow from your email server to Microsoft 365 or Office 365.

5. You don't need connectors in the following scenarios unless one of your partners
has a special requirement, such as enforcing TLS with a bank.

Sending mail from Microsoft 365 or Office 365 to a partner organization

Sending mail from a partner organization to Microsoft 365 or Office 365

7 Note

If your organization uses Exchange 2010 or later, we recommend that you use the Hybrid Configuration Wizard to configure connectors in Microsoft 365 or Office 365 as well as on your on-premises Exchange servers. For this scenario, your domain's MX record can't point to your organization's email server.

Scenario 2: MX record points to Microsoft 365 or Office 365 and mail is filtered on-premises
I'm migrating my mailboxes to Exchange Online and I want to keep some
mailboxes on my organization's email server (on-premises server). I want to use
the filtering and compliance solutions that are already in my on-premises
environment. All messages that come from the internet to my cloud mailboxes, or
messages sent to the internet from my cloud mailboxes, must route through my
on-premises servers.

If you have business or regulatory reasons for filtering mail in your on-premises
environment, we recommend pointing your domain's MX record to Microsoft 365 or
Office 365 and enabling centralized mail transport. This setup provides optimal spam
filtering and protects your organization's IP addresses. For this scenario, your
organization's mail flow setup looks like the following diagram.
Best practices

1. Add your custom domains in Microsoft 365 or Office 365. To prove that you own
the domains, follow the instructions in Add a domain to Microsoft 365.

2. Create user mailboxes in Exchange Online or move all users' mailboxes to Microsoft 365 or Office 365.

3. Update the DNS records for the domains that you added in step 1. (Not sure how
to do this task? Follow the instructions on this page.) The following DNS records
control mail flow:

MX record: Point your MX record to Microsoft 365 or Office 365 in the following format: <domainKey>-com.mail.protection.outlook.com

For example, if your domain is contoso.com, the MX record should be: contoso-com.mail.protection.outlook.com.

SPF record: This record should list Microsoft 365 or Office 365 as a valid
sender, plus any IP addresses from your on-premises servers that connect to
EOP, and any third parties that send email on behalf of your organization. For
example, if your organization's email server's internet-facing IP address is
131.107.21.231, the SPF record for contoso.com should be:

text

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

4. Use Centralized Mail Transport (CMT) for on-premises compliance solutions.

Mail that comes from the internet to a mailbox in Exchange Online first gets
sent to your on-premises server and then comes back to Exchange Online to
be delivered to the mailbox. Line 1 represents this path in the scenario 2
diagram.

Mail that comes from Exchange Online and is destined for the internet is first
sent to your on-premises servers, then comes back to Exchange Online, and
is then delivered to the internet. Line 4 represents this path in the scenario 2
diagram.

To achieve this configuration, create connectors via the Hybrid Configuration Wizard or via cmdlets, and enable CMT. For details about CMT, see Transport Options in Exchange Hybrid Deployments.

You don't need connectors in the following scenarios unless one of your partners has
special requirements, such as enforcing TLS with a bank.

Sending mail from Microsoft 365 or Office 365 to a partner organization

Sending mail from a partner organization to Microsoft 365 or Office 365

Scenario 3: MX record points to my on-premises servers


I'm migrating my mailboxes to Exchange Online, and I want to keep some
mailboxes on my organization's email server (on-premises server). I want to use
the filtering and compliance solutions that are already in my on-premises email
environment. All messages that come from the internet to my cloud mailboxes, or
messages sent to the internet from cloud mailboxes, must route through my on-
premises servers. I need to point my domain's MX record to my on-premises
server.

As an alternative to Scenario 2, you can point your domain's MX record to your organization's email server instead of to Microsoft 365 or Office 365. Some organizations have a business or regulatory need for this setup, but filtering typically works better if you use Scenario 2.

For this scenario, your organization's mail flow setup looks like the following diagram.

Best practices
If the MX record for your domain needs to point to your on-premises IP address, use the
following best practices:

1. Add your custom domains in Microsoft 365 or Office 365. To prove that you own
the domains, follow the instructions in Add a domain to Microsoft 365.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to
Microsoft 365 or Office 365.

3. Update the DNS records for the domains that you added in step 1. (Not sure how
to do this task? Follow the instructions on this page.) The following DNS records
control mail flow:

SPF record: This record should list Microsoft 365 or Office 365 as a valid sender. It should also include any IP addresses from your on-premises servers that connect to EOP and any third parties that send email on behalf of your organization. For example, if your organization's email server's internet-facing IP address is 131.107.21.231, the SPF record for contoso.com should be:

text

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

4. Because you're not relaying messages from your on-premises servers to the
internet through Microsoft 365 or Office 365, you don't technically need to create
connectors for the following scenarios. But if at some point you change your MX
record to point to Microsoft 365 or Office 365, you'll need to create connectors;
therefore, it's best to do it up front. In the Exchange admin center, use the
connector wizard to Part 2: Configure mail to flow from your email server to
Microsoft 365 or Office 365 for the following scenarios, or use the Hybrid
Configuration Wizard to create connectors:

Sending mail from Microsoft 365 or Office 365 to your organization's email
servers

Sending mail from your on-premises servers to Microsoft 365 or Office 365

5. To make sure that messages are sent to your organization's on-premises servers
through MX, go to Example security restrictions you can apply to email sent from a
partner organization, and follow "Example 3: Require that all email from your
partner organization domain ContosoBank.com is sent from a specific IP address
range."

Scenario 4: MX record points to my on-premises server, which filters and provides compliance solutions for your messages. Your on-premises server needs to relay messages to the internet through Microsoft 365 or Office 365.
I'm migrating my mailboxes to Exchange Online, and I want to keep some
mailboxes on my organization's email server (on-premises server). I want to use
the filtering and compliance solutions that are already in my on-premises email
environment. All messages sent from my on-premises servers must relay through
Microsoft 365 or Office 365 to the internet. I need to point my domain's MX record
to my on-premises server.

For this scenario, your organization's mail flow setup looks like the following diagram.

Best practices
If the MX record for your domain needs to point to your on-premises IP address, use the
following best practices:

1. Add your custom domains in Microsoft 365 or Office 365. To prove that you own
the domains, follow the instructions in Add a domain to Microsoft 365.

2. Create user mailboxes in Exchange Online or move all users' mailboxes to


Microsoft 365 or Office 365.

3. Update the DNS records for the domains that you added in step 1. (Not sure how
to do this task? Follow the instructions on this page.) The following DNS records
control mail flow:

MX record: Point your MX record to your on-premises server in the following format: mail.<domainKey>.com

For example, if your domain is contoso.com, the MX record should be: mail.contoso.com.

SPF record: This record should list Microsoft 365 or Office 365 as a valid
sender. It should also include any IP addresses from your on-premises servers
that connect to EOP and any third parties that send email on behalf of your
organization. For example, if your organization's email server's internet-facing
IP address is 131.107.21.231, the SPF record for contoso.com should be:

text

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

4. In the EAC, use the connector wizard to Configure mail flow using connectors in
Microsoft 365 or Office 365 for the following scenarios:

Sending mail from Microsoft 365 or Office 365 to your organization's email
servers

Sending mail from your on-premises servers to Microsoft 365 or Office 365

Create a connector to support the scenario "Sending mail from your on-
premises servers to Microsoft 365 or Office 365" if any of the following
scenarios apply to your organization:

Your organization is authorized to send mail on behalf of your client, but your
organization doesn't own the domain. For example, contoso.com is
authorized to send email through fabrikam.com, which doesn't belong to
contoso.com.
Your organization relays non-delivery reports (NDRs) to the internet through
Microsoft 365 or Office 365.

The MX record for your domain, contoso.com, points to your on-premises server, and users in your organization automatically forward messages to email addresses outside your organization. For example, kate@contoso.com has forwarding enabled, and all messages go to kate@tailspintoys.com. If john@fabrikam.com sends a message to kate@contoso.com, by the time the message arrives at Microsoft 365 or Office 365, the sender domain is fabrikam.com and the recipient domain is tailspintoys.com. Neither the sender domain nor the recipient domain belongs to your organization.

To create the connector, choose the first option in the connector creation
wizard on the How should Microsoft 365 or Office 365 identify email for
your email server screen, as shown in the below two screenshots, for New
EAC and Classic EAC, respectively.
This option allows Microsoft 365 or Office 365 to identify your email server by using the certificate. In this scenario, the certificate CN or Subject Alternative Name (SAN) contains the domain that belongs to your organization. For more information, see Identifying email from your email server. For connector configuration details, see Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365.

5. Set up connectors for secure mail flow with a partner organization to make sure
that messages are sent to your organization's on-premises servers via MX.

See also
Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)

Manage all mailboxes and mail flow using Microsoft 365 or Office 365

Manage mail flow using a third-party cloud service with Microsoft 365 or Office 365

Manage mail flow using a third-party cloud service with mailboxes on Microsoft 365 or
Office 365 and on-prem

Troubleshoot Microsoft 365 or Office 365 mail flow

Test mail flow by validating your Microsoft 365 or Office 365 connectors
Manage mail flow using a third-party
cloud service with Exchange Online and
on-premises mailboxes
Article • 02/22/2023

This topic covers the most complex mail flow scenario using Microsoft 365 or Office 365.

7 Note

Examples in this guide use the fictitious organization, Contoso, which owns the
domain contoso.com. The IP address of the Contoso mail server is 131.107.21.231,
and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name
and public-facing IP address where necessary.

Using a third-party cloud service with mailboxes in Exchange Online and on my organization's email servers

Scenario
I'm migrating my mailboxes to Exchange Online, and I want to keep some
mailboxes on my organization's on-premises email server. I want to use a third-
party cloud service to filter spam from the internet. My messages to the internet
must route through Microsoft 365 or Office 365 to prevent my on-premises
servers' IP addresses from being added to external block lists.

In this scenario, your organization's mail flow setup looks like the following diagram.
Best practices

1. Add your custom domains in Microsoft 365 or Office 365. To prove that you own
the domains, follow the instructions in Add a domain to Microsoft 365.

2. Create user mailboxes in Exchange Online or move all users' mailboxes to Microsoft 365 or Office 365.

3. Update the DNS records for the domains that you added in step 1. (Not sure how
to do this? Follow the instructions on this page.) The following DNS records control
mail flow:

MX record: Point your MX record to your third-party service. Follow their guidelines for configuring your MX record.

SPF record: Because your domain's MX record must point to a third-party service (in other words, you require complex routing), include the third-party service in your SPF record. Follow the third-party provider's guidelines for adding them to your SPF record. Also add Microsoft 365 or Office 365 and the IP addresses of your on-premises servers as valid senders. For example, if contoso.com is your domain name, the third-party cloud service IP address is 10.10.10.1, and your on-premises server IP address is 131.107.21.231, the SPF record for contoso.com should be:

text

v=spf1 ip4:10.10.10.1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

Alternatively, depending on the third-party's requirements, you might need to include the domain from the third-party, as shown in the following example:

text

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com include:third_party_cloud_service.com -all
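A check for the SPF records prescribed in the four hybrid scenarios above and in this article, as an added PowerShell example that is not from the original articles. It parses a record offline and flags the problems a practitioner looks for: a missing on-premises ip4 term, a missing include for spf.protection.outlook.com, a soft-fail or neutral all qualifier, and too many lookup terms in the record itself. The sample records are constructed from the articles' example values, and the Get-LiveSpfRecord helper assumes the domain resolves from the machine running it.

```powershell
# Added example (not from the original articles). Parses an SPF record into its
# mechanisms and checks it against what a mail flow scenario requires.

function ConvertFrom-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { throw "Not an SPF record: $Record" }
    $rest = if ($terms.Count -gt 1) { $terms[1..($terms.Count - 1)] } else { @() }
    $mechanisms = foreach ($t in $rest) {
        $q = '+'                                   # default qualifier is pass
        if ($t -match '^[+\-~?]') { $q = $t.Substring(0, 1); $t = $t.Substring(1) }
        $name, $value = $t -split '[:=]', 2        # 'ip4:1.2.3.4', 'include:x', 'redirect=x', 'all'
        [pscustomobject]@{ Qualifier = $q; Name = $name.ToLower(); Value = $value }
    }
    # Terms that cost a DNS lookup during evaluation; RFC 7208 caps these at 10.
    $lookupTerms = @($mechanisms | Where-Object { $_.Name -in 'include', 'a', 'mx', 'ptr', 'exists', 'redirect' })
    [pscustomobject]@{
        Mechanisms   = $mechanisms
        Ip4          = @($mechanisms | Where-Object Name -eq 'ip4'     | ForEach-Object Value)
        Includes     = @($mechanisms | Where-Object Name -eq 'include' | ForEach-Object Value)
        AllQualifier = ($mechanisms | Where-Object Name -eq 'all' | Select-Object -Last 1).Qualifier
        LookupTerms  = $lookupTerms.Count
    }
}

function Test-SpfRecord {
    param(
        [Parameter(Mandatory)][string]$Record,
        [string[]]$RequiredIp4     = @(),
        [string[]]$RequiredInclude = @('spf.protection.outlook.com')
    )
    $spf = ConvertFrom-SpfRecord -Record $Record
    $problems = @()
    foreach ($ip in $RequiredIp4)      { if ($ip  -notin $spf.Ip4)      { $problems += "missing ip4:$ip" } }
    foreach ($inc in $RequiredInclude) { if ($inc -notin $spf.Includes) { $problems += "missing include:$inc" } }
    if (-not $spf.AllQualifier)         { $problems += 'no all mechanism; unlisted senders are not rejected' }
    elseif ($spf.AllQualifier -ne '-')  { $problems += "record ends with '$($spf.AllQualifier)all', not -all" }
    if ($spf.LookupTerms -gt 10)        { $problems += "$($spf.LookupTerms) lookup terms in this record alone exceed the RFC 7208 limit of 10" }
    [pscustomobject]@{ Record = $Record; Passed = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed samples: the hybrid record with the on-premises server, the
# third-party variant from this article, and a weak record that should be rejected.
$samples = @(
    'v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all',
    'v=spf1 ip4:10.10.10.1 ip4:131.107.21.231 include:spf.protection.outlook.com -all',
    'v=spf1 include:spf.protection.outlook.com ~all'
)
foreach ($s in $samples) {
    Test-SpfRecord -Record $s -RequiredIp4 '131.107.21.231' | Format-List
}

# Live check of a domain you own (assumption: contoso.com resolves from this host).
function Get-LiveSpfRecord {
    param([string]$Domain)
    (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -like 'v=spf1*' } |
        Select-Object -First 1).Strings -join ''
}
# Test-SpfRecord -Record (Get-LiveSpfRecord -Domain 'contoso.com') -RequiredIp4 '131.107.21.231'
```

The first two samples pass; the third fails on the missing ip4 term and on ~all. Test-SpfRecord only counts lookup terms in the record it is given; the RFC 7208 limit of 10 applies across nested includes, so a record that passes here can still exceed the limit once the includes inside spf.protection.outlook.com and a third-party's include are followed.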

More information
There are additional considerations in hybrid deployments between on-premises
Exchange and Microsoft 365 or Office 365. For more information, see Exchange Server
hybrid deployments.

See also
Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)

Manage all mailboxes and mail flow using Microsoft 365 or Office 365

Manage mail flow using a third-party cloud service with Microsoft 365 or Office 365

Manage mail flow with mailboxes in multiple locations (Microsoft 365 or Office 365 and
on-prem)

Troubleshoot Microsoft 365 or Office 365 mail flow

Test mail flow by validating your connectors


How to set up a multifunction device or
application to send email using
Microsoft 365 or Office 365
Article • 03/14/2023

) Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center , if not already doing so. While most of the features have
been migrated to new EAC, some have been migrated to other admin centers and
remaining ones will soon be migrated to New EAC. Find features that are not yet
there in new EAC at Other Features or use Global Search that will help you
navigate across new EAC.

) Important

Mail flow rules are now available in the new Exchange admin center. Try it now!

Prerequisites: Office 365 or Microsoft 365 subscription, Exchange Online Plan.

This article explains how you can send email from devices and business applications
when all of your mailboxes are in Microsoft 365 or Office 365. For example:

You have a scanner, and you want to email scanned documents to yourself or
someone else.
You have a line-of-business (LOB) application that manages appointments, and you
want to email reminders to clients of their appointment time.

Option 1: Authenticate your device or application directly with a Microsoft 365 or Office 365 mailbox, and send mail using SMTP AUTH client submission

7 Note
This option is not compatible with Microsoft Security Defaults. We recommend
using Modern Authentication when connecting with our service. Although SMTP
AUTH now supports OAuth, most devices and clients have not been designed to
use OAuth with SMTP AUTH. As a result, there are no plans to disable Basic
Authentication for SMTP AUTH clients at this time. To find out more about OAuth,
see Authenticate an IMAP, POP or SMTP connection using OAuth.

You must also verify that SMTP AUTH is enabled for the mailbox being used. SMTP
AUTH is disabled for organizations created after January 2020 but can be enabled
per-mailbox. For more information, see Enable or disable authenticated client
SMTP submission (SMTP AUTH) in Exchange Online.

This option supports most usage scenarios and is the easiest to set up. Choose this
option when:

You want to send email from a third-party hosted application, service, or device.
You want to send email to people inside and outside your organization.

To configure your device or application, connect directly to Microsoft 365 or Office 365
using the SMTP AUTH client submission endpoint smtp.office365.com.

Each device or application must be able to authenticate with Microsoft 365 or Office
365. The email address of the account that's used to authenticate with Microsoft 365 or
Office 365 will appear as the sender of messages from the device or application.

How to set up SMTP AUTH client submission


Enter the following settings directly on your device or in the application as their guide
instructs (it might use different terminology than this article). As long as your scenario
meets the requirements for SMTP AUTH client submission, the following settings will
enable you to send email from your device or application.

Device or application setting           Value
Server/smart host                       smtp.office365.com
Port                                    Port 587 (recommended) or port 25
TLS/StartTLS                            Enabled
Username/email address and password     Enter the sign-in credentials of the hosted mailbox being used
TLS and other encryption options
Determine what version of TLS your device supports by checking the device guide or
with the vendor. If your device or application doesn't support TLS 1.2 or above, you have
the following alternatives:

Depending on your requirements, use direct send (Option 2) or Microsoft 365 or Office 365 SMTP relay (Option 3) instead.
Use an on-premises email server (Exchange Server or any other SMTP server) to
relay mail if your device is unable to meet the previous requirements for
connecting to Microsoft 365 or Office 365. In fact, you might find it easier to
configure and manage an on-premises SMTP server to relay messages from your
devices and applications, especially if you have many devices and applications that
send email.

To find out more about configuring your own email server to send mail to Microsoft 365
or Office 365, see Set up connectors to route mail between Microsoft 365 or Office 365
and your own email servers.

7 Note

If your device recommends or defaults to port 465, it doesn't support SMTP AUTH
client submission.

Features of SMTP AUTH client submission


SMTP AUTH client submission allows you to send email to people in your
organization and outside your company.
This method bypasses most spam checks for email sent to people in your
organization. This bypass can help protect your company IP addresses from being
blocked by a spam list.
With this method, you can send email from any location or IP address, including
your (on-premises) organization's network, or a third-party cloud hosting service,
like Microsoft Azure.

Requirements for SMTP AUTH client submission


Authentication: If possible, we recommend using Modern Authentication in the
form of OAuth. Otherwise, you'll need to use Basic Authentication (which is simply
a username and password) to send email from the device or application. To find
out more about OAuth, see Authenticate an IMAP, POP, or SMTP connection using
OAuth. If SMTP AUTH is intentionally disabled for the organization or the mailbox
being used, you must use Option 2 or 3 below.
Mailbox: You must have a licensed Microsoft 365 or Office 365 mailbox to send
email from.
Transport Layer Security (TLS): Your device must be able to use TLS version 1.2
and above.
Port: Port 587 (recommended) or port 25 is required and must be unblocked on
your network. Some network firewalls or ISPs block ports, especially port 25,
because that's the port that email servers use to send mail.
DNS: Use the DNS name smtp.office365.com. Do not use an IP address for the
Microsoft 365 or Office 365 server, as IP Addresses are not supported.

Note

For information about TLS, see How Exchange Online uses TLS to secure email
connections and for detailed technical information about how Exchange Online
uses TLS with cipher suite ordering, see TLS cipher suites supported by Office 365.

Limitations of SMTP AUTH client submission

You can only send from one email address unless your device can store login
credentials for multiple Microsoft 365 or Office 365 mailboxes.
Microsoft 365 or Office 365 imposes some sending limits. See Exchange Online
limits - Receiving and sending limits for more information.

Option 2: Send mail directly from your printer or application to Microsoft 365 or
Office 365 (direct send)

Choose this option when:

Your environment has SMTP AUTH disabled.
SMTP AUTH client submission (Option 1) is not compatible with your business
needs or with your device.
You only need to send messages to recipients in your own organization who have
mailboxes in Microsoft 365 or Office 365; you don't need to send email to people
outside of your organization.

Other scenarios when direct send may be your best choice:

You want your device or application to send from each user's email address and do
not want each user's mailbox credentials configured to use SMTP client
submission. Direct send allows each user in your organization to send email using
their own address.

Avoid using a single mailbox with Send As permissions for all your users. This
method is not supported because of complexity and potential issues.

You want to send bulk email or newsletters. Microsoft 365 or Office 365 does not
allow you to send bulk messages via SMTP AUTH client submission. Direct send
allows you to send a higher volume of messages.

There is a risk of your email being marked as spam by Microsoft 365 or Office 365.
You might want to enlist the help of a bulk email provider to assist you. For
example, they'll help you adhere to best practices, and can help ensure that your
domains and IP addresses are not blocked by others on the internet.

Settings for direct send

Enter the following settings on the device or in the application directly.

Device or application setting | Value
Server/smart host | Your MX endpoint, for example, contoso-com.mail.protection.outlook.com
Port | Port 25
TLS/StartTLS | Optional
Email address | Any email address for one of your Microsoft 365 or Office 365 accepted domains. This email address does not need to have a mailbox.

We recommend adding an SPF record to avoid having messages flagged as spam. If you
are sending from a static IP address, add it to your SPF record in your domain registrar's
DNS settings as follows:

DNS entry | Value
SPF | v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all

Step-by-step instructions for direct send

1. If your device or application can send from a static public IP address, obtain this IP
address and make a note of it. You can share your static IP address with other
devices and users, but don't share the IP address with anyone outside of your
company. Your device or application can send from a dynamic or shared IP address
but messages are more prone to antispam filtering.

2. Sign in to the Microsoft 365 admin center.

3. Go to Settings > Domains, select your domain (for example, contoso.com), and
find the MX record.

The MX record will have data for Points to address or value that looks similar to
contoso-com.mail.protection.outlook.com.

4. Make a note of the data of Points to address or value for the MX record, which we
refer to as your MX endpoint.

5. Go back to the device, and in the settings, under what would normally be called
Server or Smart Host, enter the MX record Points to address or value you
recorded in step 4.

Note

Do NOT use an IP address for the Microsoft 365 or Office 365 server
connection, as IP addresses are not supported.

6. Now that you are done configuring your device settings, go to your domain
registrar's website to update your DNS records. Edit your sender policy framework
(SPF) record. In the entry, include the IP address that you noted in step 1. The
finished string looks similar to the following example:

v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all

where 10.5.3.2 is your public IP address.

Caution

This IP address will be authorized to send on your domain's behalf. Anyone
with access to it could send email to any external recipient and it would pass
SPF checking. You should consider carefully who has access to use this IP
address.

Note

Skipping this step might cause email to be sent to recipient Junk Email
folders.

7. To test the configuration, send a test email from your device or application, and
confirm that the recipient received it.

How direct send works

The application or device in your organization's network uses direct send and your
Microsoft 365 or Office 365 mail exchange (MX) endpoint to email recipients in your
organization. It's easy to find your MX endpoint in Microsoft 365 or Office 365 if you
need to look it up.

You can configure your device to send email direct to Microsoft 365 or Office 365. Use
direct send to relay email to recipients with Microsoft 365 or Office 365 mailboxes in
your organization. If your device uses direct send to try to relay an email for a recipient
who doesn't have a Microsoft 365 or Office 365 mailbox, the email will be rejected.

Note

If your device or application has the ability to act as an email server to deliver
messages to Microsoft 365 or Office 365 as well as other email providers, there are
no Microsoft 365 or Office 365 settings needed for this scenario. For more
information, see your device or application instructions.

Features of direct send

Uses Microsoft 365 or Office 365 to send emails, but does not require a dedicated
Microsoft 365 or Office 365 mailbox.
Doesn't require your device or application to have a static IP address. However, it is
recommended for your device or application to have a static IP address, if possible.
Doesn't work with a connector; never configure a device to use a connector with
direct send because such a configuration can cause problems.
Doesn't require your device to support TLS.

Direct send has higher sending limits than SMTP client submission. Senders are not
bound by the limits described in Option 1.

Requirements for direct send

Port: Port 25 is required and must be unblocked on your network.
Static IP address is recommended: A static IP address is recommended so that an
SPF record can be created for your domain. The SPF record helps avoid your
messages being flagged as spam.
Does not require a Microsoft 365 or Office 365 mailbox with a license.

Limitations of direct send

Direct send cannot be used to deliver email to external recipients, for example,
recipients with Yahoo or Gmail addresses.
Your messages will be subject to antispam checks.
Sent mail might be disrupted if your IP addresses are blocked by a spam list.
Microsoft 365 and Office 365 use throttling policies to protect the performance of
the service.

Option 3: Configure a connector to send mail using Microsoft 365 or Office 365
SMTP relay

This option is more difficult to implement than the others. Only choose this option
when:

Your environment has SMTP AUTH disabled.
SMTP client submission (Option 1) is not compatible with your business needs or
with your device.
You can't use direct send (Option 2) because you must send email to external
recipients.
SMTP relay lets Microsoft 365 or Office 365 relay emails on your behalf by using a
connector that's configured with your public IP address or a TLS certificate. Setting up a
connector makes this option more complicated.

Settings for Microsoft 365 or Office 365 SMTP relay

Device or application setting | Value
Server/smart host | Your MX endpoint, for example, yourdomain-com.mail.protection.outlook.com
Port | Port 25
TLS/StartTLS | Enabled
Email address | Any email address in one of your Microsoft 365 or Office 365 verified domains. This email address does not need a mailbox.

If you already have a connector that's configured to deliver messages from your on-
premises organization to Microsoft 365 or Office 365 (for example, a hybrid
environment), you probably don't need to create a dedicated connector for Microsoft
365 or Office 365 SMTP relay. If you need to create a connector, use the following
settings to support this scenario:

Connector setting | Value
From | Your organization's email server
To | Microsoft 365 or Office 365
Domain restrictions: IP address/range | Your on-premises IP address or address range that the device or application will use to connect to Microsoft 365 or Office 365

We recommend adding an SPF record to avoid having messages flagged as spam. If you
are sending from a static IP address, add it to your SPF record in your domain registrar's
DNS settings as follows:

DNS entry | Value
SPF | v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all

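The SPF record above is what both direct send (Option 2, step 6) and SMTP relay depend on to keep mail out of recipients' Junk Email folders. The following Python snippet is an added example, not code from the Microsoft documentation: it inserts a static IP into a record the way step 6 describes, and evaluates whether a source IP is authorized by the record's own ip4/ip6 terms. It deliberately performs no DNS lookups; an include: term such as spf.protection.outlook.com can only be expanded by a real SPF checker, so the function reports it as unresolved rather than guessing. The sample record and the 10.5.3.2 address come from the article; the other addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split a TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def add_static_ip(record: str, ip: str) -> str:
    """Insert an ip4:/ip6: term ahead of any include:/all term; no-op if already present."""
    addr = ipaddress.ip_address(ip)
    mech = f"ip{addr.version}:{addr}"
    terms = record.split()
    if mech in terms:
        return record
    insert_at = next((i for i, t in enumerate(terms)
                      if t.lstrip("+-~?").lower().startswith(("include:", "all"))),
                     len(terms))
    terms.insert(insert_at, mech)
    return " ".join(terms)


def spf_check_local(record: str, ip: str) -> str:
    """Evaluate only the literal ip4/ip6 terms of a record against ip.

    Returns the qualifier result ("pass" for a bare ip4: term) when a literal term
    matches, the qualifier result of the "all" term when nothing matches and there is
    nothing left to resolve, or "unresolved:<names>" when include:/a/mx/exists terms
    would need DNS before a verdict is possible.
    """
    addr = ipaddress.ip_address(ip)
    unresolved = []
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            # An IPv4 address tested against an IPv6 network (or vice versa) is simply False.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "exists"):
            unresolved.append(arg or name)
        elif name == "all":
            if unresolved:
                return "unresolved:" + ",".join(unresolved)
            return QUALIFIERS[qualifier]
    return "unresolved:" + ",".join(unresolved) if unresolved else "neutral"


if __name__ == "__main__":
    record = add_static_ip("v=spf1 include:spf.protection.outlook.com ~all", "10.5.3.2")
    print(record)
    print(spf_check_local(record, "10.5.3.2"))
```

Run against your published record before and after the change: a source IP that comes back "unresolved" is relying entirely on the include: term, which is exactly the case where a device sending from its own address needs the explicit ip4: entry.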
Step-by-step configuration instructions for SMTP relay

1. Obtain the public (static) IP address that the device or application will send from.
A dynamic IP address isn't supported or allowed. You can share your static IP
address with other devices and users, but don't share the IP address with anyone
outside of your company. Make a note of this IP address for later.

2. Sign in to the Microsoft 365 admin center.

3. Go to Settings > Domains, select your domain (for example, contoso.com), and
find the MX record.

The MX record will have data for Points to address or value that looks similar to
contoso-com.mail.protection.outlook.com.

4. Make a note of the data of Points to address or value for the MX record, which we
refer to as your MX endpoint.

5. Check that the domains that the application or device will send to have been
verified. If the domain is not verified, emails could be lost, and you won't be able
to track them with the Exchange Online message trace tool.

6. In Microsoft 365 or Office 365, select Admin and then Exchange to go to the new
Exchange admin center.

Note

On clicking Exchange, the new Exchange admin center is launched. If you
want to navigate to the Classic Exchange admin center, click Classic Exchange
admin center on the left pane of the new Exchange admin center home page.

7. In the Exchange admin center (EAC), go to Mail flow > Connectors. The
Connectors screen is depicted in the subsequent two images below, for New EAC
and Classic EAC, respectively.

8. Check the list of connectors set up for your organization. If there is no connector
listed from your organization's email server to Microsoft 365 or Office 365, create a
connector in the Exchange admin center (EAC):

Classic EAC:

a. Open the EAC at https://admin.protection.outlook.com/ecp/ and go to
Mail flow > Connectors, and then click Add. In the wizard that opens,
choose the options that are depicted in the following screenshot on the
first screen:

b. Click Next, and give the connector a name.

c. On the next screen, choose By verifying that the IP address of the
sending server matches one of these IP addresses that belong to your
organization, and add the IP address from Step 1.

d. Leave all the other fields with their default values, and select Save.

New EAC:

a. Open the EAC at https://admin.protection.outlook.com/ecp/ and go to
Mail flow > Connectors. Or, to go directly to the Connectors page, use
https://admin.exchange.microsoft.com/#/connectors.

b. Click Add a connector. In the wizard that opens, choose the options
that are depicted in the following screenshot on the first screen:

c. Click Next. The Connector name screen appears.

d. Provide a name for the connector and click Next. The Authenticating sent
email screen appears.

e. Choose By verifying that the IP address of the sending server matches
one of these IP addresses which belong exclusively to your organization,
and add the IP address from Step 1 of the Step-by-step configuration
instructions for SMTP relay section.

f. Click Save.

9. Now that you're done with configuring your Microsoft 365 or Office 365 settings,
go to your domain registrar's website to update your DNS records. Edit your SPF
record. Include the IP address that you noted in step 1. The finished string should
look similar to this: v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all,
where 10.5.3.2 is your public IP address. Skipping this step can cause email to be
sent to recipient Junk Email folders.

10. Now, go back to the device, and in the settings, find the entry for Server or Smart
Host, and enter the MX record POINTS TO ADDRESS value that you recorded in
step 3.

11. To test the configuration, send a test email from your device or application, and
confirm that it was received by the recipient.

Configure a certificate-based connector to relay email through Microsoft 365 or
Office 365

If your devices or applications are capable of using a certificate for mail flow, you can
configure a certificate-based connector to relay email through Microsoft 365 or Office
365.

To do this task, verify the subject name on the certificate used by the sending device or
application. The common name (CN) or subject alternative name (SAN) in the certificate
should contain a domain name that you have registered in Microsoft 365 or Office 365.
Also, you must create a certificate-based connector in Microsoft 365 or Office 365 with
this same domain name to accept and relay emails coming from these devices,
applications, or any other on-premises server. For more information about this method,
see important notice for email customers who have configured connectors.

How Microsoft 365 or Office 365 SMTP relay works

The application or device in your organization's network uses a connector for SMTP
relay to email recipients in your organization.

The Microsoft 365 or Office 365 connector that you configure authenticates your
device or application with Microsoft 365 or Office 365 using an IP address. Your
device or application can send email using any address (including ones that can't
receive mail), as long as the address uses one of your domains. It is not mandatory
for the email address to be associated with an actual mailbox. For example, if your
domain is contoso.com, you could send from an address like
do_not_reply@contoso.com.

Microsoft 365 or Office 365 SMTP relay uses a connector to authenticate the mail
sent from your device or application. This authentication method allows Microsoft
365 or Office 365 to relay those messages to your own mailboxes and external
recipients. Microsoft 365 or Office 365 SMTP relay is similar to direct send except
that it can send mail to external recipients.

Due to the added complexity of configuring a connector, direct send is
recommended over Microsoft 365 or Office 365 SMTP relay, unless you must send
email to external recipients. To send email using Microsoft 365 or Office 365 SMTP
relay, your device or application server must have a static IP address or address
range. You can't use SMTP relay to send email directly to Microsoft 365 or Office
365 from a third-party hosted service, such as Microsoft Azure. For more
information, see Troubleshoot outbound SMTP connectivity issues in Azure.

Features of Microsoft 365 or Office 365 SMTP relay

Microsoft 365 or Office 365 SMTP relay doesn't require the use of a licensed
Microsoft 365 or Office 365 mailbox to send emails.
Microsoft 365 or Office 365 SMTP relay has higher sending limits than SMTP client
submission. Senders are not subject to the limits described in Option 1.

Requirements for Microsoft 365 or Office 365 SMTP relay

Static IP address or address range: Most devices or applications are unable to use
a certificate for authentication. To authenticate your device or application, use one
or more static IP addresses that are not shared with another organization.
Connector: Set up a connector in Exchange Online for email sent from your device
or application.
Port: Port 25 is required. Ensure this port is not blocked on your network or by
your ISP.

Limitations of Microsoft 365 or Office 365 SMTP relay

Sent mail can be disrupted if your IP addresses are blocked by a spam list.
Reasonable limits are imposed for sending. For more information, see High-risk
delivery pool for outbound messages.
Requires static unshared IP addresses (unless a certificate is used).
The connecting client is expected to retry within a reasonable period, in case of
transient failures. Microsoft recommends the connecting client to maintain SMTP
logs to help investigate these types of failures.

Note

As the SMTP RFC suggests, Option 1 (SMTP AUTH client submission) may be the
more appropriate method for an SMTP client/application that is not a
full-featured mail server (MTA).

Compare the options

Here's a comparison of each configuration option and the features they support.

Features | SMTP client submission | Direct send | SMTP relay
Send to recipients in your domain(s) | Yes | Yes | Yes
Relay to internet via Microsoft 365 or Office 365 | Yes | No. Direct delivery only. | Yes
Bypasses antispam | Yes, if the mail is destined for one of your Microsoft 365 or Office 365 mailboxes. | No. Suspicious emails might be filtered. We recommend a custom Sender Policy Framework (SPF) record. | No. Suspicious emails might be filtered. We recommend a custom SPF record.
Supports mail sent from applications hosted by a third party | Yes | Yes. We recommend updating your SPF record to allow the third party to send as your domain. | No
Saves to Sent Items folder | Yes | No | No

Requirements | SMTP client submission | Direct send | SMTP relay
Open network port | Port 587 or port 25 | Port 25 | Port 25
Device or application server must support TLS | Required | Optional | Optional
Requires authentication | Microsoft 365 or Office 365 username and password required | None | One or more static IP addresses. Your printer or the server running your LOB app must have a static IP address to use for authentication with Microsoft 365 or Office 365.

Here are the limitations of each configuration option:

Limitations | SMTP client submission | Direct send | SMTP relay
Throttling limits | 10,000 recipients per day. 30 messages per minute. | Standard throttling is in place to protect Microsoft 365 or Office 365. | Reasonable limits are imposed. The service can't be used to send spam or bulk mail. For more information about reasonable limits, see High-risk delivery pool for outbound messages.

Run diagnostic to Set up applications or devices sending email using Microsoft 365

Note

This feature requires a Microsoft 365 administrator account.

If you still need help to set up applications or devices sending email using Microsoft 365
or you need help fixing issues with applications or devices sending email using
Microsoft 365, you can run an automated diagnostic.

To run the diagnostic check, select the following button:

Run Tests: Send email using Microsoft 365

A flyout page opens in the Microsoft 365 admin center. Select the appropriate option
that you are looking for, e.g. new setup or troubleshooting existing setup.

Use your own email server to send email from multifunction devices and
applications

If you happen to have an on-premises email server, you should seriously consider using
that server for SMTP relay instead of Microsoft 365 or Office 365. A local email server
that you have physical access to is much easier to configure for SMTP relay by devices
and applications on your local network. The details about how to do this configuration
depends on your on-premises email server. For Exchange Server, see the following
articles:

Allow anonymous relay on Exchange servers
Receive messages from a server, service, or device that doesn't use Exchange
Related articles

Fix issues with printers, scanners, and LOB applications that send email using Microsoft
365 or Office 365

Set up connectors to route mail between Microsoft 365 or Office 365 and your own
email servers

Continuous error throttling for SMTP AUTH submissions in Exchange Online
Article • 01/26/2023

Every day, our service sees millions of requests coming in to send emails via
smtp.office365.com using the SMTP AUTH protocol. Many of these are for Line-of-
Business (LOB) applications and services that customers have configured to send out
automated emails.

Many of the requests that we receive result in an error. If a user sends from
Outlook, that user sees an error message and can immediately take action to
unblock sending. However, many automated email applications aren't designed to
handle errors well; instead, they ignore errors and keep sending in the belief that
the error will correct itself.

For some errors such as those involving Send As or Mailbox Full, the issue won't correct
itself without human intervention. To protect our service from bombardment from these
requests and to get the message to administrators that something is wrong with the
mailbox or configuration, we're introducing continuous error throttling for SMTP AUTH.

The new errors that will be seen if throttling is hit are:

550 5.2.251 Sender throttled due to continuous mailbox full errors.
550 5.2.252 Sender throttled due to continuous send as denied errors.
550 5.2.253 Sender throttled due to continuous invalid license errors.
550 5.2.254 Sender throttled due to continuous too many recipients errors.
550 5.2.255 Sender throttled due to continuous invalid recipients errors.

If Exchange Online sees too many errors during submissions for a mailbox related to the
five issues covered, that mailbox will be throttled from sending using SMTP AUTH
specifically for a period of time.
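Because these 550 replies are returned to the submitting client and never appear in Message Trace, the only place to catch them is the application's own SMTP log. The following Python example is added here and is not Microsoft code: it scans a constructed client-side log in an assumed "timestamp sender reply-code enhanced-code text" layout, tallies the five throttling codes per sending mailbox, and identifies the senders whose application should stop retrying and alert an administrator instead.

```python
import re
from collections import Counter, defaultdict
from typing import Dict

# Enhanced status codes from the article, mapped to the condition that needs a human fix.
THROTTLE_CODES = {
    "5.2.251": "mailbox full",
    "5.2.252": "send as denied",
    "5.2.253": "invalid license",
    "5.2.254": "too many recipients",
    "5.2.255": "invalid recipients",
}

# Assumed log layout: ISO timestamp, authenticated sender, SMTP reply code, enhanced code, text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sender>\S+@\S+)\s+(?P<code>\d{3})\s+(?P<esc>\d\.\d\.\d{1,3})\b"
)

# Constructed sample lines; not real service output.
SAMPLE_LOG = """\
2023-05-01T08:00:01Z printer@contoso.com 550 5.2.252 Sender throttled due to continuous send as denied errors.
2023-05-01T08:00:03Z printer@contoso.com 550 5.2.252 Sender throttled due to continuous send as denied errors.
2023-05-01T08:01:00Z alerts@contoso.com 250 2.0.0 OK
2023-05-01T08:05:00Z reports@contoso.com 550 5.2.251 Sender throttled due to continuous mailbox full errors.
2023-05-01T08:06:00Z reports@contoso.com 451 4.7.0 Temporary server error; retry later
"""


def is_continuous_error_throttle(code: str, esc: str) -> bool:
    """True for the permanent 550 5.2.251-255 replies; retrying cannot clear them."""
    return code == "550" and esc in THROTTLE_CODES


def throttled_senders(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count throttle reasons per sending mailbox from client-side SMTP log lines."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_continuous_error_throttle(m["code"], m["esc"]):
            hits[m["sender"]][THROTTLE_CODES[m["esc"]]] += 1
    return {sender: dict(reasons) for sender, reasons in hits.items()}


if __name__ == "__main__":
    for sender, reasons in throttled_senders(SAMPLE_LOG).items():
        print(f"{sender}: stop retrying and fix: {', '.join(reasons)}")
```

The distinction the code draws is the one the article relies on: a 451 is transient and a retry is reasonable, while a 550 5.2.25x is a signal that the mailbox or its permissions are broken and that further submissions only extend the throttling.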

In many of these cases, customers might fail to notice that anything is wrong and the
forgotten application will continue trying to send to no avail. However, the mailbox
could be configured to send out emails successfully with one application and
misconfigured with another. In such a scenario, messages that were successfully sent will
be blocked as well. Lastly, if a mailbox is left to reach its size limit, a previously working
application will hit this new error and be throttled if it is ignored.

It's up to administrators or users to test these applications to make sure that they work
when configured. If and when these errors are hit, they'll need to investigate the
misconfiguration in cases such as Send As denied or correct new issues such as a
mailbox becoming full. Investigating this will be on the client side. These messages are
not accepted by Microsoft 365 so Message Trace is of no help here.

After correcting the issue, the mailbox will begin working again after the throttling
period expires in the same way that hitting the Recipient Rate Limit for a mailbox
requires waiting for that throttling to elapse. The throttling period will be decided by
Microsoft based on a number of factors.

If customers don't want to wait that long, they can switch to using another mailbox as
long as the issue has been resolved. Support is unable to lift the throttling here.

Updated Requirements for SMTP Relay through Exchange Online
Article • 06/23/2023

This article explains how you can update your requirements for SMTP relay through
Exchange Online. If your organization doesn't use Inbound Connectors of OnPremises
type, then this change won't affect you.

Current Requirements
To relay email through Exchange Online, the following must be true:

1. Any of the following is an accepted domain of your organization:

a. The SMTP certificate domain on the SMTP connection; or

b. The SMTP envelope sender domain in the MAIL FROM command (P1 sender
domain); or

c. The SMTP header sender domain, as shown in email clients (P2 sender domain).

2. The sending host’s IP address or the certificate domain on the SMTP connection
matches your tenant’s Inbound Connector of OnPremises type.

New Requirements
On November 1, 2023, the matching condition for the SMTP P2 sender domain will be
removed. After this condition is removed, relaying email through Exchange Online will
require the following:

1. Any of the following is an accepted domain of your organization:

a. The SMTP certificate domain on the SMTP connection; or

b. The SMTP envelope sender domain in the MAIL FROM command (P1 sender
domain).

2. The sending host’s IP address or certificate domain on the SMTP connection
matches your organization’s Inbound connector of OnPremises type.

After November 1, 2023, if either of the above conditions isn't met, the relay attempt
from your on-premises environment to Exchange Online will be rejected.

This change may affect your organization’s email routing or delivery. Possible scenarios
that are affected by this change include, but may not be limited to:

1. Your organization hosts email on-premises, and you need to relay nondelivery
reports (NDRs) generated by your on-premises system through Exchange Online.
In this scenario, the NDRs often have null as the SMTP envelope sender (P1
sender), but the SMTP header sender domain (P2 sender domain) is your
organization’s domain.

2. Your organization uses an application hosted on-premises to send email, and the
SMTP envelope sender domain (P1 sender domain) isn't an accepted domain in
Exchange Online.

3. You use a third-party cloud service to relay messages by creating an Inbound
Connector of OnPremises type. For example, when you use a cloud service
platform to relay emails through Exchange Online, the SMTP envelope sender
domain (P1 sender domain) will be the third party service’s domain (perhaps for
bounce tracking), but the SMTP header domain (P2 sender domain) is your
organization’s domain.

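To see concretely which relay attempts the November 1, 2023 change turns away, here is a small Python model of the two acceptance conditions. It is an added example, not taken from Microsoft's documentation; the logic follows the article: the source must match the OnPremises inbound connector by IP address or by certificate domain, and an accepted domain must appear on the certificate or in the P1 sender (and, only before the change, in the P2 sender). The tenant data, addresses and the relay.contoso.com certificate domain are constructed, with contoso.com standing in for the organization's domain.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class RelayAttempt:
    source_ip: str
    p2_sender: str                      # header From address, as shown in mail clients
    p1_sender: Optional[str] = None     # MAIL FROM address; None models the null sender used by NDRs
    cert_domain: Optional[str] = None   # domain on the client TLS certificate, if one is presented


@dataclass
class Tenant:
    accepted_domains: Set[str]
    connector_ips: Set[str] = field(default_factory=set)   # IP-based OnPremises inbound connector
    connector_cert_domain: Optional[str] = None            # certificate-based OnPremises connector


def domain_of(address: Optional[str]) -> Optional[str]:
    """Lower-cased domain part of an address; None for the null sender or a malformed address."""
    if not address or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def matches_connector(attempt: RelayAttempt, tenant: Tenant) -> bool:
    """Condition 2: the sending host's IP or certificate domain matches the connector."""
    by_ip = attempt.source_ip in tenant.connector_ips
    by_cert = (attempt.cert_domain is not None
               and attempt.cert_domain.lower() == (tenant.connector_cert_domain or "").lower())
    return by_ip or by_cert


def relay_allowed(attempt: RelayAttempt, tenant: Tenant, after_change: bool) -> bool:
    """Both conditions must hold; after_change selects the rules in force from November 1, 2023."""
    if not matches_connector(attempt, tenant):
        return False
    candidates = [attempt.cert_domain.lower() if attempt.cert_domain else None,
                  domain_of(attempt.p1_sender)]
    if not after_change:
        candidates.append(domain_of(attempt.p2_sender))   # P2 match is dropped after the change
    return any(d in tenant.accepted_domains for d in candidates if d)


# Scenario 1 from the article: an on-premises NDR with a null P1 sender, relayed by IP.
NDR = RelayAttempt(source_ip="10.5.3.2", p2_sender="postmaster@contoso.com", p1_sender=None)
# Scenario 2: an on-premises application whose P1 sender domain is not an accepted domain.
APP = RelayAttempt(source_ip="10.5.3.2", p2_sender="noreply@contoso.com",
                   p1_sender="bounce@app-vendor.example")
# A host that matches no connector at all.
STRANGER = RelayAttempt(source_ip="203.0.113.9", p2_sender="user@contoso.com",
                        p1_sender="user@contoso.com")
IP_TENANT = Tenant(accepted_domains={"contoso.com"}, connector_ips={"10.5.3.2"})

# The remediation the article describes: a certificate-based connector whose domain is accepted.
CERT_NDR = RelayAttempt(source_ip="10.5.3.2", p2_sender="postmaster@contoso.com",
                        p1_sender=None, cert_domain="relay.contoso.com")
CERT_TENANT = Tenant(accepted_domains={"contoso.com", "relay.contoso.com"},
                     connector_cert_domain="relay.contoso.com")

if __name__ == "__main__":
    for label, attempt, tenant in (("NDR by IP", NDR, IP_TENANT), ("app by IP", APP, IP_TENANT),
                                   ("NDR by cert", CERT_NDR, CERT_TENANT)):
        print(label, "before:", relay_allowed(attempt, tenant, False),
              "after:", relay_allowed(attempt, tenant, True))
```

The model makes the remediation visible: once the P2 header can no longer vouch for a message, a null-sender NDR has nothing left but the certificate domain, which is why the article asks for a certificate-based connector whose domain is also an accepted domain.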
To minimize the effects of this change before November 1, 2023, do the following:

1. If you need to relay emails from on-premises through Exchange Online, and some
of these emails apply to the scenarios indicated above, you must update your
Inbound connector of OnPremises type to use a certificate domain (instead of IP
addresses), in addition, you must add the certificate domain as an accepted
domain of your organization. For more information, see Configure a certificate-
based connector to relay email messages through Microsoft 365.

2. If you need to use a third-party add-on service to process email messages sent
from your organization and then relay through Exchange Online, the third-party
service must support a unique certificate for your organization, and the certificate
domain must be an accepted domain of your organization. An example is that your
organization uses a signature service to add signature/disclaimer for each email
sent from your organization. For more information, see Scenario: Integrate
Exchange Online with an email add-on service.

Fix issues with printers, scanners, and LOB apps that send email using
Microsoft 365
Article • 03/27/2023

Email clients provide actionable error messages when something goes wrong. Sending
email from devices and applications is less easy to fix, and you might not get clear
information to help you. This article can help you troubleshoot, and it uses printer
configurations as examples.

As a first step to fixing any problems, check your configuration. See How to set up a
multifunction device or application to send email using Microsoft 365 or Office 365 for
detailed information about the configuration options.

My printer is already configured for email, but I don't know which configuration
option it uses

The following list describes the available configuration options:

1. SMTP AUTH client submission (recommended)

Your printer is connected to the server named smtp.office365.com.
You entered an email address and password for Microsoft 365 or Office 365
account/mailbox that the printer uses.
The printer can send email to people inside and outside your organization.

2. Direct send

Your printer is connected to a Microsoft 365 or Office 365 server whose name
ends with mail.protection.outlook.com.
There's no connector in Microsoft 365 or Office 365 for mail sent from your
on-premises organization to Microsoft 365 or Office 365.
The printer can send email only to people in your organization; the printer
can't send email to recipients outside your organization.

3. Microsoft 365 or Office 365 SMTP relay

Your printer is connected to a Microsoft 365 or Office 365 server whose name
ends with mail.protection.outlook.com.
You've configured a connector in Microsoft 365 or Office 365 for mail sent
from your on-premises organization to Microsoft 365 or Office 365.
The printer can send email to people inside and outside your organization.

Fix issues with SMTP AUTH client submission

I set up my printer for SMTP AUTH client submission, but it still can't send email

1. Check the settings that were entered directly into the printer:

Printer setting | Value
Server/smart host | smtp.office365.com
Port | Port 587 (recommended) or port 25
TLS/StartTLS | Enabled
Username/email address and password | Sign in credentials of Microsoft 365 or Office 365 mailbox the printer uses

2. If your printer didn't require a password for the username/email address that you
entered, then your printer is trying to send email without logging on to Microsoft
365 or Office 365. SMTP AUTH client submission requires your printer to sign in to
Microsoft 365 or Office 365. Direct send and Microsoft 365 or Office 365 SMTP
relay don't require a logon; consider one of these options instead.

3. Your printer or application must send email from the same email address that you
entered as logon credentials during email setup. If the printer or application tries
to send email from a different account, the result is an error similar to:

5.7.60 SMTP; Client does not have permissions to send as this sender.

For example, if you entered login credentials for sales@contoso.com in your
printer or application settings, but the printer tries to send email from
salesperson1@contoso.com, this configuration isn't supported. For this scenario,
use Microsoft 365 or Office 365 SMTP relay instead.

4. Test the username and password by logging on to Outlook on the web, and try to
send a test email to make sure the account isn't blocked. If the user is blocked, see
Remove blocked users from the Restricted Users portal.

5. Next, test that you can connect to Microsoft 365 or Office 365 from your network
by doing the following steps:

a. Follow the instructions to install the Telnet Client tool on a computer on the
same network as the device or application.

b. Run the tool from the command line by typing telnet.

c. Type open smtp.office365.com 587 (or substitute 25 for 587 if you're using that
port setting instead).

d. If you connected successfully to an Office 365 server, expect to receive a
response line similar to the following response:

220 BY1PR10CA0041.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 1 Jun 2015 12:00:00 +0000

e. If you can't connect to Microsoft 365 or Office 365, your network firewall or
Internet Service Provider (ISP) might have blocked port 587 or 25. Fix this issue
so you can send email from your printer.

6. If none of these issues apply to your device, it might not meet requirements for
Transport Layer Security (TLS) encryption.

Recently, we started rejecting a percentage of connections to smtp.office365.com
that use TLS 1.0/1.1 for SMTP AUTH.

Your device must support TLS version 1.2 or above. Update the firmware on the
device or try one of the other configuration options where TLS is optional. If you
need to utilize TLS 1.0/1.1 for SMTP AUTH to retain legacy clients and devices, you
must opt in by:

Set the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet
to True. Or from Exchange admin center, go to Settings > Mail Flow and
(under Security) check "Turn on use of legacy TLS clients" and click on Save.
Legacy clients and devices need to be configured to submit to the new
endpoint smtp-legacy.office365.com.

To learn more, see New opt-in endpoint available for SMTP AUTH clients still needing
legacy TLS

For more information about TLS, see How Exchange Online uses TLS to secure email
connections.
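The Telnet check in step 5 stops at the banner, so it can't tell you whether TLS 1.2 is negotiable on the path the device uses. The following PowerShell function, added here as an example and not part of the original article, performs the same exchange a device does (banner, EHLO, STARTTLS) and then forces a TLS 1.2 handshake, so a failure can be attributed to the network, to the server's TLS policy, or to the protocol version you asked for. The host and ports are the article's; the function name and the EHLO hostname are this example's own.

```powershell
# Added example (not from the original article): connect to the SMTP client submission
# endpoint, walk through EHLO/STARTTLS, and negotiate only the requested TLS version.
function Test-SmtpStartTls {
    param(
        [string]$Server = 'smtp.office365.com',
        [int]$Port = 587,
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls12
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
        $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # Read one SMTP reply, which may span several lines; continuation lines have
        # '-' right after the three-digit code, the final line has a space.
        function Read-SmtpReply {
            $lines = @()
            do {
                $line = $reader.ReadLine()
                if ($null -eq $line) { throw "Connection closed by $Server" }
                $lines += $line
            } while ($line.Length -ge 4 -and $line[3] -eq '-')
            return $lines
        }

        $banner = Read-SmtpReply
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner[-1])" }

        $writer.WriteLine('EHLO probe.example')   # hostname is a placeholder
        $ehlo = Read-SmtpReply
        if (-not ($ehlo -match '^250[ -]STARTTLS')) { throw 'Server did not advertise STARTTLS' }

        $writer.WriteLine('STARTTLS')
        $go = Read-SmtpReply
        if ($go[-1] -notmatch '^220') { throw "STARTTLS refused: $($go[-1])" }

        # Upgrade the socket. Certificate validation stays at the .NET default (enforced),
        # and only $Protocol is offered, so a handshake failure means that version is not accepted.
        $ssl = [System.Net.Security.SslStream]::new($stream, $false)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $true)

        [pscustomobject]@{
            Server      = $Server
            Port        = $Port
            Banner      = $banner[-1]
            TlsProtocol = $ssl.SslProtocol
            Cipher      = $ssl.CipherAlgorithm
            Subject     = $ssl.RemoteCertificate.Subject
        }
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }
}

# Usage:
#   Test-SmtpStartTls                    # TLS 1.2 on 587: the configuration a device needs
#   Test-SmtpStartTls -Port 25           # same check for the port 25 setting
#   Test-SmtpStartTls -Protocol Tls11    # should fail: TLS 1.0/1.1 is being rejected on smtp.office365.com;
#                                        # legacy devices must opt in and use smtp-legacy.office365.com
```

If the TLS 1.2 call succeeds from a workstation on the same network segment but the device still can't authenticate, the problem is the device's TLS stack, not the firewall, which is the distinction step 6 asks you to make.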

I receive an authentication error when my device tries to send email

This error can be caused by a number of issues:

1. Make sure that you entered the correct username and password.
2. Try logging into Outlook on the web with the printer's username and password.
Send an email to make sure that the mailbox is active and has not been blocked
for sending spam.
3. Check that your device or application supports TLS version 1.2 or above. The best
way to check is by upgrading the firmware on the device or updating the
application to the latest version. Contact the device manufacturer to confirm that it
supports TLS version 1.2 or above.

Error: Authentication unsuccessful

If you receive one of the following errors:

535 5.7.3 Authentication unsuccessful
5.7.57 Client not authenticated to send mail

There are a few things you should check:

1. Use Exchange Online PowerShell to verify that authenticated SMTP submission
(also known as SMTP AUTH) is enabled on the licensed mailbox that the printer or
application is using to connect to Microsoft 365 or Office 365:

In Exchange Online PowerShell, replace <EmailAddress> with the email address
and run the following command:

PowerShell

Get-CASMailbox -Identity <EmailAddress> | Format-List SmtpClientAuthenticationDisabled

If the value is True, replace <EmailAddress> with the email address and run the
following command to enable it:

PowerShell

Set-CASMailbox -Identity <EmailAddress> -SmtpClientAuthenticationDisabled $false

If the value is blank, the mailbox inherits the organization-wide
SmtpClientAuthenticationDisabled setting from Set-TransportConfig, so check that
setting as well.

2. Disable Multi-Factor Authentication (MFA) on the licensed mailbox that's being
used:

In the Microsoft 365 admin center, in the left navigation menu, choose Users
> Active users.
On the Active users page, choose Multi-Factor Authentication.
On the multi-factor authentication page, select the user and disable the
Multi-Factor Authentication status.

3. Disable the Azure Security Defaults by toggling the Enable Security Defaults to
No:

Caution

Don't do this step unless you understand the risks that are involved.

Sign in to the Azure portal as a Security administrator, Conditional Access
administrator, or Global administrator.
Browse to Azure Active Directory > Properties.
Select Manage security defaults.
Set the Enable security defaults toggle to No.
Select Save.

4. Exclude the user from a Conditional Access policy that blocks Legacy
Authentication:

Sign in to the Azure portal as a Security administrator, Conditional Access
administrator, or Global administrator.
Browse to Azure Active Directory > Security > Conditional Access.
In the policy that blocks Legacy Authentication, exclude the mailbox being
used under Users and Groups > Exclude.
Select Save.

Steps 2 through 4 each remove a protection, because SMTP AUTH with a username and
password is legacy authentication and can't satisfy MFA or a legacy-authentication
block. Apply them only to the dedicated account the device uses, never to a person's
mailbox, and prefer step 4 (a per-account exclusion) over step 3 (which turns off
security defaults for the whole tenant).
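Because a blank per-mailbox value means "inherit the tenant setting", the single Get-CASMailbox command in step 1 can't by itself tell you whether SMTP AUTH is actually on. The functions below, added as an example and not part of the original article, resolve the effective state from both levels and enable SMTP AUTH for just the device mailbox while leaving the tenant default untouched. Get-TransportConfig, Get-CASMailbox, Set-CASMailbox and the SmtpClientAuthenticationDisabled property are real; the function names and the placeholder address are this example's own, and an Exchange Online PowerShell session (Connect-ExchangeOnline) is assumed.

```powershell
# Added example (not from the original article): resolve the effective SMTP AUTH state
# for one mailbox from the tenant default plus the per-mailbox override.
function Get-SmtpAuthEffectiveState {
    param([Parameter(Mandatory)][string]$Identity)

    # Tenant-wide switch: $true turns SMTP AUTH off for every mailbox without an override.
    $org = Get-TransportConfig
    $tenantDisabled = [bool]$org.SmtpClientAuthenticationDisabled

    # Per-mailbox override: $null (shown blank) means "inherit the tenant setting".
    $cas = Get-CASMailbox -Identity $Identity
    $override = $cas.SmtpClientAuthenticationDisabled

    if ($null -eq $override) {
        $effectiveDisabled = $tenantDisabled
        $decidedBy = 'tenant default'
    } else {
        $effectiveDisabled = [bool]$override
        $decidedBy = 'mailbox override'
    }

    [pscustomobject]@{
        Identity        = $Identity
        TenantDisabled  = $tenantDisabled
        MailboxOverride = $override
        SmtpAuthEnabled = -not $effectiveDisabled
        DecidedBy       = $decidedBy
    }
}

# Enable SMTP AUTH for one device mailbox only. The tenant switch is deliberately not
# touched, so ordinary user mailboxes keep basic SMTP authentication disabled.
function Enable-SmtpAuthForDevice {
    param([Parameter(Mandatory)][string]$Identity)

    Set-CASMailbox -Identity $Identity -SmtpClientAuthenticationDisabled $false
    Get-SmtpAuthEffectiveState -Identity $Identity
}

# Usage (printer@contoso.com is a placeholder):
#   Connect-ExchangeOnline
#   Get-SmtpAuthEffectiveState -Identity printer@contoso.com
#   Enable-SmtpAuthForDevice -Identity printer@contoso.com
```

Keeping the tenant setting disabled and enabling SMTP AUTH per device mailbox is the least-privilege shape of this fix: it limits the accounts that can be attacked with a password alone to the ones that genuinely need basic SMTP authentication.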

Error: 5.7.60 SMTP; Client does not have permissions to send as this sender

This error indicates that the device is trying to send an email from an address that
doesn't match the logon credentials. An example would be if your entered login
credentials for sales@contoso.com in your application settings but the application tries
to send emails from salesperson1@contoso.com. If your application or printer behaves
this way, use Microsoft 365 or Office 365 SMTP relay because SMTP client submission
does not support this scenario.

Error: Client was not authenticated to send anonymous mail during MAIL FROM

This error indicates that your printer connects to the SMTP client submission endpoint
(smtp.office365.com). However, your printer must also logon to a mailbox to send a
message. This error occurs when you have not entered mailbox logon credentials in the
printer's settings. If there is no option to enter credentials, this printer does not support
SMTP client submission; use either direct send or Microsoft 365 or Office 365 SMTP
relay instead. See How to set up a multifunction device or application to send email
using Microsoft 365 or Office 365.

Error: 550 5.1.8 Bad outbound sender

This error indicates that the device is trying to send an email from a Microsoft 365 or
Office 365 mailbox that is on a spam block list. For help, see Remove blocked users from
the Restricted Users portal.
Error: 535 5.7.139 Authentication unsuccessful, federated
STS service was unreachable.
This error relates to federation gateway servers hosted on-premises by customers. We
were unable to reach the configured server location and therefore couldn't
authenticate the federated user.

Error: 535 5.7.139 Authentication unsuccessful, the federated STS URL does not support HTTPS.

This error relates to federation gateway servers hosted on-premises by customers. We
were unable to establish the required secure connection with the server and therefore
couldn't authenticate the federated user. Note: This may be due to the 2022 deprecation
of TLS 1.0 and TLS 1.1. You need to make sure your servers are able to use TLS 1.2. You
can find more information here: Preparing for TLS 1.2 in Office 365 and Office 365 GCC.

Fix issues with direct send

I set up my printer for direct send and it's not sending email - or - My device was
sending email using direct send, but it stopped working

This can be caused by a number of issues.

1. A common reason for issues with direct send is a blocked IP address. If antispam
tools detect outbound spam from your organization, your IP address can be
blocked by a spam block list. Check whether your IP address is on a block list by
using a third-party service, such as MXToolbox or WhatIsMyIPAddress. Follow up
with the organization that added your IP address to their block list. Microsoft 365
and Office 365 use block lists to protect our service. For help, see Remove blocked
users from the Restricted Users portal.

2. To rule out a problem with your device, send a test email to check your connection
to Microsoft 365 or Office 365. To send a test email, follow these steps in the
article, Use Telnet to Test SMTP Communication. If you can't connect to Microsoft
365 or Office 365, your network or ISP might have blocked communication using
port 25. If you can't reverse this, use SMTP client submission instead.
Client was not authenticated to send anonymous mail
during MAIL FROM error
This indicates that you are connecting to the SMTP client submission endpoint
(smtp.office365.com), which can't be used for direct send. For direct send, use the MX
endpoint for your Microsoft 365 or Office 365 organization, which ends with
"mail.protection.outlook.com." You can find your MX endpoint by following the steps in
Option 2: Send mail directly from your printer or application to Microsoft 365 or Office
365 (direct send).

My emails are not sent to recipients who are not in my organization

This is by design. Direct send allows email to be sent only to recipients in your
organization that are hosted in Microsoft 365 or Office 365. If you need to send to
external recipients, use SMTP client submission or Microsoft 365 or Office 365 SMTP
relay.

The MX endpoint is too long for the printer setting box. Can I use an IP address instead?

Using an IP address in place of the MX endpoint isn't supported. The addresses behind
the endpoint can change, so a hard-coded IP address could stop working at any time and
leave you unable to send messages. If the MX endpoint is too long, consider using SMTP
client submission, which has a shorter endpoint (smtp.office365.com).

Emails from my device are marked as junk by Microsoft 365 or Office 365

For direct send, we recommend using a device that sends from a static IP address. This
allows you to set up a Sender Policy Framework (SPF) record to help prevent emails
being marked as spam. Check that your SPF record is set up with your static IP address.
A network or ISP change could change your static IP address. Update your SPF record to
reflect this change. If you aren't sending from your own static IP address, consider SMTP
client submission instead.

Fix issues with Microsoft 365 or Office 365 SMTP relay

I set up my printer for Microsoft 365 or Office 365 SMTP relay but it's not sending
email -or- My device was sending email using SMTP relay, but it stopped working
This can be caused by a number of issues.

1. A common reason for issues with Microsoft 365 or Office 365 SMTP relay is a
blocked IP address. If antispam tools detect outbound spam from your
organization, your IP address can be blocked by a spam block list. Check whether
your IP address is on a block list by using a third-party service, such as MXToolbox
or WhatIsMyIPAddress. Follow up with the organization that added your IP address
to their block list. Microsoft 365 and Office 365 use block lists to protect our
service. For help, see Remove blocked users from the Restricted Users portal.

2. To rule out a problem with your device, send a test email to check your connection
to Microsoft 365 or Office 365. To send a test email, follow these steps in the
article, Use Telnet to Test SMTP Communication. If you can't connect to Microsoft
365 or Office 365, your network or ISP might have blocked communication using
port 25. If you can't reverse this, use SMTP client submission instead.

Emails are no longer being sent to external recipients

Network or ISP changes might change your static IP address. This results in your
connector not identifying and relaying your messages to external recipients. Update
your connector and your SPF record with the new IP address. Follow the steps in Option
3: Configure a connector to send mail using Microsoft 365 or Office 365 SMTP relay to
edit your existing connector settings.

5.7.64 TenantAttribution; Relay Access Denied or 4.4.62 Mail sent to the wrong Office 365 region

This error indicates that email sent from your application or device is not correctly
attributed to your tenant. A common cause of this issue is a change in your dedicated
and static IP address or a change in the certificate used by your application or device.
Update the inbound connector with the new IP address or new certificate information.

Email from my device is marked as junk by Microsoft 365 or Office 365

Microsoft 365 or Office 365 SMTP relay requires your device to send email from a static
IP address. Check that your SPF record is set up with your static IP address. A network or
ISP change could change your static IP address. Update your SPF record to reflect this
change. If you aren't sending from your own static IP address, consider SMTP client
submission instead.
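Three of the problems above (emails no longer reaching external recipients, 5.7.64 TenantAttribution, and relayed or direct-send mail being marked as junk) come down to the same question: after a network or ISP change, is the device's new static IP address still trusted where the service looks for it? The script below, added as an example and not part of the original article, checks both places at once: the ip4: mechanisms of the sending domain's SPF record and the SenderIPAddresses of enabled on-premises inbound connectors. Resolve-DnsName (DnsClient module, Windows), Get-InboundConnector and Set-InboundConnector are real cmdlets; the function names, the CIDR/range helpers and the placeholder values in the usage lines are this example's own.

```powershell
# Added example (not from the original article): verify that a static IP address is
# covered by the domain's SPF record and by the on-premises inbound connectors.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    $b = $ip.GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

# $Range may be a single address, a.b.c.d/nn, or a.b.c.d-e.f.g.h (the forms a connector's
# SenderIPAddresses can take). Anything that isn't IPv4 simply doesn't match.
function Test-IPv4InRange {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Range)
    try {
        $a = ConvertTo-IPv4Number $Address
        if ($Range -match '^([^-]+)-([^-]+)$') {
            $lo = ConvertTo-IPv4Number $Matches[1]
            $hi = ConvertTo-IPv4Number $Matches[2]
            return ($a -ge $lo -and $a -le $hi)
        }
        $parts   = $Range -split '/'
        $prefix  = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
        $net     = ConvertTo-IPv4Number $parts[0]
        $allOnes = [long]4294967295
        # Bitwise operators bind looser than comparisons in PowerShell, hence the parentheses.
        $mask    = if ($prefix -le 0) { 0L } else { ($allOnes -shl (32 - $prefix)) -band $allOnes }
        return (($a -band $mask) -eq ($net -band $mask))
    } catch {
        return $false
    }
}

# Return the literal ip4: networks from the domain's SPF record. include:, a and mx
# mechanisms are not expanded here, so an address authorized only through them is reported
# as missing and should be checked by hand.
function Get-SpfIPv4Networks {
    param([Parameter(Mandatory)][string]$Domain)
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -match '^v=spf1' } |
        Select-Object -First 1
    if (-not $spf) { return @() }
    $record = $spf.Strings -join ''
    @(($record -split '\s+') | Where-Object { $_ -match '^\+?ip4:' } |
        ForEach-Object { $_ -replace '^\+?ip4:', '' })
}

function Test-RelayIPTrust {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$Domain,
        [switch]$SkipConnectors   # for direct send, where no connector is involved
    )
    $spfNets = Get-SpfIPv4Networks -Domain $Domain
    $inSpf   = [bool]($spfNets | Where-Object { Test-IPv4InRange -Address $IPAddress -Range $_ })

    $connectors = @()
    if (-not $SkipConnectors) {
        $connectors = @(Get-InboundConnector |
            Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.Enabled } |
            ForEach-Object {
                $c = $_
                $ranges = @($c.SenderIPAddresses | ForEach-Object { "$_" })
                [pscustomobject]@{
                    Connector = $c.Name
                    TrustsIP  = [bool]($ranges | Where-Object { Test-IPv4InRange -Address $IPAddress -Range $_ })
                    Ranges    = $ranges
                    TlsCert   = $c.TlsSenderCertificateName
                }
            })
    }

    [pscustomobject]@{
        IPAddress   = $IPAddress
        SpfNetworks = $spfNets
        InSpf       = $inSpf
        Connectors  = $connectors
    }
}

# Usage (values are placeholders):
#   Connect-ExchangeOnline
#   Test-RelayIPTrust -IPAddress 203.0.113.10 -Domain contoso.com
#   # If a connector no longer trusts the new address, replace its list rather than
#   # appending, so the old address stops being accepted for tenant attribution:
#   Set-InboundConnector -Identity 'Printer relay' -SenderIPAddresses 203.0.113.10
```

The SPF record is updated at your DNS provider, not in Exchange Online; the script only tells you whether the current published record already covers the new address.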

Run diagnostic to set up applications or devices sending email using Microsoft 365

Note

This feature requires a Microsoft 365 administrator account.

If you still need help to fix issues with applications or devices sending email using
Microsoft 365, you can run an automated diagnostic.

To run the diagnostic check, select the following button:

Run Tests: Send email using Microsoft 365

A flyout page opens in the Microsoft 365 admin center. Select the option that matches
your situation, for example a new setup or troubleshooting an existing setup.



Email non-delivery reports and SMTP errors in
Exchange Online
Article • 08/02/2023

When there's a problem delivering an email message that you sent, Microsoft 365 or Office 365 will
generate an error code and often will send an email to let you know. The email you receive is a delivery
status notification, also known as a DSN or Bounce Message. The most common type is called a non-
delivery report (NDR), which tells you that a message wasn't delivered. Non-delivery can be caused by
something as simple as a typo in an email address. NDRs include an error code that indicates why your
email wasn't delivered, solutions to help you get your email delivered, a link to more help on the web, and
technical details for administrators. Find out What's included in an NDR?.
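The error code an NDR carries is also present in a machine-readable form, the message/delivery-status part that RFC 3464 defines, which is what you want when triaging bounces in bulk rather than reading them one at a time. The function below, added as an example and not part of the original article, extracts the enhanced status code and the receiving server's diagnostic text from that part and classifies each recipient's failure. The sample DSN is constructed for this example; the function names are this example's own, and the "sender risk" codes are the ones the table below ties to a blocked or compromised sending account.

```powershell
# Added example (not from the original article): parse the per-recipient blocks of a
# delivery-status part and report the enhanced status code for each recipient.
function ConvertFrom-DeliveryStatus {
    param([Parameter(Mandatory)][string]$Text)

    # Unfold continuation lines (a line starting with whitespace continues the field above).
    $unfolded = $Text -replace "`r?`n[ \t]+", ' '
    # Blank lines separate the per-message fields from each per-recipient block.
    $blocks = $unfolded -split "(?:`r?`n){2,}" | Where-Object { $_ -match 'Final-Recipient:' }

    foreach ($block in $blocks) {
        $fields = @{}
        foreach ($line in ($block -split "`r?`n")) {
            if ($line -match '^([A-Za-z-]+):\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
        }

        # Status is class.subject.detail; class 4 is transient, class 5 is permanent.
        $status = $fields['Status']
        $severity = if ($status -match '^4\.') { 'transient' }
                    elseif ($status -match '^5\.') { 'permanent' }
                    else { 'unknown' }

        # Diagnostic-Code carries the receiving server's reply, which often includes a more
        # specific enhanced code than Status; prefer it when present.
        $diag = $fields['Diagnostic-Code']
        $code = if ($diag -match '\b(\d\.\d{1,3}\.\d{1,3})\b') { $Matches[1] } else { $status }

        [pscustomobject]@{
            Recipient  = ($fields['Final-Recipient'] -replace '^[^;]*;\s*', '')
            Action     = $fields['Action']
            Status     = $status
            Code       = $code
            Severity   = $severity
            # Codes the table below associates with a blocked or compromised sender.
            SenderRisk = ($code -in @('5.1.8', '5.1.90', '5.2.2'))
            Diagnostic = $diag
        }
    }
}

# Constructed sample: one permanent failure and one delay, with a folded header line.
$sampleDsn = @'
Reporting-MTA: dns; mta.contoso.example
Arrival-Date: Mon, 1 Jun 2015 12:00:00 +0000

Final-Recipient: rfc822; user@fabrikam.example
Action: failed
Status: 5.1.10
Diagnostic-Code: smtp; 550 5.1.10 Recipient not found by SMTP address
 lookup

Final-Recipient: rfc822; sales@fabrikam.example
Action: delayed
Status: 4.4.7
Diagnostic-Code: smtp; 451 4.4.7 Message expired
'@

ConvertFrom-DeliveryStatus -Text $sampleDsn |
    Format-Table Recipient, Code, Severity, SenderRisk, Diagnostic -AutoSize
```

Feeding the delivery-status parts of a day's bounces through this and grouping on Code is a quick way to notice a sudden run of 5.1.8 or 5.2.2 results, which the table below flags as a sign of an account that is being used to send spam.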

Find my error code and get help delivering my email

The following table contains the error codes (also known as enhanced status codes) for the most common
Bounce Messages and errors that you might encounter in Exchange Online. Each entry gives the error code,
its description, the possible cause, and additional information.

Error code: 432 4.3.2
Description: STOREDRV.Deliver; recipient thread limit exceeded
Possible cause: The recipient mailbox's ability to accept messages is being throttled because it's receiving too many messages too quickly. This is done so a single recipient's mail processing doesn't unfairly impact other recipients sharing the same mailbox database.
Additional information: For more information about this by-design throttling, see Store Driver Fault Isolation Improvements in Exchange 2010 SP1.

Error code: 4.4.316
Description: Connection refused [Message=Socket error code 10061]
Possible cause: Microsoft 365 or Office 365 is trying to send a message to an email server outside of Microsoft 365 or Office 365, but attempts to connect to it are failing due to a network connection issue at the external server's location.
Additional information: This error almost always indicates an issue with the receiving server or network outside of Microsoft 365 or Office 365. The error should also include the IP address of the server or service that's generating the error, which you can use to identify the party responsible for fixing this.

Error code: 4.4.7
Description: Message expired
Possible cause: The message in the queue has expired. The sending server tried to relay or deliver the message, but the action wasn't completed before the message expiration time occurred. This message can also indicate that a message header limit has been reached on a remote server, or some other protocol time-out occurred while communicating with the remote server.
Additional information: This message usually indicates an issue on the receiving server. Check the validity of the recipient address, and determine if the receiving server is configured correctly to receive messages. You might have to reduce the number of recipients in the message header for the host about which you're receiving this error. If you send the message again, it's placed in the queue again. If the receiving server is available, the message is delivered. For more information, see Fix email delivery issues for error code 4.4.7 in Exchange Online.

Error code: 4.4.8
Description: MX hosts of <domain> failed MTA-STS validation
Possible cause: The destination MX host was not the host expected per the domain's STS policy.
Additional information: This error usually indicates an issue with the destination domain's MTA-STS policy not containing the MX host. For more information, see Enhancing mail flow with MTA-STS.

Error code: 4.5.3
Description: Too many recipients
Possible cause: The message has more than 200 SMTP envelope recipients from the same domain.
Additional information: An envelope recipient is the original, unexpanded recipient that's used in the RCPT TO command to transmit the message between SMTP servers. When this error is returned by Microsoft 365 or Office 365, the sending server must break up the number of envelope recipients into smaller chunks (chunking) and resend the message.

Error code: 4.7.5
Description: Remote certificate failed MTA-STS validation. Reason: <validityStatus>
Possible cause: The destination mail server's certificate must chain to a trusted root Certificate Authority and the Common Name or Subject Alternative Name must contain an entry for the host name in the STS policy.
Additional information: This error usually indicates an issue with the destination mail server's certificate. For more information, see Enhancing mail flow with MTA-STS.

Error code: 4.7.26
Description: Access denied, a message sent over IPv6 [2a01:111:f200:2004::240] must pass either SPF or DKIM validation, this message is not signed
Possible cause: A message sent over IPv6 must pass either SPF or DKIM.
Additional information: For more information, see Support for anonymous inbound email messages over IPv6.

Error code: 4.7.321
Description: starttls-not-supported: Destination mail server must support TLS to receive mail.
Possible cause: DNSSEC checks have passed, yet upon connection the destination mail server doesn't respond to the STARTTLS command, or the destination server responds to the STARTTLS command but the TLS handshake fails.
Additional information: This message usually indicates an issue on the destination email server. Check the validity of the recipient address. Determine if the destination server is configured correctly to receive the messages.

Error code: 4.7.322
Description: certificate-expired: Destination mail server's certificate is expired.
Possible cause: DNSSEC checks have passed, yet upon establishing the connection, the destination mail server provides a certificate that's expired.
Additional information: A valid X.509 certificate that isn't expired must be presented. X.509 certificates must be renewed after their expiration, most commonly on an annual basis.

Error code: 4.7.323
Description: tlsa-invalid: The domain failed DANE validation.
Possible cause: Records are DNSSEC authentic, but one or multiple of these scenarios occurred:
- The destination mail server's certificate doesn't match with what's expected per the authentic TLSA record.
- The authentic TLSA record is misconfigured.
- The destination domain is being attacked.
- Any other DANE failure.
Additional information: This message usually indicates an issue on the destination email server. Check the validity of the recipient address and determine if the destination server is configured correctly to receive messages. For more information, see DANE protocol: updates and operational guidance.

Error code: 4.7.324
Description: dnssec-invalid: Destination domain returned invalid DNSSEC records
Possible cause: The destination domain indicated it was DNSSEC-authentic, but Exchange Online wasn't able to verify it as DNSSEC-authentic.
Additional information: For more information, see Overview of DNSSEC.

Error code: 4.7.325
Description: certificate-host-mismatch: Remote certificate MUST have a common name or subject alternative name matching the hostname (DANE)
Possible cause: This happens when the presented certificate identities (CN and SAN) of a destination SMTP target host don't match any of the domains or MX host.
Additional information: This message usually indicates an issue on the destination email server. Check the validity of the recipient address and determine if the destination server is configured correctly to receive messages. For more information, see How SMTP DNS-based Authentication of Named Entities (DANE) works to secure email communications.

Error code: 4.7.500-699
Description: Access denied, please try again later
Possible cause: Suspicious activity has been detected and sending has been temporarily restricted for further evaluation.
Additional information: If this activity is valid, this restriction will be lifted shortly.

Error code: 4.7.850-899
Description: Access denied, please try again later
Possible cause: Suspicious activity has been detected on the IP in question, and it has been temporarily restricted while it's being further evaluated.
Additional information: If this activity is valid, this restriction will be lifted shortly.

Error code: 5.0.350
Description: Generic error, x-dg-ref header is too long, or Requested action not taken: policy violation detected (AS345)
Possible cause: 5.0.350 is a generic catch-all error code for a wide variety of nonspecific errors from the recipient's email organization. The specific x-dg-ref header is too long message is related to Rich Text formatted messages. The specific Requested action not taken: policy violation detected (AS345) message is related to nested attachments.
Additional information: For more information, see Fix email delivery issues for error code 550 5.0.350 in Exchange Online.

Error code: 5.1.0
Description: Sender denied
Possible cause: A common cause of this NDR is when you use Microsoft Outlook to save an email message as a file, and then someone opened the message offline and replied to it. The message property only preserves the legacyExchangeDN attribute when Outlook delivers the message, and therefore the lookup could fail.
Additional information: Either the recipient address is incorrectly formatted, or the recipient couldn't be correctly resolved. The first step in resolving this error is to check the recipient address, and send the message again. For more information, see Fix email delivery issues for error code 5.1.0 in Exchange Online.

Error code: 5.1.1
Description: Bad destination mailbox address
Possible cause: This failure might be caused by the following conditions:
- The recipient's email address was entered incorrectly by the sender.
- The recipient's email address doesn't exist in the destination email system.
- The recipient's mailbox has been moved and the Outlook recipient cache on the sender's computer hasn't updated.
- An invalid legacy domain name (DN) exists for the recipient's mailbox in Active Directory Domain Services.
Additional information: This error typically occurs when the sender of the message enters an incorrect email address of the recipient. The sender should check the recipient's email address and send again. This error can also occur if the recipient email address was correct in the past but has changed or has been removed from the destination email system. If the sender of the message is in the same organization as the recipient, and the recipient's mailbox still exists, determine whether the recipient's mailbox has been relocated to a new email server. If so, Outlook might not have updated the recipient cache correctly. Instruct the sender to remove the recipient's address from the sender's Outlook recipient cache and then create a new message. Resending the original message will result in the same failure. For more information, see Fix email delivery issues for error code 5.1.1 through 5.1.20 in Exchange Online.

Error code: 5.1.8
Description: Access denied, bad outbound sender
Possible cause: The account has been blocked for sending too much spam. Typically, this problem occurs because the account has been compromised (hacked) by phishing or malware.
Additional information: For more information, see Fix email delivery issues for error code 5.1.8 in Exchange Online.

Error code: 5.1.10
Description: Recipient not found
Possible cause: The recipient's <SMTP Address> wasn't found by SMTP address lookup.
Additional information: For more information, see Fix email delivery issues for error code 550 5.1.10 in Exchange Online.

Error code: 5.1.90
Description: Your message can't be sent because you've reached your daily limit for message recipients
Possible cause: The sender has exceeded the recipient rate limit as described in Sending limits.
Additional information: This could indicate the account has been compromised and is being used to send spam. For more information, see How to determine whether your account has been compromised.

Error code: 5.2.2
Description: Submission quota exceeded
Possible cause: The sender has exceeded the recipient rate limit or the message rate limit as described in Sending limits.
Additional information: This could indicate the account has been compromised and is being used to send spam. For more information, see How to determine whether your account has been compromised.

Error code: 5.2.121
Description: Recipient's per hour message receive limit from specific sender exceeded
Possible cause: The sender has exceeded the maximum number of messages they're allowed to send per hour to a specific recipient in Exchange Online.
Additional information: The automated mailer or sender should try again later, and reduce the number of messages they send per hour to a specific recipient. This limit helps protect Microsoft 365 or Office 365 users from rapidly filling their inboxes with a large number of messages from errant automated notification systems or other single-sender mail storms.

Error code: 5.2.122
Description: Recipient's per hour message receive limit exceeded
Possible cause: The Microsoft 365 or Office 365 recipient has exceeded the number of messages they can receive per hour from all senders.
Additional information: The automated mailer or sender should try again later, and reduce the number of messages they send per hour to a specific recipient. This limit helps protect Microsoft 365 and Office 365 users from rapidly filling their inboxes with a large number of messages from errant automated notification systems or other mail storms.

Error code: 5.3.190
Description: Journaling on-premises messages to Microsoft 365 or Office 365 not supported when Journaling Archive is disabled
Possible cause: Journaling on-premises messages to Microsoft 365 or Office 365 isn't supported for this organization because they haven't turned on Journaling Archive in their settings.
Additional information: A journaling rule is configured in the organization's on-premises environment to journal on-premises messages to Microsoft 365 or Office 365, but Journaling Archive is disabled. For this scenario to work, the organization's Office 365 administrator should either enable Journaling Archive or change the journaling rule to journal messages to a different location.

Error code: 5.4.1
Description: Relay Access Denied
Possible cause: The mail server that's generating the error doesn't accept mail for the recipient's domain. This error is caused by mail server or DNS misconfiguration.
Additional information: For more information, see Fix email delivery issues for error code 5.4.1 in Exchange Online.

Error code: 5.4.1
Description: Recipient address rejected: Access denied
Possible cause: The recipient's address doesn't exist.
Additional information: For more information, see Use Directory Based Edge Blocking to reject messages sent to invalid recipients.

Error code: 5.4.6 or 5.4.14
Description: Routing loop detected
Possible cause: A configuration error has caused an email loop. 5.4.6 is generated by on-premises Exchange server (you'll see this code in hybrid environments). 5.4.14 is generated by Exchange Online. By default, after 20 iterations of an email loop, Exchange interrupts the loop and generates an NDR to the sender of the message.
Additional information: This error occurs when the delivery of a message generates another message in response. That message then generates a third message, and the process is repeated, creating a loop. To help protect against exhausting system resources, Exchange interrupts the mail loop after 20 iterations. Mail loops are typically created because of a configuration error on the sending mail server, the receiving mail server, or on both. Check the sender's and the recipient's mailbox rules configuration to determine whether automatic message forwarding is enabled. For more information, see Fix email delivery issues for error code 5.4.6 or 5.4.14 in Exchange Online.

Error code: 5.4.8
Description: MX hosts of <domain> failed MTA-STS validation
Possible cause: The destination MX host was not the host expected per the domain's STS policy.
Additional information: This error usually indicates an issue with the destination domain's MTA-STS policy not containing the MX host. For more information, see Enhancing mail flow with MTA-STS.

Error code: 5.4.300
Description: Message expired
Possible cause: The email took too long to be successfully delivered, either because the destination server never responded or the sent message generated an NDR error and that NDR couldn't be delivered to the original sender.

Error code: 5.5.0
Description: 550 5.5.0 Requested action not taken: mailbox unavailable
Possible cause: The recipient's <SMTP Address> domain is @hotmail.com or @outlook.com and it wasn't found by SMTP address lookup.
Additional information: Similar to 550 5.1.10. For more information, see Fix email delivery issues for error code 550 5.1.10 in Exchange Online.

Error code: 5.6.11
Description: Invalid characters
Possible cause: Your email program added invalid characters (bare line feed characters) into a message you sent.
Additional information: For more information, see Fix email delivery issues for error code 5.6.11 in Exchange Online.

Error code: 5.7.1
Description: Delivery not authorized
Possible cause: The sender of the message isn't allowed to send messages to the recipient.
Additional information: This error occurs when the sender tries to send a message to a recipient but the sender isn't authorized to do this. This error frequently occurs when a sender tries to send messages to a distribution group that has been configured to accept messages only from members of that distribution group or other authorized senders. The sender must request permission to send messages to the recipient. This error can also occur if an Exchange transport rule rejects a message because the message matched conditions that are configured on the transport rule. For more information, see Fix email delivery issues for error code 5.7.1 in Exchange Online.

Error code: 5.7.1
Description: Unable to relay
Possible cause: The sending email system isn't allowed to send a message to an email system that isn't the final destination of the message.
Additional information: This error occurs when the sending email system tries to send an anonymous message to a receiving email system, and the receiving email system doesn't accept messages for the domain or domains specified in one or more of the recipients. The following reasons are the most common ones for this error:
- A third party tries to use a receiving email system to send spam, and the receiving email system rejects the attempt. By the nature of spam, the sender's email address might have been forged, and the resulting NDR could have been sent to the unsuspecting sender's email address. It's difficult to avoid this situation.
- An MX record for a domain points to a receiving email system where that domain isn't accepted. The administrator responsible for the specific domain name must correct the MX record or configure the receiving email system to accept messages sent to that domain, or do both.
- A sending email system or client that should use the receiving email system to relay messages doesn't have the correct permissions to do this.
For more information, see Fix email delivery issues for error code 5.7.1 in Exchange Online.

Error code: 5.7.1
Description: Client was not authenticated
Possible cause: The sending email system didn't authenticate with the receiving email system. The receiving email system requires authentication before message submission.
Additional information: This error occurs when the receiving server must be authenticated before message submission, and the sending email system hasn't authenticated with the receiving email system. The sending email system administrator must configure the sending email system to authenticate with the receiving email system for delivery to be successful. For more information, see Fix email delivery issues for error code 5.7.1 in Exchange Online.

Error code: 5.7.5
Description: Remote certificate failed MTA-STS validation. Reason: <validityStatus>
Possible cause: The destination mail server's certificate must chain to a trusted root Certificate Authority and the Common Name or Subject Alternative Name must contain an entry for the host name in the STS policy.
Additional information: This error usually indicates an issue with the destination mail server's certificate. For more information, see Enhancing mail flow with MTA-STS.

Error code: 5.7.12
Description: Sender was not authenticated by organization
Possible cause: The sender's message is rejected because the recipient address is set up to reject messages sent from outside its organization. Only an email administrator for the recipient's organization can change this.
Additional information: For more information, see Fix email delivery issues for error code 5.7.12 in Exchange Online.

Error code: 5.7.23
Description: The message was rejected because of Sender Policy Framework violation
Possible cause: The destination email system uses SPF to validate inbound mail, and there's a problem with your SPF configuration.
Additional information: For more information, see Fix email delivery issues for error code 5.7.23 in Exchange Online.

Error code: 5.7.57
Description: Client was not authenticated to send anonymous mail during MAIL FROM
Possible cause: You configured an application or device to send (relay) email messages in Microsoft 365 or Office 365 using the smtp.office365.com endpoint, and there's a problem with the configuration of the application or device.
Additional information: For more information, see Fix email delivery issues for error code 5.7.57 in Exchange Online.

Error code: 5.7.64
Description: TenantAttribution; Relay Access Denied
Possible cause: You use an inbound connector to receive messages from your on-premises email environment, and something has changed in your on-premises environment that makes the inbound connector's configuration incorrect.
Additional information: For more information, see Fix email delivery issues for error code 5.7.64 in Exchange Online.

Error code: 5.7.124
Description: Sender not in allowed-senders list
Possible cause: The sender doesn't have permission to send to the distribution group because the sender isn't in the group's allowed-senders list. Depending how the group is set up, even the group's owner might need to be added to the allowed sender list in order to send messages to the group.
Additional information: For more information, see Fix email delivery issues for error code 5.7.124 in Exchange Online.

Error code: 5.7.133
Description: Sender not authenticated for group
Possible cause: The recipient address is a group distribution list that is set up to reject messages sent from outside its organization. Only an email administrator for the recipient's organization or the group owner can change this.
Additional information: For more information, see Fix email delivery issues for error code 5.7.133 in Exchange Online.

Error code: 5.7.134
Description: Sender was not authenticated for mailbox
Possible cause: The recipient address is a mailbox that is set up to reject messages sent from outside its organization. Only an email administrator for the recipient's organization can change this.
Additional information: For more information, see Fix email delivery issues for error code 5.7.134 in Exchange Online.

Error code: 5.7.13 or 5.7.135
Description: Sender was not authenticated for public folder
Possible cause: The recipient address is a public folder that is set up to reject messages sent from outside its organization. Only an email administrator for the recipient's organization can change this.
Additional information: For more information, see Fix email delivery issues for error code 5.7.13 or 5.7.135 in Exchange Online.

Error code: 5.7.136
Description: Sender was not authenticated
Possible cause: The recipient address is a mail user that is set up to reject messages sent from outside its organization. Only an email administrator for the recipient's organization can change this.
Additional information: For more information, see Fix email delivery issues for error code 5.7.136 in Exchange Online.

Error code: 5.7.25
Description: Access denied, the sending IPv6 address [2a01:111:f200:2004::240] must have a reverse DNS record
Possible cause: The sending IPv6 address must have a reverse DNS record to send email over IPv6.
Additional information: For more information, see Support for anonymous inbound email messages over IPv6.

Error code: 5.7.321
Description: starttls-not-supported: Destination mail server must support TLS to receive mail.
Possible cause: DNSSEC checks have passed, yet upon connection the destination mail server doesn't respond to the STARTTLS command, or the destination server responds to the STARTTLS command but the TLS handshake fails.
Additional information: This message usually indicates an issue on the destination mail server. Check the validity of the recipient address and determine if the destination server is configured correctly to receive messages.

5.7.322 certificate-expired: Destination mail DNSSEC checks have A valid X.509 certificate that isn't expired must
server's certificate is expired. passed, yet, upon be presented. X.509 certificates must be
establishing the renewed after their expiration, most commonly
connection, the on an annual basis.
destination mail
server provides a
certificate that is
expired.

5.7.323 tlsa-invalid: The domain failed DANE Records are DNSSEC This message usually indicates an issue on the
validation. authentic but one or destination mail server. Check the validity of
multiple of these the recipient address and determine if the
things occurred: destination server is configured correctly to
The receive messages.
destination
mail server's For more information about DANE, see
certificate https://datatracker.ietf.org/doc/html/rfc7671 .
doesn't match
with what is
expected per
the authentic
TLSA record.
Authentic
TLSA record is
misconfigured.
Destination
domain is
being
attacked.
The certificate
start date is in
the future.
Any other
DANE failure.

5.7.324 dnssec-invalid: Destination domain The destination For more information about DNSSEC, see
returned invalid DNSSEC records domain indicated it Overview of DNSSEC.
was DNSSEC
authentic but
Exchange Online
wasn't able to verify
it as DNSSEC
authentic.

5.7.325 certificate-host-mismatch: Remote This error occurs This message usually indicates an issue on the
certificate MUST have a common name or when the presented destination email server. Check the validity of
subject alternative name matching the certificate identities recipient address and determine if the
hostname (DANE) (CN and SAN) of a destination server is configured correctly to
destination SMTP receive messages. For more information, see
target host don't How SMTP DNS-based Authentication of
match any of the Named Entities (DANE) works to secure email
domains or MX host. communications.

5.7.501 Access denied, spam abuse detected The sending account For more information, see Fix email delivery
has been banned issues for error code 451 5.7.500-699 (ASxxx) in
Exchange Online.
Error Description Possible cause Additional information
code

due to detected
spam activity. Verify that account issues have been resolved,
and reset its credentials. To restore this
account's ability to send mail, contact support
through your regular channel.

5.7.502 Access denied, banned sender The sending account Verify that account issues have been resolved,
has been banned and reset its credentials. To restore this
due to detected account's ability to send mail, please contact
spam activity. support through your regular channel.

5.7.503 Access denied, banned sender The sending account Verify that account issues have been resolved,
has been banned and reset its credentials. To restore this
due to detected account's ability to send mail, please contact
spam activity. support through your regular channel.

5.7.504 [email@contoso.com]: Recipient address The recipient Verify the recipient's email address, and try
rejected: Access denied address that you're again.
attempting to
contact isn't valid.

5.7.505 Access denied, banned recipient The recipient that If you feel this is an error, contact support.
you're attempting to
contact isn't valid.

5.7.506 Access Denied, Bad HELO Your server is This isn't allowed, and it's characteristic of
attempting to typical spambot behavior.
introduce itself
(HELO according to
RFC 821) as the
server it's trying to
connect to, rather
than its own fully
qualified domain
name.

5.7.507 Access denied, rejected by recipient The IP that you're Contact the recipient to resolve this issue.
attempting to send
from has been
blocked by the
recipient's
organization.

5.7.508 Access denied, [$SenderIPAddress] has The sender's IPv6 Not applicable
exceeded permitted limits within $range range has attempted
range to send too many
messages in too
short a time period.

5.7.509 Access denied, sending domain The sender's domain For information on why this error occurred, see
[$SenderDomain] does not pass DMARC in the 5322.From Why does DMARC fail?.
verification and has a DMARC policy of address doesn't pass
reject. DMARC. A user too receives this Bounce Message
because it failed DMARC and the DMARC
policy is set to reject all failures. The user then
should contact their email administrator for
additional help.
Error Description Possible cause Additional information
code

5.7.510 Access denied, [contoso.com] does not The sender is Not applicable
accept email over IPv6 attempting to
transmit a message
to the recipient over
IPv6, but the
recipient doesn't
accept email
messages over IPv6.

5.7.511 Access denied, banned sender The IP that you're To delist the address, email
attempting to send delist@microsoft.com and provide the full NDR
from has been code and IP address.
banned.
For more information, see Use the delist portal
to remove yourself from the blocked senders
list.

5.7.512 Access denied, message must be RFC 5322 Message was sent Office 365 only. Each message must contain a
section 3.6.2 compliant without a valid valid email address in the "From" header field.
"From" email Proper formatting of this address includes
address. angle brackets around the email address, for
example, <security@contoso.com>. Without
an address with this format, Microsoft 365 or
Office 365 will reject the message.

5.7.513 Service unavailable, Client host The recipient The domain that received the email has
[$ConnectingIP] blocked by domain has added blocked your sender's IP address. If you think
$recipientDomain using Customer Block your sending IP your IP address has been added to the
list (AS16012607) address to its recipient domain's custom blocklist by error,
custom blocklist. you need to contact them directly and ask
them to remove it from the blocklist.

5.7.606- Access denied, banned sending IP The IP that you're Verify that you're following the best practices
649 [IP1.IP2.IP3.IP4] attempting to send for email deliverability, and ensure your IPs'
from has been reputations haven't been degraded as a result
banned. of compromise or malicious traffic. If you
believe you're receiving this message by error,
you can use the self-service portal to request
your IP address to be removed from this list.

For more information, see Use the delist portal


to remove yourself from the blocked senders
list.

5.7.703 Your message can't be delivered because Someone in your


messages to XXX, YYY are blocked by your organization sent
organization using Tenant Allow Block mail to an email
List. address or domain
that's blocked in the
Tenant Allow/Block
List. The entire
message is blocked
for all internal and
external recipients of
the message, even if
only one recipient
email address or
Error Description Possible cause Additional information
code

domain is defined in
a block entry.

5.7.705 5.7.705 Access denied, tenant has Most of the traffic Ensure that any compromises or open relays
exceeded threshold , 5.7.708 Access from this tenant has have been resolved, and then contact support
5.7.708 denied, traffic not accepted from this been detected as through your regular channel.
IP suspicious and this
detection has For more information, see Fix email delivery
resulted in a ban on issues for error codes 5.7.700 through 5.7.750
the sending ability in Exchange Online.
for the tenant.

5.7.750 Service unavailable. Client blocked from A suspicious number Add and validate any or all domains that you
sending from unregistered domains of messages from use to send email from Microsoft 365 or Office
unprovisioned 365.
domains is coming
from this tenant. For more information, see Fix email delivery
issues for error codes 5.7.700 through 5.7.750
in Exchange Online.

n/a The message can't be submitted because The user account The account has likely been compromised. For
the sender's submission quota was has exceeded the more information, see Fix email delivery issues
exceeded recipient rate limit for error 'the sender's submission quota was
(10,000 recipients exceeded' in Exchange Online.
per day).

Run non-delivery report diagnostics

Note

This feature requires a Microsoft 365 administrator account. This feature isn't available for Microsoft
365 Government, Microsoft 365 operated by 21Vianet, or Microsoft 365 Germany.

You can run an automated diagnostic that explains the description, possible cause, and solution for a non-delivery report (NDR). Before you begin, get the NDR code or status code from the undeliverable/non-delivery report.

To run the diagnostic check, select the following button:

Run Tests: NDR diagnostics

A flyout page opens in the Microsoft 365 admin center. Paste the NDR code or error message, and then
select Run Tests.

What's included in an NDR?

Exchange NDRs are designed to be easy to read and understand by email users and administrators. There are a couple of different formats for NDRs. The newest style NDR contains a problem description in everyday language, along with steps to fix it. The following figure shows the format for this type of NDR:

Information provided in the newest style NDRs is designed to help the typical email user solve their problem immediately. When that isn't possible, the NDR provides details for administrators and also a link to more help on the web. The fields that appear in the newest Office 365 NDRs are described in the following table:

Office 365 logo: This section indicates that Microsoft 365 or Office 365 generated the NDR. The logo doesn't mean that Microsoft 365 or Office 365 was responsible for the error. This tells which messaging endpoints or services are involved in the email transaction, which isn't always clear in older style NDRs.

Cause: This section provides the reason that the message wasn't delivered.

Fix-it owner indicator: This section provides an at-a-glance view of the issue and who needs to fix it. The image shows the three basic parties in a Microsoft 365 or Office 365 email transaction: the sender, Microsoft 365 or Office 365, and the recipient. The area marked in red is where the problem usually must be fixed.

How to fix it: This section is designed for the end user or the email sender who receives the NDR. It explains how to fix the issue.

More info for email admins: This section provides a detailed explanation of the problem and solution along with technical details and a link to a web-based article that has detailed reference information.

Message hops: This section contains times and system references for the message, which allows an administrator to follow the message's hops or server-to-server path. With this information, an administrator might quickly spot problems between message hops.

For NDRs that don't have the latest format, the information might be separated into two sections: User
information and Diagnostic information for administrators. The following figure shows the format for one
type of Exchange Online NDR:

User information
The User information section appears first in some NDRs, and the main purpose is to provide a summary
about what went wrong. The text is designed to help the message sender determine why the message was
rejected and, if possible, how to resend the message successfully. The email address of each recipient is
listed, and the reason for the failure is included in the space below the recipient's email address. The name
of the mail server that rejected the message might also be included in this section.

Diagnostic information for administrators

The Diagnostic information for administrators section provides deeper technical information to help administrators troubleshoot the message delivery problem. It contains detailed information about the specific error that occurred during delivery of the message, the server that generated the NDR, and the server that rejected the message. This section uses the following format:

Diagnostic information for administrators

Generating server:
<server name>
<rejected recipient>
<remote server>
<enhanced status code>
<SMTP response>
Original message headers
<message header fields>

Generating server: This field indicates the name of the SMTP mail server that created the NDR. If no remote server is listed below the sender's email address, the generating server is also the server that rejected the original email message. When the remote mail server acknowledges and accepts the message, but later rejects the message, for example, because of content restrictions, the remote server generates the NDR. If the remote mail server never acknowledges and never accepts the message, the sending server in Exchange Online generates the NDR.

<Rejected recipient>: This value is the email address of the recipient. If delivery failed to more than one recipient, the email address of each recipient is listed. The following information is also included for each failed recipient:

<Remote server>: This value is the name of the mail server that rejected the message. If the original message is successfully acknowledged by the receiving server, but is later rejected, the remote server value isn't populated.

<Enhanced status code>: This value is assigned by the mail server that rejected the original message and indicates why the message was rejected. These codes are defined in RFC 3463, and use the format abc x.y.z, where the placeholder values are integers. For example, a 5.x.x code indicates a permanent error, and a 4.x.x code indicates a temporary error. Although the enhanced status code is often generated by an external mail server, Exchange Online uses the enhanced status code value to determine the text to display in the User information section.

<SMTP response>: This value is returned by the mail server that rejected the original message. This text provides an explanation for the enhanced status code value. The text is always presented in US-ASCII format.

Original message headers: This section contains the message header fields of the rejected message. These header fields can provide useful diagnostic information, such as the path that the message took before it was rejected, or whether the To field value matches the rejected recipient value.

How to interpret an Exchange NDR

Here's an example. Suppose you receive an Exchange NDR that contains the following information:

Output

Delivery has failed to these recipients or groups:

ronald@contoso.com
Your message wasn't delivered due to a permission or security issue. It might have been
rejected by a moderator, the address might only accept email from certain senders, or another
restriction might be preventing delivery. The following organization rejected your message:
mail.contoso.com.
Diagnostic information for administrators:
Generating server: alpineskihouse.com
ronald@contoso.com
mail.contoso.com #<exchange.contoso.com #5.7.1 smtp;530 5.7.1 Client was not authenticated> #SMTP#
Original message headers:
...

From the User information section, you can determine that the recipient is Ronald Slattery, and that the
message was rejected by the mail server mail.contoso.com, which isn't an Exchange Online or Exchange
Online Protection mail server.

From the Diagnostic information for administrators section, you can see that alpineskihouse.com attempted to connect to the server mail.contoso.com to deliver the message to the recipient ronald@contoso.com. However, mail.contoso.com responded with the error 530 5.7.1 Client was not authenticated. Even though bigfish.com generated the NDR, mail.contoso.com actually rejected the message, so the administrators at contoso.com are responsible for understanding and fixing the problem. This particular error indicates that the server mail.contoso.com is configured not to accept anonymous email from the Internet.

Although the Original message headers are omitted from this example due to their length and complexity,
you can typically extract useful information from the following header fields:

To: This field might be helpful if the email address was mistyped.

Received: These fields can tell you what the path was for the message, and the last hop that
generated the delivery status notification if it isn't easy to tell from the Generating server value in the
NDR.

Received-SPF: If this value is anything other than pass, check the Sender Policy Framework (SPF) DNS record for your domain. For more information, see Add or edit custom DNS records.
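As an added example that is not part of the original article, the following Python pulls the administrator fields out of an NDR body shaped like the one above and applies the RFC 3463 class rule (5.x.x permanent, 4.x.x transient) to decide who rejected the message and whether a retry can help. The sample NDR text is constructed from the example above, and the regular expressions are assumptions about how Exchange lays out the status line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, following the NDR quoted above: alpineskihouse.com generated
# the report after mail.contoso.com answered 530 5.7.1.
SAMPLE_NDR = """\
Delivery has failed to these recipients or groups:

ronald@contoso.com
Your message wasn't delivered due to a permission or security issue.
The following organization rejected your message: mail.contoso.com.

Diagnostic information for administrators:
Generating server: alpineskihouse.com
ronald@contoso.com
mail.contoso.com #<exchange.contoso.com #5.7.1 smtp;530 5.7.1 Client was not authenticated> #SMTP#
Original message headers:
...
"""

# Status line shapes (assumed from the example): "remote-server #<...> #SMTP#", or
# "#<...> #SMTP#" when the generating server itself rejected the message.
STATUS_LINE = re.compile(r"^(?:(?P<remote>[\w.-]+)\s+)?#<(?P<inner>.*)>\s*#SMTP#\s*$")
INNER = re.compile(r"#(?P<code>[245]\.\d{1,3}\.\d{1,3})\s+smtp;(?P<resp>.*)$")


@dataclass
class NdrDiagnostics:
    generating_server: str
    rejected_recipient: str
    remote_server: Optional[str]
    enhanced_status_code: str
    smtp_response: str

    @property
    def is_permanent(self) -> bool:
        # RFC 3463: class 5 is a permanent failure, class 4 a persistent transient one.
        return self.enhanced_status_code.startswith("5.")

    @property
    def rejecting_server(self) -> str:
        # The party to contact: the remote server if one is listed; otherwise the
        # generating server is also the one that refused the message.
        return self.remote_server or self.generating_server


def parse_ndr_diagnostics(ndr_text: str) -> NdrDiagnostics:
    """Extract the administrator fields from an Exchange-style NDR body."""
    section = re.search(
        r"Diagnostic information for administrators:\s*(.*?)\s*Original message headers",
        ndr_text, re.S)
    if not section:
        raise ValueError("no 'Diagnostic information for administrators' section")
    lines = [ln.strip() for ln in section.group(1).splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("diagnostic section is incomplete")
    gen = re.match(r"Generating server:\s*(\S+)", lines[0])
    if not gen:
        raise ValueError("missing 'Generating server' line")
    status = STATUS_LINE.match(lines[2])
    if not status:
        raise ValueError(f"unrecognised status line: {lines[2]!r}")
    inner = INNER.search(status.group("inner"))
    if not inner:
        raise ValueError("status line carries no enhanced status code")
    return NdrDiagnostics(
        generating_server=gen.group(1),
        rejected_recipient=lines[1],
        remote_server=status.group("remote"),
        enhanced_status_code=inner.group("code"),
        smtp_response=inner.group("resp").strip(),
    )


def summarize(diag: NdrDiagnostics) -> str:
    """One-line triage summary: who rejected the message and whether a retry can help."""
    kind = "permanent" if diag.is_permanent else "transient"
    return (f"{diag.rejecting_server} rejected mail for {diag.rejected_recipient} with "
            f"{diag.enhanced_status_code} ({kind}): {diag.smtp_response}")


if __name__ == "__main__":
    print(summarize(parse_ndr_diagnostics(SAMPLE_NDR)))
```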

Still need help with SMTP errors, NDRs or other status notifications?

Additional email help

Get help when email messages won't send

Find and fix email delivery issues as a Microsoft 365 for business admin

Anti-spam protection in EOP

Recover deleted items in a user mailbox - Admin Help

My messages won't send

Fix Outlook account problems in Microsoft 365

Message trace in the Security & Compliance Center

Troubleshoot Microsoft 365 mail flow

Why does DMARC fail?

1. Missing or incorrect DMARC/DNS records: Alignment issues, missing SPF, and policy issues.
2. Missing DKIM or DKIM records: Missing DKIM DNS record (public key) or the message isn't DKIM signed at the time of sending (private key).
3. Forwarding emails: Forwarding can break SPF/DKIM, which fails DMARC.

How do I fix this error?

1. If you're using/paying a DMARC service to read your reports, ask them what is happening.
2. Read the NDR message to trace information that provides the reasons for the DMARC failure.
3. Add/correct/align based on the ascertained reasons for the DMARC failure.

How can I see the message headers?

Microsoft includes the headers in the NDR email sent back to the original sender of the message that failed
DMARC.

Header information

SPF/DKIM Failures:

Transport; Wed, 22 Mar 2023 21:14:22 +0000
Authentication-Results: spf=none (sender IP is 40.95.88.73)
smtp.mailfrom=o365e083.onmicrosoft.com; dkim=none (message not signed)
header.d=none;dmarc=fail action=oreject
header.from=o365e.onmicrosoft.com;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: o365e.onmicrosoft.com does
not designate permitted sender hosts)
Authentication-Results-Original: dkim=none (message not signed)
header.d=none; dmarc=none action=none
header.from=o365e.onmicrosoft.com;
X-Test-Message-Executed-by: daiq_debug
Message-ID: <991e8244-85@A.MB3331.outlook.com>
From: admin@o365e.onmicrosoft.com
Subject: Consumer dmarc reject test
MIME-Version: 1.0
Content-Type: text/plain
Sender: "admin@o365e.onmicrosoft.com"
<admin@o365e.onmicrosoft.com>

Alignment: P1 and P2 domains don't align (match)

Message-ID: <1430c613-58@A.MB3outlook.com>
From: admin@o365e083.onmicrosoft.com
Subject: Consumer auto forward test
MIME-Version: 1.0
Content-Type: text/plain
Sender: "admin@o365e039.onmicrosoft.com"
<admin@o365e039.onmicrosoft.com>
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AMB3284:EE_|DU0PRMB172:EE
To: Undisclosed recipients:;
Return-Path: admin@o365e039.onmicrosoft.com
Date: Tue, 11 Apr 2023 16:20:03 +0000
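As an added example that is not part of the original article, the following Python re-derives the DMARC verdict from a message's Authentication-Results, From and Return-Path headers and reports which of the three causes listed above applies (no SPF/DKIM result, a missing DKIM signature, or a P1/P2 alignment failure as in the forwarding case). It goes slightly beyond the page by supporting both relaxed and strict alignment. It assumes a tiny stand-in for the Public Suffix List (real code loads the full list); the first sample is the header block above reduced to the relevant lines, the second is constructed to model the alignment example.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Stand-in for the Public Suffix List: every registration under these suffixes is a
# separate organization, so o365e.onmicrosoft.com and o365e083.onmicrosoft.com do not
# share an organizational domain. Real implementations load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "onmicrosoft.com"}

def org_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    # Strict alignment needs an exact match; relaxed needs the same organizational domain.
    a, b = identifier.lower(), from_domain.lower()
    return a == b if mode == "strict" else org_domain(a) == org_domain(b)

def parse_auth_results(value: str) -> dict:
    """Parse 'spf=none (...) smtp.mailfrom=x; dkim=none header.d=none; ...' into a dict."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop comments such as "(sender IP is ...)"
    out = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause, or an authserv-id that carries no result
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        props["result"] = result.lower()
        out[method.lower()] = props
    return out

@dataclass
class DmarcEvaluation:
    from_domain: str
    mailfrom_domain: Optional[str]
    spf_result: str
    spf_aligned: bool
    dkim_domain: Optional[str]
    dkim_result: str
    dkim_aligned: bool

    @property
    def passes(self) -> bool:
        # RFC 7489: at least one of SPF or DKIM must pass AND align with the 5322.From domain.
        return (self.spf_result == "pass" and self.spf_aligned) or (
            self.dkim_result == "pass" and self.dkim_aligned)

    def reasons(self) -> list:
        """Why DMARC failed, in terms of the causes listed on this page."""
        out = []
        if self.spf_result != "pass":
            out.append(f"SPF {self.spf_result} for 5321.MailFrom {self.mailfrom_domain}")
        elif not self.spf_aligned:
            out.append(f"SPF passed but {self.mailfrom_domain} is not aligned with {self.from_domain}")
        if self.dkim_domain is None:
            out.append("message is not DKIM signed")
        elif self.dkim_result != "pass" or not self.dkim_aligned:
            out.append(f"DKIM d={self.dkim_domain}: result {self.dkim_result}, aligned={self.dkim_aligned}")
        return out

def evaluate_dmarc(raw_headers: str, mode: str = "relaxed") -> DmarcEvaluation:
    """Re-derive the DMARC verdict from the identifiers the receiving server recorded."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        raise ValueError("no usable 5322.From domain")
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf = auth.get("spf", {"result": "none"})
    dkim = auth.get("dkim", {"result": "none"})
    # 5321.MailFrom: what the receiver recorded in smtp.mailfrom, else the Return-Path.
    mailfrom = spf.get("smtp.mailfrom") or parseaddr(msg.get("Return-Path", ""))[1]
    mailfrom_domain = mailfrom.rpartition("@")[2].lower() or None
    dkim_domain = dkim.get("header.d", "none").lower()
    dkim_domain = None if dkim_domain == "none" else dkim_domain
    return DmarcEvaluation(
        from_domain, mailfrom_domain, spf["result"],
        bool(mailfrom_domain) and aligned(mailfrom_domain, from_domain, mode),
        dkim_domain, dkim["result"],
        bool(dkim_domain) and aligned(dkim_domain, from_domain, mode))

# Sample 1: the "SPF/DKIM Failures" headers above, reduced to the lines that matter and
# folded as Exchange emits them. Sample 2 is constructed to model the alignment example:
# the forwarder passes SPF for its own Return-Path domain, which is not the From domain.
NOT_AUTHENTICATED = ("Authentication-Results: spf=none (sender IP is 40.95.88.73)\n"
    " smtp.mailfrom=o365e083.onmicrosoft.com; dkim=none (message not signed)\n"
    " header.d=none;dmarc=fail action=oreject header.from=o365e.onmicrosoft.com\n"
    "From: admin@o365e.onmicrosoft.com\n\n")
FORWARDED = ("Authentication-Results: spf=pass (sender IP is 198.51.100.7)\n"
    " smtp.mailfrom=o365e039.onmicrosoft.com; dkim=none (message not signed) header.d=none\n"
    "From: admin@o365e083.onmicrosoft.com\nReturn-Path: admin@o365e039.onmicrosoft.com\n\n")
```

Run `evaluate_dmarc(NOT_AUTHENTICATED).reasons()` and `evaluate_dmarc(FORWARDED).reasons()` to see the two failure modes side by side.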

Still need help with DMARC?

DNS
DMARC
SPF
DKIM

Microsoft DNS articles

DMARC
SPF
DKIM

Header Readers

MSFT Header Reader
Google Admin Toolbox Messageheader



Fix NDR error "550 5.1.8 Access denied" in Exchange Online
Article • 02/13/2023

Getting an error message that means the mail you sent wasn't delivered is frustrating.
This topic tells you what to do if you get error code 550 5.1.8 Access denied in a non-
delivery report (also known as an NDR, bounce message, delivery status notification, or
DSN), and mail isn't delivered.

I got this bounce message. How do I fix it?
I'm an email admin. How do I fix this email delivery issue?

What is 550 5.1.8 and why did I get this bounce message?

You received this NDR with error code 5.1.8 because your account has been blocked for
sending too much spam. Typically, this problem occurs because your account has been
compromised (hacked) by phishing or malware.

I got this bounce message. How do I fix it?


First, you need to reset your password and scan your devices for malware. However, the
hacker might have configured other settings on your mailbox (for example, created
Inbox rules to auto-forward email messages or added additional mailbox delegates). So,
follow the additional steps in How to determine whether your account has been
compromised.

Then, you need to tell your email admin that you think your account has been
compromised. Your admin will need to unblock your account before you can send email
again.

I'm an email admin. How do I fix this email delivery issue?

The sending account might be compromised. You'll need to:

Determine if the account is compromised. If the account is compromised, follow the steps in Responding to a Compromised Email Account in Exchange Online.

Go to the Restricted users page in the Microsoft 365 Defender portal at https://security.microsoft.com/restrictedusers to unblock the account. After you unblock the account, the user should be able to resume sending messages within a few hours.

To help prevent future account compromises, follow the recommendations in Top 10 ways to secure Microsoft 365 for business plans.

Still need help with error code 5.1.8?

See also
Email non-delivery reports in Exchange Online



Fix NDR error 5.4.6 or 5.4.14 in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic describes what you can do if you see the error codes 5.4.6, 5.4.14 or other error codes related to mail routing loops in a non-delivery report (also known as an NDR, bounce message, delivery status notification, or DSN).

Why did I get this bounce message?


The most likely cause is the message hop count being exceeded or the route through
which the message is delivered being broken. Some causes and solutions are provided
in this topic.

5.4.6 indicates a mail loop or routing problem in on-premises Exchange Server, which
you would likely encounter in a hybrid environment.

5.4.14 indicates a mail loop or routing problem in Exchange Online.

The information here applies to a range of error codes 5.4.6 through 5.4.20. Use the
information in the NDR to help you decide how to fix the problem.

I got this bounce message. How do I fix it?
I'm an email admin. How do I fix this issue?

I got this bounce message. How do I fix it?


Typically, these issues can only be fixed by an Exchange Online admin and not the
average email sender. Contact your email admin and refer them to this information so
they can try to resolve the issue for you.

I'm an email admin. How do I fix this issue?


The most common issues and fixes are described in the following sections.

Accepted domain issues


Verify that the recipient's domain is configured as an authoritative accepted domain in
Exchange Online. For more information, see Manage accepted domains in Exchange
Online.

Hybrid configuration issues


If your domain is part of a hybrid deployment between Exchange and Exchange Online,
check the following items based on your configuration.

You route all incoming mail for your hybrid domain through Exchange Online

This error can happen when the MX record for your hybrid domain points to Exchange
Online, and the connector that's used to route email from Exchange Online to your on-
premises Exchange organization is configured to use DNS routing instead of smart host
routing.

To fix the problem, configure a dedicated connector to be used for hybrid. This
connector will use smart host routing and will have your on-premises hybrid server
configured as a smart host. The easiest way to fix the problem is to rerun the Hybrid
Configuration Wizard in your on-premises Exchange organization. Or, you can verify the
configuration of the connector that's used for hybrid by following these steps:

New EAC

1. Open the Microsoft 365 admin center, and then click Admin centers > Exchange (you might need to click ...show all first). The New EAC screen appears.

2. In the Exchange admin center (EAC), click Mail Flow > Connectors.

3. Select the connector that's used for hybrid, and then click it.

The connector properties screen appears.

4. Under Routing, click Edit routing. The Routing screen appears.


5. Ensure that the correct IP address or FQDN is specified for the smart host in your
on-premises Exchange organization.

Classic EAC

1. Open the Microsoft 365 admin center, and then click Admin centers > Exchange (you might need to click ...show all first).

2. Click Classic Exchange admin center on the left pane of the New EAC screen.

Note

You can go to the Classic EAC screen only from the New EAC screen.

3. Click mail flow on the left pane. The mail flow home screen appears.

4. Click the connectors tab.

5. Select the connector that's used for hybrid, and click Edit.

6. Go to the How do you want to route email messages screen.

7. Ensure that the correct IP address or FQDN is specified for the smart host in your on-premises Exchange organization.

You route all outgoing mail from Exchange Online through your on-premises hybrid server

This configuration is controlled by the value of the RouteAllMessagesViaOnPremises parameter on the connector that's used for hybrid. When the value of this parameter is $true, you're routing all outgoing mail from Exchange Online through your on-premises hybrid server. You can verify this value by replacing <Connector Name> with your value and running the following command in Exchange Online PowerShell:

PowerShell

Get-OutboundConnector -Identity "<Connector Name>" | Format-List Name,RouteAllMessagesViaOnPremises

In this configuration, the error is caused by either of the following issues on the
connector from your on-premises Exchange organization to Exchange Online:

You don't have a connector (from Office 365 to your organization's email server) that has the Connector Type value On-premises.

The connector from Office 365 to your organization's email server is scoped to one or more accepted domains.

To fix the problem, configure a dedicated connector (from Office 365 to your organization's email server) that has the Connector Type value On-premises and that's not scoped to any accepted domains. The easiest way to fix the problem is to rerun the Hybrid Configuration Wizard in the on-premises Exchange organization. Or, you can verify the configuration of the connector (from Office 365 to your organization's email server) that is used for hybrid by following these steps:

1. Open the Microsoft 365 admin center, and then click Admin centers > Exchange (you might need to click ...show all first).

2. In the EAC, click Mail Flow > Connectors.

3. Select the connector that's used for hybrid, and then click Edit. Verify the following information:

General: Verify that the On-premises option is selected.

Scope: Verify that the Accepted domains option is empty with no data.

For more information about mail routing in hybrid deployments, see Transport routing
in Exchange hybrid deployments.

Causes for NDR 5.4.14 and what does this error mean?

There are two likely possibilities:

Based on the domain in the recipient's email address, your Exchange Online organization accepted the message, but then couldn't correctly route the message to the recipient. This failure is likely caused by accepted domain configuration issues.

In hybrid environments, there are misconfigured connectors in your Exchange Online organization.

Details about NDRs related to hop count exceeded


Here are some of the error codes that are related to mail routing loops or a bad mail
routing configuration:

554 5.4.6 Hop count exceeded - possible mail loop (always generated by on-premises Exchange Servers)

5.4.14 Hop count exceeded - possible mail loop ATTR34 (always generated by Exchange Online)

Still need help?


See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.7.12" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see status code 550 5.7.12 or 5.7.12 in a non-delivery
report (also known as an NDR, bounce message, delivery status notification, or DSN).
You'll see this automated notification when the recipient is configured to reject
messages that are sent from outside of its organization.

I got this bounce message. How do I fix it?
I'm an email admin. How do I fix this issue?

I got this bounce message. How do I fix it?


Only an email admin in the recipient's organization can fix this issue. Contact the email
admin and refer them to this information so they can try to resolve the issue for you.

I'm an email admin. How do I fix this issue?


The two methods that will allow an external sender to send messages to the recipient in
your organization are described in the following sections.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

Method 1: Allow all internal and external senders to send messages to this recipient

Open the EAC and use one of the following procedures based on the recipient type.

User mailboxes

New EAC

1. Go to Recipients > Mailboxes.


2. Select a mailbox from the list and click it. The mailbox properties screen appears.

3. Under Mail flow settings, click Manage mail flow settings. The Manage mail flow
settings screen appears.

4. In the Message delivery restriction pane, click Edit. The Message delivery
restrictions screen appears.

5. Clear the check box for Require senders to be authenticated in the Accept
messages from section.

6. Click Save.

Classic EAC

1. Go to Recipients > Mailboxes.

2. Select the mailbox from the list, and then click Edit. The mailbox properties screen appears.

3. Go to Mailbox features > Message Delivery Restrictions, and then click View
details. The message delivery restrictions screen appears.

4. Clear the check box for Require that all senders are authenticated in the Accept
messages from section.

5. Click OK, and then click Save.

Groups (distribution groups, mail-enabled security groups, and
dynamic distribution groups)

Groups in the new EAC

1. Go to Recipients > Groups.

2. Select the group from the list and click it. The group properties screen appears.

3. Click the Settings tab. The group settings screen appears.

4. Under the Delivery management pane, click Edit delivery management. The
Delivery management screen appears.

5. Choose the radio button for Allow messages from people inside and outside my
organization.

6. Click Save changes.

Groups in the classic EAC

1. Go to Recipients > Groups > select the group from the list, and then click Edit.
The group properties screen appears.

2. On the left pane, click Delivery management.

3. Click the radio button for Senders inside and outside of my organization.

4. Click Save.

Mail users

Important

Currently, editing mail flow settings for a mail user is available only in the Classic
EAC.

1. Go to Recipients > Contacts.

2. Select the mail user from the list, and then click Edit. The mail user properties
screen appears.

3. Go to Mailbox flow settings > Message Delivery Restrictions and click View
details. The Message delivery restrictions screen appears.

4. Clear the check box for Require that all senders are authenticated in the Accept
messages from section.

5. Click OK, and then click Save.

Shared mailboxes

Shared mailboxes in the new EAC

1. Go to Recipients > Mailboxes.

2. Select a shared mailbox from the list and click it. The mailbox properties screen
appears.

3. Under Mail flow settings, click Manage mail flow settings. The Manage mail flow
settings screen appears.

4. In the Message delivery restriction pane, click Edit. The message delivery
restrictions screen appears.

5. Clear the check box for Require senders to be authenticated in the Accept
messages from section.

6. Click Save.

Shared mailboxes in the classic EAC

1. Go to Recipients > Mailboxes.

2. Select a shared mailbox from the list, and then click Edit. The shared mailbox
properties screen appears.

3. Go to Mailbox features > Message Delivery Restrictions, and then click View
details. The Message delivery restrictions screen appears.

4. Clear the check box for Require that all senders are authenticated in the Accept
messages from section.

5. Click OK, and then click Save.

Method 2: Use the recipient's allowed senders list


Instead of allowing all external senders to send messages to this recipient, you can use
the recipient's allowed senders list to selectively allow messages from all internal
senders and the specified external senders.

Notes:

To add an external sender to a recipient's allowed senders list, you must first create
a mail contact or a mail user to represent the external sender in your organization.

To add everyone in your organization to a recipient's allowed sender's list, you can
create a distribution group or a dynamic distribution group that contains everyone
in your organization. After you create this group, you can add it to the recipient's
allowed senders list.

The recipient's allowed senders list is different from the organization's allowed
senders list for anti-spam that you manage in the EAC at Protection > Spam filter.

To configure the recipient's allowed senders list, open the EAC and use one of the
following procedures based on the recipient type.

User mailboxes

New EAC

1. Go to Recipients > Mailboxes.

2. Select a user mailbox from the list and click it. The mailbox properties screen
appears.

3. Under Mail flow settings, click Manage mail flow settings. The Manage mail flow
settings screen appears.

4. In the Message delivery restriction pane, click Edit. The Message delivery
restrictions screen appears.

5. Configure the following settings under the Accept messages from section:

Clear the check box for Require senders to be authenticated.

Choose the radio button for Selected senders.

Click + Add sender.

In the Accept messages from screen, select the external senders and the "all
internal users" group.

Add the external senders and the "all internal users" group to the list of the
allowed senders of the recipient.

6. When you're finished, click Confirm.

7. Click Save.

Classic EAC

1. Go to Recipients > Mailboxes.

2. Select the mailbox from the list, and then click Edit. The mailbox properties
screen appears.

3. Go to Mailbox features > Message Delivery Restrictions, and then click View
details. The message delivery restrictions screen appears.

4. Configure the following settings in the Accept messages from section:

Clear the check box for Require that all senders are authenticated.

Select Only senders in the following list, and then click Add. In the Select
Members dialog box that opens, select external senders and the "all internal
users" group.

Add the external senders and the "all internal users" group to the list of the
allowed senders of the recipient.

When you're finished, click OK.


5. Click OK, and then click Save.

Still need help with error code 550 5.7.12?

See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.7.13" or "550 5.7.135" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.7.13 or 550 5.7.135 in a non-
delivery report (also known as an NDR, bounce message, delivery status notification, or
DSN). You'll see this automated notification when the recipient is a public folder that's
configured to reject messages from external senders (senders from outside the
organization).


I got this bounce message. How do I fix this issue?

Only an email admin in the recipient's organization can fix this issue. Contact the email
admin and refer them to this information so they can try to resolve the issue for you.

I'm an email admin. How do I fix this issue?


The two methods that will allow the external sender to send messages to the public
folder in your organization are described in the following sections.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

Method 1: Allow all internal and external senders to send messages to this public folder

In New EAC

1. Navigate to Public folders > Public folders.

2. Choose a public folder from the list, and then click Edit. The public folder
properties screen appears.

3. Click Mail flow settings.

4. Under Message delivery Restrictions > Accept messages from, perform the
following tasks:

Clear the check box for Require that all senders are authenticated.

Select All senders.

5. Click Save.

In Classic EAC

1. In the Classic EAC, go to Public folders > Public folders > select the public folder
from the list, and then click Edit.

2. In the public folder properties dialog box that opens, go to Mail flow settings, and
configure the following settings in the Accept messages from section:

Clear the check box for Require that all senders are authenticated.

Select All senders.


3. Click Save.

Method 2: Use the public folder's allowed senders list


Instead of allowing all external senders to send messages to this public folder, you can
use the public folder's allowed senders list to selectively allow messages from all internal
senders and the specified external senders.

Notes:

To add an external sender to a public folder's allowed senders list, you must first
create a mail contact or a mail user to represent the external sender in your
organization.

To add everyone in your organization to a public folder's allowed sender's list, you
can create a distribution group or a dynamic distribution group that contains
everyone in your organization. After you create this group, you can add it to the
public folder's allowed senders list.

The public folder's allowed senders list is different from the organization's allowed
senders list for anti-spam that you manage in the EAC at Protection > Spam filter.

To configure the public folder's allowed senders list, open the EAC and do the following
steps:

In New EAC

1. Navigate to Public folders > Public folders.


2. Choose a public folder from the list, and then click Edit. The public folder
properties screen appears.

3. Under Message delivery Restrictions > Accept messages from, perform the
following tasks:

Clear the check box for Require that all senders are authenticated.

Select Only senders in the following list, and then click +.

The Select members screen appears.

Check the check boxes of the specific external senders and the all-internal-
users group you want to add to the senders list.

Click add.

When you're finished, click OK.

4. Click Save.

In Classic EAC

1. In the Classic EAC, go to Public folders > Public folders > select the public folder
from the list, and then click Edit.

2. In the public folder properties dialog box that opens, go to Mail flow settings, and
configure the following settings in the Accept messages from section:

Clear the check box for Require that all senders are authenticated.

Select Only senders in the following list, and then click Add. In the Select
Members dialog box that opens, select the external senders and the "all
internal users" group.

Add the external senders and the "all internal users" group to the allowed
senders list.

When you're finished, click OK.


3. Click Save.

Still need help with error code 550 5.7.13 or 550 5.7.135?

See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.7.23" in Exchange Online
Article • 02/13/2023

This topic describes what you can do if you see error code 550 5.7.23 in a non-delivery
report (also known as an NDR, bounce message, delivery status notification, or DSN).


I got this bounce message. How do I fix it?


Only an email admin in your Microsoft 365 or Office 365 organization can fix this issue.
Contact your email admin and refer them to this information so they can try to resolve
the issue for you.

I'm an email admin. How do I fix this?


This bounce message most likely indicates a Sender Policy Framework (SPF)
configuration issue in your Microsoft 365 or Office 365 organization.

The Diagnostic information for administrators section in the bounce message will
contain the original error message when Office 365 tried to send the message to the
external email server or service.

To fix this issue, do the following steps:

Verify the SPF DNS record for your domain. To do this, we recommend that you
use a publicly available SPF or DNS record checker on the web.

Provision all of the domains you own. We limit the number of emails with
unprovisioned domains that a tenant can send.

Add your on-premises IPs, if any, to the SPF record of any domains you send for.
This would include any unprovisioned domains you might be relaying through
Microsoft 365 or Office 365.

Verify that the outbound message wasn't identified as spam by Microsoft 365 or
Office 365 and routed through the High Risk Delivery Pool. Messages in the High
Risk Delivery Pool won't pass SPF checks, and therefore won't be accepted by the
destination email organization.

To receive Bcc copies of outbound messages that are determined to be spam, see
Configure outbound spam policy notifications.

If you determine that the outbound message was incorrectly detected as spam by
Microsoft 365 or Office 365, contact support.

Still need help with error code 550 5.7.23?

See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.7.57" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.7.57 in a non-delivery report (also
known as an NDR, bounce message, delivery status notification, or DSN).


Why did I get this bounce message?


When you connect to the smtp.office365.com endpoint to submit (relay) messages
through Microsoft 365 or Office 365, you need to authenticate with the credentials of a
user who has an Exchange Online mailbox. This bounce message indicates a problem in
the configuration of the connecting application or device.

I got this bounce message. How do I fix it?


In the configuration of the connecting application or device, verify that the
specified credentials are correct.

Verify that the application or device is able to negotiate TLS, as TLS is required in
order to authenticate. For more information, see How to set up a multifunction
device or application to send email.
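The two checks described above, written as an added PowerShell example that is not part of the Microsoft article: a TCP probe of the submission endpoint, then an authenticated submission over STARTTLS using the mailbox owner's credential. It assumes Windows PowerShell or PowerShell 7 on Windows (Test-NetConnection comes from the NetTCPIP module); the recipient address is a placeholder.

```powershell
# Added example, not from the Microsoft article. Runs on Windows, where Test-NetConnection
# (NetTCPIP module) is available; $To is a placeholder address.

function Test-ClientSubmission {
    [CmdletBinding()]
    param(
        # The Exchange Online mailbox the device or application authenticates as.
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $To,
        [string] $SmtpServer = 'smtp.office365.com',
        [int] $Port = 587
    )
    # Step 1: reachability. A firewall that blocks 587 surfaces as a timeout, not as 5.7.57.
    $probe = Test-NetConnection -ComputerName $SmtpServer -Port $Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        return [pscustomobject]@{ Stage = 'TCP'; Success = $false; Detail = "${SmtpServer}:${Port} not reachable" }
    }
    # Step 2: authenticated submission over STARTTLS (-UseSsl). TLS is required before the
    # endpoint accepts authentication, so a device configured without it fails as the article describes.
    # The From address is the credential's own mailbox, which is the simplest valid configuration.
    try {
        Send-MailMessage -SmtpServer $SmtpServer -Port $Port -UseSsl -Credential $Credential `
            -From $Credential.UserName -To $To -Subject 'Client submission test' `
            -Body 'Sent through authenticated SMTP client submission.' -ErrorAction Stop
        [pscustomobject]@{ Stage = 'Submit'; Success = $true; Detail = 'Accepted by the submission endpoint' }
    } catch {
        # The SMTP reply (the 550 5.7.57 text, or an authentication failure) is the actionable part.
        [pscustomobject]@{ Stage = 'Submit'; Success = $false; Detail = $_.Exception.Message }
    }
}

# Prompts for the mailbox credential; the recipient address is a placeholder.
Test-ClientSubmission -Credential (Get-Credential -Message 'Mailbox used for SMTP submission') -To 'admin@contoso.com'
```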

I'm an email admin. How do I fix this?


The distinction between an end user and an admin is blurred for this bounce message,
as the problem lies within the configuration of the application or device.

Still need help with error code 550 5.7.57?


See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.7.64" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.7.64 in a non-delivery report (also
known as an NDR, bounce message, delivery status notification, or DSN).


I got this bounce message. How do I fix it?


Only an email admin in your Microsoft 365 or Office 365 organization can fix this issue.
Contact your email admin and refer them to this information so they can try to resolve
the issue for you.

I'm an email admin. How do I fix this?


This problem happens when you use an inbound connector to receive messages from
your on-premises email environment, and something has changed in your on-premises
environment that makes the inbound connector's configuration incorrect. For example:

The host name that's specified in the certificate on the inbound connector no
longer matches the source email server.

The IP address of the source email server no longer matches the source IP address on
the inbound connector.

The Diagnostic information for administrators section in the bounce message will
contain the original error message when Microsoft 365 or Office 365 tried to send the
message to the external email server or service.

To fix this issue, see this topic.
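An added PowerShell example, not part of the Microsoft articles, serving two passages: Test-SpfRecord automates the SPF verification steps of the 550 5.7.23 article above (one well-formed record, the Exchange Online include, whether your on-premises IP is listed, the DNS-lookup budget), and Test-InboundConnectorMatch checks the two 550 5.7.64 causes listed here (the connector's certificate name or source IP no longer matching the on-premises server). It assumes the Windows DnsClient module for Resolve-DnsName and an existing Connect-ExchangeOnline session for Get-InboundConnector; the domain, IP address, connector name and certificate subject at the bottom are constructed placeholders.

```powershell
# Added example, not from the Microsoft articles. Resolve-DnsName needs the Windows DnsClient
# module; Get-InboundConnector needs a Connect-ExchangeOnline session. All values at the
# bottom are constructed placeholders.

function Test-IPv4InCidr {
    # True when $IPAddress lies inside $Cidr, written as "203.0.113.10" or "203.0.113.0/24".
    # Non-IPv4 entries (ip6 terms, host names) return $false rather than throwing.
    param([Parameter(Mandatory)] [string] $IPAddress, [Parameter(Mandatory)] [string] $Cidr)
    $network, $prefix = $Cidr -split '/', 2
    if (-not $prefix) { $prefix = '32' }
    $v4 = '^\d{1,3}(\.\d{1,3}){3}$'
    if ($IPAddress -notmatch $v4 -or $network -notmatch $v4) { return $false }
    $toInt = {
        param($ip)
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)                       # network order -> little-endian for ToUInt32
        [int64][BitConverter]::ToUInt32($bytes, 0)
    }
    $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$prefix)) -band [int64]0xFFFFFFFF
    return (((& $toInt $IPAddress) -band $mask) -eq ((& $toInt $network) -band $mask))
}

function Get-SpfRecord {
    param([Parameter(Mandatory)] [string] $Domain)
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
             Where-Object { ($_.Strings -join '') -like 'v=spf1*' })
    # Two v=spf1 records are as fatal as none: receivers treat that as a permanent error.
    if ($spf.Count -ne 1) { throw "$Domain publishes $($spf.Count) v=spf1 TXT records; exactly one is required" }
    return ($spf[0].Strings -join '')                 # DNS splits long TXT data into 255-byte strings
}

function Test-SpfRecord {
    param([Parameter(Mandatory)] [string] $Domain, [Parameter(Mandatory)] [string] $OnPremIPv4)
    $record = Get-SpfRecord -Domain $Domain
    $terms  = @($record -split '\s+' | Select-Object -Skip 1)   # drop the "v=spf1" tag
    $ip4    = @($terms | Where-Object { $_ -match '^\+?ip4:' } | ForEach-Object { $_ -replace '^\+?ip4:', '' })
    [pscustomobject]@{
        Domain                   = $Domain
        Record                   = $record
        # Mail relayed through Microsoft 365 passes SPF only when this include is present.
        HasExchangeOnlineInclude = (@($terms | Where-Object { $_ -match '^\+?include:spf\.protection\.outlook\.com$' }).Count -gt 0)
        # "Add your on-premises IPs": is the egress address inside any ip4 term?
        OnPremIPCovered          = (@($ip4 | Where-Object { Test-IPv4InCidr -IPAddress $OnPremIPv4 -Cidr $_ }).Count -gt 0)
        # RFC 7208 allows at most 10 DNS-querying terms; above that receivers return permerror.
        DnsLookupTerms           = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)' }).Count
        FinalQualifier           = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' })[-1]
    }
}

function Test-InboundConnectorMatch {
    param(
        [Parameter(Mandatory)] [string] $ConnectorName,
        [Parameter(Mandatory)] [string] $SourceIPv4,          # address the on-premises server sends from today
        [Parameter(Mandatory)] [string] $CertificateSubject   # name on the certificate it presents today
    )
    $c = Get-InboundConnector -Identity $ConnectorName -ErrorAction Stop
    # TlsSenderCertificateName is an exact name ("mail.contoso.com") or a wildcard
    # ("*.contoso.com"); -like evaluates both forms against what the server presents now.
    $expectedCert = [string]$c.TlsSenderCertificateName
    [pscustomobject]@{
        Connector               = $c.Name
        Enabled                 = $c.Enabled
        RequireTls              = $c.RequireTls
        ExpectedCertificateName = $expectedCert
        CertificateMatches      = ([bool]$expectedCert -and ($CertificateSubject -like $expectedCert))
        SenderIPAddresses       = (@($c.SenderIPAddresses) -join ', ')
        SourceIPCovered         = (@($c.SenderIPAddresses | Where-Object { Test-IPv4InCidr -IPAddress $SourceIPv4 -Cidr ([string]$_) }).Count -gt 0)
        # Which of the two checks the connector enforces depends on how it was scoped.
        RestrictedByCertificate = $c.RestrictDomainsToCertificate
        RestrictedByIP          = $c.RestrictDomainsToIPAddresses
    }
}

# Constructed placeholders; replace with your own domain, egress IP, connector and certificate name.
Test-SpfRecord -Domain 'contoso.com' -OnPremIPv4 '203.0.113.10' | Format-List
Test-InboundConnectorMatch -ConnectorName 'Inbound from on-premises' -SourceIPv4 '203.0.113.10' `
    -CertificateSubject 'mail.contoso.com' | Format-List
```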

Still need help with error code 550 5.7.64?


See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.7.124" or "5.7.124" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes the remedies if you see status code 550 5.7.124 or 5.7.124 in a
non-delivery report.

Note

A non-delivery report is also known as an NDR, bounce message, delivery status
notification, or DSN.

You'll see this automated notification when the sender isn't specified in the group's
allowed senders list (directly or as a member of a group). Depending how the group is
configured, even the group's owner might need to be in the group's allowed senders list
in order to send messages to the group.


I got this bounce message. How do I fix it?


Typically, members of a group can send messages to the group. If the group is in your
Exchange Online organization, you can try to join the group in Outlook or Outlook on
the web (formerly known as Outlook Web App). For instructions, see Join a group in
Outlook.

You might have to wait for the group's owner to approve your request to join the group
before you can successfully send messages to it. If the group isn't in your organization,
or if the group doesn't allow requests to join, then you'll need to ask the group owner to
add you to the allowed senders list. You'll find instructions for finding the group owner
in the NDR.

I'm the group owner or email admin. How do I fix this issue?

The two methods that will allow the sender to send messages to the group are
described in the following sections.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

Method 1: Add the sender to the group's existing allowed senders list

New EAC

1. Go to Recipients > Groups.

2. Click the Distribution list tab.

3. Select a group from the list and click it. The group properties screen appears.

4. Click the Settings tab.

5. Under Delivery management, click Edit delivery management. The Delivery
management screen appears.

6. Under Sender options, choose the option Only allow messages from people
inside my organization.

7. Under Specified senders, click on the text box. The list of senders is displayed.
Choose senders from the list. The chosen sender's name is displayed below the
text box.

8. Click Save changes.

Classic EAC

1. In the Classic EAC, go to Recipients > Groups > select the group from the list, and
then click Edit.

2. In the group properties dialog box that opens, go to Delivery management and
then click Add.

3. In the Select Allowed Senders dialog box that opens, select the sender or a group
that the sender is a member of.

4. Add the sender or the sender's group to the list of allowed senders.

5. When you're finished, click OK, and click Save.

Note

To add an external sender to a group's allowed senders list, you must first create a
mail contact or a mail user to represent the external sender in your organization.

Method 2: Allow all internal and external senders to send messages to this group

If you decide that you don't need to restrict the message senders to this group, you can
remove the restrictions so anyone can send messages to this group:

New EAC

1. Go to Recipients > Groups.

2. Click the Distribution list tab.

3. Select a group from the list and click it. The group properties screen appears.

4. Click the Settings tab.

5. Under Delivery management, click Edit delivery management. The Delivery
management screen appears.

6. Under Sender options, choose Allow messages from people inside and outside
my organization.

7. Click Save changes.


Classic EAC

1. In the EAC, go to Recipients > Groups > select the group from the list, and then
click Edit.

2. In the group properties dialog box that opens, go to Delivery management.

3. In the Distribution Group box, select Delivery management and configure the
following settings:

Remove any entries in the allowed senders list by selecting one entry,
pressing CTRL + A to select all entries, and then clicking Remove.

Select Senders inside and outside of my organization.

4. When you're finished, click Save.

More information about groups


Groups with more than 5,000 members have the following restrictions automatically
applied to them:

Senders to the group must be members of the group.

Messages sent to the group require the approval of a moderator. To configure
moderation for a group, see Configure moderated recipients in Exchange Online.

Large messages can't be sent to the group. However, senders of large messages
will receive a different NDR. For more information about large messages, see
Distribution group limits.

Still need help with error code 550 5.7.124?

See also
Email non-delivery reports in Exchange Online

Create and manage distribution groups in Exchange Online.



Fix NDR error "550 5.7.133" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.7.133 in a non-delivery report
(also known as an NDR, bounce message, delivery status notification, or DSN). You'll see
this automated notification when the recipient is a group that's configured to reject
messages from external senders, that is, senders from outside the organization.


I got this bounce message. How do I fix this issue?

Only the group owner or an email admin in the recipient's organization can fix this issue.
Contact the group owner or email admin and refer them to this information so they can
try to resolve the issue for you.

I'm the group owner or email admin. How do I fix this issue?

The two methods that will allow an external sender to send messages to the distribution
group in your organization are described in the following sections.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

Method 1: Allow all internal and external senders to send messages to this group

New Exchange admin center (EAC)

1. Go to Recipients > Groups.

2. Select a group from the list and click it. The group properties screen appears.

3. Click the Settings tab.

4. Under Delivery management, click Edit delivery management. The Delivery
management screen appears.

5. Under Sender options, choose Allow messages from people inside and outside
my organization.

6. Click Save changes.

Classic EAC

1. In the EAC, go to Recipients > Groups > select the group from the list, and then
click Edit.

2. In the group properties dialog box that opens, go to Delivery management >
select Senders inside and outside of my organization.

3. Click Save.

Method 2: Use the group's allowed senders list


Instead of allowing all external senders to send messages to this group, you can use the
group's allowed senders list to selectively allow messages from all internal senders and
the specified external senders.

Notes:

To add an external sender to a group's allowed senders list, you must first create a
mail contact or a mail user to represent the external sender in your organization.

To add everyone in your organization to a group's allowed sender's list, you can
create a distribution group or a dynamic distribution group that contains everyone
in your organization. After you create this group, you can add it to the group's
allowed senders list.

The group's allowed senders list is different from the organization's allowed
senders list for anti-spam that you manage in the EAC at Protection > Spam filter.

To configure the group's allowed senders list, perform the following steps:

New EAC

1. Go to Recipients > Groups.

2. Select a group from the list and click it. The group properties screen appears.

3. Click the Settings tab.

4. Under Delivery management, click Edit delivery management. The Delivery
management screen appears.

5. Under Sender options, choose Allow messages from people inside and outside
my organization.

6. Under Specified senders, click inside the text box. The list of senders (internal and
external) is displayed.

7. Choose the senders you want to add to the senders list, and click Save changes.

Classic EAC

1. Go to Recipients > Groups > select the group from the list, and then click Edit.

2. In the group properties dialog box that opens, go to Delivery management and
configure the following settings:

Select Senders inside and outside of my organization.

Click Add. In the Select Allowed Senders dialog box, select and add the
external senders and the "all internal users" group. When you're finished, click
OK.

3. Click Save.

Still need help with error code 550 5.7.133?

See also
Email non-delivery reports in Exchange Online

Create and manage distribution groups in Exchange Online.


Fix NDR error "550 5.7.134" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.7.134 in a non-delivery report
(also known as an NDR, bounce message, delivery status notification, or DSN). You'll see
this automated notification when the recipient is a mailbox that's configured to reject
messages from external senders (senders from outside the organization).


I got this bounce message. How do I fix this issue?


Only an email admin in the recipient's organization can fix this issue. Contact the email
admin and refer them to this information so they can try to resolve the issue for you.

I'm an email admin. How do I fix this issue?


The two methods that will allow an external sender to send messages to the mailbox in
your organization are described in the following sections.

To open the New Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

To open the Classic EAC, click Classic Exchange admin center on the left pane of the
Exchange admin center (New) home screen, as shown in the image below.

Method 1: Allow all internal and external senders to send messages to this mailbox

New EAC

1. Go to Recipients > Mailboxes.

2. Select a user mailbox from the list and click it. The user mailbox properties screen
appears.

3. Under Mail flow settings, click Manage mail flow settings. The Manage mail flow
settings screen appears.

4. In the Message delivery restriction pane, click Edit. The Message delivery
restrictions screen appears.

5. Under Accept messages from, clear the check box for Require senders to be
authenticated.

6. Click Save.

Classic EAC

1. In the Classic EAC, go to Recipients > Mailboxes > select the mailbox from the list,
and then click Edit.

2. In the mailbox properties dialog box that opens, go to Mailbox features >
Message Delivery Restrictions, and then click View details.

3. In the Message delivery restrictions dialog box that opens, clear the check box for
Require that all senders are authenticated in the Accept messages from section.

4. Click OK, and then click Save.

Method 2: Use the mailbox's allowed senders list


Instead of allowing all external senders to send messages to this mailbox, you can use
the mailbox's allowed senders list to selectively allow messages from all internal senders
and the specified external senders.

Notes:

To add an external sender to a mailbox's allowed senders list, you must first create
a mail contact or a mail user to represent the external sender in your organization.

To add everyone in your organization to a mailbox's allowed sender's list, you can
create a distribution group or a dynamic distribution group that contains everyone
in your organization. After you create this group, you can add it to the mailbox's
allowed senders list.

The mailbox's allowed senders list is different from the organization's allowed
senders list for anti-spam that you manage in the EAC at Protection > Spam filter.

To configure the mailbox's allowed senders list, do the following steps:

New EAC

1. Go to Recipients > Mailboxes.

2. Select a user mailbox from the list and click it. The user mailbox properties screen
appears.

3. Under Mail flow settings, click Manage mail flow settings. The Manage mail flow
settings screen appears.

4. In the Message delivery restriction pane, click Edit. The Message delivery
restrictions screen appears.

5. Under Accept messages from:

Clear the check box for Require senders to be authenticated.

Select Selected senders.


Click + Add sender. The Accept messages from screen appears.

Check the check boxes of the internal-senders group and the specific external
users you want to add.

Click Confirm. The Message delivery restrictions screen reappears.

6. Click Save.

Classic EAC

1. In the Classic EAC, go to Recipients > Mailboxes > select the mailbox from the list,
and then click Edit.

2. In the mailbox properties dialog box that opens, go to Mailbox features >
Message Delivery Restrictions, and then click View details.

3. In the Message delivery restrictions dialog box that opens, configure the
following settings in the Accept messages from section:

Clear the check box for Require that all senders are authenticated.

Select Only senders in the following list, and then click Add. In the Select
Members dialog box that opens, select the external senders and the "all
internal users" group.

Add the external senders and the "all internal users" group.

When you're finished, click OK.


4. Click OK, and then click Save.

Still need help with error code 550 5.7.134?

See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.7.136" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.7.136 in a non-delivery report,
also known as an NDR, bounce message, delivery status notification, or DSN. You'll see
this automated notification when the recipient is a mail user that's configured to reject
messages from external senders, that is, senders from outside the organization.


I got this bounce message. How do I fix this issue?

Only an email admin in the recipient's organization can fix this issue. Contact the email
admin and refer them to this information so they can try to resolve the issue for you.

I'm an email admin. How do I fix this issue?


The two methods that will allow an external sender to send messages to the mail user in
your organization are described in the following sections. These two methods can be
implemented using the Classic EAC.

Note

Currently, there is no support for the two methods in the New EAC.

To open the Classic EAC, click Classic Exchange admin center on the left pane of the
home screen of the New EAC.

Method 1: Allow all internal and external senders to send messages to this mail user

1. Go to Recipients > Contacts > select the mail user from the list, and then click Edit.
The mail user properties dialog box opens.

2. Go to Mailbox flow settings and then click View details in the Message Delivery
Restrictions section. The Message delivery restrictions dialog box opens.

3. Configure the following settings in the Accept messages from section:

Clear the check box for Require that all senders are authenticated.

Select All senders.

4. Click OK, and then click Save.

Method 2: Use the mail user's allowed senders list


Instead of allowing all external senders to send messages to this mail user, you can use
the mail user's allowed senders list to selectively allow messages from all internal
senders and the specified external senders.

Notes:

To add an external sender to a mail user's allowed senders list, you must first
create a mail contact or a mail user to represent the external sender in your
organization.

To add everyone in your organization to a mail user's allowed sender's list, you can
create a distribution group or a dynamic distribution group that contains everyone
in your organization. After you create this group, you can add it to the mail user's
allowed senders list.

The mail user's allowed senders list is different from the organization's allowed
senders list for anti-spam that you manage in the EAC at Protection > Spam filter.

To configure the mail user's allowed senders list, open the Classic EAC and do the
following steps:

1. Go to Recipients > Contacts > select the mail user from the list, and then click Edit.

The mail user properties dialog box opens.

2. Go to Mailbox flow settings and then click View details in the Message Delivery
Restrictions section.

The Message delivery restrictions dialog box opens.

3. Configure the following settings in the Accept messages from section:

Clear the check box for Require that all senders are authenticated.

Select Only senders in the following list, and then click Add. In the Select
Members dialog box that opens, select the external senders and the "all
internal users" group.

Add the external senders and the "all internal users" group to the allowed
senders list.

When you're finished, click OK.


4. Click OK, and then click Save.
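Both methods can also be applied from Exchange Online PowerShell, which is useful because the article notes the New EAC does not expose them. The following is an added example, not code from the Microsoft article; it assumes the Exchange Online PowerShell module is connected with a role that can modify recipients, and the mail user address, group name and contact address are placeholders. Use either Method 1 or Method 2, not both.

```powershell
# Added example (not from the Microsoft article): apply Method 1 or Method 2
# with Exchange Online PowerShell instead of the Classic EAC.
# Assumes the Exchange Online PowerShell module is installed and you hold a
# role that can modify recipients. The mail user, group and contact names
# below are placeholders.
Connect-ExchangeOnline

$mailUser = 'relay-user@contoso.com'   # placeholder mail user

# Method 1: accept messages from all senders, authenticated or not.
# Clearing AcceptMessagesOnlyFromSendersOrMembers removes any allowed list.
Set-MailUser -Identity $mailUser `
    -RequireSenderAuthenticationEnabled $false `
    -AcceptMessagesOnlyFromSendersOrMembers $null

# Method 2: accept only from the listed senders. External senders must already
# exist as mail contacts or mail users; the group must contain everyone in the
# organization so internal mail keeps flowing.
$allowed = @(
    'All Internal Users',           # distribution group (placeholder name)
    'partner.sender@fabrikam.com'   # mail contact for the external sender (placeholder)
)
Set-MailUser -Identity $mailUser `
    -RequireSenderAuthenticationEnabled $false `
    -AcceptMessagesOnlyFromSendersOrMembers $allowed

# Verify the effective restriction before closing the ticket.
Get-MailUser -Identity $mailUser |
    Format-List RequireSenderAuthenticationEnabled,
                AcceptMessagesOnlyFrom,
                AcceptMessagesOnlyFromDLMembers,
                AcceptMessagesOnlyFromSendersOrMembers
```

Method 2 is the safer default: it keeps the authenticated-sender requirement off only for the named external senders, while every other unauthenticated source is still rejected with 5.7.136.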

Still need help with error code 550 5.7.136?

See also
Email non-delivery reports in Exchange Online


Fix NDR error "550 5.7.700" through
"550 5.7.750" in Exchange Online
Article • 07/27/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error codes 550 5.7.700 through 550 5.7.750 in a
non-delivery report (also known as an NDR, bounce message, delivery status
notification, or DSN).

Use the information in the NDR to help you decide how to fix the problem.


Why did I get this bounce message?


5.7.703 Your message can't be delivered because messages to XXX, YYY are
blocked by your organization using Tenant Allow Block List: This error occurs
when someone in your organization sent mail to an email address or domain that's
blocked in the Tenant Allow/Block List. The entire message is blocked for all
internal and external recipients of the message, even if only one recipient email
address or domain is defined in a block entry.

5.7.705 Access denied, tenant has exceeded threshold: This error occurs when too
much spam or bulk mail has been sent by your organization and we place a block
on outgoing mail.

5.7.708 Access denied, traffic not accepted from this IP: This error occurs when
sending email from known, low reputation IP addresses that are typically used by
new customers.

5.7.750 Client blocked from sending from unregistered domain: The error occurs
when a large volume of messages are sent from domains that aren't provisioned in
Office 365 (added as accepted domains and validated).

I got this bounce message. How do I fix it?


Only an email admin in your organization can fix the issue. Contact your email admin
and refer them to this information so they can resolve the issue for you.

I'm an email admin. What can I do to fix this?


The solutions for specific error codes are described in the following sections.

5.7.703 Your message can't be delivered because messages to XXX, YYY are blocked by
your organization using Tenant Allow Block List

Although the Tenant Allow/Block List is mostly about preventing outside users from
sending email into your organization, users in the organization also can't send mail to
those blocked senders or sender domains. The entire message is blocked for all internal
and external recipients of the message, even if only one recipient email address or
domain is defined in a block entry.

5.7.705 Access denied, tenant has exceeded threshold


Common causes are compromised on-premises servers or compromised admin
accounts that have been used to create connectors. Either condition can allow spam to
pass through your organization.

To remove this block, you need to understand and explain the cause to a support agent,
as well as correct the underlying problem. Admins can use the following reports to
investigate who or what is causing the issue:

Mailflow status report (Outbound):
https://security.microsoft.com/mailflowStatusReport?viewid=type

Threat protection status (spam only):
https://security.microsoft.com/reports/TPSAggregateReportATP

Top senders and recipients:
https://security.microsoft.com/reports/TopSenderRecipients

Outbound Connector report:
https://admin.exchange.microsoft.com/#/reports/outboundconnectordetails

To further investigate, you can use message trace.

In rare cases, this issue could also happen if you renew your subscription after it has
already expired. It takes time for the service to sync the new subscription information
(typically, no more than one day), but your organization could be blocked from sending
email in the meantime. The best way to prevent this issue is to make sure your
subscription does not expire.

5.7.708 Access denied, traffic not accepted from this IP


This error can happen when you are trying out a Microsoft 365 trial tenant. If you receive
this error before you can purchase licenses, contact support to request an exception for
the low reputation IP address until you're able to purchase licenses.

5.7.750 Client blocked from sending from unregistered domain

In most cases, the connectors are set up correctly, but email is being sent from
unregistered (also known as unprovisioned) domains. Office 365 allows a reasonable
amount of email from unregistered domains, but you should configure every domain
that you use to send email as an accepted domain.

To fix this error, you can:

Most common solution: Add and validate all domains in Microsoft 365 or Office
365 that you use to send email messages. For more information, see Add a
domain.

Use a certificate-based outbound connector where the certificate's domain is an
accepted and validated domain in Microsoft 365 or Office 365. For more
information, see Configure mail flow using connectors.

Look for unusual connectors and compromised accounts. Attackers will often
create new inbound connectors in your Microsoft 365 or Office 365 organization to
send spam. For more information, see Validate connectors, and Responding to a
compromised email account.
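The 5.7.705 and 5.7.750 sections both come down to the same investigation: which sender domains are producing the blocked volume, whether those domains are accepted domains, and whether a connector was recently added or changed. The following triage script is an added example and not code from the Microsoft article; it assumes Exchange Online PowerShell is connected with a role that can read message trace and connector configuration, and it uses a two-day window that you can widen (message trace keeps ten days).

```powershell
# Added example (not from the Microsoft article): triage a 5.7.705 / 5.7.750
# block from Exchange Online PowerShell. Assumes the module is connected with a
# role that can read message trace and connectors. Message trace holds only the
# last 10 days and returns at most 5,000 rows per page, so results are paged.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-2)
$end   = Get-Date

# 1. Pull every trace row for the window, page by page.
$trace = [System.Collections.Generic.List[object]]::new()
$page  = 1
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $trace.AddRange($batch)
    $page++
} while ($batch.Count -eq 5000)

# 2. Keep failed deliveries whose detail carries a 5.7.700 through 5.7.750 code.
$codePattern = '5\.7\.7(0\d|[1-4]\d|50)'
$blocked = foreach ($m in ($trace | Where-Object Status -eq 'Failed')) {
    $detail = Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                                     -RecipientAddress $m.RecipientAddress
    if (@($detail.Detail) -match $codePattern) { $m }
}

# 3. Volume per sender domain, flagging domains that are not accepted domains
#    (the 5.7.750 condition) so relayed-but-unprovisioned domains stand out.
$accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$blocked |
    Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'AcceptedDomain'; e = { $_.Name -in $accepted } }

# 4. Connectors changed in the last 30 days: a compromised admin account that
#    created a connector is a common root cause of 5.7.705.
$since = (Get-Date).AddDays(-30)
Get-InboundConnector | Where-Object WhenChanged -gt $since |
    Select-Object Name, Enabled, ConnectorType, SenderDomains, SenderIPAddresses, WhenChanged
Get-OutboundConnector | Where-Object WhenChanged -gt $since |
    Select-Object Name, Enabled, SmartHosts, RecipientDomains, WhenChanged
```

Keep the output of step 3 and step 4: the support agent who lifts a 5.7.705 block will ask for the cause, and a sender-domain breakdown plus the list of recently changed connectors is exactly that evidence.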

Still need help with error codes 5.7.700 through 5.7.750?

See also
Email non-delivery reports in Exchange Online



Fix NDR error code "451 4.7.500-699
(ASxxx)" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 451 4.7.500-699 (ASxxx) in a non-
delivery report (also known as an NDR, bounce message, delivery status notification, or
DSN).

Why did I get this bounce message?


You received this NDR because the source email server (the connecting IP address)
changed its previous email sending patterns by sending a much higher volume of
messages than in the past.

This error code is part of anti-spam filtering in Microsoft 365 or Office 365. You'll get this
error when the source IP address that's sending you email changes significantly from its
previously established patterns. This is part of a filtering technique known as graylisting:
when new senders appear, they're treated more suspiciously than senders with a
previously established history of sending email messages (think of it as a probation
period).

This error response is called IP throttling, and it can help reduce the amount of spam
that you receive.


I got this bounce message. How do I fix it?


If you received this NDR in response to a message that you sent, try the following steps:

1. If your organization uses Exchange Online Protection (EOP) as part of Microsoft
365 or Office 365 or a standalone EOP subscription, an email admin can use the
steps in the next section to fix the problem.

2. If your organization does not use EOP (for example, if you provide a third-party
service), the error will resolve itself as you establish an email sending history with
Microsoft 365 or Office 365 over a period of a few days.

If the problem continues, send the bounce message to your email admin for assistance
and refer them to the information in this topic.

I'm an email admin. How do I fix this?


To remove throttling for these messages, you need to configure a connector:

1. If you're trying to relay outbound email from your on-premises email server
through Microsoft 365 or Office 365, you need to configure a connector from your
email server to Microsoft 365 or Office 365. For more information, see Set up
connectors to route mail between Microsoft 365 or Office 365 and your own email
servers.

2. If inbound email to your Microsoft 365 or Office 365 organization is first routed
through a third-party service, appliance, or device, you need to set up a connector
to apply security restrictions.

After you have set up a connector, you can monitor if IP throttling has stopped.

7 Note

We don't recommend sending anything more than test messages from your initial
onmicrosoft.com domain. Email from onmicrosoft.com domains is limited and
filtered to prevent spam. In typical production environments, you need to add a
custom domain and then send your regular volume of email messages. For more
information on domains, check out this Domains FAQ.

Still need help with error code 451 4.7.500-699 (ASxxx)?

See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 4.4.7" in Exchange
Online
Article • 02/13/2023

Important

Mail flow rules are now available in the new Exchange admin center. Try it now!

It's frustrating when you get an error after sending an email message. This article
describes what you can do if you see error code 550 4.4.7 in a non-delivery report (also
known as an NDR, bounce message, delivery status notification, or DSN).

Why did I get this bounce message?


For more information, see the Causes for error code 4.4.7 section later in this article.

Use the information in the NDR to help you decide how to fix the problem.


I got this bounce message. How do I fix it?


This section contains the steps that you can try to fix the problem yourself.

If the steps in this section don't fix the problem for you, contact your email admin and
refer them to this article so they can try to resolve the issue for you.

If you get this error only for messages that you sent to a specific domain (for example,
only recipients in the @fabrikam.com domain), the problem is likely with that
destination domain. For example:

Temporary network or internet connection issues in the destination domain.

Aggressive anti-spam settings in the destination domain that block legitimate
senders (for example, all senders from any domain in Exchange Online).

If you suspect a problem with the destination domain, notify the recipient (by phone, in
person, etc.) with the information in the NDR so they can notify their email admins:

The name of the email server in the destination domain, and the error
message that's returned by that email server.

The number of delivery attempts that were made by the datacenter server in
Exchange Online, and how long it tried to reach the remote server.

The email admins in the destination domain will need to investigate the issue. Possible
solutions might include:

Stop blocking messages from Exchange Online or specifically allow messages from
senders in your domain.

Contact the support channels for their email server or service. Microsoft support
might also be able to help.

I'm an email admin. How do I fix this?


If the admins in the destination domain determine the problem isn't on their end, the
solution might be related to the configuration of your Exchange Online organization (or
also your on-premises Exchange organization if you're in a hybrid deployment).

Here are some steps for you to try:

Solution 1: The MX record for your domain might be missing or incorrect. Get
more information about how MX records work at DNS basics.

Solution 2: Test your MX record and your organization's ability to send mail by
using the Outbound SMTP Email test in the Microsoft Remote Connectivity
Analyzer .

Solution 3: The Sender Policy Framework (SPF) record for your domain might be
incomplete, and might not include all email sources for your domain. For more
information, see Set up SPF to help prevent spoofing.

Solution 4: Your domain might have expired due to non-payment. Verify with your
domain registrar that your domain is active and not expired.

Solution 5: If the recipient is in your on-premises Exchange organization in a
hybrid deployment, there might be a problem with your hybrid configuration. Give
the information in the NDR to your on-premises Exchange administrators. They
might need to rerun the Hybrid Configuration Wizard due to changes in their on-
premises IP addresses or firewall rules.

For more information about message routing in hybrid deployments, see Transport
routing in Exchange hybrid deployments.

Causes for error code 4.4.7


When Exchange Online attempts to deliver a message, the destination email server might
be unable or unwilling to accept the message. This can result in a temporary 4.x.x error
code from the destination email server (instead of a permanent 5.x.x error code that
indicates the message was rejected). Exchange Online repeatedly tries to deliver the
message over 24 hours. Only after two days of unsuccessful delivery attempts does the
sender receive this NDR.

The possible causes of this error are:

The destination email server is offline or unreachable.

The server won't accept delivery of the message.

A network problem is causing message delivery to time out.

Details for error code 4.4.7


The NDR from Exchange Online for this specific error might contain some or all of the
following information:

User information section


The server has tried to deliver this message, without success, and has stopped
trying. Try sending this message again. If the problem continues, contact your
help desk.

Diagnostic information for administrators section

#550 4.4.7 QUEUE.Expired; message expired ##

The message was considered too old by the rejecting system, either because it
remained on that host too long or because the time-to-live value specified by
the sender of the message was exceeded.

450 4.7.0 Proxy session setup failed on Frontend with '451 4.4.0 Primary
target IP address responded with ... Be sure to record the error that follows
this string and the last end point attempted.

Still need help with error code 4.4.7?

See also
Email non-delivery reports in Exchange Online



Fix NDR error "550 5.0.350" in Exchange
Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.0.350 in a non-delivery report
(also known as an NDR, bounce message, delivery status notification, or DSN).

Use the information in the NDR to help you decide how to fix the problem.


Why did I get this bounce message?


5.0.350 is a generic wrapper that's used by Exchange Online for a wide variety of non-
specific errors that are typically returned by the recipient's email organization.

But, if the NDR also contains "x-dg-ref header is too long", that's a specific problem
with a specific solution. This issue occurs if you use Rich Text formatting in Outlook
messages. The message likely contains at least one attachment, and one of the
attachments is likely an email message that also contains at least one attached email
message.

Or, if the NDR also contains "Requested action not taken: policy violation detected
(AS345)", that's another specific problem with a specific solution. This issue occurs if the
message contains an attachment (for example, a Word file) with 20 or more embedded
files (for example, Excel or Word files).

I got this bounce message. How do I fix it?


If the NDR contains "x-dg-ref header is too long", use HTML formatting for messages in
Outlook instead of Rich Text Format. For more information, see Change the message
format to HTML, Rich Text Format, or plain text.

If the NDR contains "Requested action not taken: policy violation detected (AS345)",
remove some embedded files from the attachment.

Otherwise, forward the NDR to your admin for help.

I'm an email admin. How do I fix this?

x-dg-ref header is too long


In Rich Text formatted messages, the attachment's binary large object (BLOB) becomes
part of the header stream in the X-MS-TNEF-Correlator header field. If the attachment is
too big, the line length of the header field is too long, so the receiving email server will
reject the message.

In Exchange Online, you can control TNEF (also known as the Transport Neutral
Encapsulation Format, Outlook Rich Text Format, or Exchange Rich Text Format) settings
in remote domains, and in the properties of mail contacts or mail users. For more
information, see Message format and transmission in Exchange Online.
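Turning TNEF off is what stops the attachment BLOB from being encapsulated into the header stream, and it can be done for a whole remote domain or for one recipient. The following is an added example and not code from the Microsoft article; it assumes Exchange Online PowerShell is connected, and the domain, remote domain name and contact address are placeholders.

```powershell
# Added example (not from the Microsoft article): turn off TNEF (Outlook Rich
# Text) encapsulation so large attachment BLOBs no longer inflate the
# X-MS-TNEF-Correlator header. Assumes Exchange Online PowerShell is connected
# with a role that can change mail flow settings. "fabrikam.com", the remote
# domain name and the contact address are placeholders.
Connect-ExchangeOnline

# Option 1: for every message to a remote domain. Create the remote domain
# entry if it does not exist yet, then set TNEFEnabled to $false.
# ($null, the default, means "let the sender's client decide".)
if (-not (Get-RemoteDomain | Where-Object DomainName -eq 'fabrikam.com')) {
    New-RemoteDomain -Name 'Fabrikam' -DomainName 'fabrikam.com' | Out-Null
}
Set-RemoteDomain -Identity 'Fabrikam' -TNEFEnabled $false

# Option 2: for a single mail contact (or mail user, via Set-MailUser).
# A per-recipient setting overrides the remote domain setting.
Set-MailContact -Identity 'partner@fabrikam.com' -UseMapiRichTextFormat Never

# Verify both settings.
Get-RemoteDomain -Identity 'Fabrikam' |
    Format-List DomainName, TNEFEnabled
Get-MailContact -Identity 'partner@fabrikam.com' |
    Format-List PrimarySmtpAddress, UseMapiRichTextFormat
```

Prefer the remote domain setting when the receiving organization as a whole rejects TNEF; use the per-recipient setting when only one contact's server is affected and you do not want to change how everyone else in that domain receives Rich Text.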

Other 5.0.350 errors


Typically, there's nothing that support can do for you, since the problem lies with the
recipient's email system.

The Diagnostic information for administrators section in the bounce message will
contain the original error message when Microsoft 365 or Office 365 tried to send the
message to the external email server or service. Use this information to help identify the
issue, and to see if there's anything you can do to fix the problem.

Still need help with error code 550 5.0.350?

See also
Email non-delivery reports in Exchange Online


Fix NDR error "550 5.1.0" in Exchange
Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 550 5.1.0 or 5.1.0 in a non-delivery
report (also known as an NDR, bounce message, delivery status notification, or DSN).

Use the information in the NDR to help you decide how to fix the problem.

Why did I get this bounce message?


The destination email server that generated the 5.1.0 error won't accept messages from
you (the sender) or messages for the recipient. This can happen if messages from you
(your email address, your Exchange Online organization, or even all of Exchange Online)
are being blocked by the recipient.


I got this bounce message. How do I fix it?


This section contains steps that you can try to fix the problem yourself.

If these steps don't fix the problem for you, contact your email admin and refer them to
this topic so they can try to resolve the issue for you.

You're in the recipient's block list


Your email address could be in the recipient's personally-maintained block list. This is
the likely cause if you can successfully send messages to other recipients in the same
domain (for example, @fabrikam.com).

Contact the recipient (by phone, in person, etc.) to verify that your email address isn't in
their block list.

Remove bad entries from your Auto-Complete List


You might have an invalid entry in your Auto-Complete list (also known as the nickname
cache) for the recipient. For example, the recipient might have been moved from an on-
premises Exchange organization to Exchange Online, or vice-versa. Although the
recipient's email address is the same, other internal identifiers for the recipient might
have changed, thus breaking your cached entry for the recipient.

Fix your Auto-Complete list entries in Outlook


To remove invalid recipients or all recipients from your Auto-Complete list in Outlook
2010 or later, see Manage suggested recipients in the To, Cc, and Bcc boxes with Auto-
Complete.

To resend the message in Outlook, see Resend an email message .

Fix your Auto-Complete list entries in Outlook on the web


To remove recipients from your Auto-Complete list in Outlook on the web (formerly
known as Outlook Web App), do one of the following procedures:

Remove a single recipient from your Outlook on the web Auto-Complete list

1. In Outlook on the web, click New mail.

2. Start typing the recipient's name or email address in the To field until the recipient
appears in the drop-down list.

3. Use the Down Arrow and Up Arrow keys to select the recipient, and then press the
Delete key.

Remove all recipients from your Outlook on the web Auto-Complete list

You can only clear your Auto-Complete list in the light version of Outlook on the web.
To open your mailbox in the light version of Outlook on the web, do either of the
following steps:

Open the mailbox in an older web browser that only supports the light version of
Outlook on the web (for example, Internet Explorer 9).

Configure your Outlook on the web settings to only use the light version of
Outlook on the web (the change takes effect the next time you open the mailbox):

1. In Outlook on the web, click Settings.

2. In the Search all settings box, type light and select Outlook on the web
version in the results.

3. In the page that opens, select Use the light version of Outlook on the web,
and then click Save.

4. Log off, close your web browser, and open the mailbox again in Outlook on
the web.

After you open your mailbox in the light version of Outlook on the web, do the
following steps to clear all entries from your Auto-Complete list:

1. Choose Options and verify that Messaging is selected.

2. In the E-Mail Name Resolution section, click Clear Most Recent Recipients list,
and then click OK in the confirmation dialog box.

3. While you're still in Options, to return your mailbox to the full version of Outlook
on the web, go to Outlook version, clear the check box for Use the light version,
and then click Save.

4. Log off and close your web browser. The next time you open your mailbox in a
supported web browser, you'll use the full version of Outlook on the web.

I'm an email admin. How do I fix this?


The Sender Policy Framework (SPF) record for your Exchange Online domain might be
incomplete, and might not include all sources of mail for your domain. For more
information, see Set up SPF to help prevent spoofing.

Details for error code 5.1.0


The NDR from Exchange Online for this specific error might contain some or all of the
following information:

User information section: Address Rejected. A problem occurred during the
delivery of this message to this email address.

Diagnostic information for administrators section: Recipient address rejected: SPF
Permanent Error.

Still need help?

See also
Email non-delivery reports in Exchange Online



Fix NDR error code "550 5.1.1" through
"550 5.1.20" in Exchange Online
Article • 02/13/2023

Important

Mail flow rules are now available in the new Exchange admin center. Try it now!

It's frustrating when you get an error after sending an email message. This article
describes what you can do if you see error codes 550 5.1.1 through 5.1.20 in a non-
delivery report (also known as an NDR, bounce message, delivery status notification, or
DSN).


I got this bounce message. How do I fix it?


Here are some steps that you can try to fix the problem yourself.

If the steps in this section don't fix the problem for you, contact your email admin and
refer them to the information in this article so they can try to resolve the issue for you.

Solution 1: Confirm the recipient's email address


It sounds too simple, but the wrong email address is the most common issue that
causes 5.1.x errors. Check for correct spelling and send the message again if you find an
error in the email address.

To resend the message in Outlook, see Resend an email message .

Solution 2: Remove the recipient's email address from your Auto-Complete list

You might have an invalid entry in your Auto-Complete list (also known as the nickname
cache) for the recipient. For example, the recipient might have been moved from an on-
premises Exchange organization to Exchange Online, or vice-versa. Although the
recipient's email address is the same, other internal identifiers for the recipient might
have changed, thus breaking your cached entry for the recipient.

Fix your Auto-Complete list entries in Outlook

To remove invalid recipients or all recipients from your Auto-Complete list in Outlook
2010 or later, see Manage suggested recipients in the To, Cc, and Bcc boxes with Auto-
Complete.

Fix your Auto-Complete list entries in Outlook on the web

To remove recipients from your Auto-Complete list in Outlook on the web (formerly
known as Outlook Web App), do one of the following procedures:

Remove a single recipient from your Outlook on the web Auto-Complete list

1. In Outlook on the web, click New mail.

2. Start typing the recipient's name or email address in the To field until the recipient
appears in the drop-down list.

3. Use the Down Arrow and Up Arrow keys to select the recipient, and then press the
Delete key.

Remove all recipients from your Outlook on the web Auto-Complete list

You can only clear your Auto-Complete list in the light version of Outlook on the web.
To open your mailbox in the light version of Outlook on the web, do either of the
following steps:

Open the mailbox in an older web browser that only supports the light version of
Outlook on the web (for example, Internet Explorer 9).

Configure your Outlook on the web settings to only use the light version of
Outlook on the web (the change takes effect the next time you open the mailbox):

1. In Outlook on the web, click Settings.

2. In the Search all settings box, type light and select Outlook on the web
version in the results.

3. In the page that opens, select Use the light version of Outlook on the web,
and then click Save.

4. Log off, close your web browser, and open the mailbox again in Outlook on
the web.

After you open your mailbox in the light version of Outlook on the web, do the
following steps to clear all entries from your Auto-Complete list:

1. Choose Options and verify that Messaging is selected.

2. In the E-Mail Name Resolution section, click Clear Most Recent Recipients list,
and then click OK in the confirmation dialog box.

3. While you're still in Options, to return your mailbox to the full version of Outlook
on the web, go to Outlook version, clear the check box for Use the light version,
and then click Save.

4. Log off and close your web browser. The next time you open your mailbox in a
supported web browser, you'll use the full version of Outlook on the web.


Solution 3: Confirm that the recipient isn't auto-forwarding messages from you to
another (and likely, invalid) email address

Does the recipient's email address in your original message exactly match the recipient's
email address in the NDR? Compare the recipient's email address in the NDR with the
recipient's email address in the message in your Sent Items folder.

If the addresses don't match, contact the recipient (by phone, in person, etc.) and ask
them if they've configured an email rule that forwards incoming email messages from
you to another destination. Their rule could have tried to send a copy of your message
to a bad email address. If the recipient has such a rule, they'll need to correct the
destination email address or remove the rule in order to prevent 5.1.x message delivery
errors.

Solution 4: Verify that your account hasn't been compromised

Did you send the original message at all? If not, it's possible that a spammer or hacker
inappropriately used your account to send the message.

Check your recent messages in the Sent Items folder for strange or unknown messages
(messages that you didn't send). If you find any, it's possible that your email account
was compromised.

If you believe that your account has been compromised, follow these steps:

Reset your password and scan your devices for malware. However, the hacker
might have configured other settings on your mailbox (for example, created Inbox
rules to auto-forward email messages or added additional mailbox delegates). So,
follow the additional steps in How to determine whether your account has been
compromised.

Notify your email admin. Your admin will need to unblock your account before you
can send email again.

Solution 5: Confirm that the NDR is related to a message that you actually sent

If your Sent folder contains only messages that you know you sent, then the NDR you
received could be a result of backscatter (a useless NDR about a message you didn't
send), and you can ignore it.

Typically, if a message can't be delivered, the recipient's email system will use the
sender's email address in the From field to notify the sender in an NDR like this one. But
what if the message was sent by a spammer who falsified the From address so it
appears the message came from your email address? The resulting NDR that you'll
receive is useless because it creates the false impression that you did something wrong.
This type of useless NDR is called backscatter. It's annoying, but if this NDR is
backscatter, your account hasn't been compromised.

Check your recent messages in the Sent Items folder for strange or unknown messages
(messages that you didn't send). If you don't see any suspicious messages, it's likely that
the NDR you received is backscatter. If you've already changed your password and run
an anti-malware scan, you can ignore these backscatter NDRs.

To learn more, see Backscatter in EOP.

I'm an email admin. What can I do to fix this?


If the steps in the previous section don't solve the issue for the sender, the solution
might be related to the way the user's Microsoft 365 or Office 365 account is set up. If
you have a hybrid topology, the solution might also be related to the on-premises mail
transfer agent. It might also be a problem with the recipient's domain configuration.
Here are four solutions you can try. You might not need to try all of them to get the
message sent successfully.

Solution 1: Check the Microsoft 365 admin center for configuration problems or
service-wide issues

For Microsoft 365 or Office 365 accounts, the Microsoft 365 admin center provides a
central source for various tools, notifications, and information that you can use to
troubleshoot this and other issues.

Open the Microsoft 365 admin center , and from the Home page, do the following
items:

1. Check the Message Center to see if your organization has a known configuration
issue.

2. Go to Health > Service health to see if there's a current service issue in Microsoft
365 or Office 365 affecting the user's account.

3. Check the sender and recipient domains for incorrect or stale mail exchange (MX)
resource records by running the Mailflow Troubleshooter tool that is available
within Microsoft 365 and Office 365.

If there's a problem with the recipient's domain, contact the recipient or the recipient's
email administrator to let them know about the problem. They'll have to resolve the
issue in order to prevent NDR 5.1.x errors.

Solution 2: Update stale MX records


Error code 5.1.1 can be caused by problems with the MX resource record for the
recipient's domain. For example, the MX record might point to an old email server, or
the MX record might be ambiguous due to a recent configuration change.

Note

Updates to a domain's DNS records can take up to 72 hours to propagate to all
DNS servers on the Internet.

If external senders (senders outside your organization) receive this NDR when they send
messages to recipients in your domain, try the following steps:

The MX resource record for your domain might be incorrect. The MX record for an
Exchange Online domain points to the email server (host)
<domain>.mail.protection.outlook.com.

Verify that you have only one MX record configured for your Exchange Online
domain. We don't support using more than one MX record for domains enrolled in
Exchange Online.

Test your MX record and your ability to send email from your Exchange Online
organization by using the Verify MX Record and Outbound Connector Test at
Office 365 > Mail Flow Configuration in the Microsoft Remote Connectivity
Analyzer.

For more information, see Add DNS records to connect your domain and Set up SPF to
help prevent spoofing.

Solution 3: Update forwarding rules to remove incorrect
email addresses

This NDR might be caused by a forwarded (unintended) recipient that's configured for
the intended recipient. For example:

A forwarding Inbox rule or delegate that the recipient configured in their own
mailbox.
A mail flow rule (also known as a transport rule) configured by an email admin that
copies or forwards messages sent to the recipient to another invalid recipient.

For more information, see Configure email forwarding for a mailbox.

Still need help with error code 5.1.1 to 5.1.20?

See also
Email non-delivery reports in Office 365


Fix NDR error "550 5.1.10" in Exchange Online
Article • 02/13/2023

Important

Mail flow rules are now available in the new Exchange admin center. Try it now!

Problems sending and receiving email messages can be frustrating. If you get a non-
delivery report (NDR), also called a bounce message, for error code 550 5.1.10, this
article can help you fix the problem and get your message sent.

I got this bounce message. How do I fix it?
I'm an email admin. How can I fix this issue?

Why did I get this bounce message?


You received this NDR with error code 5.1.10 for one of the following reasons:

The recipient's email address doesn't exist or couldn't be found. Go to the I got
this bounce message. How do I fix it? section in this article.

Typically, if a message can't be delivered, the recipient's email system will use the
sender's email address in the From field to notify the sender in an NDR like this one. But
what if the message was sent by a spammer who falsified the From address so it
appears the message came from your email address? The resulting NDR that you'll
receive is useless because it creates the false impression that you did something wrong.
This type of useless NDR is called backscatter. It's annoying, but if this NDR is
backscatter, your account hasn't been compromised.

A spammer sent a message to a non-existent recipient, and they falsified the From
address so it appears the message was sent by your email address. The resulting
bounce message that you get is called backscatter, and you can safely ignore or
delete the bounce message.

Backscatter itself is harmless, but if you're getting a lot of it, it's possible that your
computer or device is infected with spam-sending malware. Consider running an
anti-malware scan. Additionally, to help prevent spammers from impersonating
you or others in your organization, ask your email admin to read this topic: Set up
SPF to help prevent spoofing.

I got this bounce message. How do I fix it?


Here are some steps that you can try to fix the problem yourself.

If the steps in this section don't fix the problem for you, contact your email admin and
refer them to the information in this article so they can try to resolve the issue for you.

Verify recipient's email address and resend your message

Verify recipient's email address and resend your message in
Outlook

1. Open the bounce message. In the Report tab, choose Send Again.

If your original message had an attachment larger than 10 MB, the Send Again
option might not be available or might not work. Instead, resend the message
from your Sent Items folder. For more information, see Resend an email
message .

2. In the new copy of your message, select the recipient's email address in the To box
and then press the Delete key.

3. Remove the recipient's email address from the Auto-Complete list (a bad or
outdated entry could be causing the problem):

a. In the To box, start typing the recipient's email address until it appears in the
Auto-Complete drop-down list as shown below.

b. Use the Down Arrow key to select the recipient from the Auto-Complete drop-
down list and then press the Delete key or choose the Delete icon to the right
of the email address.

4. In the To box, continue typing the entire recipient email address. Be sure to spell
the address correctly.

5. Click Send.

Verify recipient's email address and resend your message in
Outlook on the web (formerly known as Outlook Web App)

1. Open the bounce message. In the reading pane, just below the message header
information, choose To send this message again, click here.

If your original message had an attachment larger than 10 MB, the Send Again
option might not be available or might not work. Instead, resend the message
from your Sent Items folder.

2. On the To line of the new copy of your message, choose the Delete icon to
delete the recipient's email address.

3. Remove the recipient's email address from the Auto-Complete list (a bad or
outdated entry could be causing the problem):

a. On the empty To line, start typing the recipient's name or email address until it
appears in the Auto-Complete drop-down list.

b. Use the Down Arrow key to select the recipient from the Auto-Complete list,
and then press the Delete key. Or, hover over the recipient's name and click the
Delete icon.

4. On the To line, continue typing the recipient's entire email address. Be sure to spell
the address correctly.

5. Click Send.

Ask the recipient to check for broken forwarding rules or
settings

Does the recipient's email address in your original message exactly match the recipient's
email address in the NDR? Compare the recipient's email address in the NDR with the
recipient's email address in the message in your Sent Items folder.

If the addresses don't match, contact the recipient (by phone, in person, etc.) and ask
them if they've configured an email rule that forwards incoming email messages from
you to another destination. Their rule could have tried to send a copy of your message
to a bad email address. If the recipient has such a rule, they'll need to correct the
destination email address or remove the rule in order to prevent 5.1.x message delivery
errors.

Microsoft 365 and Office 365 support multiple ways to forward messages automatically.
If the intended recipient of your message is using Microsoft 365 or Office 365, ask them
to review the Update, disable, or remove Inbox Rules forwarding and Disable account
forwarding sections below.

If the problem persists after performing these steps, ask the recipient to refer their email
admin to the I'm an email admin. How can I fix this issue? section below.

Update, disable, or remove Inbox rules forwarding

1. In Microsoft 365 or Office 365, sign in to your user account.

2. Click the gear icon in the top-right corner to show the Settings pane.

3. Select Your app settings > Mail.

4. From the Options navigation pane on the left, select Mail > Automatic processing
> Inbox and sweep rules.

5. Update, turn off, or delete any rules that might be forwarding the sender's
message to a non-existent or broken email address.

Disable account forwarding


1. Sign in to your Microsoft 365 or Office 365 account, and from the same Options
navigation as shown above, select Mail > Accounts > Forwarding.

2. Select Stop forwarding and click Save to disable account forwarding.

I'm an email admin. How can I fix this issue?


If the sender can't fix the issue themselves, the problem might be that an email system
on the receiving side isn't configured correctly. If you're the email admin for the
recipient, try one or more of the following fixes and then ask the sender to resend the
message.

Verify that the recipient exists and has an active license
assigned

To verify that the recipient exists and has an active license assigned:

1. In the Microsoft 365 admin center, choose Users to go to the Active users page.

2. In the Active users > Filters search field, type part of the recipient's name, and
then press Enter to locate the recipient. If the recipient doesn't exist, then you must
create a new mailbox or contact for this user. (For more information, see Add users
individually or in bulk.) If the recipient does exist, make sure the recipient's
username matches the email address the sender used.

3. If the user's mailbox is hosted in Exchange Online, click the user's record to review
their details and verify that they've been assigned a valid license for email (for
example, an Office 365 Enterprise E5 license).

4. If the user's mailbox is hosted in Exchange Online, but no license has been
assigned, choose Edit and assign the user a license.

Fix or remove broken forwarding rules or settings


Microsoft 365 or Office 365 provides the following features for users and email admins
to forward messages to another email address:

Forwarding using Inbox rules (user)

Account forwarding (user and email admin)

Forwarding using mail flow rules (email admin)

Follow the steps below to fix the recipient's broken mail forwarding rule or settings.

Forwarding using Inbox rules (user)

The recipient might have an Inbox rule that is forwarding messages to a problematic
email address. Inbox rules are available only to the user (or someone with delegated
access to their account). See Update, disable, or remove Inbox Rules forwarding for how
the user, or their delegate, can change or remove a broken forwarding Inbox rule.

Account forwarding (user and email admin)

1. In the Microsoft 365 admin center, choose Users.

2. In the Active users > Filters search field, type part of the recipient's name and then
press Enter to locate the recipient. Click the user's record to view its details.

3. From the user's profile page, select Mail Settings > Email forwarding > Edit.

4. Turn off Email forwarding and select Save.

Forwarding using mail flow rules (email admin)

Unlike Inbox rules that are associated with a user's mailbox, mail flow rules (also known
as transport rules) are organization-wide settings and can only be created and edited by
email admins.

1. In the Microsoft 365 Admin center, select Admin centers > Exchange.

2. In the Exchange admin center (EAC), that is, New EAC or Classic EAC, go to Mail
flow > Rules.

3. Look for any redirect rules that might be forwarding the sender's message to
another address.

An example of a redirect rule in New EAC is the following image.

An example of a redirect rule in Classic EAC is the following image.

4. Update, turn off, or delete any suspect forwarding rules.


Update accepted domain settings

Notes:

Message routing (especially in hybrid configurations) can be complex. Even if
changing the accepted domain setting fixes the bounce message problem, it might
not be the right solution for you. In some cases, changing the accepted domain type
might cause other unanticipated problems. Review Manage accepted domains in
Exchange Online and then proceed with caution.

If the accepted domain in Exchange Online is Authoritative: The service looks
for the recipient in the Exchange Online organization, and if the recipient isn't
found, message delivery stops and the sender will receive this bounce message.
On-premises users must be represented in the Exchange Online organization by
mail contacts or mail users (created manually or by directory synchronization).

If the accepted domain in Exchange Online is Internal Relay: The service looks
for the recipient in the Exchange Online organization, and if the recipient isn't
found, the service relays the message to your on-premises Exchange
organization (assuming you've correctly set up the required connector to do
so).

When setting an accepted domain to Internal Relay, you must set up a
corresponding Microsoft 365 or Office 365 connector to your on-premises
environment. Failing to do so will break mail flow to your on-premises recipients.
For more information about connectors, see Configure mail flow using connectors.

To change the Accepted Domain from Authoritative to Internal Relay:

If you have a hybrid configuration with a Microsoft 365 or Office 365 connector
configured to route messages to your on-premises environment, and you believe that
Internal Relay is the correct setting for your domain, change the Accepted Domain from
Authoritative to Internal Relay.

New Exchange admin center (EAC):

1. Open the New Exchange admin center (EAC). For more information, see Exchange
admin center in Exchange Online.

2. Choose Mail flow > Accepted domains. The Accepted domains screen appears.

3. Select a recipient's domain and double-click it.

The accepted domain's details screen appears.

4. Click the radio button for Internal Relay.

5. Click Save.

Classic EAC:

1. Open the Classic EAC. For more information, see Exchange admin center in
Exchange Online.

2. From the EAC, choose Mail flow > Accepted domains and select the recipient's
domain.

3. Double-click the domain name.

4. In the Accepted Domain dialog box, set the domain to Internal Relay, and then
select Save.

Manually synchronize on-premises and Microsoft 365 or Office 365
directories

If you have a hybrid configuration and the recipient is located in the on-premises
Exchange organization, it's possible that the recipient's email address isn't properly
synchronized with Microsoft 365 or Office 365. Follow these steps to synchronize
directories manually:

1. Log into the on-premises server that's running Azure AD Connect sync.

2. Open Windows PowerShell on the server and run the following command:

PowerShell

Start-ADSyncSyncCycle -PolicyType Delta

When synchronization completes, repeat the steps in the Verify that the recipient exists
and has an active license assigned section to verify that the recipient address exists in
Exchange Online.

Verify the custom domain's mail exchanger
(MX) record

If you have a custom domain (for example, contoso.com instead of
contoso.onmicrosoft.com), it's possible that your domain's MX record isn't configured
correctly.

1. In the Microsoft 365 Admin center, go to Settings > Domains, and then select the
recipient's domain.

2. In the pop-out Required DNS settings pane, select Check DNS.

3. Verify that there's only one MX record configured for the recipient's domain.
Microsoft doesn't support using more than one MX record for a domain that's
enrolled in Exchange Online.

4. If Microsoft 365 or Office 365 detects any issues with your Exchange Online DNS
record settings, follow the recommended steps to fix them. You might be
prompted to make the changes directly within the Microsoft 365 admin center.
Otherwise, you must update the MX record from your DNS host provider's portal.
For more information, see Create DNS records at any DNS hosting provider.

Note

Typically, your domain's MX record should point to the Microsoft 365 or
Office 365 fully qualified domain name: <your
domain>.mail.protection.outlook.com. DNS record updates usually propagate
across the Internet in a few hours, but they can take up to 72 hours.

Still need help with a 5.1.10 bounce message?


See also
Email non-delivery reports in Exchange Online

Backscatter in EOP

Configure email forwarding for a mailbox

Synchronizing your directory with Microsoft 365 or Office 365 is easy

Create DNS records at any DNS hosting provider

Set up SPF to help prevent spoofing


Fix NDR error "550 5.4.1" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 5.4.1 in a non-delivery report (also
known as an NDR, bounce message, delivery status notification, or DSN).

Why did I get this bounce message?


The email server that's generating the error doesn't accept email from the sender's
domain (for example, @fabrikam.com). This error is generally caused by email server or
DNS misconfiguration.

I got this bounce message. How do I fix it?
I'm an email admin. How can I fix this?

I got this bounce message. How do I fix it?


Here are some steps that you can try to fix the problem yourself.

If the steps in this section don't fix the problem for you, contact your email admin and
refer them to the information in this topic so they can try to resolve the issue for you.

Just wait: It might seem strange, but this error might go away on its own after a
few days. If your email admin made changes to your organization's domain name
system (DNS) records, the change can prevent you from sending and receiving
email for a brief period, even if they did everything correctly (it can take up to 72
hours for DNS changes to propagate on the internet). If you'd like more details
about DNS records, see DNS basics.

Service outage: A problem with the whole Microsoft 365 or Office 365 service
could be causing the problem. Even your email admins can't do anything about
service outages except wait for the problem to be resolved.

I'm an email admin. How can I fix this?


The most common issues and fixes are described in the following sections.

Incorrect MX record
If external senders receive this NDR when they send email to recipients in your domain,
try the following fixes:

Fix your MX record: For example, it might be pointing to an invalid mail server.
Check with your domain registrar or DNS hosting service to verify the MX record
for your domain is correct. The MX record for a domain that's enrolled in Exchange
Online uses the syntax <domain>.mail.protection.outlook.com.

Verify only one MX record is configured for your domain: We don't support using
more than one MX record for domains enrolled in Exchange Online.

Test your MX record: Use the Outbound SMTP Email test in the Microsoft Remote
Connectivity Analyzer.
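The MX checks listed above, and the same ones in the 5.1.10 article's "Verify the custom domain's mail exchanger (MX) record" section, as an added Python example that is not Microsoft's tooling: it takes MX records you have already resolved (here, constructed answers in dig-style zone format) and reports missing, extra or stale records. It accepts the <domain>.mail.protection.outlook.com form these articles give as well as the dashed label Microsoft issues for custom domains (contoso-com.mail.protection.outlook.com).

```python
"""Check the MX record set of a domain enrolled in Exchange Online.

Added example (not Microsoft's tooling). It applies the checks the
5.1.1, 5.1.10 and 5.4.1 articles describe to MX records you have already
resolved: exactly one MX record, pointing at
<domain>.mail.protection.outlook.com. The answers below are constructed;
in practice you would feed in the output of your DNS resolver.
"""
from __future__ import annotations

from dataclasses import dataclass

EXO_MX_SUFFIX = ".mail.protection.outlook.com"


@dataclass(frozen=True)
class MxRecord:
    preference: int
    exchange: str  # target host name as returned by DNS, trailing dot allowed


def parse_mx_answer(answer_text: str) -> list[MxRecord]:
    """Parse zone-file style answer lines, e.g. from dig:

        contoso.com.  3600  IN  MX  0  contoso-com.mail.protection.outlook.com.
    """
    records: list[MxRecord] = []
    for line in answer_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "MX" not in fields:
            continue  # blank line, comment, or not an MX answer
        i = fields.index("MX")
        if len(fields) < i + 3:
            continue  # malformed line: no preference/host after MX
        records.append(MxRecord(int(fields[i + 1]), fields[i + 2]))
    return records


def expected_exo_targets(domain: str) -> set[str]:
    """Acceptable MX targets for an Exchange Online domain.

    The articles give the form <domain>.mail.protection.outlook.com; the
    label Microsoft issues for a custom domain replaces the dots with
    dashes (contoso.com -> contoso-com.mail.protection.outlook.com), so
    both spellings are accepted here.
    """
    d = domain.strip().rstrip(".").lower()
    return {d + EXO_MX_SUFFIX, d.replace(".", "-") + EXO_MX_SUFFIX}


def check_exchange_online_mx(domain: str, records: list[MxRecord]) -> list[str]:
    """Return the problems found; an empty list means the MX set looks right."""
    problems: list[str] = []
    if not records:
        return ["no MX record found: mail for this domain cannot be routed"]
    if len(records) > 1:
        problems.append(
            f"{len(records)} MX records found; an Exchange Online domain must have exactly one"
        )
    accepted = expected_exo_targets(domain)
    for rec in records:
        host = rec.exchange.rstrip(".").lower()
        if host in accepted:
            continue
        if host.endswith(EXO_MX_SUFFIX):
            problems.append(
                f"MX {host} is an Exchange Online host but not the one for {domain}"
                " (stale record or copied from another tenant)"
            )
        else:
            problems.append(
                f"MX {host} does not point at Exchange Online; an old mail server is"
                " still in DNS, so senders may get 5.1.1 or 5.4.1 bounces"
            )
    return problems


# Constructed resolver answers for the three cases the articles describe.
GOOD_ANSWER = "contoso.com.  3600  IN  MX  0  contoso-com.mail.protection.outlook.com."
STALE_ANSWER = """\
; constructed: an old on-premises server was never removed from DNS
contoso.com.  3600  IN  MX  10  mail.contoso.com.
contoso.com.  3600  IN  MX  20  contoso-com.mail.protection.outlook.com.
"""
WRONG_TENANT_ANSWER = "contoso.com.  3600  IN  MX  0  fabrikam-com.mail.protection.outlook.com."


if __name__ == "__main__":
    for label, answer in (("good", GOOD_ANSWER), ("stale", STALE_ANSWER),
                          ("wrong tenant", WRONG_TENANT_ANSWER)):
        print(label, check_exchange_online_mx("contoso.com", parse_mx_answer(answer)))
```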

Domain configuration issues


1. Open the Microsoft 365 admin center.

2. Click Domains and verify your domain appears in the list as Active.

3. Select the domain and click Troubleshoot. Follow the troubleshooting wizard
steps.

If you control the DNS records for your Microsoft 365 or Office 365 domain, you can
also check the status of the domain in the Exchange admin center (EAC) by following
these steps:

1. In the Microsoft 365 admin center, click Admin > Exchange.

2. Click Mail flow > Accepted domains.

3. Verify that your domain is listed, and verify the Domain Type value for the domain.
Typically, the value should be Authoritative. However, if you have properly
configured a shared domain, the value might be Internal Relay.

Updated DNS records haven't propagated


You updated your domain's DNS records correctly for Microsoft 365 or Office 365, but
the changes haven't propagated to all DNS servers on the internet. Changes to your
domain's DNS records might take up to 72 hours to propagate to all DNS servers on the
internet.

Hybrid deployment configuration issues


If your domain is part of a hybrid deployment between on-premises Exchange and
Exchange Online, check the following items:

Verify the configuration of the Send connectors and Receive connectors in your
on-premises Exchange organization that are used for hybrid. These connectors are
configured automatically by the Hybrid Configuration Wizard, and the wizard
might need to be run again by your Exchange administrator.

For more information, see this topic.

For more information about transport routing in hybrid deployments, see Transport
Routing in Exchange Hybrid Deployments.

Service issues in Exchange Online


A service issue in Microsoft 365 or Office 365 might be causing the problem. To check
the status of Microsoft 365 or Office 365, do the following steps:

1. Open the Microsoft 365 admin center.

2. Click Service health to see an overview of any issues.

3. Select View all to get more details about all known issues.

Details about this NDR


The Exchange Online non-delivery report (NDR) notification for this specific error might
contain some or all of the following information:

User information section

Relay Access Denied

The outbound connection attempt was not answered because either the remote
system was busy or it was unable to take delivery of the message.

Diagnostic information for administrators section

No answer from host.

#550 5.4.1 Relay Access Denied ##

Still need help?

See also
Email non-delivery reports in Exchange Online

Use Directory-Based Edge Blocking to reject messages sent to invalid recipients in
Exchange Online


Fix NDR error "550 5.6.11" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 5.6.11 in a non-delivery report (also
known as an NDR, bounce message, delivery status notification, or DSN).

I got this bounce message. How do I fix it?
I'm an email admin. How can I fix this?

Why did I get this bounce message?


You received this bounce message with error code 5.6.11 because your message contains
bare line feeds, and the destination email server doesn't support messages with bare
line feeds.

A bare line feed is a line feed (LF) character that's not immediately preceded by a
carriage return (CR) character. In other words, instead of a line of text ending with CR LF,
it ends with only LF.

Typically, each line in an email message ends with a carriage return followed by a line
feed (CR LF).

If a message contains bare line feeds, the SMTP Chunking feature is required to transmit
the message between email servers. Chunking uses the SMTP BDAT command as
defined in RFC 3030. If the destination email server doesn't support BDAT, then it can't
accept messages that contain bare line feeds.

Microsoft 365 and Office 365 used to remove bare line feeds from messages to enable
delivery to older email servers that didn't support SMTP Chunking and the BDAT
command. In an effort to better support security standards (for example, DomainKeys
Identified Mail or DKIM), Office 365 no longer removes bare line feeds from messages.

I got this bounce message. How do I fix it?


If you received this NDR as a result of a message that you sent, you can try the following
steps to fix the problem:

1. Send the message using a different email program that doesn't add bare line feeds
to messages, such as Outlook on the web (formerly known as Outlook Web App).

2. If the original message contained an attachment, try sending the message without
the attachment.

If these steps don't fix the problem for you, contact your email admin and refer them to
the information in this topic so they can try to resolve the issue for you.

I'm an email admin. How can I fix this?


If the steps in the previous section didn't fix the problem, the recipient's email admin
can fix the problem by using one of the solutions described in this section.

Solution 1: Disable bare line feed rejection (allow
messages that contain bare line feeds) in the destination
email server

Some email servers support the ability to disable bare line feed rejection. For example,
Receive connectors in Exchange Server support the BareLinefeedRejectionEnabled
setting. If the recipient's email server is Exchange, the admin could configure the setting
-BareLinefeedRejectionEnabled $false on the server's Receive connector for internet
mail. For more information, see Set-ReceiveConnector.

Solution 2: Upgrade the destination email server to a
newer version (or different email server software) that
supports the SMTP BDAT command

Email servers that support the SMTP BDAT command can accept messages with bare
line feeds. Most modern email servers support BDAT; however, some free and older
email servers don't support BDAT.

What's a bare line feed?


A bare line feed is a single line feed character (LF or ASCII 10) that isn't immediately
preceded by the carriage return character (CR or ASCII 13). The line separator in an
email message is supposed to be CRLF, not LF.
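
An added Python example, not Microsoft's code, of the checks this article describes: it finds bare line feeds in the raw bytes of a message, repairs them, and uses the CHUNKING keyword in an EHLO reply to decide whether a destination server can take the message over BDAT at all. The sample message and the two EHLO replies are constructed.

```python
"""Find and repair bare line feeds, the cause of a 550 5.6.11 bounce.

Added example, not Microsoft's code. It works on the raw bytes of a
message (what an SMTP server actually sees), reports every LF (0x0A) that
is not immediately preceded by CR (0x0D), repairs them, and decides whether
a message can be handed to a given destination server. The message and the
EHLO responses below are constructed.
"""
from __future__ import annotations


def find_bare_line_feeds(raw: bytes) -> list[tuple[int, int]]:
    """Return (line_number, byte_offset) for every LF not preceded by CR."""
    hits: list[tuple[int, int]] = []
    line = 1
    prev = -1
    for offset, byte in enumerate(raw):
        if byte == 0x0A:
            if prev != 0x0D:
                hits.append((line, offset))
            line += 1
        prev = byte
    return hits


def normalize_line_endings(raw: bytes) -> bytes:
    """Insert the missing CR before every bare LF; existing CRLF pairs are untouched.

    Do this in the sending application before the message is DKIM-signed:
    once a signature covers the body, a relay that rewrites line endings
    invalidates it, which is why Microsoft 365 no longer strips bare LFs.
    """
    out = bytearray()
    prev = -1
    for byte in raw:
        if byte == 0x0A and prev != 0x0D:
            out.append(0x0D)
        out.append(byte)
        prev = byte
    return bytes(out)


def advertises_chunking(ehlo_response: str) -> bool:
    """True if an EHLO reply lists the CHUNKING extension (BDAT, RFC 3030)."""
    for line in ehlo_response.splitlines():
        # Reply lines look like "250-KEYWORD ..." or, for the last one, "250 KEYWORD".
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            words = line[4:].split()
            if words and words[0].upper() == "CHUNKING":
                return True
    return False


def choose_transfer_mode(raw: bytes, ehlo_response: str) -> str:
    """Decide how a message can be handed to the destination server.

    DATA: no bare LFs, any server accepts it.
    BDAT: bare LFs present, but the server supports chunking.
    NORMALIZE: bare LFs present and no BDAT support; repair the message
    before sending or expect a 5.6.11 rejection.
    """
    if not find_bare_line_feeds(raw):
        return "DATA"
    if advertises_chunking(ehlo_response):
        return "BDAT"
    return "NORMALIZE"


# Constructed sample message: line 6 of the raw bytes ends with a bare LF.
SAMPLE_MESSAGE = (
    b"From: sender@contoso.com\r\n"
    b"To: recipient@fabrikam.com\r\n"
    b"Subject: Quarterly report\r\n"
    b"\r\n"
    b"Line one ends correctly.\r\n"
    b"Line two ends with a bare LF.\n"
    b"Line three is fine.\r\n"
)

# Constructed EHLO replies: one server with chunking, one without.
EHLO_WITH_CHUNKING = "250-mail.fabrikam.com Hello\r\n250-SIZE 52428800\r\n250-CHUNKING\r\n250 OK"
EHLO_WITHOUT_CHUNKING = "250-mail.fabrikam.com Hello\r\n250-SIZE 52428800\r\n250 OK"


if __name__ == "__main__":
    print("bare LFs at (line, offset):", find_bare_line_feeds(SAMPLE_MESSAGE))
    print("chunking server:", choose_transfer_mode(SAMPLE_MESSAGE, EHLO_WITH_CHUNKING))
    print("legacy server:", choose_transfer_mode(SAMPLE_MESSAGE, EHLO_WITHOUT_CHUNKING))
    fixed = normalize_line_endings(SAMPLE_MESSAGE)
    print("after repair:", choose_transfer_mode(fixed, EHLO_WITHOUT_CHUNKING))
```
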
Still need help?

See also
Email non-delivery reports in Exchange Online

RFC 6376 DomainKeys Identified Mail (DKIM) Signatures

RFC 3030 SMTP Service Extensions for Transmission of Large and Binary Mime Messages
(BDAT Support)


Fix NDR error "550 5.7.1" in Exchange Online
Article • 02/28/2023

Important

Mail flow rules are now available in the new Exchange admin center. Try it now!

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see error code 5.7.1 in a non-delivery report (also
known as an NDR, bounce message, delivery status notification, or DSN). This
information also applies to error codes 5.7.0 through 5.7.999.

I got this bounce message. How do I fix this issue?
I'm an email admin. How can I fix this issue?

This information also applies to error codes 5.7.0 through 5.7.999 in Exchange Online
and Microsoft 365 or Office 365. There can be several causes for DSN error code 5.7.1, for
which solutions are provided later in this topic.

Why did I get this bounce message?


Typically, this error indicates a security setting in your organization or the recipient's
organization is preventing your message from reaching the recipient. For example:

You don't have permission to send to the recipient.

The recipient is a group, and you don't have permission to send to the group or
one of its subgroups.

You don't have permission to send email through an email server that's between
you and the recipient.

Your message was routed to the wrong email server.

I got this bounce message. How do I fix this
issue?

Typically, you can't fix the problem yourself. You'll need the recipient or the recipient's
email admin to fix the configuration on their end. However, here are some steps that
you can try:

If the recipient is external (outside of your organization): Contact the recipient
(by phone, in person, etc.) and ask them to tell their email admin about your email
delivery problem. Their email admin might need to reconfigure the recipient's
mailbox so it accepts email from you.

If the recipient is an internal group: You might not have permission to send to the
group or to one of its subgroups. In this case, the NDR will include the names of
the restricted groups that you don't have permission to send to. Ask the owner of
the restricted group to grant you permission to send messages to the group. If you
don't know the group's owner, you can find it in Outlook or Outlook on the web
(formerly known as Outlook Web App) by doing the following steps:
Outlook: Select the NDR, double-click the group name on the To line, and then
choose Contact.
Outlook on the web: Select the NDR, choose the group name on the To line,
and then choose Owner.

If you're sending to a large distribution group: Groups with more than 5,000
members have the following restrictions automatically applied to them:
Messages sent to the group require approval by a moderator.
Large messages can't be sent to the group. However, senders of large messages
will receive a different NDR. For more information about large messages, see
Distribution group limits.

To resolve the issue, join the group, or ask the group's owner or moderator to
approve your message. Refer them to the I'm the owner of a restricted group.
What can I do? section later in this topic.

If none of the previous steps apply or solve your issue, contact the recipient's email
administrator, and refer them to the I'm an email admin. How can I fix this issue? section
later in this topic.

I'm the owner of a restricted group. What can I do?


If a message sender received this NDR when they attempted to send a message to your
group, and you want them to successfully send messages to your group, try one of the
following steps:

Remove the sender restriction: Change your group settings to unblock the sender
in one of the following ways:
Add the sender to the group's allowed senders list. Note that you must create a
mail contact or a mail user to represent the external sender in your
organization.
If the sender is restricted because they're external (outside your organization),
configure the group to accept messages from external senders.
If you've configured a mail flow rule (also known as a transport rule) to restrict
certain senders or groups of senders, you can modify the rule to accept
messages from the sender.

Restrictions on large groups: Groups with more than 5,000 members have the
following restrictions automatically applied:
Messages sent to the group require approval by a moderator.
Large messages can't be sent to the group (but you'll receive a different NDR
from this one if that's the issue). See Exchange Online Limits.

To resolve the issue for the sender, approve their message, or add them to the
group.

Managing distribution groups


Configure moderated recipients in Exchange Online
Create and manage distribution groups in Exchange Online

I'm an email admin. How can I fix this issue?

The sender is external (outside your organization)


If only this recipient is having difficulty accepting messages from external senders,
configure the recipient or your email servers to accept messages from external or
anonymous senders.

The recipient is a public folder in your Exchange Online
organization

When the recipient is a mail-enabled public folder in your Exchange Online
organization, an external sender will receive an NDR with the following error code:

Remote Server returned '<xxxxxxxx> #5.7.1 smtp;550 5.7.1 RESOLVER.RST.AuthRequired; authentication required [Stage: CreateMessage]'

To configure the public folder to accept messages from external senders, follow these
steps:
New EAC
1. Open the Exchange admin center (EAC). For more information, see Exchange
admin center in Exchange Online.

2. Go to Public folders > Public folders.

3. Choose a public folder from the list, and then click Edit .

4. Click Mail flow settings.

5. Under Message Delivery Restrictions > Accept messages from, perform the
following tasks:

Clear the check box for Require that all senders are authenticated.
Select All senders.
6. Click Save.

Classic EAC
1. Open the Exchange admin center (EAC). For more information, see exchange
admin center in exchange online.

2. In the EAC, go to Public folders > Public folders > select the public folder from
the list, and then click Edit .
3. In the public folder properties dialog box that opens, go to Mail flow settings, and
configure the following settings in the Accept messages from section:

Clear the check box for Require that all senders are authenticated.
Select All senders.

4. Click Save.
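The same setting can be changed and audited from Exchange Online PowerShell. This is an added example, not code from the original article; it assumes a Connect-ExchangeOnline session, and the folder path \Marketing\Press Inbox is a constructed placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has been run.
$pf = '\Marketing\Press Inbox'   # constructed: path of the mail-enabled public folder named in the NDR

# RESOLVER.RST.AuthRequired means RequireSenderAuthenticationEnabled is $true on the mail-enabled
# public folder. Check that, and whether an allowlist or block list is also in play.
Get-MailPublicFolder -Identity $pf | Format-List `
    RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, RejectMessagesFrom

# Accept mail from external (anonymous) senders. The folder is now reachable by any Internet
# sender, so if only a few partners need it, populate AcceptMessagesOnlyFrom as an allowlist
# (each partner must exist as a mail contact first) rather than leaving it wide open.
Set-MailPublicFolder -Identity $pf -RequireSenderAuthenticationEnabled $false

# Verify the change and confirm the folder really carries the address the sender used.
Get-MailPublicFolder -Identity $pf |
    Format-List RequireSenderAuthenticationEnabled, PrimarySmtpAddress, EmailAddresses

# Periodic audit: which mail-enabled public folders are open to anonymous senders at all?
Get-MailPublicFolder -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Format-Table Name, PrimarySmtpAddress, AcceptMessagesOnlyFrom -AutoSize
```

The audit at the end is worth scheduling: a public folder that was opened once for a campaign tends to stay open, and an externally reachable folder address is a convenient phishing and spam target.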
The sender is external and their source IP address is on Microsoft's blocklist
In this case, the NDR the sender receives would include information in the Diagnostics
for administrators section similar to the following information:

5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using Blocklist 1; To request removal from this list please forward this message to delist@microsoft.com

To remove the restriction on the sender's source email system, forward the NDR
message to delist@microsoft.com. Also see Use the delist portal to remove yourself
from the blocked senders list.

Your domain isn't fully enrolled in Microsoft 365 or Office 365
If your domain isn't fully enrolled in Microsoft 365 or Office 365, try the following steps:

Verify your domain appears as Healthy in the Microsoft 365 admin center at
Settings > Domains.
For information about adding your domain to Microsoft 365 or Office 365, see Add
a domain to Microsoft 365.
To troubleshoot domain verification issues, see Troubleshoot domain verification
issues in Office 365 .

Your domain's MX record has a problem


If you have an incorrect MX record, try the following steps:

1. Check the sender and recipient domains for incorrect or stale MX records by using
the Advanced diagnostics > Exchange Online test in the Microsoft Support and
Recovery Assistant. For more information about the Support and Recovery
Assistant, see About the Microsoft Support and Recovery Assistant .

2. Check with your domain registrar or DNS hosting service to verify the MX record
for your domain is correct. The MX record for a domain that's enrolled in Exchange
Online uses the syntax <domain-key>.mail.protection.outlook.com (for example,
contoso-com.mail.protection.outlook.com for contoso.com).

3. Verify Inbound SMTP Email and Outbound SMTP Email at Office 365 > Mail Flow
Configuration in the Microsoft Remote Connectivity Analyzer .
4. Verify you have only one MX record configured for your domain. Microsoft doesn't
support using more than one MX record for a domain that's enrolled in Exchange
Online.

Your domain's SPF record has a problem


The Sender Policy Framework (SPF) record for your domain might be incomplete, and
might not include all email sources for your domain. For more information, see Set up
SPF to help prevent spoofing.
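The MX checks in the previous section and the SPF check above can be scripted so they run the same way every time. The following is an added example, not code from the original article; it uses the Resolve-DnsName cmdlet from the Windows DnsClient module, needs no Exchange Online session, and the domain contoso.com is a constructed placeholder.

```powershell
# Added example (not from the original article). Runs on Windows PowerShell or PowerShell 7 on
# Windows (Resolve-DnsName comes from the DnsClient module). The domain is a constructed placeholder.
function Test-ExoDomainDns {
    param([Parameter(Mandatory)][string]$Domain)

    $findings = @()

    # --- MX: exactly one record, pointing at Exchange Online Protection ---
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' })
    if ($mx.Count -eq 0) {
        $findings += "No MX record for $Domain"
    } elseif ($mx.Count -gt 1) {
        # Exchange Online supports only one MX per domain; extra or stale records cause misrouting.
        $findings += "$($mx.Count) MX records found; Exchange Online supports exactly one: " +
                     (($mx | ForEach-Object { "$($_.NameExchange) (pref $($_.Preference))" }) -join ', ')
    }
    foreach ($r in $mx) {
        if ($r.NameExchange -notlike '*.mail.protection.outlook.com') {
            $findings += "MX $($r.NameExchange) does not point at Exchange Online " +
                         "(expected <domain-key>.mail.protection.outlook.com)"
        }
    }

    # --- SPF: exactly one v=spf1 TXT record, and it must authorise Exchange Online to send ---
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } |
             ForEach-Object { ($_.Strings -join '') })   # long records arrive split into 255-byte strings
    $spf = @($txt | Where-Object { $_ -like 'v=spf1*' })
    switch ($spf.Count) {
        0 { $findings += "No SPF record; receivers cannot distinguish spoofed mail from yours" }
        1 {
            if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
                $findings += "SPF does not include spf.protection.outlook.com, so mail sent from " +
                             "Exchange Online fails SPF: $($spf[0])"
            }
            if ($spf[0] -match '\+all$') {
                $findings += "SPF ends in +all, which authorises every host on the Internet"
            }
        }
        default { $findings += "$($spf.Count) SPF records; RFC 7208 requires receivers to treat this as a permanent error" }
    }

    if ($findings.Count -eq 0) { "OK: MX and SPF for $Domain look correct for Exchange Online" } else { $findings }
}

Test-ExoDomainDns -Domain 'contoso.com'   # constructed example domain
```

Run it from a host outside your own network as well as inside it: a split-horizon DNS setup can make the internal answer look correct while the public one, which other mail systems actually use, is the stale record.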

Hybrid configuration issues


If your domain is part of a hybrid deployment between on-premises Exchange and
Exchange Online, the Hybrid Configuration Wizard should automatically configure
the required connectors for mail flow. Even so, you can use the steps in this section
to verify the connector settings.

1. Open the Microsoft 365 admin center at https://portal.microsoftonline.com , and click Admin > Exchange.

2. In the Exchange admin center, click Mail Flow > Connectors. Select the
connector that's used for hybrid, and choose Edit. Verify the following
information:

Delivery: If Route mail through smart hosts is selected, confirm the correct IP address or FQDN is specified. If MX record associated with the recipient domain is selected, confirm the MX record for the domain points to the correct mail server.

You can test your MX record and your ability to send mail from your
Exchange Online organization by using the Outbound SMTP Email test in
the Microsoft Remote Connectivity Analyzer .

Scope: If you need to route inbound internet mail to your on-premises Exchange organization, Domains need to include all email domains that are used in your on-premises organization. You can use the value asterisk (*) to also route all outbound internet mail through the on-premises organization.

If the connectors are configured incorrectly, your Exchange administrator needs to rerun the Hybrid Configuration Wizard in the on-premises Exchange organization.
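The Delivery and Scope checks above can be done against the connector objects themselves in Exchange Online PowerShell, which also exposes the TLS settings the EAC page doesn't show at a glance. The following is an added example, not code from the original article; it assumes a Connect-ExchangeOnline session, and the two on-premises domains are constructed placeholders.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has been run.
# The Hybrid Configuration Wizard creates one outbound and one inbound connector of type OnPremises.
$domains = 'contoso.com', 'corp.contoso.com'   # constructed: SMTP domains still hosted on-premises

# Outbound (Exchange Online -> on-premises): the Delivery and Scope settings described above.
Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } | ForEach-Object {
    $c = $_
    $delivery = if ($c.UseMXRecord) { 'MX record of recipient domain' } else { $c.SmartHosts -join ', ' }
    # Any on-premises domain missing from RecipientDomains is routed to the Internet instead.
    $missing = $domains | Where-Object { $c.RecipientDomains -notcontains $_ }
    [pscustomobject]@{
        Connector      = $c.Name
        Enabled        = $c.Enabled
        Delivery       = $delivery
        TlsSettings    = $c.TlsSettings      # hybrid should validate the certificate, not merely encrypt
        TlsDomain      = $c.TlsDomain
        MissingDomains = ($missing -join ', ')
        RoutesAllMail  = ($c.RecipientDomains -contains '*')   # '*' = all outbound Internet mail via on-premises
    }
} | Format-List

# Inbound (on-premises -> Exchange Online): which hosts Exchange Online trusts as "internal".
# Mail matching this connector skips the treatment external mail gets, so flag any connector
# that does not require TLS or that restricts neither by certificate nor by source IP.
Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } | ForEach-Object {
    $weak = (-not $_.RequireTls) -or
            (-not $_.RestrictDomainsToCertificate -and -not $_.RestrictDomainsToIPAddresses)
    [pscustomobject]@{
        Connector        = $_.Name
        Enabled          = $_.Enabled
        SenderDomains    = ($_.SenderDomains -join ', ')
        RequireTls       = $_.RequireTls
        CertificateName  = $_.TlsSenderCertificateName
        SenderIPs        = ($_.SenderIPAddresses -join ', ')
        WeakRestriction  = $weak
    }
} | Format-List
```

A connector with WeakRestriction set to True is worth fixing before the NDR is: anything that can reach the inbound endpoint and match it is treated as on-premises mail.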
If you disable an on-premises Active Directory account, you'll get the following
error message:

Your message couldn't be delivered to the recipient because you don't have
permission to send to it. Ask the recipient's email admin to add you to the
accept list for the recipient. For more information, see DSN 5.7.129 Errors in
Exchange Online and Microsoft 365 or Office 365.

To cease all communication with the Exchange Online mailbox, you need to delete
the on-premises user account instead of disabling it.

Another solution would be to remove the license, but then you would need to
create a mail flow rule (also known as a transport rule) to prevent the user from
receiving email messages. Otherwise, the user would continue to receive messages
for about 30 days after removal of the license.

Consider this scenario as part of the workflow for disabling a user on Exchange
Online.
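The mail flow rule that the license-removal path needs can be created from Exchange Online PowerShell. The following is an added example, not code from the original article; it assumes a Connect-ExchangeOnline session, and the address former.employee@contoso.com is a constructed placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has been run.
$user = 'former.employee@contoso.com'   # constructed: user whose license was removed; mailbox lingers ~30 days

# Reject, at the transport layer, anything addressed to the mailbox so it receives nothing
# during the grace period. Priority 0 puts the rule ahead of any other rule that might
# otherwise redirect or deliver the message first.
New-TransportRule -Name "Block inbound mail to $user" `
    -SentTo $user `
    -Priority 0 `
    -RejectMessageReasonText 'This mailbox no longer accepts mail.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments "Added $(Get-Date -Format s) while license removal for $user completes"

# If you would rather external senders learn nothing about the account, silently drop instead
# of rejecting: replace the two -RejectMessage* parameters above with -DeleteMessage $true.

# While the mailbox still exists, any inbox rule that forwards or redirects its mail keeps
# working. Remove those so the dormant mailbox cannot act as a relay for its old address.
Get-InboxRule -Mailbox $user |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false

# Confirm the rule is enabled and scoped to exactly one recipient.
Get-TransportRule -Identity "Block inbound mail to $user" |
    Format-List Name, State, Priority, SentTo, RejectMessageReasonText

# After the mailbox is gone (about 30 days), remove the rule so it doesn't accumulate:
# Remove-TransportRule -Identity "Block inbound mail to $user" -Confirm:$false
```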

See also
Email non-delivery reports in Exchange Online



Fix NDR error "the sender's submission quota was exceeded" in Exchange Online
Article • 02/13/2023

It's frustrating when you get an error after sending an email message. This topic
describes what you can do if you see the error:

The message can't be submitted because the sender's submission quota was
exceeded.

in a non-delivery report (also known as an NDR, bounce message, delivery status
notification, or DSN).

Why did I get this bounce message?


You received this NDR because you have exceeded the recipient rate limit (10,000
recipients per day).


I got this bounce message. How do I fix it?


If you knowingly sent messages to 10,000 recipients in the last 24 hours, you need to wait
one day before you can send email from your mailbox again.

If you didn't send the messages and you suspect your account has been compromised,
reset your password and scan your devices for malware. However, the attacker might
have configured other settings on your mailbox (for example, Inbox rules to forward
messages or additional mailbox delegates). So, follow the steps in How to determine
whether your Office 365 account has been compromised.

I'm an email admin. How do I fix this?


More information about sending and receiving limits in Exchange Online is available at
Receiving and sending limits.

The sending account might be compromised. You'll need to:

Determine if the account is compromised. If the account is compromised, follow
the steps in Responding to a Compromised Email Account in Exchange Online.

To help prevent future account compromises, follow the recommendations in Top
10 ways to secure Microsoft 365 for business plans.
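Before deciding whether the account is compromised, an admin wants three facts: how many recipients the account really sent to, where that mail went, and what persistence was left behind. The following is an added example, not code from the original article or from the linked guidance; it assumes a Connect-ExchangeOnline session for an admin who can run message trace and read recipients, and the address alex@contoso.com is a constructed placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has been run.
$user  = 'alex@contoso.com'   # constructed: the sender named in the NDR
$end   = Get-Date
$start = $end.AddDays(-1)

# 1. How many recipients did the account submit to in the last 24 hours?
#    Get-MessageTrace returns one row per recipient, which is what the 10,000/day limit counts.
$recipients = 0
$page = 1
do {
    $rows = @(Get-MessageTrace -SenderAddress $user -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $recipients += $rows.Count
    $page++
} while ($rows.Count -eq 5000)
"$user submitted mail to $recipients recipients between $start and $end"

# 2. Where did it go? A legitimate mailing goes to a few known domains; a spray goes everywhere.
#    (First 5,000 rows only; enough to see the shape of the traffic.)
Get-MessageTrace -SenderAddress $user -StartDate $start -EndDate $end -PageSize 5000 |
    Group-Object { ($_.RecipientAddress -split '@')[1] } |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# 3. Persistence an attacker leaves behind: inbox rules that forward, redirect or hide mail.
Get-InboxRule -Mailbox $user | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder
} | Format-List Name, Enabled, ForwardTo, RedirectTo, MoveToFolder, DeleteMessage

# 4. Mailbox-level forwarding, and delegates or Send As rights that were not there before.
Get-Mailbox -Identity $user | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-MailboxPermission -Identity $user |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Format-Table User, AccessRights -AutoSize
Get-RecipientPermission -Identity $user |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Format-Table Trustee, AccessRights -AutoSize
```

If step 1 shows thousands of recipients the user doesn't recognise and step 3 or 4 shows forwarding the user didn't create, treat the account as compromised: resetting the password alone leaves the rules, forwarding and delegates in place.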



Ways to migrate multiple email accounts to Microsoft 365 or Office 365
Article • 04/24/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center (EAC) , if not already doing so.

While most of the features have been migrated to the new EAC, some have been
migrated to other admin centers, and the remaining ones will soon be migrated to the
new EAC. Find features that aren't yet in the new EAC under Other Features, or use
Global Search to navigate across the new EAC.

Your organization can migrate email to Microsoft 365 or Office 365 from other systems.
Your administrators can migrate mailboxes from Exchange Server or migrate email from
another IMAP-enabled email system. And your users can import their own email,
contacts, and other mailbox information to a Microsoft 365 or Office 365 mailbox
created for them. Your organization can also work with a partner to migrate email.

Before you start an email migration, review limits and best practices for Exchange Online
to ensure you get the performance and behavior you expect after migration.

For information on choosing the best option for your organization, see Decide on a
migration path or Exchange migration advisors .

Tip

Another option available to assist you with your email migration is FastTrack Center
Benefit Overview. FastTrack specialists can help you plan and perform your
migration. For more information, see Data Migration.

You can also view an overview video:
https://www.microsoft.com/en-us/videoplayer/embed/226b533f-a08b-476f-b1ca-1c0e96b1c85b?autoplay=false&postJsllMsg=true

Migrate mailboxes from Exchange Server


For migrations from an existing on-premises Exchange Server environment, an
administrator can migrate all email, calendar, and contacts from user mailboxes to
Microsoft 365 or Office 365.

There are three types of email migrations that can be made from an Exchange Server:

Migrate all mailboxes at once (cutover migration) or Express migration

Use this type of migration if you're running Exchange 2003, Exchange 2007,
Exchange 2010, or Exchange 2013, and if there are fewer than 2000 mailboxes. You
can perform a cutover migration by starting from the EAC; for more information,
see Perform a cutover migration to Microsoft 365 or Office 365. For information on
how to use the Express migration, see Use express migration to migrate Exchange
mailboxes to Microsoft 365 or Office 365.

Important

With cutover migration, you can move up to 2000 mailboxes, but due to
length of time it takes to create and migrate 2000 users, it's more reasonable
to migrate 150 users or less.

Migrate mailboxes in batches (staged migration)

Use this type of migration if you're running Exchange 2003 or Exchange 2007, and
if there are more than 2000 mailboxes. For an overview of staged migration, see
What you need to know about a staged email migration to Microsoft 365 or Office
365. To perform the migration tasks, see Perform a staged migration of Exchange
Server 2003 and Exchange 2007 to Microsoft 365 or Office 365.

Migrate using an integrated Exchange Server and Microsoft 365 or Office 365
environment (hybrid)

Use this type of migration to maintain both on-premises and online mailboxes for
your organization and to gradually migrate users and email to Microsoft 365 or
Office 365. Use this type of migration if:
You have Exchange 2010 and between 150 and 2,000 mailboxes.

You have Exchange 2010 and want to migrate mailboxes in small batches over
time.

You have Exchange 2013 or later.

For more information, see Use the Microsoft 365 and Office 365 mail migration
advisor.

Use the Import Service to migrate PST files


If your organization has many large PST files, you can use the Import Service to migrate
email data to Microsoft 365 or Office 365.

You can use the Import Service either to upload the PST files through a network, or to
mail the PST files in a drive that you prepare.

For more information, see Overview of importing your organization's PST files.

Migrate email from another IMAP-enabled email system
You can use the Internet Message Access Protocol (IMAP) to migrate user email from
Gmail, Exchange, Outlook.com, and other email systems that support IMAP migration.
When you migrate the user's email by using IMAP, only the items in the users' inbox or
other mail folders are migrated. Contacts, calendar items, and tasks can't be migrated
with IMAP; a user can manually migrate them.

IMAP migration also doesn't create mailboxes in Microsoft 365 or Office 365. You'll have
to create a mailbox for each user before you migrate their email.
To migrate email from another mail system, see Migrate your IMAP mailboxes to
Microsoft 365 or Office 365. After the email migration is done, any new mail sent to the
source email isn't migrated.

Have users import their own email


Users can import their own email, contacts, and other mailbox information to Microsoft
365 or Office 365. For information on how to do it, see Migrate email and contacts to
Microsoft 365 or Office 365.

Work with a partner to migrate email


If none of the types of migrations described will work for your organization, consider
working with a partner to migrate email to Microsoft 365 or Office 365.

For information on how to find a partner, see the Microsoft solution providers page.

Users provisioning for the different migration types

Exchange Migration Type | Source | Target | Recipient in Target
--- | --- | --- | ---
Hybrid onboarding | Exchange > On-premises > Hybrid Org A | Exchange > Online > Hybrid Org A | Mail User with ExchangeGuid
Hybrid offboarding | Exchange > Online > Hybrid Org A | Exchange > On-premises > Hybrid Org B | Mail User / Remote Mailbox with ExchangeGuid
Cross-tenant Migration | Exchange > Online > Tenant A | Exchange > Online > Tenant B | Mail User with ExchangeGuid + matching attributes
Cutover migration | Exchange > On-premises | Exchange > Online | No recipient (migration service creates the mailbox in EXO)
Gmail migration | Google Workspace | Exchange > Online | Mail User (migration service converts to mailbox in EXO)
IMAP migration | IMAP server | Exchange > Online | Mailbox

Related Topics
Use PowerShell for email migration to Microsoft 365 or Office 365
Decide on a migration path in Exchange Online
Article • 02/22/2023

Deciding on the best migration path of your users' email to Microsoft 365 or Office 365
can be difficult. This article gives guidance based on your current email system and
other factors, such as how quickly you want to migrate to Microsoft 365 or Office 365.
Your migration performance will vary based on your network, mailbox size, migration
speed, and so on.

Important

This topic is intended for global administrators. If you want to migrate email for a
single account, see Migrate email and contacts to Microsoft 365 or Office 365
instead.

How do I decide which method to use?


Before you start an email migration, review the limits and Migration performance and
best practices for Exchange Online to make sure you get the performance and behavior
you expect after migration.

You, as global administrator, can migrate mailboxes from an Exchange Server or from
another email system. The content in the following sections is organized by email
system, and the linked topics help you decide on the best method based on number of
mailboxes and your time and mailbox size constraints.

Your existing system is an Exchange Server


For migrations from an existing on-premises Exchange Server environment, you can
migrate all email, calendar items, tasks and contacts from user mailboxes to Office 365.
The available methods are cutover, staged, and Exchange Hybrid migrations. These
migration methods copy over all mail data, including contacts, calendar items, and tasks.
You can also use the Internet Message Access Protocol (IMAP) migration from Exchange
servers, and if your Exchange server is older than Exchange 2003, IMAP migration is your
only option. Note that IMAP migration will copy over only email data.

Important
Staged and Exchange Hybrid migrations require that you also set up directory
synchronization. For more information, see Microsoft 365 or Office 365 integration
with on-premises environments.

For migration recommendations, expand one of the following sections based on your
source system:

Exchange 2003 or Exchange 2007


If your source system is Exchange 2003 or Exchange 2007, consider the following
options.

Note

Even though cutover migration supports moving up to 2000 mailboxes, due to the
length of time it takes to create and migrate 2000 users, it is more reasonable to
migrate 150 users or less.

Number of mailboxes | How quickly do you want to migrate? | Use
--- | --- | ---
Fewer than 150 | Over a weekend or a few days. | Cutover. For an overview, see What you need to know about a cutover email migration to Microsoft 365 or Office 365.
Fewer than 150 | Slowly, by migrating a few users at a time. | Staged. For an overview, see What you need to know about a staged email migration.
Over 150 | Over a weekend or a few days. | Staged. If you have more than 150 mailboxes, the best method is to use staged migration where you can migrate a limited number of users at a time. This is because cutover migration performance suffers when you try to migrate more than 150 mailboxes.
Over 150 | Slowly, by migrating a few users at a time. | Staged

If the mailboxes you're migrating contain a large amount of data, you can also use the
Import service to import PST files to Microsoft 365 or Office 365. You can use the
Microsoft 365 or Office 365 Import Service to either ship the files or to import them
across the network.

If you have an extremely large number of mailboxes (5,000+), you might want to hire a
partner to help you migrate your email data.

You can search for partners on the Microsoft solution providers page.

Exchange 2010, 2013 or 2016


If your source system is Exchange 2010, Exchange 2013, or Exchange Server 2016,
consider the following options.

Note

Even though cutover migration supports moving up to 2000 mailboxes, due to the
length of time it takes to create and migrate 2000 users, it is more reasonable to
migrate 150 users or less.

Number of mailboxes | How quickly do you want to migrate? | Use
--- | --- | ---
Fewer than 150 | Over a weekend or a few days. | Cutover or Express migration.
Fewer than 150 | Slowly, by migrating a few users at a time. | Exchange Hybrid
Over 150 | Over a weekend or a few days. | Exchange Hybrid. If you have more than 150 mailboxes, the best method is to use an Exchange hybrid migration where you can migrate a limited number of users at a time. This is because cutover migration performance suffers when you try to migrate more than 150 mailboxes.
Over 150 | Slowly, by migrating a few users at a time. | Exchange Hybrid

If the mailboxes you're migrating contain a large amount of data, you can also use the
Import service to import PST files to Microsoft 365 or Office 365. You can use the Import
Service to either ship the files or to import them across the network.

If you have an extremely large number of mailboxes (5,000+), you might want to hire a
partner to help you migrate your email data.

You can search for partners on the Microsoft solution providers page.

Exchange Server 2000 or earlier versions


For earlier versions of Exchange server, you will have to use IMAP migration.

Other email systems


For other email systems that support IMAP, you can use IMAP migrations.

Depending on your source system, see one of the following:

Migrate Google Workspace (formerly G Suite) mailboxes to Microsoft 365 or Office 365

Migrate other types of IMAP mailboxes to Microsoft 365 or Office 365

This topic includes the instructions for the migration CSV files for Exchange,
Mirapoint, Dovecot, and Courier IMAP.

IMAP migration in the Microsoft 365 admin center

If the mailboxes you're migrating contain a large amount of data, you can also use the
Import service to import PST files to Microsoft 365 or Office 365. You can use the Import
Service to either ship the files or to import them across the network.

You can also hire a partner to help you migrate your email data. You can search for
partners on the Microsoft solution providers page.

Leave us a comment
Were these instructions helpful? If so, please let us know at the bottom of this topic. If
they weren't, and you're still having trouble deciding on a migration strategy, tell us
what source email system you want to migrate from and we'll use your feedback to
improve our content.
Use Minimal Hybrid to quickly migrate Exchange mailboxes to Microsoft 365 or Office 365
Article • 02/22/2023

You can use the minimal hybrid option, also known as express migration, in the
Exchange Hybrid Configuration Wizard to migrate the contents of user mailboxes to
Microsoft 365 or Office 365 over the course of a couple of weeks or less.

Prerequisites
Use minimal hybrid to migrate emails if you:

Are running at least one Exchange 2010, Exchange 2013, and/or Exchange 2016
server on-premises.

Plan to move to Exchange Online over the course of a few weeks or less.

Do not plan to continue to run directory synchronization to manage your users.

Step 1: Verify you own the domain
During the migration, the Simple Mail Transfer Protocol (SMTP) address of each on-
premises mailbox is used to create the email address for a new Office 365 mailbox. To
run an express migration, the on-premises domain must be a verified domain in your
Microsoft 365 or Office 365 organization.

1. Sign in to Microsoft 365 or Office 365 with your work or school account.

2. Choose Setup > Domains.

3. On the Domains page, click Add domain to start the domain wizard.

4. On the Add a domain page, type in the domain name (for example, Contoso.com)
you use for your on-premises Exchange organization, and then choose Next.

5. On the Verify domain page, select either Sign in to GoDaddy (if your DNS records
are managed by GoDaddy) or Add a TXT record instead for any other registrars >
Next.

6. Follow the instructions provided for your DNS hosting provider. The TXT record
usually is chosen to verify ownership.

You can also find the instructions in Create DNS records at any DNS hosting
provider for Office 365.

After you add your TXT or MX record, wait about 15 minutes before proceeding to
the next step.

7. In the domain wizard, choose done, verify now, and you'll see a verification page.
Choose Finish.

If the verification fails at first, wait awhile, and try again.

Do not continue to the next step in the domains wizard. You now have verified
that you own the on-premises Exchange organization domain and are ready to
continue with an email migration.

You will finish setting up your domain after the migrations are complete.

Step 2: Start express migration


On a computer that is domain joined to your on-premises organization, sign in to your
Microsoft 365 or Office 365 account by using your global admin credentials, and start
the Exchange Hybrid Configuration Wizard on the Data migration page of the Microsoft
365 admin center.

1. In the Microsoft 365 Admin center, go to Setup > Migrations.

2. On the Migrations page, choose Email.

3. On the Migrate your email page, choose Get started.

4. On the Email sources page, choose Download the Hybrid Configuration Wizard.

5. On the Download and run the Office 365 Hybrid Configuration Wizard page,
choose Download application

6. On the first Hybrid Configuration Wizard page, choose next and on the On-
premises Exchange Server Organization page, accept the default values and
choose next.

By default the wizard connects to the Exchange server running the latest version.
7. On the Credentials page, choose Use current Windows credentials for on-
premises Exchange server, and enter admin credentials for it and your Microsoft
365 or Office 365 organization choose next, and then choose next again once the
connections and credentials have validated.

8. On the Hybrid Features page, select Minimal Hybrid Configuration > next.

9. On the Ready for Update page, choose update to prepare the on-premises
mailboxes for migration.

Step 3: Run directory synchronization to create users in Microsoft 365 or Office 365
1. On the User Provisioning page, select Synchronize my users and passwords one
time.

At this point you are prompted to download and install the Azure AD Connect
wizard to synchronize your users from on-premises to Microsoft 365 or Office 365.

2. Once Azure AD Connect has downloaded, run it and choose the default options
for Express settings.
After synchronization is completed, you will be taken to the Data migration page
where you can see all of your users that were synchronized to Microsoft 365 or
Office 365.

After the one-time synchronization is done, directory synchronization is turned off
for your Microsoft 365 or Office 365 organization.

Step 4: Give Microsoft 365 or Office 365 licenses to your users
After Azure AD connect synchronizes your users and their passwords to Microsoft 365 or
Office 365, you have to assign licenses to them so that they have a cloud mailbox to
which to migrate their on-premises mailbox data.

The status on the Data migration page indicates that a license is needed as shown in
the figure.

In the Admin center, go to Users > Active users and follow these instructions to Add
users individually or in bulk.
Step 5: Start migrating user mailbox data
After you assign licenses to your users you can go to the Data migration page to start
migrating their mailboxes.

1. Go to Setup > Data migration, and on the Migration page choose Exchange for
your data service.

2. On the Data migration page, select the users whose mailboxes you want to
migrate and then choose Start migration.

It is recommended that you migrate mailboxes for two or three users as a test
before migrating all of your users to make sure everything works as expected.

The Data migration page will display the migration status as it progresses. For a
full list, see Migration users status report, which you can also view in the Exchange
admin center.
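The Data migration page creates ordinary migration batches behind the scenes, so the same cmdlets that back the migration users status report can be used to watch the test users from step 5 and to pull the error for any that stall. The following is an added example, not code from the original article; it assumes a Connect-ExchangeOnline session.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has been run.

# One line per batch: how many users are queued, synced or failed.
Get-MigrationBatch | Format-Table Identity, Status, TotalCount, SyncedCount, FailedCount -AutoSize

# Drill into every user that is not yet synced and show the last error Exchange recorded for it.
Get-MigrationBatch | ForEach-Object {
    $batch = $_
    Get-MigrationUser -BatchId $batch.Identity |
        Where-Object { $_.Status -notin 'Synced', 'Completed' } |
        ForEach-Object {
            $stats = Get-MigrationUserStatistics -Identity $_.Identity
            [pscustomobject]@{
                Batch    = $batch.Identity
                User     = $_.Identity
                Status   = $_.Status
                Synced   = $stats.SyncedItemCount
                Total    = $stats.TotalItemsInSourceMailboxCount
                Skipped  = $stats.SkippedItemCount   # items Exchange could not copy (corrupt, oversized, ...)
                LastSync = $stats.LastSyncTime
                Error    = $stats.ErrorSummary
            }
        }
} | Sort-Object Status, User | Format-Table -AutoSize

# For one stubborn user, pull the full per-item report rather than the summary
# (address is a constructed placeholder):
# Get-MigrationUserStatistics -Identity 'someone@contoso.com' -IncludeReport |
#     Select-Object -ExpandProperty Report
```

A non-zero Skipped count on an otherwise Synced user is the thing to chase before Step 6: once the MX record moves, the skipped items are the ones users will report as "missing mail".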

Step 6: Update DNS records


Email systems use a DNS record called an MX record to figure out where to deliver
emails. During the email migration process, your MX record was pointing to your on-
premises Exchange email system. Now that the email migration to Microsoft 365 or
Office 365 is complete, it's time to point your MX record at Microsoft 365 or Office 365.
You will also need to finish setting up your DNS records. In the Microsoft 365 admin
center, go to Settings > Domains and then choose the domain name you want to
update, for example contoso.com. The domains wizard will guide you through the
update steps. See this article for instructions specific to your registrar or host: Add DNS
records to connect your domain.

See also
Microsoft 365 and Office 365 migration performance and best practices

How to decommission Exchange servers in a Hybrid environment

Modify or remove Exchange 2010

How to remove an Exchange 2007 organization


What you need to know about a cutover email migration in Exchange Online
Article • 02/22/2023

As part of a Microsoft 365 or Office 365 deployment, you can migrate the contents of
user mailboxes from a source email system to Microsoft 365 or Office 365. When you do
this all at one time, it's called a cutover migration. Additionally, this migration method
moves mail users, mail contacts, and mail-enabled groups with their membership.
Choosing a cutover migration is suggested when:

Your current on-premises Exchange organization is Microsoft Exchange Server 2003 or later.

Your on-premises Exchange organization has fewer than 2,000 mailboxes.

Note

Even though cutover migration supports moving up to 2000 mailboxes, due to the
length of time it takes to create and migrate 2000 users, it is more reasonable to
migrate 150 users or less.

If a cutover migration won't work for you, see Ways to migrate email to Microsoft 365 or
Office 365 for other options.

Things to consider
Setting up an email cutover migration to Microsoft 365 or Office 365 requires careful
planning. Before you begin, here are a few things to consider:

You can move your entire email organization to Microsoft 365 or Office 365 over a
few days and manage user accounts in Microsoft 365 or Office 365.

A maximum of 2,000 mailboxes can be migrated to Microsoft 365 or Office 365 by
using a cutover Exchange migration. However, it is recommended that you only
migrate 150 mailboxes.

The primary domain name used for your on-premises Exchange organization must
be accepted as a domain owned by you in your Microsoft 365 or Office 365
organization.
After the migration is complete, each user who has an on-premises Exchange
mailbox also will be a new user in Microsoft 365 or Office 365. But you'll still have
to assign licenses to users whose mailboxes are migrated.

Impact to users
After your on-premises and Microsoft 365 or Office 365 organizations are set up for a
cutover migration, post-setup tasks could impact your users.

Administrators or users must configure desktop computers: Make sure that
desktop computers are updated and set up for use with Microsoft 365 or Office
365. These actions allow users to use local user credentials to sign in to Microsoft
365 or Office 365 from desktop applications. Users with permission to install
applications can update and set up their own desktops. Or updates can be
installed for them. After updates are made, users can send email from Outlook
2013, Outlook 2010, or Outlook 2007.

Potential delay in email routing: Email sent to on-premises users whose mailboxes
were migrated to Microsoft 365 or Office 365 are routed to their on-premises
Exchange mailboxes until the MX record is changed.

How does cutover migration work?


The main steps you perform for a cutover migration are shown in the following
illustration.
1. The administrator communicates upcoming changes to users and verifies domain
ownership with the domain registrar.

2. The administrator prepares the servers for a cutover migration and creates empty
mail-enabled security groups in Microsoft 365 or Office 365.

3. The administrator connects Microsoft 365 or Office 365 to the on-premises email
system (this is called creating a migration endpoint).

4. The administrator migrates the mailboxes and then verifies the migration.

5. Grant Microsoft 365 or Office 365 licenses to your users.

6. The administrator configures the domain to begin routing email directly to
Microsoft 365 or Office 365.

7. The administrator verifies that routing has changed, and then deletes the cutover
migration batch.

8. The administrator completes post-migration tasks in Microsoft 365 or Office 365
(assigns licenses to users and creates an Autodiscover Domain Name System (DNS)
record), and optionally decommissions the on-premises Exchange servers.

See how-to steps in Complete post migration tasks.

9. The administrator sends a welcome letter to users to tell them about Microsoft 365
or Office 365 and to describe how to sign in to their new mailboxes.
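Steps 3 and 4 above (create the migration endpoint, migrate and verify) have a direct PowerShell equivalent, which is also the quickest way to find out before the batch exists whether Exchange Online can actually reach your on-premises Outlook Anywhere endpoint. The following is an added example, not code from the original article; it assumes a Connect-ExchangeOnline session, and the probe mailbox, notification address and batch names are constructed placeholders.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has been run.
# Prompt for the on-premises account the migration service will use. It needs Full Access
# (or Receive As) on every mailbox being migrated, so treat it as a privileged credential.
$onPremAdmin = Get-Credential -Message 'On-premises admin (DOMAIN\user) with Full Access to the source mailboxes'
$probeUser   = 'migration.test@contoso.com'   # constructed: a source mailbox used to locate the server via Autodiscover
$notify      = 'admin@contoso.com'            # constructed: receives batch status mail

# 1. Prove connectivity first. This performs Autodiscover and an RPC-over-HTTP logon as the
#    migration service would; a failure here is cheaper to debug than a batch stuck at 0%.
$test = Test-MigrationServerAvailability -ExchangeOutlookAnywhere -Autodiscover `
            -EmailAddress $probeUser -Credentials $onPremAdmin
if ($test.Result -ne 'Success') { throw "Endpoint test failed: $($test.Message)" }

# 2. Create the migration endpoint (step 3 above). The credential is stored with the endpoint.
$endpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Name 'CutoverEndpoint' `
                -Autodiscover -EmailAddress $probeUser -Credentials $onPremAdmin

# 3. Create and start the cutover batch (step 4). A batch created from an Outlook Anywhere
#    endpoint with no CSV file is a cutover batch: every mailbox in the source org is included.
$batch = New-MigrationBatch -Name 'CutoverBatch' -SourceEndpoint $endpoint.Identity -NotificationEmails $notify
Start-MigrationBatch -Identity $batch.Identity

# 4. Verify. Re-run this until Status is Synced; incremental syncs then continue every 24 hours
#    until you change the MX record (step 6) and remove the batch (step 7).
Get-MigrationBatch -Identity $batch.Identity |
    Format-List Status, TotalCount, SyncedCount, FailedCount, LastSyncedDateTime
```

Once routing has moved to Microsoft 365 (step 7), the batch is removed with Remove-MigrationBatch -Identity 'CutoverBatch'; the endpoint, and with it the stored on-premises credential, can be deleted with Remove-MigrationEndpoint once no other batch uses it.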

Ready to start?
If you're comfortable setting up a migration to Microsoft 365 or Office 365, here are the
tasks that need to be done:

Set up Exchange Server by using the Exchange admin center.

Change your organization's MX record to point to Microsoft 365 or Office 365
when the migration is complete. Your MX record is how other mail systems find the
location of your email system. Changing your MX record allows other mail systems
to begin to send email directly to the new mailboxes in Microsoft 365 or Office
365. We provide instructions on how to do this for many DNS providers. To set up
your public DNS servers, you need to change your organization's MX record to
point to Microsoft 365 or Office 365 if you choose to route all incoming internet
mail for your on-premises Exchange organization through Microsoft 365 or Office
365.

If you're ready to begin a cutover migration, go to Perform a cutover migration of email.

See also
Ways to migrate email to Microsoft 365 or Office 365

Use PowerShell to perform a cutover migration


Migrate email to Exchange Online using
the Exchange cutover method
Article • 02/22/2023

As part of a Microsoft 365 or Office 365 deployment, you can migrate the contents of
user mailboxes from a source email system to Microsoft 365 or Office 365. When you do
this all at one time, it's called a cutover migration. Choosing a cutover migration is
suggested when:

Your current on-premises Exchange organization is Microsoft Exchange Server
2003 or later.

Your on-premises Exchange organization has fewer than 2,000 mailboxes.

Note

Even though cutover migration supports moving up to 2,000 mailboxes, due to
the length of time it takes to create and migrate 2,000 users, it is more
reasonable to migrate 150 users or fewer.

Plan for migration

Setting up an email cutover migration to Microsoft 365 or Office 365 requires careful
planning. Before you begin, here are a few things to consider:

You can move your entire email organization to Microsoft 365 or Office 365 over a
few days and manage user accounts in Microsoft 365 or Office 365.

A maximum of 2,000 mailboxes can be migrated to Microsoft 365 or Office 365 by
using a cutover Exchange migration. However, it is recommended that you only
migrate 150 mailboxes.

The primary domain name used for your on-premises Exchange organization must
be accepted as a domain owned by you in your Microsoft 365 or Office 365
organization.

After the migration is complete, each user who has an on-premises Exchange
mailbox also will be a new user in Microsoft 365 or Office 365, but you must still
assign licenses to users whose mailboxes are migrated.

Note

When migrating from Exchange 2003, TCP ports 6001, 6002, and 6004 need to
be open on the Exchange 2003 side.

Impact to users
After your on-premises and Microsoft 365 or Office 365 organizations are set up for a
cutover migration, post-setup tasks could impact your users.

Administrators or users must configure desktop computers: Make sure that
desktop computers are updated and set up for use with Microsoft 365 or Office
365. These actions allow users to use local user credentials to sign in to Microsoft
365 or Office 365 from desktop applications. Users with permission to install
applications can update and set up their own desktops. Or updates can be
installed for them. After updates are made, users can send email from Outlook
2013, Outlook 2010, or Outlook 2007.

Potential delay in email routing: Email sent to on-premises users whose mailboxes
were migrated to Microsoft 365 or Office 365 is routed to their on-premises
Exchange mailboxes until the MX record is changed.

How does cutover migration work?

The main steps you perform for a cutover migration are shown in the following
illustration.

1. The administrator communicates upcoming changes to users and verifies domain
ownership with the domain registrar.

2. The administrator prepares the servers for a cutover migration and creates empty
mail-enabled security groups in Microsoft 365 or Office 365.

3. The administrator connects Microsoft 365 or Office 365 to the on-premises email
system (this is called creating a migration endpoint).

4. The administrator migrates the mailboxes and then verifies the migration.

5. The administrator grants Microsoft 365 or Office 365 licenses to users.

6. The administrator configures the domain to begin routing email directly to
Microsoft 365 or Office 365.

7. The administrator verifies that routing has changed, and then deletes the cutover
migration batch.

8. The administrator completes post-migration tasks in Microsoft 365 or Office 365
(assigns licenses to users and creates an Autodiscover Domain Name System (DNS)
record), and optionally decommissions the on-premises Exchange servers.

9. The administrator sends a welcome letter to users to tell them about Microsoft 365
or Office 365 and to describe how to sign in to their new mailboxes. (See Overview
of Outlook e-mail profile for information on creating new Outlook profiles).

Ready to run a cutover migration?

Expand the sections below and follow the steps.

Prepare for a cutover migration

Before you migrate mailboxes to Microsoft 365 or Office 365 by using a cutover
migration, there are a few changes to your Exchange Server environment you must
complete first.

Note

If you have turned on directory synchronization, you need to turn it off before you
can perform a cutover migration. You can do this by using PowerShell. For
instructions, see Turn off directory synchronization.

1. Configure Outlook Anywhere on your on-premises Exchange Server: The email
migration service uses Outlook Anywhere (also known as RPC over HTTP) to
connect to your on-premises Exchange Server. Outlook Anywhere is automatically
configured for Exchange 2013. For information about how to set up Outlook
Anywhere for Exchange 2010, Exchange 2007, and Exchange 2003, see the
following:

Exchange 2010: Enable Outlook Anywhere

Exchange 2007: How to Enable Outlook Anywhere

How to configure Outlook Anywhere with Exchange 2003

2. You must use a certificate issued by a trusted certification authority (CA) with your
Outlook Anywhere configuration in order for Microsoft 365 or Office 365 to run a
cutover migration. If you are doing a cutover migration, you will need to add the
Outlook Anywhere and Autodiscover services to your certificate. For instructions
on how to set up certificates, see:

Add an SSL certificate to Exchange 2013

Add an SSL certificate to Exchange 2010

Add an SSL certificate to Exchange 2007

3. Optional: Verify that you can connect to your Exchange organization using
Outlook Anywhere: Try one of the following methods to test your connection
settings.

Use Outlook from outside your corporate network to connect to your on-
premises Exchange mailbox.

Use the Microsoft Exchange Remote Connectivity Analyzer to test your
connection settings. Use the Outlook Anywhere (RPC over HTTP) or Outlook
Autodiscover tests.

Wait for the connection to automatically be tested when you connect
Microsoft 365 or Office 365 to your email system later in this procedure.

4. Set permissions: The on-premises user account that you use to connect to your
on-premises Exchange organization (also called the migration administrator) must
have the necessary permissions to access the on-premises mailboxes that you want
to migrate to Microsoft 365 or Office 365. This user account is used when you
connect Microsoft 365 or Office 365 to your email system later in this procedure.
To migrate the mailboxes, the admin must have one of the following permissions:

The migration administrator must be assigned the FullAccess permission for
each on-premises mailbox.

or

The migration administrator must be assigned the Receive As permission on
the on-premises mailbox database that stores user mailboxes.

For instructions about how to set these permissions, see Assign Exchange
permissions to migrate mailboxes to Microsoft 365 or Office 365.

5. Verify that the mailboxes to be migrated are not hidden from the address lists.

6. Disable Unified Messaging (UM): If UM is turned on for the on-premises
mailboxes you're migrating, turn off UM before migration. Turn on Cloud
Voicemail for your users after the migration is complete.

7. Create security groups and clean up delegates: Because the email migration
service can't detect whether on-premises Active Directory groups are security
groups, it can't provision any migrated groups as security groups in Microsoft 365
or Office 365. If you want to have security groups in Microsoft 365 or Office 365,
you must first provision an empty mail-enabled security group in Microsoft 365 or
Office 365 before starting the cutover migration.

Additionally, this migration method only moves mailboxes, mail users, mail
contacts, and mail-enabled groups with their membership. If any other Active
Directory object, such as user mailbox that is not migrated to Microsoft 365 or
Office 365 is assigned as a manager or delegate to an object being migrated, you
must remove them from the object before migration.

Step 1: Verify you own the domain

During the migration, the Simple Mail Transfer Protocol (SMTP) address of each on-
premises mailbox is used to create the email address for a new Microsoft 365 or Office
365 mailbox. To run a cutover migration, the on-premises domain must be a verified
domain in your Microsoft 365 or Office 365 organization.

1. Sign in to Microsoft 365 or Office 365 with your work or school account.

2. Choose Setup > Domains.

3. On the Domains page, click Add domain to start the domain wizard.

4. On the Add a domain page, type in the domain name (for example, Contoso.com)
you use for your on-premises Exchange organization, and then choose Next.

5. On the Verify domain page, select either Sign in to GoDaddy (if your DNS records
are managed by GoDaddy) or Add a TXT record instead for any other registrars >
Next.

6. Follow the instructions provided for your DNS hosting provider. The TXT record
usually is chosen to verify ownership.

You can also find the instructions in Add DNS records to connect your domain.

After you add your TXT or MX record, wait about 15 minutes before proceeding to
the next step.

7. In the Office 365 domain wizard, choose done, verify now, and you'll see a
verification page. Choose Finish.

If the verification fails at first, wait awhile, and try again.


Do not continue to the next step in the domain wizard. You now have verified that
you own the on-premises Exchange organization domain and are ready to
continue with an email migration.

Step 2: Connect Microsoft 365 or Office 365 to your email system
A migration endpoint contains the settings and credentials needed to connect the on-
premises server that hosts the mailboxes you're migrating with Microsoft 365 or Office
365. The migration endpoint also defines the number of mailboxes to migrate
simultaneously. For a cutover migration, you'll create an Outlook Anywhere migration
endpoint.

1. Go to the Exchange admin center.

2. In the Exchange admin center, go to Recipients > Migration.

3. Choose More > Migration endpoints.

4. On the Migration endpoints page, choose New.

5. On the Select the migration endpoint type page, choose Outlook Anywhere >
Next.

6. On the Enter on-premises account credentials page, enter information in the
following boxes:

Email address: Type the email address of any user in the on-premises
Exchange organization that will be migrated. Microsoft 365 or Office 365 will
test the connectivity to this user's mailbox. Make sure that this mailbox is not
hidden from the address lists.

Account with privileges: Type the username (domain\username format or an
email address) for an account that has the necessary administrative
permissions in the on-premises organization. Microsoft 365 or Office 365 will
use this account to detect the migration endpoint and to test the permissions
assigned to this account by attempting to access the mailbox with the
specified email address.

Password of account with privileges: Type the password for the account with
privileges that is the administrator account.

7. Choose Next and do one of the following:

If Microsoft 365 or Office 365 successfully connects to the source server, the
connection settings are displayed. Choose Next.

If the test connection to the source server isn't successful, provide the
following information:

Exchange server: Type the fully qualified domain name (FQDN) for the on-
premises Exchange Server. This is the host name for your Mailbox server. For
example, EXCH-SRV-01.corp.contoso.com.

RPC proxy server: Type the FQDN for the RPC proxy server for Outlook
Anywhere. Typically, the proxy server is the same as your Outlook on the web
(formerly known as Outlook Web App) URL. For example, mail.contoso.com,
which is also the URL for the proxy server that Outlook uses to connect to an
Exchange Server.

8. On the Enter general information page, type a Migration endpoint name, for
example, Test5-endpoint. Leave the other two boxes blank to use the default
values.

9. Choose New to create the migration endpoint.

To validate that Exchange Online is connected to the on-premises server, you can
run the command in Example 4 of Test-MigrationServerAvailability.

Step 3: Create the cutover migration batch

In a cutover migration, on-premises mailboxes are migrated to Microsoft 365 or Office
365 in a single migration batch.

1. In the Exchange admin center, go to Recipients > Migration.

2. Choose New > Migrate to Exchange Online.

3. On the Select a migration type page, choose Cutover migration > next.

4. On the Confirm the migration endpoint page, the migration endpoint information
is listed. Verify the information and then choose next.

5. On the Move configuration page, type the name (cannot contain spaces or special
characters) of the migration batch, and then choose next. The batch name is
displayed in the list of migration batches on the Migration page after you create
the migration batch.

6. On the Start the batch page, choose one of the following:

Automatically start the batch: The migration batch is started as soon as you
save the new migration batch with a status of Syncing.

Manually start the batch later: The migration batch is created but is not
started. The status of the batch is set to Created. To start a migration batch,
select it on the migration dashboard, and then choose Start.

7. Choose new to create the migration batch.

The new migration batch is displayed on the migration dashboard.

Step 4: Start the cutover migration batch

If you created a migration batch and configured it to be started manually, you can start
it by using the Exchange admin center.

1. In the Exchange admin center, go to Recipients > Migration.

2. On the migration dashboard, select the batch and then choose Start.

3. If a migration batch starts successfully, its status on the migration dashboard
changes to Syncing.

Verify the synchronization worked
You'll be able to follow the sync status on the migration dashboard. If there are errors,
you can view a log file that gives you more information about them.

You can also verify that the users get created in the Microsoft 365 admin center as the
migration proceeds.

After the migration is done, the sync status is Synced.
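The endpoint test, endpoint creation, batch creation and status check from Steps 2 through 4, as an added Exchange Online PowerShell example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session; the endpoint name, batch name, test mailbox, server names and notification address are placeholders you replace with your own.

```powershell
# Added example (not from the article): Steps 2-4 of a cutover migration in Exchange Online PowerShell.
# Assumes you have already run Connect-ExchangeOnline. All names below are placeholders.
$EndpointName = 'Test5-endpoint'
$BatchName    = 'CutoverBatch'
$TestMailbox  = 'user1@contoso.com'   # an on-premises mailbox to be migrated, not hidden from address lists
$AdminCred    = Get-Credential -Message 'On-premises migration administrator (domain\username)'

# Step 2: probe connectivity the way the EAC wizard does: Autodiscover first, then the explicit
# Exchange server and RPC proxy (Outlook Anywhere) server if Autodiscover fails.
$ep = @{ ExchangeOutlookAnywhere = $true; Name = $EndpointName; EmailAddress = $TestMailbox; Credentials = $AdminCred }
$probe = Test-MigrationServerAvailability -ExchangeOutlookAnywhere -Autodiscover `
             -EmailAddress $TestMailbox -Credentials $AdminCred
if ($probe.Result -eq 'Success') {
    $ep.Autodiscover = $true
} else {
    Write-Warning "Autodiscover lookup failed: $($probe.Message)"
    $ep.ExchangeServer = 'EXCH-SRV-01.corp.contoso.com'   # placeholder Mailbox server FQDN
    $ep.RPCProxyServer = 'mail.contoso.com'               # placeholder Outlook Anywhere proxy FQDN
    $probe = Test-MigrationServerAvailability -ExchangeOutlookAnywhere `
                 -ExchangeServer $ep.ExchangeServer -RPCProxyServer $ep.RPCProxyServer `
                 -EmailAddress $TestMailbox -Credentials $AdminCred
}
if ($probe.Result -ne 'Success') { throw "Source server unreachable: $($probe.Message)" }

# Create the Outlook Anywhere migration endpoint, or reuse it if it already exists.
$endpoint = Get-MigrationEndpoint -Identity $EndpointName -ErrorAction SilentlyContinue
if (-not $endpoint) { $endpoint = New-MigrationEndpoint @ep }

# Step 3: create the single cutover batch. Omitting -AutoStart matches "Manually start the batch later";
# -NotificationEmails sends the status and error reports to the administrator.
if (-not (Get-MigrationBatch -Identity $BatchName -ErrorAction SilentlyContinue)) {
    New-MigrationBatch -Name $BatchName -SourceEndpoint $endpoint.Identity `
        -NotificationEmails 'admin@contoso.com' | Out-Null
}

# Step 4: start the batch and report progress until the status leaves Syncing (Synced when done).
Start-MigrationBatch -Identity $BatchName
do {
    Start-Sleep -Seconds 300
    $batch = Get-MigrationBatch -Identity $BatchName
    Write-Host ("{0:u}  Status={1}  Synced={2}/{3}  Failed={4}" -f (Get-Date), $batch.Status,
        $batch.SyncedCount, $batch.TotalCount, $batch.FailedCount)
} while ($batch.Status -in @('Created', 'Starting', 'Syncing'))

# For any failed user, pull the per-mailbox report before fixing the cause and retrying.
Get-MigrationUser -BatchId $BatchName | Where-Object { $_.Status -eq 'Failed' } | ForEach-Object {
    Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport |
        Select-Object Identity, Status, Error
}
```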

Optional: Reduce email delays

Although this task is optional, doing it can help avoid delays in receiving email in the
new Microsoft 365 or Office 365 mailboxes.

When people outside of your organization send you email, their email systems don't
double-check where to send that email every time. Instead, their systems save the
location of your email system based on a setting in your DNS server known as a time-
to-live (TTL). If you change the location of your email system before the TTL expires, the
sender's email system tries to send email to the old location before figuring out that the
location changed. This location change can result in a mail delivery delay. One way to
avoid this is to lower the TTL that your DNS server gives to servers outside of your
organization. This will make the other organizations refresh the location of your email
system more often.

Most email systems ask for an update each hour if a short interval such as 3,600 seconds
(one hour) is set. We recommend that you set the interval at least this low before you
start the email migration. This setting allows all the systems that send you email enough
time to process the change. Then, when you make the final switch over to Microsoft 365
or Office 365, you can change the TTL back to a longer interval.

The place to change the TTL setting is on your email system's MX record. This lives on
your public-facing DNS system. If you have more than one MX record, you need to
change the value on each record to 3,600 seconds or less.

If you need some help configuring your DNS settings, see Add DNS records to connect
your domain.
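A way to audit the MX record TTLs described above, as an added PowerShell example that is not part of the original article. It uses Resolve-DnsName (the DnsClient module on Windows) and queries one of the domain's own authoritative name servers so the configured TTL is reported rather than a resolver's remaining cache time; the domain name is a placeholder.

```powershell
# Added example (not from the article): report the TTL of every MX record for a domain and
# flag any above the 3,600-second value the article recommends before starting the migration.
function Get-MxTtlReport {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [int]$MaxTtlSeconds = 3600
    )
    # A recursive resolver returns the *remaining* cache time, not the configured TTL, so ask
    # one of the domain's authoritative name servers directly.
    $ns = Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction Stop |
          Where-Object { $_.QueryType -eq 'NS' } | Select-Object -First 1 -ExpandProperty NameHost
    if (-not $ns) { throw "No NS records found for $Domain" }

    # -Type MX can also return A/AAAA records for the mail hosts; keep only the MX answers.
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $ns -DnsOnly -ErrorAction Stop |
          Where-Object { $_.QueryType -eq 'MX' }
    if (-not $mx) { throw "No MX records found for $Domain at $ns" }

    foreach ($record in $mx) {
        [pscustomobject]@{
            Domain        = $Domain
            NameServer    = $ns
            MailExchange  = $record.NameExchange
            Preference    = $record.Preference
            TtlSeconds    = $record.TTL
            NeedsLowering = ($record.TTL -gt $MaxTtlSeconds)
        }
    }
}

# Placeholder domain; run this before the migration, and again after lowering the TTL.
$report = Get-MxTtlReport -Domain 'contoso.com'
$report | Format-Table -AutoSize
$tooLong = $report | Where-Object NeedsLowering
if ($tooLong) {
    Write-Warning ("Lower the TTL to 3600 seconds or less on: " + ($tooLong.MailExchange -join ', '))
}
```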

Step 5: Route your email directly to Microsoft 365 or Office 365
Email systems use a DNS record called an MX record to figure out where to deliver
emails. During the email migration process, your MX record was pointing to your source
email system. Now that the email migration to Microsoft 365 or Office 365 is complete,
it's time to point your MX record at Microsoft 365 or Office 365. This helps make sure
that email is delivered to your Microsoft 365 or Office 365 mailboxes. Moving the MX
record will also let you turn off your old email system when you're ready.

For many DNS providers, there are specific instructions to change your MX record. If
your DNS provider isn't included, or if you want to get a sense of the general directions,
general MX record instructions are provided as well.

It can take up to 72 hours for the email systems of your customers and partners to
recognize the changed MX record. Wait at least 72 hours before you proceed to the next
task: Delete the cutover migration batch.

Step 6: Delete the cutover migration batch

After you change the MX record and verify that all email is being routed to Microsoft
365 or Office 365 mailboxes, notify the users that their mail is going to Microsoft 365 or
Office 365. After this you can delete the cutover migration batch. Verify the following
before you delete the migration batch.

All users are using Microsoft 365 or Office 365 mailboxes. After the batch is
deleted, mail sent to mailboxes on the on-premises Exchange Server isn't copied to
the corresponding Microsoft 365 or Office 365 mailboxes.

Microsoft 365 or Office 365 mailboxes were synchronized at least once after mail
began being sent directly to them. To do this, make sure that the value in the Last
Synced Time box for the migration batch is more recent than when mail started
being routed directly to Microsoft 365 or Office 365 mailboxes.

When you delete a cutover migration batch, the migration service cleans up any records
related to the migration batch and then deletes the migration batch. The batch is
removed from the list of migration batches on the migration dashboard.

1. In the Exchange admin center, go to Recipients > Migration.

2. On the migration dashboard, select the batch, and then choose Delete.

Note

It can take a few minutes for the batch to be removed.

3. In the Exchange admin center, go to Recipients > Migration.

4. Verify that the migration batch is no longer listed on the migration dashboard.
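The pre-deletion checks from Step 6, as an added Exchange Online PowerShell example that is not part of the original article. It assumes a Connect-ExchangeOnline session, Resolve-DnsName on the admin workstation, that the MX record now points directly at Microsoft 365 (the known host suffix mail.protection.outlook.com), and the batch's LastSyncedDateTime property (the Last Synced Time shown in the EAC); the domain, batch name and MX change time are placeholders.

```powershell
# Added example (not from the article): remove the cutover batch only after the checks in Step 6 pass.
# Assumes Connect-ExchangeOnline has been run. Parameter values are placeholders.
function Remove-CutoverBatchSafely {
    param(
        [Parameter(Mandatory)][string]$BatchName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][datetime]$MxChangedAt,   # when you repointed the MX record (Step 5)
        [switch]$Force                                   # skip the confirmation prompt
    )
    # Check 1: the article says to wait at least 72 hours for partner mail systems to pick up the new MX.
    $waited = (Get-Date) - $MxChangedAt
    if ($waited.TotalHours -lt 72) {
        throw ("Only {0:N1} hours since the MX change; wait at least 72." -f $waited.TotalHours)
    }

    # Check 2: every MX record now points at Microsoft 365 or Office 365.
    $mx = Resolve-DnsName -Name $Domain -Type MX -DnsOnly -ErrorAction Stop |
          Where-Object { $_.QueryType -eq 'MX' }
    $stale = $mx | Where-Object { $_.NameExchange -notlike '*.mail.protection.outlook.com' }
    if (-not $mx -or $stale) {
        throw "MX for $Domain does not point only at Microsoft 365: $($mx.NameExchange -join ', ')"
    }

    # Check 3: the batch synced at least once after mail began flowing directly to the cloud;
    # otherwise items that arrived on-premises after the last sync would never be copied.
    $batch = Get-MigrationBatch -Identity $BatchName -ErrorAction Stop
    if ($batch.LastSyncedDateTime -lt $MxChangedAt) {
        throw "Batch last synced $($batch.LastSyncedDateTime), before the MX change; wait for the next sync."
    }

    # Check 4: no mailbox in the batch is still in a failed state.
    if ($batch.FailedCount -gt 0) {
        throw "$($batch.FailedCount) mailbox(es) failed; inspect them with Get-MigrationUserStatistics -IncludeReport first."
    }

    Remove-MigrationBatch -Identity $BatchName -Confirm:(-not $Force)
    Write-Host "Removal of $BatchName requested; it can take a few minutes to disappear from the migration dashboard."
}

# Example call with placeholder values:
# Remove-CutoverBatchSafely -BatchName 'CutoverBatch' -Domain 'contoso.com' -MxChangedAt '2023-03-01 09:00'
```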

Step 7: Assign licenses to Microsoft 365 and Office 365 users
Activate user accounts for the migrated accounts by assigning licenses: If you don't
assign a license, the mailbox is disabled when the grace period ends (30 days). To assign
a license in the Microsoft 365 admin center, see Add users individually or in bulk.

Complete post migration tasks

After migrating mailboxes to Microsoft 365 or Office 365, there are post-migration tasks
that must be completed.

1. Create an Autodiscover DNS record so users can easily get to their mailboxes:
After all on-premises mailboxes are migrated to Microsoft 365 or Office 365, you
can configure an Autodiscover DNS record for your Microsoft 365 or Office 365
organization to enable users to easily connect to their new Microsoft 365 or Office
365 mailboxes with Outlook and mobile clients. This new Autodiscover DNS record
has to use the same namespace that you're using for your Microsoft 365 or Office
365 organization. For example, if your cloud-based namespace is
cloud.contoso.com, the Autodiscover DNS record you need to create is
autodiscover.cloud.contoso.com.

If you keep your Exchange Server, you should also make sure that the Autodiscover
DNS CNAME record points to Microsoft 365 or Office 365 in both internal and
external DNS after the migration so that the Outlook client connects to the correct
mailbox. Replace <ServerName> with the name of the Client Access server and run
the following command in the Exchange Management Shell to prevent client
connections to the server. You'll need to run the command on every Client Access
server.

PowerShell
Set-ClientAccessServer -Identity <ServerName> -AutoDiscoverServiceInternalUri $null

Microsoft 365 or Office 365 uses a CNAME record to implement the Autodiscover
service for Outlook and mobile clients. The Autodiscover CNAME record must
contain the following information:

Alias: autodiscover

Target: autodiscover.outlook.com

For more information, see Add DNS records to connect your domain.

2. Decommission on-premises Exchange Servers: After you've verified that all email
is being routed directly to the Microsoft 365 or Office 365 mailboxes, and no
longer need to maintain your on-premises email organization or don't plan on
implementing a single sign-on solution, you can uninstall Exchange from your
servers and remove your on-premises Exchange organization.

For more information, see the following topics:

Modify or Remove Exchange 2010

How to Remove an Exchange 2007 Organization

How to Uninstall Exchange Server 2003

Note

Decommissioning Exchange can have unintended consequences. Before
decommissioning your on-premises Exchange organization, we recommend
that you contact Microsoft Support.
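The two Autodiscover checks from post-migration task 1, as an added PowerShell example that is not part of the original article: confirm the CNAME resolves to autodiscover.outlook.com in both internal and external DNS, then clear the Autodiscover SCP URI on every retained Client Access server with the article's Set-ClientAccessServer command. It assumes an Exchange Management Shell session on a retained Exchange 2010 or 2013 server and Resolve-DnsName; the namespace and external resolver address are placeholders.

```powershell
# Added example (not from the article): verify the Autodiscover CNAME, then apply the article's
# Set-ClientAccessServer command to every Client Access server. Run in the Exchange Management Shell.
function Test-AutodiscoverCname {
    param(
        [Parameter(Mandatory)][string]$Namespace,   # e.g. the article's cloud namespace: cloud.contoso.com
        [string]$Resolver                           # omit to use the internal (default) resolver
    )
    $query = @{ Name = "autodiscover.$Namespace"; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Resolver) { $query.Server = $Resolver }
    $cname = Resolve-DnsName @query | Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    $resolverLabel = if ($Resolver) { $Resolver } else { 'internal default' }
    [pscustomobject]@{
        Record   = "autodiscover.$Namespace"
        Resolver = $resolverLabel
        Target   = $cname.NameHost
        Correct  = ($cname.NameHost -eq 'autodiscover.outlook.com')
    }
}

# Both views must agree; an internal record left pointing on-premises sends Outlook to the old server.
$internal = Test-AutodiscoverCname -Namespace 'cloud.contoso.com'
$external = Test-AutodiscoverCname -Namespace 'cloud.contoso.com' -Resolver '8.8.8.8'
$internal, $external | Format-Table -AutoSize
if (-not ($internal.Correct -and $external.Correct)) {
    throw 'Fix the Autodiscover CNAME before changing the on-premises servers.'
}

# Clear the Autodiscover service connection point URI on every Client Access server so domain-joined
# Outlook stops finding the on-premises Autodiscover endpoint through Active Directory and uses DNS.
# Remove -WhatIf once the output lists the servers you expect.
Get-ClientAccessServer | ForEach-Object {
    Set-ClientAccessServer -Identity $_.Identity -AutoDiscoverServiceInternalUri $null -WhatIf
}
```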

See also
Ways to migrate email to Microsoft 365 or Office 365

Decide on a migration path

What you need to know about a staged
email migration in Exchange Online
Article • 02/22/2023

As part of a Microsoft 365 or Office 365 deployment, you can migrate the contents of
user mailboxes from a source email system to Microsoft 365 or Office 365. When you do
this over time, it's called a staged migration. A staged migration is recommended when:

Your source email system is Microsoft Exchange Server 2003 or Microsoft Exchange
Server 2007.

Note

Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 are
out of support. Support for Exchange 2003 ended on April 8, 2014. Support
for Exchange 2007 ended on April 11, 2017.

You can't use a staged migration to migrate Exchange 2013 or Exchange
2010 mailboxes to Microsoft 365 or Office 365. Consider using a cutover
migration or a hybrid email migration instead.

You have more than 2,000 mailboxes.

If a staged email migration won't work for you, see Ways to migrate email for other
options.

Things to consider
Here are a few items to be aware of:

You must synchronize accounts between your on-premises Active Directory
domain and Microsoft 365 or Office 365 by using Azure Active Directory sync for a
staged migration to work.

The primary domain name used for your on-premises Exchange organization must
be a domain verified to your Microsoft 365 or Office 365 organization.

You can migrate only user mailboxes and resource mailboxes. Other recipient
types, such as distribution groups, contacts, and mail-enabled users are migrated
to Microsoft 365 or Office 365 through the process of directory synchronization.

Out of Office messages aren't migrated with user mailboxes. If a user turns on the
Out of Office feature before the migration, the feature will remain enabled on the
migrated mailbox, but the Out of Office message is blank. People who send
messages to the mailbox won't receive an Out of Office notification. To allow Out
of Office notifications to be sent, the user needs to recreate the Out of Office
message after the mailbox is migrated.

If you limited the connections to your source email system, it's a good idea to
increase them to improve migration performance. Common connection limits
include client/server total connections, per-user connections, and IP address
connections on either the server or the firewall. If you didn't limit these
connections, you can skip this task.

Impact of migration to users

Administrators can access email: To migrate email, you need access to the user
mailboxes in your source email system.

Users must create new Outlook profiles: After the mailboxes are migrated and the
on-premises accounts are converted to mail-enabled accounts, the users must
create a new Microsoft 365 or Office 365 profile in Outlook, and then Outlook
automatically connects to Microsoft 365 or Office 365.

How does staged migration work?

The main steps you perform for a staged migration, and the results for your users, are
shown in the following illustration.

Here's a description of the staged migration shown in the illustration.

1. The administrator synchronizes the list of users between their on-premises
environment and Microsoft 365 or Office 365.

See how-to steps in Prepare for a staged migration.

2. The administrator creates a comma-separated value (CSV) file that contains a row
for each user whose on-premises mailbox will be migrated in the migration batch.

See how-to steps in Create a list of mailboxes to migrate.

3. The administrator creates and runs a staged migration batch by using the
migration dashboard in the Exchange admin center.

See how-to steps in Connect Office 365 to your email system, Migrate your
mailboxes, and Start the staged migration batch.

After the administrator starts the migration batch, Exchange Online does the
following:

Verifies that directory synchronization is enabled.

Checks that a mail-enabled user exists in the Microsoft 365 or Office 365
organization for each user listed in the CSV file. Mail-enabled users are
created in Microsoft 365 or Office 365 as a result of the directory
synchronization process.

Converts the Microsoft 365 or Office 365 mail-enabled user to an Exchange
Online mailbox for each user in the migration batch.

Begins initial synchronization. Exchange Online processes up to N migration
requests at one time. N represents the maximum number of concurrent
migrations that the administrator specified when creating the migration
endpoint used for the migration batch. By default, initial synchronization is
performed on 20 mailboxes at a time until all mailboxes in the migration
batch are migrated.

Configures mail forwarding. The TargetAddress property on the on-premises
mailbox is configured with the email address of the Exchange Online mailbox.
This process means that mail sent to the on-premises mailbox is forwarded to
the corresponding Exchange Online mailbox.

4. After it creates the Exchange Online mailbox and configures mail forwarding for
each user in the CSV file, Exchange Online sends a status email message to the
administrator. This status message lists the number of mailboxes that were
successfully migrated and how many couldn't be migrated. The message also
includes links to migration statistics and error reports that contain more detailed
information. At this point, users can start using their Exchange Online mailboxes.

5. As part of initial synchronization, Exchange Online then migrates all email
messages, contacts, and calendar items from the on-premises mailboxes to
Exchange Online mailboxes. Exchange Online sends a final migration report when
the data migration is complete.

6. After a migration batch is complete and the administrator verifies that all
mailboxes in the batch are successfully migrated, the administrator can convert the
on-premises mailboxes to mail-enabled users.

See how-to steps in Convert on-premises mailboxes to mail-enabled users so that
migrated users can get to their email.

7. If a user opens their mailbox with Outlook, the Autodiscover service tries to
connect to the on-premises mailbox. After you convert on-premises mailboxes to
mail-enabled users, the Autodiscover service uses the mail-enabled user to
connect Outlook to the Exchange Online mailbox after the user creates a new
Outlook profile.

8. The administrator creates additional migration batches, submitting a CSV file for
each one.

9. The administrator runs additional migration batches.

10. The administrator resolves any issues. After all on-premises mailboxes in a batch
are successfully migrated, the administrator deletes the migration batch.

See how-to steps in Delete the staged migration batch.

11. Users can use their Exchange Online mailboxes.

12. The administrator, to complete the transition to Exchange Online and Microsoft
365 or Office 365, performs post-configuration tasks such as:

Assign licenses to Microsoft 365 or Office 365 users.

Configure the MX record to point to your Microsoft 365 or Office 365
organization so that email is delivered directly to Exchange Online mailboxes.

Create an Autodiscover Domain Name System (DNS) record for your
Microsoft 365 or Office 365 organization.

See how-to steps in Route your email directly to Microsoft 365 or Office 365 and
Complete post migration tasks.

The administrator can decommission the on-premises Exchange Servers (optional).

Note

If you implement a single sign-on solution, it is strongly recommended that
you maintain at least one Exchange Server so that you can access Exchange
System Manager (Exchange 2003) or the Exchange Management
Console/Exchange Management Shell (Exchange 2007) to manage mail-
related attributes on the on-premises mail-enabled users. For Exchange 2007,
the Exchange Server that you maintain should have the Hub Transport, Client
Access, and Mailbox server roles installed.

Ready to start?
If you're comfortable setting up a migration to Microsoft 365 or Office 365, here are the
tasks that need to be done.

Using either Microsoft Azure Active Directory Synchronization Tool or Microsoft
Azure Active Directory Sync Services (AAD Sync) to synchronize and create your
on-premises users in Microsoft 365 or Office 365.

Configuring Exchange Server by using the Exchange admin center.

Changing your organization's MX record to point to Microsoft 365 or Office 365
when the migration is complete. Your MX record is how other mail systems find the
location of your email system. Changing your MX record allows other mail systems
to begin to send email directly to the new mailboxes in Microsoft 365 or Office
365.

To finish a staged email migration successfully, it's a good idea to be comfortable doing
these tasks:

You configure or verify that directory synchronization is working.

You configure or verify that Outlook Anywhere is working.

You create one or more lists of mailboxes to migrate in Excel.

You use step-by-step wizards in Microsoft 365 or Office 365 to configure and start
the migration process.

You add or change your organization's DNS records, such as the Autodiscover and
MX records.

You mail-enable on-premises mailboxes.

If you're ready to begin a staged email migration, you can use the steps given in
Perform a staged migration of email.

See also
Ways to migrate email to Microsoft 365 or Office 365

Use PowerShell to perform a staged migration to Microsoft 365 or Office 365


Perform a staged migration of email in
Exchange Online
Article • 02/22/2023

You can migrate the contents of user mailboxes from an Exchange 2003 or Exchange
2007 email system to Microsoft 365 or Office 365 over time by using a staged migration.

This article walks you through the tasks involved in a staged email migration. What
you need to know about a staged email migration gives you an overview of the
migration process. When you're comfortable with the contents of that article, use this
one to begin migrating mailboxes from one email system to another.

For Windows PowerShell steps, see Use PowerShell to perform a staged migration.

Migration Tasks
Here are the tasks to do when you're ready to get started with your staged migration.

1. Prepare for a staged migration

2. Verify you own the domain

3. Use directory synchronization to create users

4. Create a list of mailboxes to migrate

5. Connect Microsoft 365 or Office 365 to your email system

6. Migrate your mailboxes

7. Start the staged migration batch

8. Convert on-premises mailboxes to mail-enabled users so that migrated users can
get to their email

9. Route your email directly to Microsoft 365 or Office 365

10. Delete the staged migration batch

11. Complete post migration tasks

Prepare for a staged migration


Before you migrate mailboxes to Microsoft 365 or Office 365 by using a staged
migration, there are a few changes you must make first to your Exchange Server
environment.

To prepare for a staged migration:

1. Configure Outlook Anywhere on your on-premises Exchange Server: The email
migration service uses Outlook Anywhere (also known as RPC over HTTP) to
connect to your on-premises Exchange Server. For information about how to set
up Outlook Anywhere for Exchange 2007 and Exchange 2003, see the following:

Exchange 2007: How to Enable Outlook Anywhere

How to configure Outlook Anywhere with Exchange 2003

Important

You must use a certificate issued by a trusted certification authority (CA) with
your Outlook Anywhere configuration. Outlook Anywhere can't be configured
with a self-signed certificate. For more information, see How to configure SSL
for Outlook Anywhere.

2. (Optional) Verify that you can connect to your Exchange organization using
Outlook Anywhere: Try one of the following methods to test your connection
settings.

Use Outlook from outside your corporate network to connect to your on-
premises Exchange mailbox.

Use the Microsoft Exchange Remote Connectivity Analyzer to test your
connection settings. Use the Outlook Anywhere (RPC over HTTP) or Outlook
Autodiscover tests.

Wait for the connection to be tested automatically when you Connect
Microsoft 365 or Office 365 to your email system later in this procedure.

3. Set permissions: The on-premises user account that you use to connect to your
on-premises Exchange organization (also called the migration administrator) must
have the necessary permissions to access the on-premises mailboxes that you want
to migrate to Microsoft 365 or Office 365. This user account is used when you
Connect Microsoft 365 or Office 365 to your email system later in this procedure.

4. To migrate the mailboxes, the admin must have one of the following permission
sets:
Be assigned the FullAccess permission for each on-premises mailbox and be
assigned the WriteProperty permission to modify the TargetAddress
property on the on-premises user accounts.

or

Be assigned the Receive As permission on the on-premises mailbox database
that stores user mailboxes, and the WriteProperty permission to modify the
TargetAddress property on the on-premises user accounts.

For instructions about how to set these permissions, see Assign Exchange
permissions to migrate mailboxes to Microsoft 365 or Office 365.

5. Disable Unified Messaging (UM): If UM is turned on for the on-premises
mailboxes you're migrating, turn off UM before migration. Turn on UM for the
mailboxes after migration is complete. For how-to steps, see disable unified
messaging.
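The permission sets in step 4 are the whole of what the migration administrator needs, so there is no reason to use a Domain Admin or Organization Management account for the endpoint. The script below is an added example, not part of this article or of Microsoft's migration scripts: run in the Exchange Management Shell on an Exchange 2007 server, it grants permission set 1 (FullAccess plus WriteProperty on TargetAddress) to a dedicated account for exactly the mailboxes in your migration CSV, shows the resulting entries for review, and can revoke them again once the batch is done. The account name `contoso\migadmin` and the CSV path are placeholders.

```powershell
# Added example, not from the article: least-privilege grants for the staged-migration admin,
# scoped to the mailboxes listed in the batch CSV. Run in the Exchange 2007 Management Shell.
param(
    [string]$MigrationAdmin = 'contoso\migadmin',   # assumed dedicated account, not a Domain Admin
    [string]$CsvPath        = '.\migration.csv',    # the same CSV you will upload for the batch
    [switch]$Revoke                                 # take the rights back after the batch is finished
)

$rows = Import-Csv -Path $CsvPath
if (-not ($rows | Get-Member -Name EmailAddress)) { throw "$CsvPath has no EmailAddress column" }

foreach ($row in $rows) {
    $mbx = Get-Mailbox -Identity $row.EmailAddress -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "No on-premises mailbox for $($row.EmailAddress); skipping"; continue }

    if ($Revoke) {
        # The endpoint credential lives in the cloud for the life of the migration; once the
        # batch is deleted, nothing needs these rights any more, so remove them.
        Remove-MailboxPermission -Identity $mbx.Identity -User $MigrationAdmin `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false
        Remove-ADPermission -Identity $mbx.DistinguishedName -User $MigrationAdmin `
            -AccessRights WriteProperty -Properties TargetAddress -Confirm:$false
        continue
    }

    # Permission set 1 from the article: FullAccess on the mailbox plus WriteProperty on TargetAddress.
    # Permission set 2 would replace the per-mailbox FullAccess with one database-level grant:
    #   Add-ADPermission -Identity $mbx.Database -User $MigrationAdmin -ExtendedRights Receive-As
    Add-MailboxPermission -Identity $mbx.Identity -User $MigrationAdmin `
        -AccessRights FullAccess -InheritanceType All | Out-Null
    Add-ADPermission -Identity $mbx.DistinguishedName -User $MigrationAdmin `
        -AccessRights WriteProperty -Properties TargetAddress | Out-Null
}

# Report what the admin now holds, per mailbox, so the grants can be reviewed before the endpoint is created.
foreach ($row in $rows) {
    $mbx = Get-Mailbox -Identity $row.EmailAddress -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User.ToString() -eq $MigrationAdmin -and -not $_.IsInherited } |
        Select-Object @{n='Mailbox'; e={ $mbx.PrimarySmtpAddress }}, User, AccessRights, Deny
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.User.ToString() -eq $MigrationAdmin -and $_.AccessRights -contains 'WriteProperty' } |
        Select-Object @{n='Mailbox'; e={ $mbx.PrimarySmtpAddress }}, User, AccessRights, Properties
}
```

Run it once per CSV before you create the endpoint, and again with `-Revoke` after you delete the corresponding batch. Exchange 2003 has no management shell, so for Exchange 2003 the same rights are assigned through the Exchange System Manager and ADSI Edit as described in Assign Exchange permissions to migrate mailboxes.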

Verify you own the domain


During the migration, the Simple Mail Transfer Protocol (SMTP) address of each on-
premises mailbox is used to create the email address for a new Microsoft 365 or Office
365 mailbox. To run a staged migration, the on-premises domain must be verified as a
domain you own in your Microsoft 365 or Office 365 organization.

Use the domains wizard to verify you own the on-premises domain:

1. Sign in to Microsoft 365 or Office 365 with your work or school account.

Note

You must be a global admin in Microsoft 365 or Office 365 to complete these
steps.

2. Choose Setup > Domains.

3. On the Manage domains page, click Add domain to start the domain wizard.

4. On the Add a domain to Microsoft 365 or Office 365 page, choose Specify a
domain name and confirm ownership.

5. Type the domain name (for example, Contoso.com) you use for your on-premises
Exchange organization, and then choose Next.
6. On the confirm that you own <your domain name> page, select your Domain
Name System (DNS) hosting provider from the list or select General Instructions, if
applicable.

7. Follow the instructions provided for your DNS hosting provider. The TXT record
usually is chosen to verify domain ownership.

You can also find the TXT or MX value specific to your Microsoft 365 or Office 365
organization by following instructions in Gather the information you need to
create Office 365 DNS records.

After you add your TXT or MX record, wait about 15 minutes before proceeding to
the next step.

8. In the Microsoft 365 or Office 365 domain wizard choose done, verify now, and
you should see a verification page. Choose Finish.

If you do not see the verification page, wait awhile, and try again.

Do not continue to the next step in the domain wizard. You now have verified that
you own the on-premises Exchange organization domain, and are ready to
continue with an email migration.

Use directory synchronization to create users in Microsoft 365 or Office 365
You use directory synchronization to create all the on-premises users in your Microsoft
365 or Office 365 organization.

You will need to license the users after they're created. You have 30 days to add licenses
after the users are created. For steps to add licenses, see the Complete post migration
tasks section later in this topic.

To create new users:

You use Azure AD Connect (which replaced the older Microsoft Azure Active Directory
Synchronization Tool and Azure Active Directory Sync Services) to synchronize and create
your on-premises users in Microsoft 365 or Office 365. After mailboxes are migrated to
Microsoft 365 or Office 365, you'll continue to manage user accounts in your on-premises
organization, and they're synchronized with your Microsoft 365 or Office 365
organization. For more information, see What is hybrid identity with Azure Active
Directory?.
Create a list of mailboxes to migrate
After you identify the users whose on-premises mailboxes you want to migrate to
Microsoft 365 or Office 365, you'll use a comma-separated value (CSV) file to create a
migration batch. Each row in the CSV file (used by Microsoft 365 or Office 365 to run the
migration) contains information about an on-premises mailbox.

Note

There isn't a limit for the number of mailboxes that you can migrate to Microsoft
365 or Office 365 using a staged migration. The CSV file for a migration batch can
contain a maximum of 2,000 rows. To migrate more than 2,000 mailboxes, create
additional CSV files and use each file to create a new migration batch.

Supported attributes
The CSV file for a staged migration supports the following three attributes. Each row in
the CSV file corresponds to a mailbox and must contain a value for each of these
attributes.

EmailAddress (Required)
Specifies the primary SMTP email address, for example, pilarp@contoso.com, for
on-premises mailboxes. Use the primary SMTP address for on-premises mailboxes and
not user IDs from Microsoft 365 or Office 365. For example, if the on-premises domain
is named contoso.com but the Microsoft 365 or Office 365 email domain is named
service.contoso.com, you would use the contoso.com domain name for email addresses
in the CSV file.

Password (Optional)
The password to be set for the new Microsoft 365 or Office 365 mailbox. Any password
restrictions that are applied to your Microsoft 365 or Office 365 organization also
apply to the passwords included in the CSV file.

ForceChangePassword (Optional)
Specifies whether a user must change the password the first time they sign in to their
new Microsoft 365 or Office 365 mailbox. Use True or False for the value of this
attribute. Note that if you've implemented a single sign-on solution by deploying
Active Directory Federation Services (AD FS) 2.0 or later in your on-premises
organization, you must use False for the value of the ForceChangePassword attribute.

CSV file format
Here's an example of the format for the CSV file. In this example, three on-premises
mailboxes are migrated to Microsoft 365 or Office 365.

The first row, or header row, of the CSV file lists the names of the attributes, or fields,
specified in the rows that follow. Each attribute name is separated by a comma.

CSV

EmailAddress,Password,ForceChangePassword
pilarp@contoso.com,Pa$$w0rd,False
tobyn@contoso.com,Pa$$w0rd,False
briant@contoso.com,Pa$$w0rd,False

Each row under the header row represents one user and supplies the information that
will be used to migrate the user's mailbox. The attribute values in each row must be in
the same order as the attribute names in the header row.

Use any text editor, or an application like Excel, to create the CSV file. Save the file as a
.csv or .txt file.

Note

If the CSV file contains non-ASCII or special characters, save the CSV file with UTF-8
or other Unicode encoding. Depending on the application, saving the CSV file with
UTF-8 or other Unicode encoding may be easier when the system locale of the
computer matches the language used in the CSV file.
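A malformed CSV is rejected only when you submit the batch, so it pays to run the same checks locally first. The function below is an added example, not part of this article: it applies the checks the service performs when the batch is created (non-empty, comma-separated, at most 2,000 rows, an EmailAddress header, a consistent field count per row), adds two the service does not do for you (the address really belongs to the verified on-premises domain, and ForceChangePassword is True or False), and confirms that a file containing non-ASCII characters is actually stored as UTF-8 or UTF-16. The domain name and path are placeholders. Because the Password column holds cleartext initial passwords, the function also reminds you to protect and then delete the file.

```powershell
# Added example, not from the article: pre-flight checks for a staged-migration CSV.
function Test-StagedMigrationCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OnPremDomain = 'contoso.com'   # the verified on-premises SMTP domain (assumed value)
    )
    $problems = @()
    $raw = Get-Content -Path $Path -Raw -ErrorAction Stop
    if ([string]::IsNullOrWhiteSpace($raw)) { return ,@('File is empty') }

    $lines   = @($raw -split "`r?`n" | Where-Object { $_.Trim() -ne '' })
    $columns = $lines[0].Trim() -split ','
    $allowed = 'EmailAddress', 'Password', 'ForceChangePassword'
    if ($columns -notcontains 'EmailAddress') { $problems += 'Header row lacks the required EmailAddress column' }
    foreach ($c in $columns) { if ($allowed -notcontains $c) { $problems += "Unsupported column '$c'" } }
    if ($lines.Count - 1 -gt 2000) { $problems += "$($lines.Count - 1) data rows; the limit is 2,000 per batch, split the file" }

    # Every data row must have exactly as many fields as the header; the service rejects the file otherwise.
    for ($i = 1; $i -lt $lines.Count; $i++) {
        if (@($lines[$i] -split ',').Count -ne $columns.Count) { $problems += "Row ${i}: field count differs from the header" }
    }

    $rows = @(Import-Csv -Path $Path)
    $addrPattern = "^[^@\s]+@$([regex]::Escape($OnPremDomain))$"
    for ($i = 0; $i -lt $rows.Count; $i++) {
        $r = $rows[$i]
        if ($r.EmailAddress -notmatch $addrPattern) {
            $problems += "Row $($i + 1): '$($r.EmailAddress)' is not a primary SMTP address in $OnPremDomain"
        }
        if ($columns -contains 'ForceChangePassword' -and $r.ForceChangePassword -notin 'True', 'False') {
            $problems += "Row $($i + 1): ForceChangePassword must be True or False"
        }
    }

    # Non-ASCII content must be stored as Unicode. Accept a UTF-16 BOM or bytes that decode as strict UTF-8.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if (($bytes | Where-Object { $_ -ge 0x80 }).Count -gt 0) {
        $utf16Bom = $bytes.Length -ge 2 -and
            (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))
        $strictUtf8 = New-Object System.Text.UTF8Encoding($false, $true)   # throws on invalid sequences
        try { [void]$strictUtf8.GetString($bytes); $validUtf8 = $true } catch { $validUtf8 = $false }
        if (-not ($utf16Bom -or $validUtf8)) {
            $problems += 'Non-ASCII characters present but the file is neither UTF-8 nor UTF-16; re-save it as UTF-8'
        }
    }

    if ($columns -contains 'Password') {
        Write-Warning "$Path holds cleartext initial passwords: restrict its ACL and delete it once the batch is created"
    }
    return ,$problems
}

# Usage: $issues = Test-StagedMigrationCsv -Path .\batch1.csv -OnPremDomain contoso.com
#        if ($issues) { $issues | ForEach-Object { Write-Error $_ } } else { 'CSV looks good' }
```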

Connect Microsoft 365 or Office 365 to your email system
A migration endpoint contains the settings and credentials needed to connect the on-
premises server that hosts the mailboxes you're migrating with Microsoft 365 or Office
365. For a staged migration, you create an Outlook Anywhere migration endpoint. One
migration endpoint is created to use for all of your migration batches.

To create a migration endpoint in the Classic Exchange admin center:

1. Open the Classic Exchange admin center.

2. Go to Recipients > Migration.

3. Choose More > Migration endpoints.

4. On the Migration endpoints page, choose New .

5. On the Select the migration endpoint type page, choose Outlook Anywhere >
Next.

6. On the Enter on-premises account credentials page, enter the following
information:

Email address: Type the email address of any user in the on-premises
Exchange organization that will be migrated. Microsoft 365 or Office 365 will
test the connectivity to this user's mailbox.

Account with privileges: Type the username (domain\username format or an
email address) for an account that has the necessary administrative
permissions in the on-premises organization. Microsoft 365 or Office 365 will
use this account to detect the migration endpoint and to test the permissions
assigned to this account by attempting to access the mailbox with the
specified email address.

Password of account with privileges: Type the password for the account with
privileges that is the administrator account.

7. Choose Next and then do one of the following:

If Microsoft 365 or Office 365 successfully connects to the source server, the
connection settings are displayed. Choose Next.
If the test connection to the source server isn't successful, provide the
following information:

Exchange server: Type the fully qualified domain name (FQDN) for the on-
premises Exchange Server. This is the host name for your Mailbox server; for
example, EXCH-SRV-01.corp.contoso.com.

RPC proxy server: Type the FQDN for the RPC proxy server for Outlook
Anywhere. Typically, the proxy server is the same as your Outlook on the web
(formerly known as Outlook Web App) URL. For example, mail.contoso.com,
which is also the URL for the proxy server that Outlook uses to connect to an
Exchange Server

8. On the Enter general information page, type a Migration endpoint name, for
example, Test5-endpoint. Leave the other two boxes blank to use the default
values.
9. Choose New to create the migration endpoint.

To validate your Exchange Online is connected to the on-premises server, you can
run the command in Example 4 of Test-MigrationServerAvailability.

Note

In the new EAC, migration endpoints can be created during the creation of a new
migration batch. For more information, continue to the section Create a staged
migration batch in new Exchange admin center (New EAC).
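The wizard steps above map onto two cmdlets in Exchange Online PowerShell, which is also the easiest way to run the Test-MigrationServerAvailability check the article mentions before anything is stored. The following is an added example, not code from this article: it probes the on-premises organization through Autodiscover first, falls back to the explicit server and RPC proxy names the wizard asks for when Autodiscover fails, and only then creates the single endpoint that every staged batch will reuse. The mailbox `pilarp@contoso.com`, the server names and the endpoint name are placeholders; run it after Connect-ExchangeOnline.

```powershell
# Added example, not from the article: test connectivity, then create the Outlook Anywhere endpoint.
# Prompt for the migration admin's credential rather than embedding it in the script.
$cred        = Get-Credential -Message 'On-premises migration admin (DOMAIN\user)'
$testMailbox = 'pilarp@contoso.com'   # any mailbox that will be migrated; proves the admin can open it
$endpointName = 'StagedEndpoint'

# 1. Autodiscover path: the service discovers the Outlook Anywhere settings itself.
$probe = Test-MigrationServerAvailability -ExchangeOutlookAnywhere -Autodiscover `
    -EmailAddress $testMailbox -Credentials $cred

if ($probe.Result -eq 'Success') {
    $endpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Autodiscover -Name $endpointName `
        -EmailAddress $testMailbox -Credentials $cred
}
else {
    # 2. Fallback: the explicit settings the wizard asks for when the automatic test fails.
    Write-Warning "Autodiscover probe failed: $($probe.Message)"
    $mailboxServer = 'EXCH-SRV-01.corp.contoso.com'   # FQDN of the Mailbox server (placeholder)
    $rpcProxy      = 'mail.contoso.com'               # Outlook Anywhere host, usually the OWA name (placeholder)

    $probe = Test-MigrationServerAvailability -ExchangeOutlookAnywhere `
        -ExchangeServer $mailboxServer -RPCProxyServer $rpcProxy -Authentication NTLM `
        -EmailAddress $testMailbox -Credentials $cred
    if ($probe.Result -ne 'Success') { throw "Cannot reach the on-premises organization: $($probe.Message)" }

    $endpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Name $endpointName `
        -ExchangeServer $mailboxServer -RPCProxyServer $rpcProxy -Authentication NTLM `
        -EmailAddress $testMailbox -Credentials $cred
}

# 3. Review what was stored in the cloud (the password is never returned) and the concurrency
#    limits the wizard left at their defaults.
Get-MigrationEndpoint -Identity $endpoint.Identity |
    Format-List Identity, ExchangeServer, RpcProxyServer, Authentication, MailboxPermission,
                MaxConcurrentMigrations, MaxConcurrentIncrementalSyncs
```

A probe that succeeds with `-Authentication Basic` but fails with NTLM tells you the on-premises virtual directory is set to Basic; that is acceptable only because Outlook Anywhere is wrapped in TLS from a trusted CA, which is why the Important note above refuses self-signed certificates.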

Migrate your mailboxes


You create and then run a migration batch to migrate mailboxes to Microsoft 365 or
Office 365.

Create a staged migration batch in new Exchange admin center (New EAC)
1. In the new Exchange Admin center , navigate to Migration > Batch.

2. Click New Migration batch and follow the instructions in the details pane.

3. In Migration Onboarding section, enter the batch name, select the mailbox
migration path and click Next.
4. Select the migration type as Staged migration from the drop-down list and click
Next.

5. In Prerequisites section, read the following and click Next.

6. In Set endpoint section, you can either create a new migration endpoint or select
the migration endpoint from the drop-down list:

a. Select Create a new migration endpoint and follow the instructions to create
the endpoints.

b. Select the migration endpoint from the drop-down list and click Next.
7. Select and upload a CSV file containing the set of all of the users you want to
migrate. The allowed headers are the three attributes described in Supported
attributes earlier in this article:

EmailAddress (required). The primary SMTP address of the on-premises mailbox
to migrate.

Password and ForceChangePassword (optional). The initial password for the new
Microsoft 365 or Office 365 mailbox, and whether the user must change it at first
sign-in.

CSV

EmailAddress
will@fabrikaminc.net
user123@fabrikaminc.net

8. In Add user mailboxes section, import the CSV file and click Next.

9. In Move configuration section, enter the details and click Next.

10. In Schedule batch migration section, verify all the details, click Save, and then click
Done.
When the batch status changes from Syncing to Synced, you can complete the batch.

11. To complete the batch, select the migration group.

12. In the details pane, select the preferred option to complete the batch and click
Save.

The batch status will then be Completed.

Create a staged migration batch in Classic Exchange admin center (Classic EAC)
For a staged migration, you migrate mailboxes in batches: one batch for each CSV file
you created.

To create a staged migration batch:

1. In the Classic Exchange admin center, go to Recipients > Migration.

2. Choose New > Migrate to Exchange Online.

3. On the Select a migration type page, choose Staged migration > next.
4. On the Select the users page, choose Browse and select the CSV file to use for this
migration batch.

After you select a CSV file, Microsoft 365 or Office 365 checks the CSV file to make
sure that:

It isn't empty.

It uses comma-separated formatting.

It doesn't contain more than 2,000 rows.

It includes the required EmailAddress column in the header row.

All rows have the same number of columns as the header row.

If any one of these checks fails, you'll get an error that describes the reason for the
failure. At this point, you must fix any errors in the CSV file and resubmit it to
create a migration batch. After the CSV file is validated, the number of users listed
in the CSV file is displayed as the number of mailboxes to migrate.

5. Choose next.

6. On the Confirm the migration endpoint page, verify the migration endpoint
information that is listed and then choose next.

7. On the Move configuration page, type the name (no spaces or special characters)
of the migration batch, and then choose next. This name is displayed in the list of
migration batches on the Migration page after you create the migration batch.

8. On the Start the batch page, choose one of the following:

Automatically start the batch: The migration batch is started as soon as you
save the new migration batch. The batch starts with a status of Syncing.
Manually start the batch later: The migration batch is created but not
started. The status of the batch is set to Created. To start a migration batch,
select it on the migration dashboard and then choose Start.

9. Choose new to create the migration batch.

The new migration batch is displayed on the migration dashboard.

Start the staged migration batch

If you created a migration batch and configured it to be started manually, you can
start it from the Exchange admin center.

To start a staged migration batch, do one of the following:

In the new Exchange admin center, go to Migration > Batch. On the migration
dashboard, select the batch, and then click Start Migration.

In the Classic Exchange admin center, go to Recipients > Migration. On the
migration dashboard, select the batch, and then click Start.

If a migration batch starts successfully, its status on the migration dashboard
changes to Syncing.

Verify the migration step worked:

You'll be able to follow the sync status in the migration dashboard. If there is an issue,
you can view a log file that gives you more information about the errors.

You can also verify that the users get created in the Microsoft 365 admin center as the
migration proceeds.
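Creating, starting and watching a batch, and the last-synced check this article asks for before a batch is deleted (see Delete the staged migration batch below), can all be scripted. The block below is an added example and not code from this article: it uploads a CSV as a new staged batch, starts it, polls until the status leaves Syncing, pulls the per-user error text that the EAC exposes as a log file, and wraps Remove-MigrationBatch in a guard that refuses to delete a batch whose last sync predates your MX change. The endpoint name, CSV path, batch name and MX change time are placeholders; run it in Exchange Online PowerShell.

```powershell
# Added example, not from the article: one staged batch from creation to safe deletion.
$csvPath      = 'C:\migration\batch1.csv'   # placeholder; a CSV in the format described above
$batchName    = 'StagedBatch1'
$endpointName = 'StagedEndpoint'            # the endpoint created in the previous section

# Upload the file as raw bytes so the UTF-8 content reaches the service unchanged.
$batch = New-MigrationBatch -Name $batchName -SourceEndpoint $endpointName `
    -CSVData ([System.IO.File]::ReadAllBytes($csvPath))
Start-MigrationBatch -Identity $batch.Identity

# Poll until the batch is no longer Created/Syncing. The counts are what the migration dashboard shows.
do {
    Start-Sleep -Seconds 300
    $b = Get-MigrationBatch -Identity $batch.Identity
    '{0:u}  {1,-10} total={2} synced={3} failed={4}' -f (Get-Date), $b.Status, $b.TotalCount, $b.SyncedCount, $b.FailedCount
} while ($b.Status -in 'Created', 'Syncing')

# Per-user failures with the last message from the migration report (the report fields are assumed
# from the Get-MigrationUserStatistics output; adjust if your tenant shows different property names).
Get-MigrationUser -BatchId $batch.Identity -Status Failed |
    Get-MigrationUserStatistics -IncludeReport |
    Select-Object Identity, Error,
        @{n='LastFailure'; e={ $_.Report.Failures | Select-Object -Last 1 -ExpandProperty Message }}

# Deletion guard: the article requires at least one sync after mail started flowing to Microsoft 365,
# otherwise mail that arrived on-premises in the gap is never copied to the cloud mailbox.
function Remove-StagedBatchIfSafe {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][datetime]$MxChangedAt   # when you repointed the MX record (you supply it)
    )
    $b = Get-MigrationBatch -Identity $Identity
    if (-not $b.LastSyncedDateTime -or $b.LastSyncedDateTime -le $MxChangedAt) {
        Write-Warning "$Identity last synced at '$($b.LastSyncedDateTime)', not after the MX change at $MxChangedAt; wait for another sync"
        return
    }
    Remove-MigrationBatch -Identity $Identity -Confirm:$false
}

# Usage, after the MX record has pointed at Microsoft 365 for at least 72 hours:
# Remove-StagedBatchIfSafe -Identity $batchName -MxChangedAt (Get-Date '2023-03-01T09:00:00Z')
```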

Convert on-premises mailboxes to mail-enabled users so that migrated users can get to
their email
After you have successfully migrated a batch of mailboxes, you need some way to let
users get to their mail. A user whose mailbox has been migrated now has both a
mailbox on-premises and one in Microsoft 365 or Office 365. Users who have a mailbox
in Microsoft 365 or Office 365 will stop receiving new mail in their on-premises mailbox.

Because you are not done with your migrations, you are not yet ready to direct all users
to Microsoft 365 or Office 365 for their email. So what do you do for those people who
have both? What you can do is change the on-premises mailboxes that you've already
migrated to mail-enabled users. When you change from a mailbox to a mail-enabled
user, you can direct the user to Microsoft 365 or Office 365 for their email instead of
going to their on-premises mailbox.

Another important reason to convert on-premises mailboxes to mail-enabled users is to
retain proxy addresses from the Exchange Online mailboxes by copying proxy addresses
to the mail-enabled users. This lets you manage cloud-based users from your on-
premises organization by using Active Directory. Also, if you decide to decommission
your on-premises Exchange organization after all mailboxes are migrated to Exchange
Online, the proxy addresses you've copied to the mail-enabled users will remain in your
on-premises Active Directory.

For more information and to download scripts that you can run to convert mailboxes to
mail-enabled users, see the following:

Convert Exchange 2007 mailboxes to mail-enabled users

Convert Exchange 2003 mailboxes to mail-enabled users

Optional: Repeat migration steps


You can run batches simultaneously or one by one. Do what is convenient for your
schedule and ability to help people as they complete their migration. Remember, each
migration batch has a limit of 2,000 mailboxes.

When you're done migrating everyone to Microsoft 365 or Office 365, you'll be ready to
start sending email directly to Microsoft 365 or Office 365 and decommissioning your
old email system.

Optional: Reduce email delays


You don't need to do this task, but if you skip it, it might take longer for email to start
showing up in the new Microsoft 365 or Office 365 mailboxes.

When people outside of your organization send you email, their email systems don't
double-check where to send that email every time. Instead, their systems save the
location of your email system based on a setting in your DNS server known as a time-
to-live (TTL). If you change the location of your email system before the TTL expires,
they'll try to send you email at the old location first before figuring out that the location
changed. This can result in a mail delivery delay. One way to avoid this is to lower the
TTL that your DNS server gives to servers outside of your organization. This will make
the other organizations refresh the location of your email system more often.

Using a short interval, such as 3,600 seconds (one hour) or less, means that most email
systems will ask for an updated location every hour. We recommend that you set the
interval at least this low before you start the email migration. This allows all the systems
that send you email enough time to process the change. Then, when you make the final
switch over to Office 365, you can change the TTL back to a longer interval.

The place to change the TTL setting is on your email system's mail exchanger record, also
called an MX record. This lives on your public facing DNS system. If you have more than
one MX record, you need to change the value on each record to 3,600 or less.

If you need some help configuring your DNS settings, go to our Create DNS records at
any DNS hosting provider.

Route your email directly to Microsoft 365 or Office 365
Email systems use a DNS record called an MX record to figure out where to deliver
emails. During the email migration process, your MX record was pointing to your on-
premises email system. Now that the email migration to Microsoft 365 or Office 365 is
complete for all of your users, it's time to point your MX record to Microsoft 365 or
Office 365. This helps ensure that incoming email is delivered to your Microsoft 365 or
Office 365 mailboxes. Moving the MX record also lets you turn off your old email system
when you are ready.

For many DNS providers, we have host-specific instructions. If your DNS provider isn't
included, or you want to get a sense of the general directions, we've provided general
MX record instructions as well.

It can take up to 72 hours for the email systems of your customers and partners to
recognize the changed MX record. Wait at least 72 hours before you proceed to the next
task.

Delete the staged migration batch


After you change the MX record and verify that all email is being routed to Microsoft
365 or Office 365 mailboxes, you can delete the staged migration batches. Verify the
following before you delete a migration batch:

All users in the batch are using their Microsoft 365 or Office 365 mailboxes. After
the batch is deleted, mail sent to mailboxes on the on-premises Exchange Server
isn't copied to the corresponding Microsoft 365 or Office 365 mailboxes.

Microsoft 365 or Office 365 mailboxes were synchronized at least once after mail
began being sent directly to them. To check this, make sure that the value in the Last
Synced Time box for the migration batch is more recent than when mail started
being routed directly to Microsoft 365 or Office 365 mailboxes.

When you delete a staged migration batch, the migration service cleans up any records
related to the migration batch and then deletes the migration batch. The batch is
removed from the list of migration batches on the migration dashboard.

To delete the staged migration batch:

1. In the new Exchange admin center, go to Migration > Batch. On the migration
dashboard, select the batch, and then click Delete.

2. In the Classic Exchange admin center, go to Recipients > Migration. On the
migration dashboard, select the batch, and then click Delete.

Complete post migration tasks


After migrating mailboxes to Microsoft 365 or Office 365, there are post-migration tasks
that must be completed.

To complete post-migration tasks:

1. Activate user accounts for the migrated accounts by assigning licenses: If you
don't assign a license, the mailbox is disabled when the grace period (30 days)
ends. To assign a license in the Microsoft 365 admin center, see Add users
individually or in bulk.

2. Create an Autodiscover DNS record so users can easily get to their mailboxes:
After all on-premises mailboxes are migrated to Microsoft 365 or Office 365, you
can configure an Autodiscover DNS record for your Microsoft 365 or Office 365
organization to enable users to easily connect to their new Microsoft 365 or Office
365 mailboxes with Outlook and mobile clients. This new Autodiscover DNS record
has to use the same namespace that you're using for your Microsoft 365 or Office
365 organization. For example, if your cloud-based namespace is
cloud.contoso.com, the Autodiscover DNS record you need to create is
autodiscover.cloud.contoso.com.

Microsoft 365 or Office 365 uses a CNAME record to implement the Autodiscover
service for Outlook and mobile clients. The Autodiscover CNAME record must
contain the following information:

Alias: autodiscover

Target: autodiscover.outlook.com

For more information, see Add DNS records to connect your domain.

3. Decommission on-premises Exchange servers: After you've verified that all email
is being routed directly to the Microsoft 365 or Office 365 mailboxes, have
completed the migration, and no longer need to maintain your on-premises email
organization, you can uninstall Exchange.

For more information, see the following:

How to Remove an Exchange 2007 Organization

How to Uninstall Exchange Server 2003

Note

Decommissioning Exchange can have unintended consequences. Before
decommissioning your on-premises Exchange organization, we recommend
that you contact Microsoft Support.
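Three of the steps in this article depend on what public DNS actually says rather than on what you typed into the hosting provider's console: the MX TTL must be at or below 3,600 seconds before the migration starts (Optional: Reduce email delays), the MX record must point at Microsoft 365 after the cutover (Route your email directly to Microsoft 365 or Office 365), and autodiscover.<domain> must be a CNAME to autodiscover.outlook.com (post-migration task 2). The function below is an added example, not part of this article: it checks those three conditions from outside your network using Resolve-DnsName from the Windows DnsClient module. The domain name and the expected MX host suffix are assumptions; take the real MX target from the DNS records page your tenant shows you.

```powershell
# Added example, not from the article: verify the public DNS state for each migration phase.
function Test-MailCutoverDns {
    param(
        [string]$Domain = 'contoso.com',                               # placeholder
        [ValidateSet('PreCutover', 'PostCutover')][string]$Phase = 'PreCutover',
        [string]$ExpectedMxSuffix = '.mail.protection.outlook.com',    # assumed Microsoft 365 MX host pattern
        [string]$PublicResolver = '1.1.1.1'                            # used only to find your authoritative servers
    )
    $findings = @()

    # Query an authoritative name server, not a recursive resolver: a resolver reports the *remaining*
    # cached TTL, which understates the value outside senders are told and hides a TTL that is still too long.
    $ns = Resolve-DnsName -Name $Domain -Type NS -Server $PublicResolver -DnsOnly -ErrorAction Stop |
          Where-Object QueryType -eq 'NS' | Select-Object -First 1 -ExpandProperty NameHost
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $ns -DnsOnly -ErrorAction Stop |
            Where-Object QueryType -eq 'MX')
    if ($mx.Count -eq 0) { $findings += "No MX record for $Domain at $ns" }

    foreach ($r in $mx) {
        'MX  pref={0,-3} ttl={1,-6} {2}' -f $r.Preference, $r.TTL, $r.NameExchange
        if ($Phase -eq 'PreCutover' -and $r.TTL -gt 3600) {
            $findings += "MX $($r.NameExchange) has TTL $($r.TTL)s; lower it to 3600 or less before you start migrating"
        }
        if ($Phase -eq 'PostCutover' -and $r.NameExchange -notlike "*$ExpectedMxSuffix") {
            $findings += "MX $($r.NameExchange) still points at the old mail system"
        }
    }

    if ($Phase -eq 'PostCutover') {
        # Post-migration task 2: autodiscover.<domain> CNAME -> autodiscover.outlook.com
        $cname = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
        if (-not $cname -or $cname.NameHost -ne 'autodiscover.outlook.com') {
            $findings += "autodiscover.$Domain is not a CNAME to autodiscover.outlook.com (got '$($cname.NameHost)')"
        }
    }
    return ,$findings
}

# Usage: Test-MailCutoverDns -Domain contoso.com -Phase PreCutover    (an empty result means nothing to fix)
#        Test-MailCutoverDns -Domain contoso.com -Phase PostCutover
```

Run the PreCutover check once the TTL change has had time to propagate (the old, longer TTL governs how long that takes) and the PostCutover check 72 hours after the MX change, before you delete the migration batches.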

See also
What you need to know about a staged email migration to Microsoft 365 or Office 365

Ways to migrate email to Microsoft 365 or Office 365


Convert Exchange 2007 mailboxes to
mail-enabled users in Exchange Online
Article • 02/22/2023

After you've completed a staged migration, convert the on-premises mailboxes to mail-
enabled users so the on-premises users can automatically connect to their cloud
mailboxes.

Why convert mailboxes to mail-enabled users?


You need to convert the migrated on-premises mailboxes to mail-enabled users (MEUs)
so you can manage cloud-based users from your on-premises organization using Active
Directory.

Two things happen after a mailbox is migrated to the cloud in a staged Exchange
migration:

A user has an on-premises mailbox and a cloud mailbox.

Mail sent to the user's on-premises mailbox is forwarded to their cloud mailbox.
This happens because during the migration process, the TargetAddress property
on the on-premises mailbox contains the remote routing address of the cloud
mailbox. Users need to connect to their cloud mailboxes to access their e-mail.

This behavior results in the following issues:

The user won't be able to connect to their cloud mailbox in Microsoft Outlook. The
Autodiscover service in the on-premises organization still tries to connect to their
on-premises mailbox. You can't point your on-premises Autodiscover CNAME
record to the cloud until all users have been migrated.

Messaging-related user information on cloud mailboxes is lost if you
decommission Exchange after all mailboxes have been migrated to the cloud.
Directory synchronization removes data from the cloud mailbox object (for
example, proxy addresses), because the on-premises mailbox no longer exists and
directory synchronization can't match the data to the corresponding cloud
mailbox.

The solution is to convert the user's on-premises mailbox to a mail-enabled user (MEU)
after the mailbox has been migrated to the cloud. When you convert an on-premises
mailbox to an MEU, the following actions occur:
The proxy addresses from the cloud-based mailbox are copied to the new MEU. If
you decommission Exchange, these proxy addresses are still retained in Active
Directory.
The properties of the MEU enable directory synchronization to match the MEU
with its corresponding cloud mailbox.
The Autodiscover service uses the MEU to connect Outlook to the cloud mailbox
after the user creates a new Outlook profile.

PowerShell scripts to create MEUs


Use the scripts in this section to collect information about the cloud-based mailboxes,
and to convert the Exchange 2007 mailboxes to MEUs.

The PowerShell script collects information from your cloud mailboxes and saves it to a
CSV file. Run this script first.

Copy the script into Notepad and save the file as ExportO365UserInfo.ps1.

Note

Before you run the PowerShell script, you need to install the Exchange Online
PowerShell module. For instructions, see Install and maintain the Exchange
Online PowerShell module. The module uses modern authentication.

Typically, you can use the script as-is if your organization is Microsoft 365 or
Microsoft 365 GCC. If your organization is Office 365 Germany, Microsoft 365
GCC High, or Microsoft 365 DoD, you need to edit the Connect-ExchangeOnline
line in the script. Specifically, you need to use the ExchangeEnvironmentName
parameter and the appropriate value for your organization type. For more
information, see the examples in Connect to Exchange Online PowerShell.

PowerShell

Param($migrationCSVFileName = "migration.csv")
function O365Logon
{
    #Check for current open O365 sessions and allow the admin to either use the existing session or create a new one
    $session = Get-PSSession | ?{$_.ConfigurationName -eq 'Microsoft.Exchange'}
    if($session -ne $null)
    {
        $a = Read-Host "An open session to Exchange Online PowerShell already exists. Do you want to use this session? Enter y to use the open session, anything else to close and open a fresh session."
        if($a.ToLower() -eq 'y')
        {
            Write-Host "Using existing Exchange Online Powershell session." -ForeGroundColor Green
            return
        }
        Disconnect-ExchangeOnline -Confirm:$false
    }
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -Prefix "Cloud"
}
function Main
{
    #Verify the migration CSV file exists
    if(!(Test-Path $migrationCSVFileName))
    {
        Write-Host "File $migrationCSVFileName does not exist." -ForegroundColor Red
        Exit
    }
    #Import user list from migration.csv file
    $MigrationCSV = Import-Csv $migrationCSVFileName

    #Get mailbox list based on email addresses from CSV file
    $MailBoxList = $MigrationCSV | %{$_.EmailAddress} | Get-CloudMailbox
    $Users = @()

    #Get LegacyDN, Tenant, and On-Premises Email addresses for the users
    foreach($user in $MailBoxList)
    {
        $UserInfo = New-Object System.Object

        $CloudEmailAddress = $user.EmailAddresses | ?{($_ -match 'onmicrosoft') -and ($_ -match 'smtp:')}
        if ($CloudEmailAddress.Count -gt 1)
        {
            $CloudEmailAddress = $CloudEmailAddress[0].ToString().ToLower().Replace('smtp:', '')
            Write-Host "$user returned more than one cloud email address. Using $CloudEmailAddress" -ForegroundColor Yellow
        }
        else
        {
            $CloudEmailAddress = $CloudEmailAddress.ToString().ToLower().Replace('smtp:', '')
        }

        $UserInfo | Add-Member -Type NoteProperty -Name LegacyExchangeDN -Value $user.LegacyExchangeDN
        $UserInfo | Add-Member -Type NoteProperty -Name CloudEmailAddress -Value $CloudEmailAddress
        $UserInfo | Add-Member -Type NoteProperty -Name OnPremiseEmailAddress -Value $user.PrimarySMTPAddress.ToString()
        $UserInfo | Add-Member -Type NoteProperty -Name MailboxGUID -Value $user.ExchangeGUID
        $Users += $UserInfo
    }
    #Check for existing csv file and overwrite if needed
    if(Test-Path ".\cloud.csv")
    {
        $delete = Read-Host "The file cloud.csv already exists in the current directory. Do you want to delete it? Enter y to delete, anything else to exit this script."
        if($delete.ToString().ToLower() -eq 'y')
        {
            Write-Host "Deleting existing cloud.csv file" -ForeGroundColor Red
            Remove-Item ".\cloud.csv"
        }
        else
        {
            Write-Host "Will NOT delete current cloud.csv file. Exiting script." -ForeGroundColor Green
            Exit
        }
    }
    $Users | Export-CSV -Path ".\cloud.csv" -notype
    (Get-Content ".\cloud.csv") | %{$_ -replace '"', ''} | Set-Content ".\cloud.csv" -Encoding Unicode
    Write-Host "CSV File Successfully Exported to cloud.csv" -ForeGroundColor Green
}
O365Logon
Main

The second PowerShell script converts on-premises Exchange 2007 mailboxes to MEUs. Run
this script after you run the first script to collect information from the cloud
mailboxes.

Copy the script into Notepad and save the file as Exchange2007MBtoMEU.ps1.

PowerShell

param($DomainController = [String]::Empty)
function Main
{
    #Script Logic flow
    #1. Pull User Info from cloud.csv file in the current directory
    #2. Lookup AD Info (DN, mail, proxyAddresses, and legacyExchangeDN) using the SMTP address from the CSV file
    #3. Save existing proxyAddresses
    #4. Add existing legacyExchangeDN's to proxyAddresses
    #5. Delete Mailbox
    #6. Mail-Enable the user using the cloud email address as the targetAddress
    #7. Disable RUS processing
    #8. Add proxyAddresses and mail attribute back to the object
    #9. Add msExchMailboxGUID from cloud.csv to the user object (for offboarding support)

    if($DomainController -eq [String]::Empty)
    {
        Write-Host "You must supply a value for the -DomainController switch" -ForegroundColor Red
        Exit
    }

    $CSVInfo = Import-Csv ".\cloud.csv"

    foreach($User in $CSVInfo)
    {
        Write-Host "Processing user" $User.OnPremiseEmailAddress -ForegroundColor Green
        Write-Host "Calling LookupADInformationFromSMTPAddress" -ForegroundColor Green
        $UserInfo = LookupADInformationFromSMTPAddress($User)

        #Check existing proxies for On-Premises and Cloud Legacy DN's as x500 proxies. If not present add them.
        if($UserInfo.ProxyAddresses -notcontains ("X500:"+$UserInfo.CloudLegacyDN))
        {
            $X500Proxy = "x500:" + $UserInfo.CloudLegacyDN
            Write-Host "Adding $X500Proxy to EmailAddresses" -ForegroundColor Green
            $UserInfo.ProxyAddresses.Add($X500Proxy)
        }
        if($UserInfo.ProxyAddresses -notcontains ("X500:"+$UserInfo.LegacyDN))
        {
            $X500Proxy = "x500:" + $UserInfo.LegacyDN
            Write-Host "Adding $X500Proxy to EmailAddresses" -ForegroundColor Green
            $UserInfo.ProxyAddresses.Add($X500Proxy)
        }

        #Disable Mailbox
        Write-Host "Disabling Mailbox" -ForegroundColor Green
        Disable-Mailbox -Identity $UserInfo.OnPremiseEmailAddress -DomainController $DomainController -Confirm:$false

        #Mail Enable
        Write-Host "Enabling Mailbox" -ForegroundColor Green
        Enable-MailUser -Identity $UserInfo.Identity -ExternalEmailAddress $UserInfo.CloudEmailAddress -DomainController $DomainController

        #Disable RUS
        Write-Host "Disabling RUS" -ForegroundColor Green
        Set-MailUser -Identity $UserInfo.Identity -EmailAddressPolicyEnabled $false -DomainController $DomainController

        #Add Proxies and Mail
        Write-Host "Adding EmailAddresses and WindowsEmailAddress" -ForegroundColor Green
        Set-MailUser -Identity $UserInfo.Identity -EmailAddresses $UserInfo.ProxyAddresses -WindowsEmailAddress $UserInfo.Mail -DomainController $DomainController

        #Set Mailbox GUID. Need to do this via S.DS as Set-MailUser doesn't expose this property.
        $ADPath = "LDAP://" + $DomainController + "/" + $UserInfo.DistinguishedName
        $ADUser = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ADPath
        $MailboxGUID = New-Object -TypeName System.Guid -ArgumentList $UserInfo.MailboxGUID
        [Void]$ADUser.psbase.invokeset('msExchMailboxGUID',$MailboxGUID.ToByteArray())
        Write-Host "Setting Mailbox GUID" $UserInfo.MailboxGUID -ForegroundColor Green
        $ADUser.psbase.CommitChanges()

        Write-Host "Migration Complete for" $UserInfo.OnPremiseEmailAddress -ForegroundColor Green
        Write-Host ""
        Write-Host ""
    }
}

function LookupADInformationFromSMTPAddress($CSV)
{
    $Mailbox = Get-Mailbox $CSV.OnPremiseEmailAddress -ErrorAction SilentlyContinue

    if($Mailbox -eq $null)
    {
        Write-Host "Get-Mailbox failed for" $CSV.OnPremiseEmailAddress -ForegroundColor Red
        #continue is not scoped to this function: it propagates to the foreach loop in Main and skips this user
        continue
    }

    $UserInfo = New-Object System.Object

    $UserInfo | Add-Member -Type NoteProperty -Name OnPremiseEmailAddress -Value $CSV.OnPremiseEmailAddress
    $UserInfo | Add-Member -Type NoteProperty -Name CloudEmailAddress -Value $CSV.CloudEmailAddress
    $UserInfo | Add-Member -Type NoteProperty -Name CloudLegacyDN -Value $CSV.LegacyExchangeDN
    $UserInfo | Add-Member -Type NoteProperty -Name LegacyDN -Value $Mailbox.LegacyExchangeDN
    $ProxyAddresses = New-Object Microsoft.Exchange.Data.ProxyAddressCollection
    $ProxyAddresses = $Mailbox.EmailAddresses
    $UserInfo | Add-Member -Type NoteProperty -Name ProxyAddresses -Value $ProxyAddresses
    $UserInfo | Add-Member -Type NoteProperty -Name Mail -Value $Mailbox.WindowsEmailAddress
    $UserInfo | Add-Member -Type NoteProperty -Name MailboxGUID -Value $CSV.MailboxGUID
    $UserInfo | Add-Member -Type NoteProperty -Name Identity -Value $Mailbox.Identity
    $UserInfo | Add-Member -Type NoteProperty -Name DistinguishedName -Value (Get-User $Mailbox.Identity).DistinguishedName

    $UserInfo
}
Main

Setup steps to convert on-premises mailboxes to MEUs

Follow these steps to complete the process.

1. Copy ExportO365UserInfo.ps1, Exchange2007MBtoMEU.ps1, and the CSV file used to run the migration batch to the same directory in your on-premises server.

2. Rename the migration CSV file to migration.csv.

3. In the Exchange Management Shell, run the following command. The script
assumes that the CSV file is in the same directory and is named migration.csv.

PowerShell

.\ExportO365UserInfo.ps1

You will be prompted to use the existing session or open a new session.

4. Type n and press Enter to open a new session.

The script runs and then saves the Cloud.csv file to the current working directory.

5. Enter the administrator credentials for your cloud-based organization and then
click OK.

6. Run the following command in a new Exchange Management Shell session. This command assumes that Exchange2007MBtoMEU.ps1 and Cloud.csv are located in the same directory.

PowerShell

.\Exchange2007MBtoMEU.ps1 <FQDN of on-premises domain controller>

For example:

PowerShell

.\Exchange2007MBtoMEU.ps1 DC1.contoso.com

The script converts on-premises mailboxes to MEUs for all users included in the
Cloud.csv.

7. Verify that the new MEUs have been created. In Active Directory Users and
Computers, do the following steps:

a. Click Action > Find.

b. Click the Exchange tab.

c. Select Show only Exchange recipients, and then select Users with external
email address.

d. Click Find Now.

The mailboxes that were converted to MEUs are listed under Search results.

8. Use Active Directory Users and Computers, ADSI Edit, or Ldp.exe to verify that
the following MEU properties are populated with the correct information.

legacyExchangeDN
mail
msExchMailboxGuid
proxyAddresses
targetAddress

Convert Exchange 2003 mailboxes to mail-enabled users in Exchange Online
Article • 02/22/2023

After you've completed a staged migration, convert the on-premises mailboxes to mail-
enabled users so the on-premises users can automatically connect to their cloud
mailboxes.

Why convert mailboxes to mail-enabled users?

You need to convert the migrated on-premises mailboxes to mail-enabled users (MEUs)
so you can manage cloud-based users from your on-premises organization using Active
Directory.

This article includes a PowerShell script that collects information from the cloud-based mailboxes, and a Visual Basic (VB) script that converts Exchange 2003 mailboxes to MEUs. When you run this script, the proxy addresses from the cloud-based mailbox are copied to the MEU, which resides in Active Directory. The properties of the MEU enable directory synchronization to match the MEU with its corresponding cloud mailbox.

We recommend that you convert on-premises mailboxes to MEUs one migration batch at a time. After a staged Exchange migration batch has finished, you've verified that all mailboxes in the batch were successfully migrated, and the initial synchronization of mailbox items to the cloud is complete, convert the mailboxes in the migration batch to MEUs.

PowerShell script to collect data from cloud mailboxes

Use the scripts in this section to collect information about the cloud-based mailboxes,
and to convert the Exchange 2003 mailboxes to MEUs.

The PowerShell script collects information from your cloud mailboxes and saves it to a
CSV file. Run this script first.

Copy the script into Notepad and save the file as ExportO365UserInfo.ps1.

Note

Before you run the script, you need to install the Exchange Online PowerShell module. For instructions, see Install and maintain the Exchange Online PowerShell module. The module uses modern authentication.

Typically, you can use the script as-is if your organization is Microsoft 365 or Microsoft 365 GCC. If your organization is Office 365 Germany, Microsoft 365 GCC High, or Microsoft 365 DoD, you need to edit the Connect-ExchangeOnline line in the script. Specifically, you need to use the ExchangeEnvironmentName parameter and the appropriate value for your organization. For more information, see the examples in Connect to Exchange Online PowerShell.

PowerShell

Param($migrationCSVFileName = "migration.csv")
function O365Logon
{
    #Check for current open O365 sessions and allow the admin to either use the existing session or create a new one
    $session = Get-PSSession | ?{$_.ConfigurationName -eq 'Microsoft.Exchange'}
    if($session -ne $null)
    {
        $a = Read-Host "An open session to Exchange Online PowerShell already exists. Do you want to use this session? Enter y to use the open session, anything else to close and open a fresh session."
        if($a.ToLower() -eq 'y')
        {
            Write-Host "Using existing Exchange Online Powershell Session." -ForeGroundColor Green
            return
        }
        Disconnect-ExchangeOnline -Confirm:$false
    }
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline
}
function Main
{
    #Verify the migration CSV file exists
    if(!(Test-Path $migrationCSVFileName))
    {
        Write-Host "File $migrationCSVFileName does not exist." -ForegroundColor Red
        Exit
    }
    #Import user list from migration.csv file
    $MigrationCSV = Import-Csv $migrationCSVFileName
    #Get mailbox list based on email addresses from CSV file
    $MailBoxList = $MigrationCSV | %{$_.EmailAddress} | Get-Mailbox
    $Users = @()
    #Get LegacyDN, Tenant, and On-Premises Email addresses for the users
    foreach($user in $MailBoxList)
    {
        $UserInfo = New-Object System.Object
        #-cmatch is case-sensitive on purpose: it selects the secondary ("smtp:") address in the onmicrosoft.com domain.
        #An onmicrosoft.com address that is the primary ("SMTP:") address is not matched.
        $CloudEmailAddress = $user.EmailAddresses | ?{($_ -match 'onmicrosoft') -and ($_ -cmatch 'smtp:')}
        if ($CloudEmailAddress.Count -gt 1)
        {
            $CloudEmailAddress = $CloudEmailAddress[0].ToString().ToLower().Replace('smtp:', '')
            Write-Host "$user returned more than one cloud email address. Using $CloudEmailAddress" -ForegroundColor Yellow
        }
        else
        {
            $CloudEmailAddress = $CloudEmailAddress.ToString().ToLower().Replace('smtp:', '')
        }
        $UserInfo | Add-Member -Type NoteProperty -Name LegacyExchangeDN -Value $user.LegacyExchangeDN
        $UserInfo | Add-Member -Type NoteProperty -Name CloudEmailAddress -Value $CloudEmailAddress
        $UserInfo | Add-Member -Type NoteProperty -Name OnPremiseEmailAddress -Value $user.PrimarySMTPAddress.ToString()
        $Users += $UserInfo
    }
    #Check for existing csv file and overwrite if needed
    if(Test-Path ".\cloud.csv")
    {
        $delete = Read-Host "The file cloud.csv already exists in the current directory. Do you want to delete it? Enter y to delete, anything else to exit this script."
        if($delete.ToString().ToLower() -eq 'y')
        {
            Write-Host "Deleting existing cloud.csv file" -ForeGroundColor Red
            Remove-Item ".\cloud.csv"
        }
        else
        {
            Write-Host "Will NOT delete current cloud.csv file. Exiting script." -ForeGroundColor Green
            Exit
        }
    }
    #Write the file as Unicode: the VBScript opens it with the Unicode flag (-1) in OpenTextFile
    $Users | Export-CSV -Path ".\cloud.csv" -notype
    (Get-Content ".\cloud.csv") | %{$_ -replace '"', ''} | Set-Content ".\cloud.csv" -Encoding Unicode
    Write-Host "CSV File Successfully Exported to cloud.csv" -ForeGroundColor Green
}
O365Logon
Main

The Visual Basic script converts on-premises Exchange 2003 mailboxes to MEUs. Run
this script after you run the PowerShell script to collect information from the cloud
mailboxes.

Copy the script into Notepad and save the file as Exchange2003MBtoMEU.vbs.

VB.net

'Globals/Constants
Const ADS_PROPERTY_APPEND = 3
Dim UserDN
Dim remoteSMTPAddress
Dim remoteLegacyDN
Dim domainController
Dim csvMode
csvMode = FALSE
Dim csvFileName
Dim lastADLookupFailed

Class UserInfo
    public OnPremiseEmailAddress
    public CloudEmailAddress
    public CloudLegacyDN
    public LegacyDN
    public ProxyAddresses
    public Mail
    public MailboxGUID
    public DistinguishedName
    Public Sub Class_Initialize()
        'ProxyAddresses is a Dictionary keyed by position (1, 2, 3, ...)
        Set ProxyAddresses = CreateObject("Scripting.Dictionary")
    End Sub
End Class

'Command Line Parameters
If WScript.Arguments.Count = 0 Then
    'No parameters passed
    WScript.Echo("No parameters were passed.")
    ShowHelp()
ElseIf StrComp(WScript.Arguments(0), "-c", vbTextCompare) = 0 And WScript.Arguments.Count = 2 Then
    WScript.Echo("Missing DC Name.")
    ShowHelp()
ElseIf StrComp(WScript.Arguments(0), "-c", vbTextCompare) = 0 Then
    'CSV Mode
    csvFileName = WScript.Arguments(1)
    domainController = WScript.Arguments(2)
    csvMode = TRUE
    WScript.Echo("CSV mode detected. Filename: " & WScript.Arguments(1) & vbCrLf)
ElseIf wscript.Arguments.Count <> 4 Then
    'Invalid Arguments
    WScript.Echo WScript.Arguments.Count
    Call ShowHelp()
Else
    'Manual Mode
    UserDN = wscript.Arguments(0)
    remoteSMTPAddress = wscript.Arguments(1)
    remoteLegacyDN = wscript.Arguments(2)
    domainController = wscript.Arguments(3)
End If
Main()

'Main entry point
Sub Main
    'Check for CSV Mode
    If csvMode = TRUE Then
        UserInfoArray = GetUserInfoFromCSVFile()
    Else
        WScript.Echo "Manual Mode Detected" & vbCrLf
        Set info = New UserInfo
        info.CloudEmailAddress = remoteSMTPAddress
        info.DistinguishedName = UserDN
        info.CloudLegacyDN = remoteLegacyDN
        ProcessSingleUser(info)
    End If
End Sub

'Process a single user (manual mode)
Sub ProcessSingleUser(ByRef UserInfo)
    userADSIPath = "LDAP://" & domainController & "/" & UserInfo.DistinguishedName
    WScript.Echo "Processing user " & userADSIPath
    Set MyUser = GetObject(userADSIPath)
    proxyCounter = 1
    For Each address in MyUser.Get("proxyAddresses")
        UserInfo.ProxyAddresses.Add proxyCounter, address
        proxyCounter = proxyCounter + 1
    Next
    UserInfo.OnPremiseEmailAddress = GetPrimarySMTPAddress(UserInfo.ProxyAddresses)
    UserInfo.Mail = MyUser.Get("mail")
    UserInfo.MailboxGUID = MyUser.Get("msExchMailboxGUID")
    UserInfo.LegacyDN = MyUser.Get("legacyExchangeDN")
    ProcessMailbox(UserInfo)
End Sub

'Populate user info from CSV data
Function GetUserInfoFromCSVFile()
    CSVInfo = ReadCSVFile()
    'Row 0 is the header written by ExportO365UserInfo.ps1; columns are LegacyExchangeDN, CloudEmailAddress, OnPremiseEmailAddress
    For i = 0 To (UBound(CSVInfo)-1)
        lastADLookupFailed = false
        Set info = New UserInfo
        info.CloudLegacyDN = Split(CSVInfo(i+1), ",")(0)
        info.CloudEmailAddress = Split(CSVInfo(i+1), ",")(1)
        info.OnPremiseEmailAddress = Split(CSVInfo(i+1), ",")(2)
        WScript.Echo "Processing user " & info.OnPremiseEmailAddress
        WScript.Echo "Calling LookupADInformationFromSMTPAddress"
        LookupADInformationFromSMTPAddress(info)
        If lastADLookupFailed = false Then
            WScript.Echo "Calling ProcessMailbox"
            ProcessMailbox(info)
        End If
        set info = nothing
    Next
End Function

'Populate user info from AD
Sub LookupADInformationFromSMTPAddress(ByRef info)
    'Lookup the rest of the info in AD using the SMTP address
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDomain = objRootDSE.Get("DefaultNamingContext")
    Set objRootDSE = nothing
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand = CreateObject("ADODB.Command")
    BaseDN = "<LDAP://" & domainController & "/" & strDomain & ">"
    'The address from the CSV is placed in the LDAP filter as-is, so the CSV must be the
    'trusted output of ExportO365UserInfo.ps1; a filter that matches more than one object is rejected below
    adFilter = "(&(proxyAddresses=SMTP:" & info.OnPremiseEmailAddress & "))"
    Attributes = "distinguishedName,msExchMailboxGUID,mail,proxyAddresses,legacyExchangeDN"
    Query = BaseDN & ";" & adFilter & ";" & Attributes & ";subtree"
    objCommand.CommandText = Query
    Set objCommand.ActiveConnection = objConnection
    On Error Resume Next
    Set objRecordSet = objCommand.Execute
    'Handle any errors that result from the query
    '(Exit Sub leaves the procedure; VBScript has no "return" statement)
    If Err.Number <> 0 Then
        WScript.Echo "Error encountered on query " & Query & ". Skipping user."
        lastADLookupFailed = true
        Exit Sub
    End If
    'Handle zero or ambiguous search results
    If objRecordSet.RecordCount = 0 Then
        WScript.Echo "No users found for address " & info.OnPremiseEmailAddress
        lastADLookupFailed = true
        Exit Sub
    ElseIf objRecordSet.RecordCount > 1 Then
        WScript.Echo "Ambiguous search results for email address " & info.OnPremiseEmailAddress
        lastADLookupFailed = true
        Exit Sub
    ElseIf Not objRecordSet.EOF Then
        info.LegacyDN = objRecordSet.Fields("legacyExchangeDN").Value
        info.Mail = objRecordSet.Fields("mail").Value
        info.MailboxGUID = objRecordSet.Fields("msExchMailboxGUID").Value
        proxyCounter = 1
        For Each address in objRecordSet.Fields("proxyAddresses").Value
            info.ProxyAddresses.Add proxyCounter, address
            proxyCounter = proxyCounter + 1
        Next
        info.DistinguishedName = objRecordSet.Fields("distinguishedName").Value
        objRecordSet.MoveNext
    End If
    Set objConnection = nothing
    Set objCommand = nothing
    Set objRecordSet = nothing
    On Error Goto 0
End Sub

'Populate data from the CSV file
Function ReadCSVFile()
    'Open file (ForReading = 1, TristateTrue = -1: the file is Unicode, as written by the PowerShell script)
    Set objFS = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFS.OpenTextFile(csvFileName, 1, false, -1)
    'Loop through each line, putting each line of the CSV file into an array to be returned to the caller
    counter = 0
    Dim CSVArray()
    Do While NOT objTextFile.AtEndOfStream
        ReDim Preserve CSVArray(counter)
        CSVArray(counter) = objTextFile.ReadLine
        counter = counter + 1
    Loop
    'Close and return
    objTextFile.Close
    Set objTextFile = nothing
    Set objFS = nothing
    ReadCSVFile = CSVArray
End Function

'Process the migration
Sub ProcessMailbox(User)
    'Get user properties
    userADSIPath = "LDAP://" & domainController & "/" & User.DistinguishedName
    Set MyUser = GetObject(userADSIPath)
    'Add x.500 address to list of existing proxies
    existingLegDnFound = FALSE
    newLegDnFound = FALSE
    'Loop through each address in User.ProxyAddresses
    For i = 1 To User.ProxyAddresses.Count
        address = User.ProxyAddresses(i)
        If StrComp(address, "x500:" & User.LegacyDN, vbTextCompare) = 0 Then
            WScript.Echo "x500 proxy " & User.LegacyDN & " already exists"
            existingLegDNFound = true
        End If
        If StrComp(address, "x500:" & User.CloudLegacyDN, vbTextCompare) = 0 Then
            WScript.Echo "x500 proxy " & User.CloudLegacyDN & " already exists"
            newLegDnFound = true
        End If
    Next
    'Add existing leg DN to proxy list
    If existingLegDnFound = FALSE Then
        WScript.Echo "Adding existing legacy DN " & User.LegacyDN & " to proxy addresses"
        User.ProxyAddresses.Add (User.ProxyAddresses.Count+1),("x500:" & User.LegacyDN)
    End If
    'Add new leg DN to proxy list
    If newLegDnFound = FALSE Then
        'Add new leg DN to proxy addresses
        WScript.Echo "Adding new legacy DN " & User.CloudLegacyDN & " to existing proxy addresses"
        User.ProxyAddresses.Add (User.ProxyAddresses.Count+1),("x500:" & User.CloudLegacyDN)
    End If
    'Dump out new list of addresses
    WScript.Echo "Original proxy addresses updated count: " & User.ProxyAddresses.Count
    For i = 1 to User.ProxyAddresses.Count
        WScript.Echo " proxyAddress " & i & ": " & User.ProxyAddresses(i)
    Next
    'Delete the Mailbox
    WScript.Echo "Opening " & userADSIPath & " as CDOEXM::IMailboxStore object"
    Set Mailbox = MyUser
    Wscript.Echo "Deleting Mailbox"
    On Error Resume Next
    Mailbox.DeleteMailbox
    'Handle any errors deleting the mailbox
    If Err.Number <> 0 Then
        WScript.Echo "Error " & Err.number & ". Skipping User." & vbCrLf & "Description: " & Err.Description & vbCrLf
        Exit Sub
    End If
    On Error Goto 0
    'Save and continue
    WScript.Echo "Saving Changes"
    MyUser.SetInfo
    WScript.Echo "Refreshing ADSI Cache"
    MyUser.GetInfo
    Set Mailbox = nothing
    'Mail Enable the User
    WScript.Echo "Opening " & userADSIPath & " as CDOEXM::IMailRecipient"
    Set MailUser = MyUser
    WScript.Echo "Mail Enabling user using targetAddress " & User.CloudEmailAddress
    MailUser.MailEnable User.CloudEmailAddress
    WScript.Echo "Disabling Recipient Update Service for user"
    MyUser.PutEx ADS_PROPERTY_APPEND, "msExchPoliciesExcluded", Array("{26491CFC-9E50-4857-861B-0CB8DF22B5D7}")
    WScript.Echo "Saving Changes"
    MyUser.SetInfo
    WScript.Echo "Refreshing ADSI Cache"
    MyUser.GetInfo
    'Add Legacy DN back on to the user
    WScript.Echo "Writing legacyExchangeDN as " & User.LegacyDN
    MyUser.Put "legacyExchangeDN", User.LegacyDN
    'Add old proxies list back on to the MEU
    WScript.Echo "Writing proxyAddresses back to the user"
    For j=1 To User.ProxyAddresses.Count
        MyUser.PutEx ADS_PROPERTY_APPEND, "proxyAddresses", Array(User.ProxyAddresses(j))
        MyUser.SetInfo
        MyUser.GetInfo
    Next
    'Add mail attribute back on to the MEU
    WScript.Echo "Writing mail attribute as " & User.Mail
    MyUser.Put "mail", User.Mail
    'Add msExchMailboxGUID back on to the MEU
    WScript.Echo "Converting mailbox GUID to writable format"
    Dim mbxGUIDByteArray
    Call ConvertHexStringToByteArray(OctetToHexString(User.MailboxGUID), mbxGUIDByteArray)
    WScript.Echo "Writing property msExchMailboxGUID to user object with value " & OctetToHexString(User.MailboxGUID)
    MyUser.Put "msExchMailboxGUID", mbxGUIDByteArray
    WScript.Echo "Saving Changes"
    MyUser.SetInfo
    WScript.Echo "Migration Complete!" & vbCrLf
End Sub

'Returns the primary SMTP address of a user
Function GetPrimarySMTPAddress(Addresses)
    'Addresses is a Scripting.Dictionary; For Each over the dictionary itself yields the
    'integer keys, so iterate the stored values instead
    For Each address in Addresses.Items
        If Left(address, 4) = "SMTP" Then GetPrimarySMTPAddress = address
    Next
End Function

'Converts Hex string to byte array for writing to AD
Sub ConvertHexStringToByteArray(ByVal strHexString, ByRef pByteArray)
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set Stream = CreateObject("ADODB.Stream")
    Temp = FSO.GetTempName()
    Set TS = FSO.CreateTextFile(Temp)
    For i = 1 To (Len (strHexString) -1) Step 2
        TS.Write Chr("&h" & Mid (strHexString, i, 2))
    Next
    TS.Close
    Stream.Type = 1
    Stream.Open
    Stream.LoadFromFile Temp
    pByteArray = Stream.Read
    Stream.Close
    FSO.DeleteFile Temp
    Set Stream = nothing
    Set FSO = Nothing
End Sub

'Converts raw bytes from AD GUID to readable string
Function OctetToHexString (arrbytOctet)
    OctetToHexString = ""
    For k = 1 To Lenb (arrbytOctet)
        OctetToHexString = OctetToHexString & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
    Next
End Function

Sub ShowHelp()
    WScript.Echo("This script runs in two modes, CSV Mode and Manual Mode." & vbCrLf & _
        "CSV Mode allows you to specify a CSV file from which to pull usernames." & vbCrLf & _
        "Manual mode allows you to run the script against a single user.")
    WSCript.Echo("Both modes require you to specify the name of a DC to use in the local domain." & vbCrLf & _
        "To run the script in CSV Mode, use the following syntax:")
    WScript.Echo(" cscript Exchange2003MBtoMEU.vbs -c x:\csv\csvfilename.csv dc.domain.com")
    WScript.Echo("To run the script in Manual Mode, you must specify the users AD Distinguished Name, " & _
        "Remote SMTP Address, Remote Legacy Exchange DN, and Domain Controller Name.")
    WSCript.Echo(" cscript Exchange2003MBtoMEU.vbs " & chr(34) & "CN=UserName,CN=Users,DC=domain,DC=com" & chr(34) & _
        " " & chr(34) & "user@cloudaddress.com" & chr(34) & " " & chr(34) & _
        "/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=CloudUser" & chr(34) & " dc.domain.com")
    WScript.Quit
End Sub

What do the scripts do?

ExportO365UserInfo.ps1
ExportO365UserInfo.ps1 is a PowerShell script that you run in your cloud-based organization to collect information about the cloud mailboxes that you migrated during the staged Exchange migration. It uses a CSV file to scope the batch of users. We recommend that you use the same migration CSV file that you used to migrate a batch of users.

When you run the ExportO365UserInfo script, the following actions occur:

The following properties are collected from the cloud mailboxes for users listed in
the input CSV file:
Primary SMTP address.
Primary SMTP address of the corresponding on-premises mailbox.
Other proxy addresses for the cloud mailbox.
LegacyExchangeDN
The collected properties are saved to a CSV file named Cloud.csv.

Exchange2003MBtoMEU.vbs
Exchange2003MBtoMEU.vbs is a VB script that you run in your on-premises Exchange
2003 organization to convert mailboxes to MEUs. It uses the Cloud.csv file that was
produced by the ExportO365UserInfo.ps1 PowerShell script.

When you run the Exchange2003MBtoMEU.vbs script, the following actions occur for each mailbox listed in the input CSV file:

Collects information from the input CSV file and from the on-premises mailbox.
Creates a list of proxy addresses from the on-premises and cloud mailbox to add
to the MEU.
Deletes the on-premises mailbox.
Creates a MEU with the following properties:

legacyExchangeDN: Value from the on-premises mailbox.

mail: The primary SMTP of the cloud mailbox.

msExchMailboxGuid: Value from the on-premises mailbox.

proxyAddresses: Values from both the on-premises mailbox and the cloud
mailbox.

targetAddress: Read from the on-premises mailbox; the value is the primary
SMTP of the cloud mailbox.

Important

To enable off-boarding from Exchange Online back to Exchange 2003, you need to replace the msExchMailboxGuid property value on the MEU with the GUID from the cloud-based mailbox. To get the GUID values for the cloud-based mailboxes and save them to a CSV file, run the following Exchange Online PowerShell command:

PowerShell

Get-Mailbox | Select PrimarySmtpAddress,Guid | Export-csv -Path .\guid.csv

This command extracts the primary SMTP address and Guid for all cloud mailboxes into the guid.csv file, and then saves this file to the current directory.
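The note above leaves the actual replacement of msExchMailboxGuid to the administrator. The PowerShell below is an added example, not part of the article or of the Microsoft scripts: it reads the rows guid.csv contains, converts each text GUID to the 16-byte form Active Directory stores (the same System.Guid.ToByteArray() call the Exchange 2007 conversion script uses), works out which MEUs still carry a different GUID, and performs the write only when -Apply is given, so a plain run is a dry run. The function names, user names and GUID values are constructed for the example; the Set-ADUser call assumes the ActiveDirectory module is available on a domain-joined machine, and the commented Get-ADUser line shows how the MEU records would be read in a real run.

```powershell
# Added example: replace msExchMailboxGuid on converted MEUs with the cloud mailbox GUID
# from guid.csv. Parsing, conversion and matching are pure functions; the single AD write
# is a -WhatIf dry run unless -Apply is passed. Assumes the ActiveDirectory module.

function ConvertTo-MailboxGuidBytes {
    # msExchMailboxGuid is stored as the 16-byte layout System.Guid.ToByteArray() produces,
    # which is also what the PowerShell conversion script hands to invokeset.
    param([string]$GuidText)
    return [guid]::Parse($GuidText).ToByteArray()
}

function ConvertFrom-MailboxGuidBytes {
    # Reverse of the above, for comparing what AD currently holds.
    param([byte[]]$Bytes)
    return (New-Object System.Guid -ArgumentList (,$Bytes)).ToString()
}

function Get-GuidUpdatePlan {
    # Joins guid.csv rows to MEUs on the primary SMTP address (case-insensitive) and keeps
    # only the users whose stored GUID still differs from the cloud GUID.
    param([object[]]$GuidCsvRows, [hashtable[]]$MeuRecords)
    $cloudGuidByAddress = @{}
    foreach ($row in $GuidCsvRows) { $cloudGuidByAddress[$row.PrimarySmtpAddress.ToLower()] = $row.Guid }
    $plan = @()
    foreach ($meu in $MeuRecords) {
        $cloudGuid = $cloudGuidByAddress[$meu.mail.ToLower()]
        if (-not $cloudGuid) { Write-Warning "No guid.csv row for $($meu.mail); skipping"; continue }
        $current = if ($meu.msExchMailboxGuid) { ConvertFrom-MailboxGuidBytes $meu.msExchMailboxGuid } else { '' }
        if ($current -ne ([guid]$cloudGuid).ToString()) {
            $plan += [pscustomobject]@{
                DistinguishedName = $meu.distinguishedName
                Mail              = $meu.mail
                CurrentGuid       = $current
                CloudGuid         = $cloudGuid
            }
        }
    }
    return ,$plan
}

function Set-MeuMailboxGuid {
    # Writes the cloud GUID. -WhatIf stays on unless -Apply is given, so the default run
    # only reports what would change.
    param([object[]]$Plan, [switch]$Apply)
    foreach ($item in $Plan) {
        $bytes = ConvertTo-MailboxGuidBytes $item.CloudGuid
        Set-ADUser -Identity $item.DistinguishedName -Replace @{ msExchMailboxGuid = $bytes } -WhatIf:(-not $Apply)
    }
}

# ---- constructed sample (made-up names and GUIDs) ----
# Real input: $guidRows = Import-Csv .\guid.csv   (the Get-Mailbox export from the note above)
$guidRows = @'
PrimarySmtpAddress,Guid
annb@contoso.com,1b4f9d2e-7c3a-4e0b-9a51-2f6d8e1c0a77
garthf@contoso.com,0e2c7a91-5d4b-4f3e-8b6a-9c1d2e3f4a55
'@ | ConvertFrom-Csv

# Real input: Get-ADUser -LDAPFilter '(targetAddress=*)' -Properties mail,msExchMailboxGuid, then
# copy DistinguishedName, mail and msExchMailboxGuid (a byte[]) into hashtables shaped like these.
$meus = @(
    @{ distinguishedName = 'CN=Ann Beebe,CN=Users,DC=contoso,DC=com'; mail = 'AnnB@contoso.com'
       msExchMailboxGuid = ConvertTo-MailboxGuidBytes 'a1a1a1a1-b2b2-c3c3-d4d4-e5e5e5e5e5e5' }   # still the on-premises GUID
    @{ distinguishedName = 'CN=Garth Fort,CN=Users,DC=contoso,DC=com'; mail = 'garthf@contoso.com'
       msExchMailboxGuid = ConvertTo-MailboxGuidBytes '0e2c7a91-5d4b-4f3e-8b6a-9c1d2e3f4a55' }   # already the cloud GUID
)

$plan = Get-GuidUpdatePlan -GuidCsvRows $guidRows -MeuRecords $meus
$plan | Format-Table Mail, CurrentGuid, CloudGuid -AutoSize
if (Get-Command Set-ADUser -ErrorAction SilentlyContinue) {
    Set-MeuMailboxGuid -Plan $plan          # add -Apply to perform the write
} else {
    Write-Host 'ActiveDirectory module not loaded; skipped the dry-run write'
}
```

Keeping the join and the comparison separate from the write means the plan can be reviewed (or exported) before anything is changed in the directory, and re-running after the write produces an empty plan, which doubles as the verification that every MEU now carries its cloud GUID.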

Instead of using the input CSV file to convert a batch of mailboxes, you can run the
Exchange2003MBtoMEU.vbs script in manual mode to convert one mailbox at a time. If
you choose this method, you need to provide the following input parameters:

The distinguished name (DN) of the on-premises mailbox.
The primary SMTP address of the cloud mailbox.
The Exchange Legacy DN for the cloud mailbox.
A domain controller name in your Exchange 2003 organization.

Steps to convert on-premises mailboxes to MEUs

1. Run ExportO365UserInfo.ps1 in your Exchange Online organization. Use the CSV
file for the migration batch as the input file. The script creates a CSV file named
Cloud.csv.

PowerShell

cd <location of the script>

.\ExportO365UserInfo.ps1 <CSV input file>

For example:

PowerShell

cd c:\data\scripts

.\ExportO365UserInfo.ps1 .\MigrationBatch1.csv

2. Copy Exchange2003MBtoMEU.vbs and Cloud.csv to the same directory in your on-premises organization.

3. In your on-premises organization, run the following command:

Visual Basic Script

cscript Exchange2003MBtoMEU.vbs -c .\Cloud.csv <FQDN of on-premises domain controller>

For example:

Visual Basic Script

cscript Exchange2003MBtoMEU.vbs -c .\Cloud.csv DC1.contoso.com

To run the script in manual mode, enter the following command. Use spaces
between each value.

Visual Basic Script

cscript Exchange2003MBtoMEU.vbs "<DN of on-premises mailbox>" "<Primary SMTP of cloud mailbox>" "<ExchangeLegacyDN of cloud mailbox>" <FQDN of on-premises domain controller>

For example:

Visual Basic Script

cscript Exchange2003MBtoMEU.vbs "CN=Ann Beebe,CN=Users,DC=contoso,DC=com" "annb@contoso.onmicrosoft.com" "/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d808d014cec5411ea6de1f70cc116e7b-annb" DC1.contoso.com

4. Verify that the new MEUs have been created. In Active Directory Users and
Computers, do the following steps:

a. Click Action > Find.

b. Click the Exchange tab.

c. Select Show only Exchange recipients, and then select Users with external
email address.

d. Click Find Now.

The mailboxes that were converted to MEUs are listed under Search results.

5. Use Active Directory Users and Computers, ADSI Edit, or Ldp.exe to verify that the following MEU properties are populated with the correct information:

legacyExchangeDN
mail
msExchMailboxGuid*
proxyAddresses
targetAddress

* As previously explained, the Exchange2003MBtoMEU.vbs script retains the msExchMailboxGuid value from the on-premises mailbox. To enable off-boarding from Microsoft 365 or Office 365 to Exchange 2003, you need to replace the msExchMailboxGuid property value on the MEU with the GUID from the cloud-based mailbox.
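Step 5 above (and step 8 of the Exchange 2007 procedure earlier on this page) asks you to confirm the MEU attributes by hand in Active Directory Users and Computers, ADSI Edit or Ldp.exe. The PowerShell below is an added example, not part of the article or of the Microsoft scripts: it turns the rules the "What do the scripts do?" section states into code (the cloud routing address is the secondary onmicrosoft.com address, proxyAddresses keeps the on-premises entries plus an x500 entry for each of the two legacyExchangeDN values, targetAddress is the cloud address, and exactly one SMTP: entry is primary), computes the attribute set a converted MEU should carry, and diffs it against what was read back from the directory. The function names, the on-premises legacyExchangeDN and the "actual" values are constructed for the example (the cloud legacyExchangeDN reuses the article's own sample); the commented Get-ADUser line shows where the real values come from, so the block itself runs offline.

```powershell
# Added example: compute the attributes a converted MEU should carry and diff them
# against what Active Directory actually holds. Runs offline on constructed data.

function Select-CloudRoutingAddress {
    # Same rule as ExportO365UserInfo.ps1: a secondary ("smtp:", lower case) address in the
    # onmicrosoft.com routing domain. Returns $null when none exists instead of failing
    # later on a .ToString() call against an empty result.
    param([string[]]$EmailAddresses)
    $candidates = @($EmailAddresses | Where-Object { ($_ -cmatch '^smtp:') -and ($_ -match 'onmicrosoft') })
    if ($candidates.Count -eq 0) { return $null }
    if ($candidates.Count -gt 1) { Write-Warning "More than one cloud address; using $($candidates[0])" }
    return $candidates[0].Substring(5).ToLower()   # strip the "smtp:" prefix
}

function Get-ExpectedMeuAttributes {
    # proxyAddresses = the on-premises proxies plus an x500 entry for each legacyExchangeDN,
    # added only when not already present (-eq is case-insensitive, matching the
    # StrComp(..., vbTextCompare) test in the VBScript). targetAddress = the cloud address.
    param(
        [string[]]$OnPremProxyAddresses,
        [string]$OnPremLegacyDN,
        [string]$CloudLegacyDN,
        [string]$CloudEmailAddress
    )
    $proxies = New-Object System.Collections.Generic.List[string]
    $proxies.AddRange([string[]]$OnPremProxyAddresses)
    foreach ($dn in @($OnPremLegacyDN, $CloudLegacyDN)) {
        $x500 = "x500:$dn"
        if (-not ($proxies | Where-Object { $_ -eq $x500 })) { $proxies.Add($x500) }
    }
    return @{
        proxyAddresses = $proxies.ToArray()
        targetAddress  = "SMTP:$CloudEmailAddress"
    }
}

function Test-MeuAttributes {
    # Returns one line per problem; an empty result means the MEU matches expectations.
    param([hashtable]$Expected, [hashtable]$Actual)
    $problems = New-Object System.Collections.Generic.List[string]
    foreach ($p in $Expected.proxyAddresses) {
        if (-not ($Actual.proxyAddresses | Where-Object { $_ -eq $p })) {
            $problems.Add("missing proxyAddress $p")
        }
    }
    # Exactly one upper-case SMTP: entry marks the primary address; any other count means
    # the proxy list was rewritten incorrectly.
    $primaries = @($Actual.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaries.Count -ne 1) {
        $problems.Add("expected exactly one primary SMTP: address, found $($primaries.Count)")
    }
    if ($Actual.targetAddress -ne $Expected.targetAddress) {
        $problems.Add("targetAddress is '$($Actual.targetAddress)', expected '$($Expected.targetAddress)'")
    }
    return $problems.ToArray()
}

# ---- constructed sample (not from a real tenant or forest) ----
$cloudMailboxAddresses = @('SMTP:annb@contoso.com', 'smtp:annb@contoso.onmicrosoft.com')
$cloudAddress = Select-CloudRoutingAddress -EmailAddresses $cloudMailboxAddresses

$expected = Get-ExpectedMeuAttributes `
    -OnPremProxyAddresses @('SMTP:annb@contoso.com', 'smtp:ann.beebe@contoso.com') `
    -OnPremLegacyDN '/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=annb' `
    -CloudLegacyDN '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d808d014cec5411ea6de1f70cc116e7b-annb' `
    -CloudEmailAddress $cloudAddress

# What a real check would read back:
#   $u = Get-ADUser -Identity 'CN=Ann Beebe,CN=Users,DC=contoso,DC=com' -Properties proxyAddresses,targetAddress
#   $actual = @{ proxyAddresses = [string[]]$u.proxyAddresses; targetAddress = [string]$u.targetAddress }
# Here the x500 entry for the cloud legacyExchangeDN is deliberately left out.
$actual = @{
    proxyAddresses = @('SMTP:annb@contoso.com', 'smtp:ann.beebe@contoso.com',
                       'X500:/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=annb')
    targetAddress  = 'SMTP:annb@contoso.onmicrosoft.com'
}

$findings = Test-MeuAttributes -Expected $expected -Actual $actual
if ($findings.Count -eq 0) { Write-Host 'MEU matches the expected attribute set' -ForegroundColor Green }
else { $findings | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red } }
```

Run over every row of Cloud.csv, this gives a per-user pass/fail list for a whole batch instead of a manual inspection of each object, and the same expected-set function can be applied before the conversion (against the mailbox's current proxyAddresses) to see which x500 entries the script will add.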

What you need to know about migrating your IMAP mailboxes to Microsoft 365 or Office 365
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be deprecated for worldwide customers. Microsoft recommends using the new Exchange Admin Center, if you are not already doing so.

While most features have been migrated to the new EAC, some have been migrated to other admin centers, and the remaining ones will soon be migrated to the new EAC. Find features that are not yet in the new EAC under Other Features, or use Global Search to navigate across the new EAC.

You can migrate the contents of user mailboxes from your source email system to
Microsoft 365 or Office 365. Use the Internet Message Access Protocol (IMAP) to
migrate email when:

Your source email system supports IMAP.

If this option won't work for you, see Ways to migrate email to Microsoft 365 or Office
365 for other options.

For Windows PowerShell steps, see Use PowerShell to perform an IMAP migration to
Microsoft 365 or Office 365.

Things to consider
Here are a few limitations to be aware of:

Microsoft's data migration tool is currently unaware of tools enforcing messaging records management (MRM) or archival policies. Because of this, any messages that are deleted or moved to archive by these policies will result in the migration process flagging these items as "missing". The result is perceived data loss rather than actual data loss, which makes it much harder to identify actual data loss during any content verification checks. Therefore, Microsoft strongly recommends disabling all MRM and archival policies before attempting any data migration to mailboxes.

You can only migrate items in a user's inbox or other mail folders. This type of
migration doesn't migrate contacts, calendar items, or tasks.

You can migrate a maximum of 500,000 items from a user's mailbox (emails are
migrated from newest to oldest).

The biggest email you can migrate is 35 MB.

If you limited the connections to your source email system, it's a good idea to
increase them to improve migration performance. Common connection limits
include client/server total connections, per-user connections, and IP address
connections on either the server or the firewall.

Impact of migration to users

To migrate email, you need access to the user mailboxes in your source email system. If
you know the user passwords or can access their mailboxes by using administrator
credentials, there won't be any impact to users until you shut down your source email
system.

If you can't access user mailboxes, you'll have to reset the passwords. This lets you
access the user mailboxes by using a new password that you know. If users don't know
the new passwords, they won't be able to get to their old mailboxes during or after the
email migration. You can distribute the new passwords after the migration if you want
users to get to their old mailboxes.

How does IMAP migration work?

The main steps you perform for an IMAP email migration are shown in the following
illustration.
These general steps apply whether you are migrating from Gmail or another IMAP
system.

1. First you have to create your users in Microsoft 365 or Office 365 and assign
licenses to them. The mailboxes have to exist in Microsoft 365 or Office 365 to use
IMAP migration.

2. Prepare your IMAP source email system and get the information you need to
migrate. If you plan to migrate your domain to Microsoft 365 or Office 365, verify
that you own your domain with your domain registrar.

Depending on which type of email service you are migrating from, you might need
to configure some settings or record the name of your email server or service to
use later. You also need to verify your domain in your domain registry system if
you have a custom domain.

3. Communicate changes to users.

It's a good idea to let users know about the email migration and how it impacts
them. Give users information about what tasks need to be done before, during,
and after migration.

4. Set up admin credentials or get or reset user email passwords.

To perform the migration, you need an administrator account that has permissions,
or the username and password to each mailbox.

5. If you are using the steps described in Migrate Google Apps mailboxes to
Microsoft 365 or Office 365 or Migrate other types of IMAP mailboxes to Microsoft
365 or Office 365, you will create a list of mailboxes to migrate (CSV file). These
migrations instructions start from the Exchange admin center, and you will need to
create a CSV file that lists the email addresses, usernames, and passwords for the
mailboxes you want to migrate.

You can also use the migrations page or setup instructions in the Admin center
preview to migrate from IMAP systems such as Gmail, Hotmail.com, or
Outlook.com. These steps are the best if you plan to migrate mail for only a few
users (less than 50). If you are migrating mail for more users, it is easier to use a
CSV file to enter all the information for the accounts.

6. Connect Microsoft 365 or Office 365 to the source email system.

To migrate email successfully, Microsoft 365 or Office 365 needs to connect and
communicate with the source email system. To do this, Microsoft 365 or Office 365
uses a migration endpoint, the settings that are used to create the connection.

7. Migrate mailboxes and then verify the migration.

To migrate mailboxes, you create a migration batch, and then start the migration.
After the migration batch is run, verify that the email was migrated successfully.

8. Optimize email settings (optional).

There are some settings you can configure so that it doesn't take as long for email
to start showing up in your new Microsoft 365 or Office 365 mailboxes. See Tips
for optimizing IMAP migrations.

9. Begin routing email to Microsoft 365 or Office 365.

You need to change a DNS record called an MX record so that your email system
can start routing mail to Office 365.

10. Verify routing and then stop email synchronization.

After you verify that all email is being routed to Microsoft 365 or Office 365, you
can delete the migration batch to stop the synchronization between your source
email system and Microsoft 365 or Office 365.

11. Send a welcome letter to users.

Let your users know about Microsoft 365 or Office 365 and how to sign in to their
new mailboxes.

Ready to start?
To finish an email migration successfully, it's a good idea to be comfortable doing these
tasks:

You create a list of mailboxes to migrate in Excel. You add your users' email
addresses, usernames, and passwords to this file.

You use step-by-step wizards in Microsoft 365 or Office 365 to configure and start
the migration process.

After the mail has been migrated, you change your organization's MX record to
point to Microsoft 365 or Office 365 when the migration is complete. Your MX
record is how other mail systems find the location of your email system. Changing
your MX record allows other mail systems to begin to send email directly to the
new mailboxes in Microsoft 365 or Office 365. To learn how to update your MX
record, see Create DNS records at any DNS hosting provider as well.

If you're comfortable with what's involved in migrating mailboxes to Microsoft 365 or
Office 365, you're ready to get started. The first step is to determine which source email
system you're migrating from:

Gmail

This procedure uses the Exchange admin center steps for an IMAP migration.

Some other IMAP enabled email system

This procedure uses the Exchange admin center steps for an IMAP migration.

IMAP migration in the Admin center

Use PowerShell to perform an IMAP migration to Microsoft 365 or Office 365


See also
Tips for optimizing IMAP migrations

Learn more about setting up your IMAP server connection


Migrate Google Workspace mailboxes
to Microsoft 365 or Office 365
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center , if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Note

This article explains how to migrate consumer Gmail mailboxes to Microsoft 365 or
Office 365. For organizations and enterprises interested in migrating Google
Workspace content, including calendar and contacts information in addition to
mailbox data, see Perform a Google Workspace migration.

Migrate your IMAP mailboxes to Microsoft 365 or Office 365 gives you an overview of
the migration process. Read it first and when you're familiar with the contents of that
article, return to this topic to learn how to migrate mailboxes from Google Workspace
Gmail to Microsoft 365 or Office 365. You must be a global admin in Microsoft 365 or
Office 365 to complete IMAP migration steps.

Looking for Windows PowerShell commands? See Use PowerShell to perform an IMAP
migration to Microsoft 365 or Office 365.

Want to migrate other types of IMAP mailboxes? See Migrate other types of IMAP
mailboxes to Microsoft 365 or Office 365.

Migration from Google Workspace mailboxes using the Microsoft 365 admin center

You can use the setup wizard in the Microsoft 365 admin center for an IMAP migration.
See IMAP migration in the Microsoft 365 admin center for instructions.

Important

IMAP migration migrates only email, not calendar or contact information.
Users can import their own email, contacts, and other mailbox information to
Microsoft 365 or Office 365. See Migrate email and contacts to Microsoft 365 to
learn how.

Before Microsoft 365 or Office 365 can connect to Gmail or Google Workspace, all
account owners must create an app password to access their account. This is because
Google considers Outlook to be a less secure app and will not allow a connection to it
with a password alone. For instructions, see Prepare your Google Workspace account for
connecting to Outlook and Microsoft 365 or Office 365. You'll also need to make sure
your Google Workspace users can turn on 2-step verification.

Gmail Migration tasks


The following list contains the migration tasks given in the order in which you should
complete them.

Step 1: Verify you own your domain


In this task, you'll first verify to Microsoft 365 or Office 365 that you own the domain
you used for your Google Workspace accounts.

Note

Another option is to use the <your company name>.onmicrosoft.com domain that is
included with your Microsoft 365 or Office 365 subscription instead of using your
own custom domain. In that case, you can just add users as described in Add users
individually or in bulk and omit this task. Most people, however, prefer to use their
own domain.

Domain verification is a task you will go through as you set up Microsoft 365 or Office
365. During setup, the setup wizard provides you with a TXT record you will add at your
domain host provider. See Add a domain to Microsoft 365 for the steps to complete in
the Microsoft 365 admin center, and choose one of the two following options to see how
to add the TXT record at your DNS host provider.

Your current DNS host provider is Google: If you purchased your domain from
Google and they are the DNS hosting provider, follow these instructions: Create
DNS records when your domain is managed by Google (Go Daddy).

You purchased your domain from another domain registrar: If you purchased
your domain from a different company, we provide instructions for many popular
domain hosting providers.

Step 2: Add users to Microsoft 365 or Office 365


You can add your users either one at a time, or several users at a time. When you add
users, you also add licenses to them. Each user has to have a mailbox on Microsoft 365
or Office 365 before you can migrate email to it. Each user also needs a license that
includes an Exchange Online plan to use his or her mailbox.

Important

At this point you have verified that you own the domain and created your Google
Workspace users and mailboxes in Microsoft 365 or Office 365 with your custom
domain. Close the wizard at this step. Do not proceed to Set up domain, until your
Gmail mailboxes are migrated to Microsoft 365 or Office 365. You'll finish the setup
steps in task 7, Step 6: Update your DNS records to route Gmail directly to
Microsoft 365 or Office 365.

Step 3: Create a list of Gmail mailboxes to migrate


For this task, you create a migration file that contains a list of Gmail mailboxes to
migrate to Microsoft 365 or Office 365. The easiest way to create the migration file is by
using Excel, so we use Excel in these instructions. You can use Excel 2013, Excel 2010, or
Excel 2007.

When you create the migration file, you need to know the app password of each Gmail
mailbox that you want to migrate. We're assuming you don't know the user passwords,
so you'll probably need to assign temporary passwords (by resetting the passwords) to
all mailboxes during the migration. You must be an administrator in Google Workspace
to reset passwords.

You don't have to migrate all Gmail mailboxes at once. You can do them in batches at
your convenience. You can include up to 50,000 mailboxes (one row for each user) in
your migration file. The file can be as large as 10 MB.

1. Sign in to the Google Workspace admin console using your administrator username
and password.

2. After you're signed in, choose Users.

3. Select each user to identify each user's email address. Write down the address.

4. Open the Microsoft 365 admin center, and go to Users > Active users. Keep an
eye on the Username column. You'll use this information in a minute. Keep the
Microsoft 365 admin center window open, too.

5. Start Excel.

6. Use the following screenshot as a template to create the migration file in Excel.
Start with the headings in row 1. Make sure they match the picture exactly and
don't contain spaces. The exact heading names are:

EmailAddress in cell A1.

UserName in cell B1.

Password in cell C1.

7. Next enter the email address, username, and app password for each mailbox you
want to migrate. Enter one mailbox per row.

Column A is the email address of the Microsoft 365 or Office 365 mailbox.
This is what's shown in the username column in Users > Active users in the
Microsoft 365 admin center.
Column B is the sign-in name for the user's Gmail mailbox (for example,
aaronharper@lemonteatest.com).
Column C is the app password for the user's Gmail mailbox. Creating the app
password is described in Migration from Google Workspace mailboxes using
the Microsoft 365 admin center.

8. Save the file as a CSV file type, and then close Excel.

Step 4: Connect Microsoft 365 or Office 365 to Gmail


To migrate Gmail mailboxes successfully, Microsoft 365 or Office 365 needs to connect
and communicate with Gmail. To do this, Microsoft 365 or Office 365 uses a migration
endpoint. Migration endpoint is a technical term that describes the settings that are
used to create the connection so you can migrate the mailboxes. Do the following to
create the migration endpoint in Classic Exchange admin center.

1. Go to the Classic Exchange admin center.

2. In the EAC, go to Recipients > Migration > More > Migration endpoints.

3. Click New to create a new migration endpoint.

4. On the Select the migration endpoint type page, choose IMAP.

5. On the IMAP migration configuration page, set IMAP server to imap.gmail.com
and keep the default settings the same.

6. Click Next. The migration service uses the settings to test the connection to the
Gmail system. If the connection works, the Enter general information page opens.

7. On the Enter general information page, type a Migration endpoint name, for
example, Test5-endpoint. Leave the other two boxes blank to use the default
values.

8. Click New to create the migration endpoint.

Note

For new EAC, the Migration endpoints can be created during the creation of a new
migration batch.

Step 5: Create a migration batch and start migrating Gmail mailboxes in Classic
Exchange admin center (Classic EAC)

You use a migration batch to migrate groups of Gmail mailboxes to Microsoft 365 or
Office 365 at the same time. The batch consists of the Gmail mailboxes that you listed in
the migration file in the previous Step 4: Connect Microsoft 365 or Office 365 to Gmail.

Note

IMAP migration is not available for new EAC.

Tip

It's a good idea to create a test migration batch with a small number of mailboxes
to first test the process. Use migration files with the same number of rows, and
run the batches at similar times during the day. Then compare the total running
time for each test batch. This helps you estimate how long it could take to migrate
all your mailboxes, how large each migration batch should be, and how many
simultaneous connections to the source email system you should use to balance
migration speed and internet bandwidth.

1. In the Microsoft 365 admin center, navigate to Admin centers > Exchange.

2. In the Exchange admin center, go to Recipients > Migration.

3. Click New > Migrate to Exchange Online.

4. Choose IMAP migration > Next.

5. On the Select the users page, click Browse to specify the migration file you
created. After you select your migration file, Microsoft 365 or Office 365 checks it
to make sure:

It isn't empty.
It uses comma-separated formatting.
It doesn't contain more than 50,000 rows.
It includes the required attributes in the header row.
It contains rows with the same number of columns as the header row.

If any one of these checks fails, you'll get an error that describes the reason for the
failure. If you get an error, you must fix the migration file and resubmit it to create
a migration batch.

6. After Microsoft 365 or Office 365 validates the migration file, it displays the
number of users listed in the file as the number of Gmail mailboxes to migrate.

7. Click Next.

8. On the Set the migration endpoint page, select the migration endpoint that you
created in the previous step, and click Next.

9. On the IMAP migration configuration page, accept the default values, and click
Next.

10. On the Move configuration page, type the name (no spaces or special characters)
of the migration batch in the box (for example, Test5-migration). The default
migration batch name that's displayed is the name of the migration file that you
specified. The migration batch name is displayed in the list on the migration
dashboard after you create the migration batch.

You can also enter the names of the folders you want to exclude from migration.
For example, Shared, Junk Email, and Deleted. Click Add to add them to the
excluded list. You can also click Edit to change a folder name and Delete to
delete the folder name.

11. Click Next.

12. On the Start the batch page, do the following:

Choose Browse to send a copy of the migration reports to other users. By
default, migration reports are emailed to you. You can also access the
migration reports from the properties page of the migration batch.

Choose Automatically start the batch > new. The migration starts
immediately with the status Syncing.

Note

If you have large user mailboxes and the status shows Syncing for a long time, you
may be experiencing bandwidth limits set by Google. For more information, see
Bandwidth limits and Sync limits. You can try to unlock the Gmail user or use an
alternative method to migrate the users. For more information, see Use network
upload to import your organization PST files to Microsoft 365 or Office 365 and
Third-party tools for Microsoft 365 or Office 365 migrations.
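The migration file layout from Step 3 and the five checks the service applies to the uploaded file in step 5 above, as an added Python example that is not part of this article and is not Microsoft's own validation code. It builds a file in the EmailAddress/UserName/Password layout and runs the same checks locally before you upload, so a rejected batch is caught earlier; the sample addresses and app passwords are constructed placeholders, and the final blank-cell check is an extra local check the article does not list.

```python
import csv
import io

# The three headings the article requires in row 1, spelled exactly, no spaces.
REQUIRED_HEADERS = ["EmailAddress", "UserName", "Password"]
MAX_ROWS = 50_000              # one row per mailbox, the article's upper limit
MAX_BYTES = 10 * 1024 * 1024   # the article's 10 MB size limit

# Constructed sample rows (not real accounts or app passwords): column A is the
# Microsoft 365 target address, column B the Gmail sign-in name, column C the app password.
SAMPLE_MAILBOXES = [
    ("alberta@contoso.com", "alberta.greene@example.com", "abcd efgh ijkl mnop"),
    ("bobby@contoso.com", "bobby.overby@example.com", "qrst uvwx yzab cdef"),
    ("irwin@contoso.com", "irwin.hume@example.com", "ghij klmn opqr stuv"),
]


def build_migration_file(mailboxes):
    """Write the migration file as CSV text in the layout the article describes."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(REQUIRED_HEADERS)
    for email_address, user_name, password in mailboxes:
        writer.writerow([email_address, user_name, password])
    return buf.getvalue()


def validate_migration_file(text):
    """Apply the checks the article says the service runs on the uploaded file.

    Returns a list of problem descriptions; an empty list means the file passes.
    Blank lines are skipped, so reported line numbers count non-blank rows.
    """
    problems = []
    text = text.lstrip("\ufeff")  # Excel's "CSV UTF-8" prepends a BOM to the header
    if not text.strip():
        return ["file is empty"]
    if len(text.encode("utf-8")) > MAX_BYTES:
        problems.append("file is larger than 10 MB")

    rows = [row for row in csv.reader(io.StringIO(text)) if any(cell.strip() for cell in row)]
    if not rows:
        return ["file is empty"]
    header = [cell.strip() for cell in rows[0]]
    data_rows = rows[1:]

    # Comma-separated formatting: a file saved with another delimiter (a semicolon
    # from a localized Excel, for example) parses as a single wide column.
    if len(header) < 2:
        problems.append("file is not comma-separated (header row parsed as a single column)")
        return problems

    missing = [name for name in REQUIRED_HEADERS if name not in header]
    if missing:
        problems.append("header row is missing required attribute(s): " + ", ".join(missing))

    if len(data_rows) > MAX_ROWS:
        problems.append(f"file lists {len(data_rows):,} mailboxes; the limit is {MAX_ROWS:,}")

    # Every row must have exactly as many columns as the header row.
    for line_no, row in enumerate(data_rows, start=2):
        if len(row) != len(header):
            problems.append(f"line {line_no}: {len(row)} columns, header row has {len(header)}")

    # Extra local check the article does not list: a blank EmailAddress, UserName or
    # Password cell fails for that mailbox later, so flag it before upload.
    for line_no, row in enumerate(data_rows, start=2):
        if len(row) == len(header):
            for name in REQUIRED_HEADERS:
                if name in header and not row[header.index(name)].strip():
                    problems.append(f"line {line_no}: {name} is blank")
    return problems


if __name__ == "__main__":
    sample = build_migration_file(SAMPLE_MAILBOXES)
    print(sample)
    print("problems:", validate_migration_file(sample) or "none")
```

Run the validator over the CSV that Excel saved before you browse to it in the wizard; the messages name the failing line so the row can be fixed in Excel and the file re-saved.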

Verify that the migration worked
In the new Exchange admin center, go to Migration > Batch. Verify that the batch
is displayed in the migration dashboard. If the migration completed successfully,
the status is Synced.

In the Classic Exchange admin center, go to Recipients > Migration. Verify that the
batch is displayed in the migration dashboard. If the migration completed
successfully, the status is Synced.

If this task fails, check the associated Mailbox status reports for specific errors, and
double-check that your migration file has the correct Microsoft 365 or Office 365
email address in the EmailAddress column.

Verify a successful mailbox migration to Microsoft 365 or Office 365

Ask your migrated users to complete the following tasks:


Go to the Microsoft 365 or Office 365 sign-in page and sign in with your
username and temporary password.
Update your password, and set your time zone. It's important that you select
the correct time zone to make sure your calendar and email settings are correct.
When Outlook on the web (formerly known as Outlook Web App) opens, send
an email message to another Microsoft 365 or Office 365 user to verify that you
can send email.
Choose Outlook, and check that your email messages and folders are all there.

Optional: Reduce email delays


Although this task is optional, doing it can help avoid delays in receiving email in the
new Microsoft 365 or Office 365 mailboxes.

When people outside of your organization send you email, their email systems don't
double-check where to send that email every time. Instead, their systems save the
location of your email system based on a setting in your DNS server known as a
time-to-live (TTL). If you change the location of your email system before the TTL expires, the
sender's email system tries to send email to the old location before figuring out that the
location changed. This can result in a mail delivery delay. One way to avoid this is to
lower the TTL that your DNS server gives to servers outside of your organization. This
will make the other organizations refresh the location of your email system more often.
Most email systems ask for an update each hour if a short interval such as 3,600 seconds
(one hour) is set. We recommend that you set the interval at least this low before you
start the email migration. This setting allows all the systems that send you email enough
time to process the change. Then, when you make the final switch over to Microsoft 365
or Office 365, you can change the TTL back to a longer interval.

The place to change the TTL setting is on your email system's mail exchanger record,
also called an MX record. This lives in your public facing DNS. If you have more than one
MX record, you need to change the value on each record to 3,600 seconds or less.

Don't worry if you skip this task. It might take longer for email to start showing up in
your new Microsoft 365 or Office 365 mailboxes, but it will get there.

If you need some help configuring your DNS settings, see Add DNS records to connect
your domain.

Step 6: Update your DNS records to route Gmail directly to Microsoft 365 or Office 365

Email systems use a DNS record called an MX record to figure out where to deliver
email. During the email migration process, your MX record was pointing to your Gmail
system. Now that you've completed your email migration to Microsoft 365 or Office 365,
it's time to point your MX record to Microsoft 365 or Office 365. After you change your
MX record following these steps, email sent to users at your custom domain is delivered
to Microsoft 365 or Office 365 mailboxes.

For many DNS providers, there are specific instructions to change your MX record; see
Add DNS records to connect your domain. If your DNS provider isn't included, or if you
want to get a sense of the general directions, that article also provides general MX
record instructions.

1. Sign in to Microsoft 365 or Office 365 with your work or school account.

2. Choose Setup > Domains.

3. Select your domain and then choose Fix issues.

The status shows Fix issues because you stopped the wizard partway through so
you could migrate your Gmail email to Microsoft 365 or Office 365 before
switching your MX record.

4. For each DNS record type that you need to add, choose What do I fix?, and follow
the instructions to add the records for Microsoft 365 or Office 365 services.

5. After you've added all the records, you'll see a message that your domain is set up
correctly: Contoso.com is set up correctly. No action is required.

It can take up to 72 hours for the email systems of your customers and partners to
recognize the changed MX record. Wait at least 72 hours before you proceed to
stopping synchronization with Gmail.

Step 7: Stop synchronization with Gmail


During the last task, you updated the MX record for your domain. Now it's time to verify
that all email is being routed to Microsoft 365 or Office 365. After verification, you can
delete the migration batch and stop the synchronization between Gmail and Microsoft
365 or Office 365. Before you take this step:

Make sure that your users are using Microsoft 365 or Office 365 exclusively for
email. After you delete the migration batch, email that is sent to Gmail mailboxes
isn't copied to Microsoft 365 or Office 365. This means your users can't get that
email, so make sure that all users are on the new system.

Let the migration batch run for at least 72 hours before you delete it. This makes
the following two things more likely:
Your Gmail mailboxes and Microsoft 365 or Office 365 mailboxes have
synchronized at least once (they synchronize once a day).
The email systems of your customers and partners have recognized the changes
to your MX records and are now properly sending email to your Microsoft 365
or Office 365 mailboxes.

When you delete the migration batch, the migration service cleans up any records
related to the migration batch and removes it from the migration dashboard.

Delete a migration batch


1. In the new Exchange admin center, go to Migration > Batch. On the migration
dashboard, select the batch, and then click Delete.

2. In the Classic Exchange admin center, go to Recipients > Migration. On the
migration dashboard, select the batch, and then click Delete.

Step 8: Users migrate their calendar and contacts


After migration of mailboxes, you can import your Gmail calendar and contacts to
Outlook:

Import contacts to Outlook

Import Google Calendar to Outlook

Leave us a comment
Were these steps helpful? If so, please let us know at the bottom of this topic. If they
weren't, and you're still having trouble migrating your email, tell us about it and we'll
use your feedback to double-check our steps.

Related Topics
IMAP migration in the Microsoft 365 admin center

Migrate your IMAP mailboxes to Microsoft 365 or Office 365

Ways to migrate email to Microsoft 365 or Office 365

Tips for optimizing IMAP migrations


Migrate other types of IMAP mailboxes
to Microsoft 365 or Office 365
Article • 02/22/2023

As part of the process of deploying Microsoft 365 or Office 365, you can choose to
migrate the contents of user mailboxes from an Internet Mail Access Protocol (IMAP)
email service to Microsoft 365 or Office 365.

Looking for PowerShell commands for general IMAP migrations? See Use PowerShell to
perform an IMAP migration to Microsoft 365 or Office 365.

Migration tasks for IMAP mailboxes


Here are the tasks to do when you're ready to get started with migrating your IMAP
mailboxes.

Notes:

You need to create your users in Microsoft 365 or Office 365 before you migrate
their IMAP mailboxes from the source email environment. Each user must have a
target Microsoft 365 or Office 365 mailbox for the IMAP migration.

If you use an email domain in your IMAP email environment, and you also want to
use the email domain in Microsoft 365 or Office 365, you need to add the domain
to Microsoft 365 or Office 365 as an accepted domain before you create users in
Microsoft 365 or Office 365. For instructions, see Add a domain to Microsoft 365.

If you are using Office 365 operated by 21Vianet in China, see Add a domain to
Microsoft 365.

To add users, see Add users individually or in bulk.

Step 1: Find the full name of your current email server


Microsoft 365 or Office 365 needs the name of the source email server to migrate
mailboxes from. There are many ways to get the name of your email system. The easiest
way is by using an email client that's connected to your email system. In this task, we
describe how to get the name of the system by using Outlook on the web (formerly
known as Outlook Web App). If your email client isn't described here, contact support
for your source email system.

Get the name of your source email server using Outlook on the web

1. Open your mailbox in Outlook on the web.

2. On the toolbar, choose Settings.

3. In the Search all settings box, start typing "pop", and in the results, select POP and
IMAP.

4. In POP and IMAP settings, your IMAP server name is listed in the IMAP setting
section.

For more information about IMAP connections in Microsoft 365 or Office 365, see POP
and IMAP account settings.

Step 2: Create the list of mailboxes to migrate


You need access to user mailboxes before you can migrate them to Microsoft 365 or
Office 365. The steps that are required to create the target mailboxes depend on how
you access the mailboxes.

You either know the password of each user's mailbox, or you need to reset the
passwords to new passwords that you do know. Follow the steps in Create the list
of user mailboxes when you know the user passwords, or you'll reset the
passwords.

Your source email system lets you use mailbox admin credentials to access user
mailboxes, which means you don't need to know the passwords or reset them.
Follow the steps in Create a list of user mailboxes using admin credentials to
access them to learn how to access user mailboxes.

Create the list of user mailboxes when you know the user
passwords, or you'll reset the passwords
For this task, you create a migration file that contains a list of mailboxes to migrate to
Microsoft 365 or Office 365. We use Excel in the instructions because it's the easiest way
to create the migration file. You can use Excel 2013, Excel 2010, or Excel 2007.

When you create the migration file, you must know the password of each mailbox to be
migrated. We're assuming you don't know user passwords, so you'll probably need to
assign temporary passwords (by resetting the passwords) to all mailboxes during the
migration.

You don't have to migrate all mailboxes at once. You can do them in batches at your
convenience. You can include up to 50,000 mailboxes (one row for each user) in your
migration file, which can be as large as 10 MB.

For more information, see CSV files for IMAP migration batches.

1. Go to your source email system (the one you're migrating from), and navigate to
the list of mailboxes you want to migrate.

We'd give you the exact steps if we could, but there are so many different email
systems out there that you need to find this out on your own. When you find the
list of mailboxes, keep this window open.

2. Go to the Microsoft 365 admin center.

3. Navigate to Users > Active users. Keep an eye on the username column. You'll use
this information in a minute. Keep the admin center open, too.
4. Start Excel.

5. Use the following screenshot as a template to create the migration file in Excel.
Start with the headings in row 1. Make sure they match the picture exactly and
don't contain spaces. The exact heading names are:

EmailAddress in cell A1.

UserName in cell B1.

Password in cell C1.

6. Next, enter the email address, username, and password for each mailbox you want
to migrate. Enter one mailbox per row:

Column A is the email address of the Microsoft 365 or Office 365 mailbox.
This is what is shown in the username column under Users > Active users in
the Microsoft 365 admin center.

Column B is the sign-in name (for example, alberta, or often,
alberta@contoso.com) for the user's mailbox on the source email system.

Note

A lot of email systems use the entire email address as the sign-in name.
Note also, if you are using the same domain in Microsoft 365 or Office
365 and your source email system, the columns A and B can be identical.
Column C is the password for the user's mailbox.

If you don't know the users' passwords, you'll need to reset them to
passwords that you do know, and then enter those passwords in the
migration file. This is inconvenient for users, but there's no way around this
unless your source email system supports using superuser credentials.

If you want users to have access to the source email system, you can
distribute new passwords to the source email system after the migration is
finished. We'll deal with getting the new passwords distributed after the
migration is finished.

7. Reset the passwords, and note the new passwords in your migration file. The exact
steps will depend on your source email system. You can probably find the option
to reset a password when you view the user's email account.

8. Save the file as a CSV file type, and close Excel.

Create a list of user mailboxes using admin credentials to access them
For this task, you create a migration file that contains a list of mailboxes to migrate to
Microsoft 365 or Office 365. The easiest way to create the migration file is by using
Excel, so we use Excel in these instructions. You can use Excel 2013, Excel 2010, or Excel
2007.

When you create a migration file in this task, you type your mailbox admin credentials
and usernames using a special format. This allows you to access user mailboxes without
knowing or resetting the user passwords. We provide the format used by Exchange,
Dovecot, and Mirapoint IMAP servers. If your source email system isn't listed here and
you don't know the correct format, you still have the option of resetting user passwords.
Skip this task and go to Create the list of user mailboxes when you know the user
passwords, or you'll reset the passwords.

You don't have to migrate all mailboxes at once. You can migrate them in batches at
your convenience. You can include up to 50,000 mailboxes (one row for each user) in
your migration file, which can be as large as 10 MB.

1. Go to your source email system (the one you're migrating from), and navigate to
the list of mailboxes you want to migrate. We'd give you the exact steps if we
could, but there are so many different email systems out there that you need to
find out these steps on your own. When you find the list of mailboxes, keep the
window open so you can refer to them.

2. Go to the Microsoft 365 admin center.

3. Navigate to Users > Active users. Keep an eye on the username column. You'll use
this information in a minute. Keep the Microsoft 365 admin center page open, too.

4. Start Excel.

5. Use the following screenshot as a template to create the migration file in Excel.
Start with the headings in row 1. Make sure they match the screenshot exactly and
don't contain spaces. The exact heading names are:

EmailAddress in cell A1.

UserName in cell B1.

Password in cell C1.

6. Next, enter the email address, username, and password for each mailbox you want
to migrate. Enter one mailbox per row.

Column A is the email address of the user's Microsoft 365 or Office 365
mailbox. This is what's shown in the username column under Users > Active
users in the Microsoft 365 admin center.

Column B is the combination of the mailbox admin name and username
that's specific to your source email system. See Format mailbox admin
credentials for different IMAP servers for formatting instructions.

Column C is the password for the mailbox admin account.

7. Save the file as a CSV file type, and then close Excel.

Format mailbox admin credentials for different IMAP servers


In the migration file, each cell in the UserName column consists of two combined
names: the username of the person whose email is being migrated, and the username of
the mailbox admin account. The supported format for mailbox admin credentials is
different depending on your source email system. Here are the formats for several types
of source email systems.

Microsoft Exchange

If you're migrating email from the IMAP implementation for Exchange, use the format
Domain/Admin_UserName/User_UserName for the UserName attribute in the
migration file.

Let's say you're migrating email from Exchange for Alberta Greene, Bobby Overby, Irwin
Hume, Katrina Hernandez, and Mathew Slattery. You have a mailbox admin account,
where the username is mailadmin and the password is P@ssw0rd. Here's what your
migration file would look like:

Dovecot
Source email systems that support Simple Authentication and Security Layer (SASL),
such as a Dovecot IMAP server, use the format User_UserName*Admin_UserName. Let's say
you're migrating email from a Dovecot IMAP server using the mailbox admin credentials
mailadmin and P@ssw0rd. Here's what your migration file would look like:

Mirapoint
If you're migrating email from Mirapoint Message Server, use the format
#user@domain#Admin_UserName#. Let's say you're migrating email using the mailbox
admin credentials mailadmin and P@ssw0rd. Here's what your migration file would look
like:

Courier IMAP and Oracle IMAP
Some source email systems such as Courier IMAP and Oracle IMAP don't support using
mailbox admin credentials to migrate mailboxes to Microsoft 365 or Office 365. Instead,
you can set up your source email system to use virtual shared folders. Virtual shared
folders allow you to use the mailbox admin credentials to access user mailboxes on the
source email system. For more information about how to configure virtual shared
folders for Courier IMAP, see Shared Folders.

To migrate mailboxes after you set up virtual shared folders on your source email
system, you have to include the optional attribute UserRoot in the migration file. This
attribute specifies the location of each user's mailbox in the virtual shared folder
structure on the source email system. For example, the path to Alberta's mailbox is
/users/alberta.

Here's an example of a migration file that contains the UserRoot attribute:

Step 3: Connect Microsoft 365 or Office 365 to your email system (classic EAC only)
To migrate email successfully, Microsoft 365 or Office 365 needs to connect and
communicate with the source email system. To do this, Microsoft 365 or Office 365 uses
a migration endpoint. This is a technical term that describes the settings that are used to
create the connection. You create the migration endpoint in this task.

1. Open the Exchange admin center.

2. Go to Recipients > Migration > More > Migration endpoints.

3. Click New to create a new migration endpoint.


4. On the Select the migration endpoint type page, choose IMAP.

5. On the IMAP migration configuration page, enter the following information:

IMAP server: Type the messaging server name (for example, imap.contoso.com) of the
source email server.

Leave the remaining information as the default settings; these will work for
most cases.

6. Click Next. The migration service uses the settings to test the connection to your
email server. If the connection works, the Enter general information page appears.

7. On the Enter general information page, type a Migration endpoint name, for
example, Test5-endpoint. Leave the other two boxes blank to use the default
values.

8. Click New to create the migration endpoint.

Step 4: Create a migration batch and migrate your mailboxes

Using classic EAC

You use a migration batch to migrate groups of email to Microsoft 365 or Office 365
mailboxes at the same time. The batch consists of the mailboxes that you listed in the
migration file in the previous task.

Tip

We recommend that you create a test migration batch with a small number of
mailboxes to first test the process. Use migration files with the same number of
rows, and run the batches at similar times during the day. Then compare the total
running time for each test batch. This comparison helps you estimate how long it
could take to migrate all your mailboxes, how large each migration batch should
be, and how many simultaneous connections to the source email system you
should use to balance migration speed and internet bandwidth.

1. In the Exchange admin center, go to Recipients > Migration.

2. Click New > Migrate to Exchange Online.

3. Choose IMAP migration > Next.

4. On the Select the users page, click Browse to specify the migration file you
created. After you select your migration file, Microsoft 365 or Office 365 checks it
to make sure of the following:

It isn't empty.

It uses comma-separated formatting.

It doesn't contain more than 50,000 rows.

It includes the required attributes in the header row.

It contains rows with the same number of columns as the header row.

If any one of these checks fails, you'll get an error that describes the reason
for the failure. If you get an error, you have to fix the migration file and
resubmit it to create a migration batch.

5. After Microsoft 365 or Office 365 validates the migration file, it displays the
number of users listed in the file as the number of mailboxes to migrate.
6. Click Next.

7. On the IMAP migration configuration page, click Next.

8. On this page, select the migration endpoint that you created in Step 3: Connect
Microsoft 365 or Office 365 to your email system.

9. On the Move configuration page, type the name (no spaces or special characters)
of the migration batch, for example, Test5-migration, and then click Next.

The default migration batch name that's displayed is the name of the migration file
that you specified. The migration batch name is displayed in the list on the
migration dashboard after you create the migration batch.

You can also optionally enter the names of the folders you want to exclude from
migrating, for example Shared, Junk Email, and Deleted. Click New to add them
to the excluded list. You can also click Edit to change a folder name and Delete
to delete a folder name.

Important

If you're migrating email from Microsoft Exchange Server, we recommend that
you exclude public folders from the migration. If you don't, the contents of
the public folders are copied to the Microsoft 365 or Office 365 mailbox of
every user in the migration file.

10. Click Next.

11. On the Start the batch page, do the following:

Click Browse to send a copy of the migration reports to other users. By
default, migration reports are emailed to you. You can also access the
migration reports from the properties page of the migration batch.

Choose Automatically start the batch. The migration starts as soon as you
save the new migration batch. The batch status is first Created and changes
to Syncing after the migration starts.

Verify that this task worked (classic EAC)

In the Exchange admin center, go to Recipients > Migration. Verify that the batch
is displayed in the migration dashboard. If the migration completed successfully,
the Status is Synced.

If this task fails, check the associated Mailbox status reports for specific errors,
and double-check that your migration file has the correct Microsoft 365 or Office
365 email address in the EmailAddress column.

Using new EAC

To migrate email successfully, Microsoft 365 or Office 365 needs to connect and
communicate with the source email system. To do this, Microsoft 365 or Office 365 uses
a migration endpoint. This is a technical term that describes the settings that are used to
create the connection. You create the migration endpoint and migration batch in this
task.

1. Open the new Exchange admin center.

2. Go to Migration.

3. Click Add migration batch.

4. On the Add migration batch page, type the name (no spaces or special characters)
of the migration batch in the Give migration batch a unique name field, for
example, Test5-migration.

5. Select Migrate to Exchange Online in the dropdown Select the mailbox migration
path, and then click Next.

6. In the Select the migration type page, select IMAP migration in the Select the
migration type dropdown and then click Next.

7. In the Prerequisites for IMAP migration page, check to see if you completed all
the prerequisites and then click Next.

8. In the Set a migration endpoint page, select Create a new migration endpoint and
then click Next.

9. In the Migration endpoint name page, type a Migration endpoint name, for
example, Test5-endpoint. Leave the other two boxes as-is to use the default values
and then click Next.

10. In the IMAP migration configuration page:

IMAP server: Type the messaging server name (for example, imap.contoso.com) of
the source email server.

Leave the remaining information as the default settings; these will work for
most cases.

11. Click Next.

12. In the Check endpoint setup status page, verify that the new endpoint created
message appears and then click Next.

13. In the Add user mailboxes page, click Browse to specify the migration file you
created and then click Next.

14. In the Select configuration settings page, click Next.

15. In the Schedule batch migration page, select the desired options for reporting and
start and end migration batch modes, click Save, and then click Done.

Verify that this task worked (new EAC)

In the new Exchange admin center, navigate to Migration > Batch, select the
migration batch and then in the details pane, under Migration details, click View
details. For more information, see Migration users status report.

If this task fails, check the associated Mailbox status reports for specific errors,
and double-check that your migration file has the correct Microsoft 365 or Office
365 email address in the EmailAddress column.

Verify a successful mailbox migration to Microsoft 365 or Office 365

Ask users with migrated mailboxes to complete the following tasks:

Sign in to Microsoft 365 or Office 365 with your work or school account. Use
your temporary password.

Update your password, and set your time zone. It's important that you select
the correct time zone to make sure your calendar and email settings are correct.

When Outlook on the web opens, send an email message to another Microsoft
365 or Office 365 user to verify that you can send email.

Choose Outlook, and check that your email messages and folders are all there.

Optional: Reduce email delays


This task is optional. You don't need to do this task, but if you skip it, it might take
longer for email to start showing up in your new Microsoft 365 or Office 365 mailboxes.

When people outside of your organization send you email, their email systems don't
double-check where to send that email every time. Instead, their systems save the
location of your email system based on a setting in your DNS server known as a time-
to-live (TTL). If you change the location of your email system before the TTL expires,
they'll try to send you email at the old location first before figuring out that the location
changed. This can result in a mail delivery delay. One way to avoid this is to lower the
TTL that your DNS server gives to servers outside of your organization. This will make
the other organizations refresh the location of your email system more often.

Using a short interval, such as 3,600 seconds (one hour) or less, means that most email
systems will ask for an updated location every hour. We recommend that you set the
interval at least this low before you start the email migration. This allows all the systems
that send you email enough time to process the change. Then, when you make the final
switch over to Microsoft 365 or Office 365, you can change the TTL back to a longer
interval.

The place to change the TTL setting is on your email system's mail exchanger record,
also called an MX record. This lives on your public facing DNS system. If you have more
than one MX record, you need to change the value on each record to 3,600 or less.

Don't worry if you skip this task. It might take longer for email to start showing up in
your new Microsoft 365 or Office 365 mailboxes, but it will get there.

If you need some help configuring your DNS settings, head over to Add DNS records to
connect your domain. If you are using Office 365 operated by 21Vianet in China, see this
version of the article instead: Create DNS records for Office 365 when you manage your
DNS records.
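The reasoning above comes down to one number per MX record: the TTL that remote mail systems are allowed to cache. The following Python script is an added example and not part of Microsoft's documentation or tooling. It parses the answer lines that `dig +noall +answer MX <domain>` prints, flags every MX record whose TTL is above the 3,600-second value recommended above, and reports the longest TTL as the worst-case time a sender could keep delivering to the old location. The dig output embedded below is constructed for the example, and the function names are assumptions.

```python
"""Report MX records whose TTL is above the recommended 3,600 seconds (added example)."""

MAX_TTL = 3600  # one hour, the interval recommended above


def parse_mx_answers(lines):
    """Parse the answer lines printed by `dig +noall +answer MX <domain>`:
    <name> <ttl> IN MX <preference> <exchange>. Comment lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 6 and parts[2] == "IN" and parts[3] == "MX":
            records.append({"name": parts[0], "ttl": int(parts[1]),
                            "preference": int(parts[4]), "exchange": parts[5]})
    return records


def mx_ttl_report(lines, max_ttl=MAX_TTL):
    """Summarise whether every MX record is at or below max_ttl and how long
    remote mail systems could keep the current answer cached."""
    records = parse_mx_answers(lines)
    too_long = [r for r in records if r["ttl"] > max_ttl]
    return {
        "records": records,
        "too_long": too_long,
        "ready": bool(records) and not too_long,
        "worst_case_cache_seconds": max((r["ttl"] for r in records), default=0),
    }


# Constructed dig output for a domain with two MX records, one still at a day-long TTL.
SAMPLE_DIG_OUTPUT = [
    "; <<>> DiG 9.18.1 <<>> +noall +answer MX contoso.com",
    "contoso.com.\t86400\tIN\tMX\t10 mail1.contoso.com.",
    "contoso.com.\t3600\tIN\tMX\t20 mail2.contoso.com.",
]

if __name__ == "__main__":
    report = mx_ttl_report(SAMPLE_DIG_OUTPUT)
    for r in report["too_long"]:
        print(f"{r['name']} MX {r['exchange']} has TTL {r['ttl']} s (> {MAX_TTL} s)")
    print("worst-case cache time:", report["worst_case_cache_seconds"], "s")
    print("ready for cutover:", report["ready"])
```

Run the query against one of your domain's authoritative name servers (`dig @<authoritative server> +noall +answer MX <domain>`) rather than a recursive resolver: a resolver reports the time remaining in its own cache, not the TTL configured in the zone. After you lower the TTL, the old, longer value is still cached elsewhere until it expires, so wait at least that long before changing the MX record itself.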

Step 5: Route your email directly to Microsoft 365 or Office 365
Email systems use a DNS record called an MX record to figure out where to deliver
emails. During the email migration process, we left your MX record pointing to your
source email system. Now that the email migration to Microsoft 365 or Office 365 is
complete, it's time to point your MX record at Microsoft 365 or Office 365. This helps
ensure that email is delivered to your Microsoft 365 or Office 365 mailboxes. Moving the
MX record will also let you turn off your old email system when you are ready.

For many DNS providers, we have specific instructions to change your MX records, see
Add DNS records to connect your domain. If you are using Office 365 operated by
21Vianet in China, see this version of the article instead: Create DNS records for Office
365 when you manage your DNS records. If your DNS provider isn't included, or you
want to get a sense of the general directions, we've provided general MX record
instructions as well, see Add DNS records to connect your domain, or for Office 365 in
China, see this version of the article: Add DNS records to connect your domain.

It can take up to 72 hours for the email systems of your customers and partners to
recognize the changed MX record. Wait at least 72 hours before you proceed to the next
task to stop email synchronization.

Step 6: Stop email synchronization


During the last task, you changed the MX record. Now it's time to verify that all your
email is being routed to Microsoft 365 or Office 365, and then you can go ahead and
delete the migration batch. Doing this stops the synchronization between your source
email system and Microsoft 365 or Office 365. Before you do, make sure of a few things:

Your users are using Microsoft 365 or Office 365 exclusively for email. After you
delete the migration batch, email that is sent to mailboxes on your source email
system isn't copied to Microsoft 365 or Office 365. This means your users can't get
that email, so make sure that users are all on the new system.

Let the migration batch run for at least 72 hours before you delete it. This makes
the following two things much more likely:

Your source email system and Microsoft 365 or Office 365 mailboxes were
synchronized at least once (they synchronize once a day).

The email systems of your customers and partners have recognized the changes
to your MX records and are now properly sending email to your Microsoft 365
or Office 365 mailboxes.

When you delete the migration batch, the migration service cleans up any records
related to the migration batch and removes it from the migration dashboard.

Delete a migration batch

Delete a migration batch using classic EAC

1. In the Exchange admin center, go to Recipients > Migration.

2. On the migration dashboard, select the batch, and then click Delete.

Delete a migration batch using new EAC

1. In the new Exchange admin center, go to Migration > Batch.

2. On the migration dashboard, select the batch, and then click Delete.

Confirm that the deletion worked

Confirm that the deletion worked using classic EAC

In the Exchange admin center, go to Recipients > Migration. Verify that the
migration batch is no longer listed on the migration dashboard.

Confirm that the deletion worked using new EAC

In the new Exchange admin center, go to Migration > Batch. Verify that the
migration batch is no longer listed on the migration dashboard.

See also
Migrate your IMAP mailboxes to Microsoft 365 or Office 365

Ways to migrate email to Microsoft 365 or Office 365

Tips for optimizing IMAP migrations


IMAP migration in the Microsoft 365 admin center
Article • 02/22/2023

After you've added your users to Microsoft 365 or Office 365, you can use Internet
Message Access Protocol (IMAP) to migrate email for those users from their IMAP-
enabled email servers.

Important

Before you can use an IMAP migration for your users, they must have been first
added to your Microsoft 365 or Office 365 organization. For instructions, see Add
users individually or in bulk.

Before you migrate, read What you need to know about migrating your IMAP mailboxes
to Microsoft 365 or Office 365.

Important

IMAP migration in the Microsoft 365 admin center has been replaced by IMAP
migration by using the Exchange admin center (EAC). To perform an IMAP
migration by using the EAC, see Migrate other types of IMAP mailboxes to
Microsoft 365 or Office 365.

To migrate Exchange mail to Microsoft 365 or Office 365, see Use express migration to
migrate Exchange mailboxes to Microsoft 365 or Office 365.

Related Topics
Prepare your Gmail or Google Apps account for connecting to Outlook and Microsoft
365 or Office 365

Prepare your Outlook.com or Hotmail.com account for IMAP migration


Learn more about setting up your IMAP server connection in Exchange Online
Article • 02/22/2023

To migrate your email by using Internet Message Access Protocol (IMAP) migration,
Microsoft 365 or Office 365 needs to know the name and connection settings of your
IMAP server.

Find your IMAP server name


Microsoft 365 or Office 365 needs the name of the source email server to migrate
mailboxes from. In this task, we describe how to get the name of the email server by
using Outlook on the web (formerly known as Outlook Web App). If you don't have
access to Outlook on the web, or if your IMAP server name isn't listed there, either
contact support or consult the help documentation for your source email system.

To get the name of your source email server by using Outlook on the web
1. Open your mailbox in Outlook on the web.

2. On the toolbar, choose Settings.

3. In the Search all settings box, start typing "pop", and in the results, select POP and
IMAP.

4. In POP and IMAP settings, your IMAP server name is listed in the IMAP setting
section.
Note: The IMAP server for Gmail is: imap.gmail.com.

For more information about IMAP connections in Microsoft 365 or Office 365, see POP
and IMAP email settings for Outlook.

Values for security and port


Microsoft 365 or Office 365 also needs the values for the encryption method and the
Transmission Control Protocol (TCP) port number that's used by the source email IMAP
server.

Security: This is the encryption method used by the IMAP server. The default value
for secure sockets layer (SSL) is appropriate for most IMAP servers.

Port: This is the TCP port number that's used to connect to the IMAP server. In
Microsoft 365 or Office 365, the only available value is 993 for SSL connections.
Port 993 is appropriate for most IMAP servers.
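Because the migration service connects to the source server over SSL on port 993 (both when it tests the endpoint in Step 3 and during every batch sync), it is worth confirming from your own network that the server answers on that port with a certificate that validates before you create the endpoint. The following Python script is an added example and not Microsoft's code: it opens an IMAP-over-TLS connection with certificate and hostname verification enforced, fetches the server's CAPABILITY response, and closes cleanly. The server names used are assumptions; `imap.contoso.com` is the documentation's placeholder, not a live host.

```python
"""Probe an IMAP server over TLS on port 993 before creating a migration endpoint (added example)."""
import imaplib
import ssl


def imap_tls_context() -> ssl.SSLContext:
    """Strict client context: certificate chain and hostname verification on,
    TLS 1.2 as the minimum protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses unverified certificates and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe_imap_endpoint(server: str, port: int = 993, timeout: float = 5.0) -> dict:
    """Connect, fetch CAPABILITY and log out. 'ok' is True only when the TCP
    connection, the TLS handshake with certificate validation and the IMAP
    greeting all succeed; otherwise 'error' names the step that failed."""
    result = {"server": server, "port": port, "ok": False, "capabilities": [], "error": None}
    try:
        conn = imaplib.IMAP4_SSL(server, port, ssl_context=imap_tls_context(), timeout=timeout)
        try:
            typ, data = conn.capability()
            result["capabilities"] = data[0].decode("ascii", "replace").split()
            result["ok"] = typ == "OK"
        finally:
            conn.logout()
    except ssl.SSLCertVerificationError as exc:
        # A self-signed or mismatched certificate lands here; the migration
        # endpoint test would fail the same way until the certificate is fixed.
        result["error"] = f"certificate verification failed: {exc}"
    except (imaplib.IMAP4.error, OSError) as exc:
        # DNS failure, refused connection, timeout, other TLS errors, protocol errors.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # imap.contoso.com is the documentation's example name; substitute your source server.
    report = probe_imap_endpoint("imap.contoso.com")
    print(report)
```

If `error` reports a certificate problem, the fix belongs on the source server (a certificate for the name you typed into the endpoint, issued by a publicly trusted CA); disabling verification on the client is not an option here, because the migration service performs its own validation. A successful probe that lists `LOGINDISABLED` in the capabilities is not a concern over TLS, since that flag only restricts plaintext logins.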

Tips for optimizing IMAP migrations in Exchange Online
Article • 02/22/2023

When you undertake an Internet Message Access Protocol (IMAP) migration from an
on-premises Exchange Server to Microsoft 365 or Office 365, you have a few choices for
optimizing the migration performance.

Optimize IMAP migrations


Here are some tips for optimizing an IMAP migration:

Increase the connection limits to your IMAP server: Many firewalls and email
servers have per-user limits, per-IP address limits, and overall connection limits.
Before you migrate mailboxes, make sure that your firewall and IMAP server are
configured to allow a large, or maximum, number of connections for the following
settings:

The total number of connections to the IMAP server.

The number of connections by a particular user. This is important if you use an
administrator account in the comma-separated value (CSV) migration file
because all connections to the IMAP server are made by this user account.

The number of connections from a single IP address. This limit is typically
enforced by the firewall or the email server.

If your IMAP server is running Microsoft Exchange Server 2010 or Exchange
2007, the default settings for connection limits are low. Be sure to increase
these limits before you migrate email. By default, Exchange 2003 doesn't limit
the number of connections.

For more information, see:

Exchange 2013: Set connection limits for IMAP4

Exchange 2010: View or Configure IMAP4 Properties

Exchange 2007: How to Set Connection Limits for IMAP4

Exchange 2003: How to Set Connection Limits


Change the DNS Time-to-Live (TTL) setting on your MX record: Before you start
migrating mailboxes, change the Domain Name System (DNS) TTL setting on your
current MX record to a shorter interval, such as 3,600 seconds (one hour). Then,
when you change the MX record to point to your Microsoft 365 or Office 365 email
organization after all mailboxes are migrated, the updated MX record should
propagate more quickly because of the shortened TTL interval.

Run one or more test migration batches: Run a few small IMAP migration batches
before you migrate larger numbers of users. In a test migration, you can do the
following:

Verify the format of the CSV file.

Test the migration endpoint used to connect to the IMAP server.

Verify that you can successfully migrate email by using administrator
credentials, if applicable.

Determine the optimal number of simultaneous connections to the IMAP server
that minimize the impact on your internet bandwidth.

Verify that folders you exclude aren't migrated to Microsoft 365 or Office 365
mailboxes.

Determine how long it takes to migrate a batch of users.

Use CSV files with the same number of rows and run the batches at similar
times during the day. Then compare the total running time for each test batch.
This comparison will help you estimate how long it will take to migrate all your
mailboxes, how large each migration batch should be, and how many
simultaneous connections to the IMAP server you should use to balance
migration speed and internet bandwidth.

Use administrator credentials in the CSV file to migrate email: This method is the
least disruptive and inconvenient for users, and it will help minimize
synchronization errors caused when users change the password on their on-
premises account. It also saves you from having to obtain or change user
passwords. If you use this method, be sure to verify that the administrator account
you use has the necessary permissions to access the mailboxes you're migrating.

Note

If you decide to use user credentials in the CSV file, consider globally
changing users' passwords, and then preventing users from changing their
password on their on-premises account before you migrate their mailboxes. If
users change their password before their mailbox is migrated to the cloud-
based mailbox, the migration will fail. If they change their password after the
mailbox is migrated, new email sent to their mailbox on the IMAP server won't
be migrated to their Microsoft 365 or Office 365 mailbox.

Don't delete mailboxes or change their SMTP addresses during migration: The
migration system will report an error when it can't find a mailbox that's been
migrated. Be sure to complete the migration and delete the migration batch
before you delete or change the SMTP address of a Microsoft 365, Office 365, or
on-premises mailbox that's been migrated.

Communicate with your users: Let users know ahead of time that you'll be
migrating the content of their on-premises mailboxes to your Microsoft 365 or
Office 365 organization. Consider the following:

Tell users that email messages larger than 35 MB won't be migrated. Ask users
to save very large messages and attachments to their local computer or to a
removable USB drive.

Ask users to delete old or unnecessary email messages from their on-premises
mailboxes before migration. This helps reduce the amount of data that has to
be migrated and can help reduce the overall migration time. Or you can clean
up their mailboxes yourself.

Suggest that users back up their Inboxes.

Tell users which folders won't be migrated, if applicable.

Folders with a forward slash ( / ) in the folder name aren't migrated. If users
want to migrate folders that contain forward slashes in their names, they have
to rename the folders or replace the forward slashes with a different character,
such as an underscore character ( _ ) or a dash ( - ).

CSV files for IMAP migration batches in Exchange Online
Article • 02/22/2023

The comma-separated values (CSV) file that you use to migrate the contents of users'
mailboxes in an IMAP migration contains a row for each user. Each row contains
information about the user's Office 365 mailbox and IMAP mailbox, and Office 365 uses
this information to process the migration.

Required attributes
Here are the required attributes for each user:

EmailAddress specifies the user ID for the user's Office 365 mailbox.

UserName specifies the user logon name for the user's mailbox on the IMAP
server. You can use either the username or domain\username format. For example,
hollyh or contoso\hollyh.

Password is the password for the user's account in the IMAP messaging system.

The migration will fail if any one of these attributes isn't included in the header row of
the CSV file. Also, be sure to type the attributes exactly as they're shown. Attributes can't
contain spaces. They must be a single word. For example, Email Address is invalid. You
must use EmailAddress.

CSV file format


Here's an example of the format for the CSV file. In this example, user credentials are
used to migrate three mailboxes:

CSV

EmailAddress,UserName,Password
terrya@contoso.edu,contoso\terry.adams,1091990
annb@contoso.edu,contoso\ann.beebe,2111991
paulc@contoso.edu,contoso\paul.cannon,3281986

The first row, or header row, of the CSV file lists the names of the attributes, or fields,
specified in the rows that follow. Each attribute name is separated by a comma.
Each row under the header row represents one user and supplies the information that
will be used to migrate the user's mailbox. The attribute values in each row must be in
the same order as the attribute names in the header row. Each attribute value is
separated by a comma.

Use any text editor, or an application like Microsoft Excel, to create the CSV file. Save the
file as a .csv or .txt file.

Tip

If the CSV file contains non-ASCII or special characters, save the CSV file with UTF-8
or other Unicode encoding. Depending on the application, saving the CSV file with
UTF-8 or other Unicode encoding might be easier when the system locale of the
computer matches the language used in the CSV file.

Divide a large migration into several batches


The CSV file can contain up to 50,000 rows, one row for each user, and can be as large
as 10 MB. But it's a good idea to migrate users in several smaller batches.

If you plan to migrate lots of users, decide which ones to include in each batch. For
example, if you have 10,000 accounts to migrate, you could run four batches with 2,500
users each. You could also divide the batches alphabetically; by user type, such as
faculty, students, and alumni; by class, such as freshman, sophomore, junior, and senior;
or in other ways that meet your organization's needs.

Tip

One strategy is to create Office 365 mailboxes and migrate email for the same
group of users. For example, if you import 100 new users to your Microsoft 365 or
Office 365 organization, create a migration batch for those same 100 users. This is
an effective way to organize and manage your migration from an on-premises
messaging system to Office 365.
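The rules for the file (required attributes typed exactly and without spaces, comma separation, at most 50,000 rows and 10 MB, every row with as many columns as the header) are the same checks the Exchange admin center applies when you browse to the file in Step 4, and dividing the file into batches is a matter of repeating the header row in each part. The following Python script is an added example and not Microsoft's code: it decodes the file while tolerating the byte-order mark that Excel's "CSV UTF-8" format writes (left in place, the mark becomes part of the first header cell and the header check fails), validates the content against those rules, and splits the rows into batch files. The sample rows are the three users from the CSV file format example above, embedded as constructed input; the function names and batch size are assumptions.

```python
"""Validate an IMAP migration CSV and divide it into batches (added example)."""
import csv
import io

REQUIRED_ATTRIBUTES = ("EmailAddress", "UserName", "Password")
MAX_ROWS = 50_000             # row limit stated in the documentation
MAX_BYTES = 10 * 1024 * 1024  # 10 MB size limit stated in the documentation


def decode_migration_file(data: bytes) -> str:
    """Decode the raw file as UTF-8, dropping a leading byte-order mark so the
    first header cell reads 'EmailAddress' rather than '\\ufeffEmailAddress'."""
    return data.decode("utf-8-sig")


def validate_migration_csv(text: str) -> list[str]:
    """Return the problems found; an empty list means the file passes the
    checks the migration service makes on upload."""
    problems: list[str] = []
    if not text.strip():
        return ["file is empty"]
    if len(text.encode("utf-8")) > MAX_BYTES:
        problems.append("file is larger than the 10 MB limit")
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if len(header) == 1:
        problems.append("header row is not comma-separated")
    # Attribute names must be typed exactly, as single words ("Email Address" is invalid).
    for name in header:
        if name != name.strip() or " " in name:
            problems.append(f"attribute name contains spaces: {name!r}")
    missing = [a for a in REQUIRED_ATTRIBUTES if a not in header]
    if missing:
        problems.append("missing required attributes: " + ", ".join(missing))
    user_rows = 0
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        user_rows += 1
        # Every row must carry exactly as many columns as the header row.
        if len(row) != len(header):
            problems.append(f"line {reader.line_num}: {len(row)} columns, header has {len(header)}")
    if user_rows == 0:
        problems.append("no user rows after the header")
    if user_rows > MAX_ROWS:
        problems.append(f"{user_rows} user rows exceed the {MAX_ROWS} row limit")
    return problems


def split_into_batches(text: str, batch_size: int) -> list[str]:
    """Split a validated file into batches of at most batch_size users, repeating
    the header row in each so every batch is a complete migration file."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, users = lines[0], lines[1:]
    return ["\n".join([header, *users[i:i + batch_size]]) + "\n"
            for i in range(0, len(users), batch_size)]


# Constructed sample: the three users from the example above, as Excel saves them with a BOM.
SAMPLE_BYTES = "\ufeff".encode("utf-8") + (
    "EmailAddress,UserName,Password\n"
    "terrya@contoso.edu,contoso\\terry.adams,1091990\n"
    "annb@contoso.edu,contoso\\ann.beebe,2111991\n"
    "paulc@contoso.edu,contoso\\paul.cannon,3281986\n"
).encode("utf-8")

if __name__ == "__main__":
    text = decode_migration_file(SAMPLE_BYTES)
    print("problems:", validate_migration_csv(text) or "none")
    for number, batch in enumerate(split_into_batches(text, 2), start=1):
        print(f"--- batch {number} ---\n{batch}", end="")
```

Read the real file as bytes (`Path(...).read_bytes()`) and pass it through `decode_migration_file` first; validating the decoded text catches the BOM problem and the "Email Address" style header mistake before the admin center rejects the upload. Each string returned by `split_into_batches` is a complete file for one batch, so write them out as separate .csv files and submit one per migration batch.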

Provide user or administrator credentials


In the CSV file, you have to provide the username and password for the user's on-
premises account. This enables the migration process to access the account. There are
two ways to do this:
Use user credentials: This requires that you obtain users' passwords or that you
change their passwords to a value that you know so you can include it in the CSV
file.

Tip

If you use this option, prevent users from changing the passwords of their on-
premises accounts. If users change their passwords after the initial migration,
subsequent synchronizations between the mailboxes on the IMAP server and
Office 365 mailboxes will fail.

Use super-user or administrator credentials: This requires that you use an account
in your IMAP messaging system that has the necessary rights to access all user
mailboxes. In the CSV file, you use the credentials for this account for each row. To
learn whether your IMAP server supports this approach and how to enable it, see
the documentation for your IMAP server.

Note

It's a good idea to use administrator credentials because it doesn't affect or
inconvenience users. For example, it won't matter if users change their
passwords after the initial migration.

Format for the administrator credentials for different IMAP servers
You can use the username and password of an administrator account in the UserName
and Password fields for each row of the CSV file. The username for administrator
credentials is a combination of the username for the person whose email is being
migrated and the username for an administrator account that has permission to access
all user mailboxes. The supported format for administrator credentials is different
depending on the IMAP server you're migrating email from. For more information about
how to use administrator credentials, see the documentation for your IMAP server.

Note

When you submit a new migration request, the CSV file is uploaded to the
Microsoft datacenter over a Secure Sockets Layer (SSL) connection. The information
from the CSV file is encrypted and stored on the Microsoft Exchange servers at the
Microsoft datacenter.

The following sections explain how to format the administrator credentials in the CSV
file that you use to migrate email from different types of IMAP servers.

Microsoft Exchange
If you're migrating email from the IMAP implementation for Microsoft Exchange, use the
format Domain/Admin_UserName/User_UserName for the UserName attribute in the
CSV file. Let's say you're migrating email from Exchange for Terry Adams, Ann Beebe,
and Paul Cannon. You have a mail administrator account, where the username is
mailadmin and the password is P@ssw0rd. Here's what your CSV file would look like:

CSV

EmailAddress,UserName,Password
terrya@contoso.edu,contoso-students/mailadmin/terry.adams,P@ssw0rd
annb@contoso.edu,contoso-students/mailadmin/ann.beebe,P@ssw0rd
paulc@contoso.edu,contoso-students/mailadmin/paul.cannon,P@ssw0rd

Dovecot
For IMAP servers that support Simple Authentication and Security Layer (SASL), such as
a Dovecot IMAP server, use the format User_UserName*Admin_UserName, where the
asterisk ( * ) is a configurable separator character. Let's say you're migrating those same
users' email from a Dovecot IMAP server using the administrator credentials mailadmin
and P@ssw0rd. Here's what your CSV file would look like:

CSV

EmailAddress,UserName,Password
terrya@contoso.edu,terry.adams*mailadmin,P@ssw0rd
annb@contoso.edu,ann.beebe*mailadmin,P@ssw0rd
paulc@contoso.edu,paul.cannon*mailadmin,P@ssw0rd

Mirapoint
If you're migrating email from Mirapoint Message Server, use the format
#user@domain#Admin_UserName# for the administrator credentials. To migrate email
from Mirapoint using the administrator credentials mailadmin and P@ssw0rd, your CSV
file would look like this:

CSV

EmailAddress,UserName,Password
terrya@contoso.edu,#terry.adams@contoso-students.edu#mailadmin#,P@ssw0rd
annb@contoso.edu,#ann.beebe@contoso-students.edu#mailadmin#,P@ssw0rd
paulc@contoso.edu,#paul.cannon@contoso-students.edu#mailadmin#,P@ssw0rd

Use the optional UserRoot attribute


Some IMAP servers, such as Courier IMAP, don't support using administrator credentials
to migrate mailboxes to Office 365. To use administrator credentials to migrate
mailboxes, you can configure your IMAP server to use virtual shared folders. Virtual
shared folders allow administrators to use the administrator's logon credentials to
access user mailboxes on the IMAP server. For more information about how to configure
virtual shared folders for Courier IMAP, see Shared Folders.

To migrate mailboxes after you set up virtual shared folders on your IMAP server, you
have to include the optional attribute UserRoot in the CSV file. This attribute specifies
the location of each user's mailbox in the virtual shared folder structure on the IMAP
server.

Here's an example of a CSV file that contains the UserRoot attribute:

EmailAddress,UserName,Password,UserRoot
terrya@contoso.edu,mailadmin,P@ssw0rd,/users/terry.adams
annb@contoso.edu,mailadmin,P@ssw0rd,/users/ann.beebe
paulc@contoso.edu,mailadmin,P@ssw0rd,/users/paul.cannon
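The four UserName conventions above (and the same ones described earlier for the migration file in the classic and new EAC walkthroughs) are easy to get subtly wrong by hand across hundreds of rows. The following Python script is an added example and not Microsoft's code: it generates the UserName column for Exchange, SASL servers such as Dovecot, Mirapoint, and the UserRoot variant used with servers such as Courier IMAP, writes the rows with the `csv` module so that values are quoted only when the format requires it, and creates the output file readable by the current user alone. The user list is the three users from the examples above; the server-type labels, option names and the `write_private` helper are assumptions for this example.

```python
"""Generate the UserName column of an IMAP migration CSV for each server convention (added example)."""
import csv
import io
import os


def exchange_username(domain: str, admin: str, user: str) -> str:
    """Exchange IMAP: Domain/Admin_UserName/User_UserName."""
    return f"{domain}/{admin}/{user}"


def sasl_username(user: str, admin: str, separator: str = "*") -> str:
    """SASL servers such as Dovecot: User_UserName*Admin_UserName. The separator is
    configurable on the server; '*' is the value shown in the documentation."""
    return f"{user}{separator}{admin}"


def mirapoint_username(user_address: str, admin: str) -> str:
    """Mirapoint Message Server: #user@domain#Admin_UserName#."""
    return f"#{user_address}#{admin}#"


def build_migration_csv(server_type: str, users, admin: str, password: str, **opts) -> str:
    """users is a list of (Microsoft 365 address, source username) pairs.
    Returns the CSV text for the chosen server type."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if server_type == "userroot":
        # Courier IMAP style: plain admin credentials plus the mailbox path in UserRoot.
        writer.writerow(["EmailAddress", "UserName", "Password", "UserRoot"])
        for address, user in users:
            writer.writerow([address, admin, password, f"{opts['root']}/{user}"])
        return buf.getvalue()
    writer.writerow(["EmailAddress", "UserName", "Password"])
    for address, user in users:
        if server_type == "exchange":
            username = exchange_username(opts["domain"], admin, user)
        elif server_type == "dovecot":
            username = sasl_username(user, admin, opts.get("separator", "*"))
        elif server_type == "mirapoint":
            username = mirapoint_username(f"{user}@{opts['mail_domain']}", admin)
        else:
            raise ValueError(f"unknown server type: {server_type}")
        writer.writerow([address, username, password])
    return buf.getvalue()


def write_private(path: str, text: str) -> None:
    """The file carries the administrator password in clear text, so create it
    readable only by the current user (mode 0600; on Windows rely on the NTFS ACL
    of the folder) and delete it once the migration batch has been created."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as handle:
        handle.write(text)


# The three users from the examples above: (Microsoft 365 address, source username).
USERS = [
    ("terrya@contoso.edu", "terry.adams"),
    ("annb@contoso.edu", "ann.beebe"),
    ("paulc@contoso.edu", "paul.cannon"),
]

if __name__ == "__main__":
    print(build_migration_csv("exchange", USERS, "mailadmin", "P@ssw0rd", domain="contoso-students"))
    print(build_migration_csv("dovecot", USERS, "mailadmin", "P@ssw0rd"))
    print(build_migration_csv("mirapoint", USERS, "mailadmin", "P@ssw0rd", mail_domain="contoso-students.edu"))
    print(build_migration_csv("userroot", USERS, "mailadmin", "P@ssw0rd", root="/users"))
```

Each call reproduces the corresponding CSV shown above line for line. Keep the generated file only as long as the batch needs it: the copy uploaded to the service is encrypted at rest, as the note above states, but the local copy is yours to protect.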

Prepare your Gmail or Google Workspace (formerly G Suite) account for connecting to Outlook and Microsoft 365 or Office 365
Article • 02/22/2023

) Important

The ability to add new accounts to Outlook on the web using the Connected
accounts feature was removed in September 2018.

Before you connect to your Gmail account from Outlook on the web, or add a
Gmail account to Outlook, you need to prepare your Gmail account. You need to turn
on 2-step verification for Gmail and then create an app password that Office 365 will use
with your Gmail address to make the connection.

You'll also have to do this if your admin is planning to migrate your Gmail or Google
Workspace Gmail to Microsoft 365 or Office 365.

Enable IMAP for Gmail and Google Workspace accounts

Make sure that you have enabled IMAP before you start the migration process. Failure to do so will result in migration-related issues.

To enable IMAP for Gmail or Google Workspace Accounts:

1. Sign in to your Gmail/Google Workspace account using a supported browser.

2. Select the gear icon located at the top right of the screen.

3. In the drop-down menu that appears, select Settings.

4. Switch to the Forwarding and POP/IMAP tab.

5. Scroll down to the IMAP access, and make sure that Enable IMAP is selected.

6. Scroll to the bottom. Select Save Changes.


Enable your Gmail to be connected by Microsoft 365 or Office 365

To use an app password with Gmail, you have to first turn on 2-step verification, and then obtain the app password. Once you have an app password, you can use that in combination with your username to connect to Gmail.

To turn on 2-step verification

1. Sign in to your Gmail account

2. Select Google apps > My Account.

3. On the My Account page, choose Sign-in & security.

4. Under the Password & sign-in method, choose the arrow next to the 2-Step
verification, and provide your password if asked.
Note

If you have a Google Workspace (Google Apps) account and you can't see this setting, your admin has to first turn it on. For instructions (for admins), see Enable 2-step verification for your Google Workspace users.

5. On the Signing in with 2-step verification page, choose Start setup.

6. Re-enter your password if asked, and in the Set up your phone step, enter or verify
your cell phone. On the next step, enter the verification number sent to your cell
phone and choose Verify.

7. In the Trust this computer step, choose Next, and in the Turn on 2-step
verification step choose Confirm.

To create an app password

1. Sign in to your Gmail account

2. Select Google apps > My Account.

3. On the My Account page, choose Sign-in & security.

4. Under the Password & sign-in method, choose the arrow next to the App
passwords, and provide your password if asked.

5. On the App passwords page, in the Select app drop-down choose Other (custom
name).

6. Type in a name, for example Myconnection, and then select GENERATE.

Note the app password under Your app password for your device. You can use this with your Gmail address in the app you're connecting to your Gmail account (or adding your Gmail account to). This combination grants the app that uses it complete access to your Gmail account, so treat the app password as you would your password, and revoke it once the migration is finished.

After you've entered the app password, you don't have to remember it.

Important

The 16-character app password is displayed with spaces so it is easier to read. When you enter it in the app you want to connect, ignore the spaces and enter it as an unbroken string of 16 characters.

7. Now you're ready to add your Gmail account to Outlook. When you're prompted
for a password, you enter this app password for your Gmail account. Don't enter
your Gmail password. For instructions on adding your Gmail account to Outlook,
see these articles:

Add an email account to Outlook

Connect email accounts in Outlook on the web (Microsoft 365)

Optionally revoke the app password

If you need the Gmail connection for a brief time only, for example for an IMAP mailbox migration that your admin is running, revoke the app password afterwards.

To revoke the app password:

1. Sign in to your Gmail account

2. Select Google apps > My Account.

3. On the My Account page, choose Sign-in & security.

4. Under the Password & sign-in method, choose the arrow next to the App
passwords, and provide your password if asked.

5. On the App passwords page, select REVOKE next to the app password you want to
revoke.

Related Topics
Migrate email and contacts to Microsoft 365

Ways to migrate multiple email accounts to Microsoft 365 or Office 365


Migrating your Outlook.com account to Microsoft 365 or Office 365
Article • 02/22/2023

If you are migrating your Outlook.com or Hotmail.com account to Microsoft 365 or Office 365, you'll need to enable two-step verification (also known as two-factor authentication).

Two-step verification helps protect you by making it more difficult for someone else to
sign in to your email account. It uses two different forms of identity: your password, and
a contact method. Even if someone else finds your password, they'll be stopped if they
don't have access to your other devices or accounts.

You set up two-step verification with an email address, phone number, or authenticator
app. When you sign in on a new device or from a new location, we'll send you a security
code that you enter on the sign-in page as a second form of authentication in addition
to your password.

After you have setup two-step verification, you can also obtain an app password that
you will have to use in order to use Internet Message Access Protocol (IMAP) migration
to copy email from your Outlook.com or Hotmail.com account to your Microsoft 365 or
Office 365 for business account. If your Microsoft 365 or Office 365 admin is moving
email messages from your Outlook.com or Hotmail.com account to Microsoft 365 or
Office 365 on your behalf, you'll need to give them your app password.

Turn on two-step verification and create an app password in Outlook.com or Hotmail.com

1. Sign in to Outlook.com or Hotmail.com at https://outlook.live.com/owa/ .

2. Go to the Security settings page. Enter your password if prompted.

To get to the Security settings page, in Outlook.com click or tap your profile picture in the upper right and select View account. On the Account page, choose Security on the blue bar, and then More security options.

3. Scroll down the page and choose Set up two-step verification under Two-step
verification.
4. Choose Next to start the setup wizard.

5. On the Set up your smart phone with an app password page, under the Update
your Windows Phone 8 (or earlier) with an app password list, note the 16-digit
app password in the list:
Important

Even though the page indicates this is for Windows Phone 8 (or earlier), this list contains the app password your admin needs to migrate your hotmail.com or outlook.com email to Office 365 for business. You will need this app password even if you set up two-step verification by using an Android or iPhone.

This is also the app password you or your admin will use to migrate your hotmail.com or outlook.com email to Microsoft 365 or Office 365 for business.

6. On your mobile device, download the Microsoft Authenticator from your app
store.

Microsoft Authenticator app is available for Android or iOS .

7. Open the Microsoft Authenticator app on your mobile device, and choose +. Scan
the code on the Set up an authenticator app page.

8. In step 4 on the Set up an authenticator app page, type the six-digit code that's
displayed on your mobile device (for example, 555111; you don't need to include
any spaces).

You don't need to memorize this code; the Microsoft Authenticator app generates a new one at short intervals, which is why it is safer than a static password. Whenever you sign in to your email account from a new device or location, enter the latest code shown in the Microsoft Authenticator app as your second factor, in addition to your password.

9. You'll get a message that two-step verification is turned on. Print your new recovery code (this isn't your app password). If you ever need to recover access to this account, this recovery code will help. It's a good idea to keep it tucked away in a safe place.

10. Choose Next.


After you turn on two-step verification and create an app password, continue with the
IMAP migration in the Microsoft 365 admin center.
Enable 2-step verification for your Google apps users in Exchange Online
Article • 02/22/2023

If you want to migrate email for your Google apps users to Microsoft 365 or Office 365, the users need to create an app password that you will use together with their Gmail address (user name) to connect to their Gmail. Before they can create an app password, you will have to allow them to turn on two-step verification in the Google Admin console.

Enable two-step verification

In order for your users to create an app password, they will have to first enable two-step verification.

To enable two-step verification for your Google apps domain

1. Sign in to the Google Admin console.

2. On the console, choose Security.

3. On the Security page, choose Basic settings, and then check the check-box next to Allow users to turn on 2-step verification.

4. Your users can now turn on two-step verification and create an app password as
described here: Prepare your Gmail account for connecting to Outlook and
Microsoft 365 or Office 365.
Perform a Google Workspace (formerly G Suite) migration to Microsoft 365 or Office 365
Article • 06/09/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be deprecated for worldwide customers. Microsoft recommends using the new Exchange Admin Center, if not already doing so.

While most of the features have been migrated to new EAC, some have been migrated to other admin centers and remaining ones will soon be migrated to New EAC. Find features that are not yet there in new EAC at Other Features or use Global Search that will help you navigate across new EAC.

Watch: Overview of automated batch migration from Google Workspace

Check out this video and others on our YouTube channel.
Video: https://www.microsoft.com/en-us/videoplayer/embed/RW130ct?autoplay=false&postJsllMsg=true

You can migrate the following functionalities from Google Workspace to Microsoft 365 or Office 365:

Mail & Rules
Calendar
Contacts

You can migrate batches of users from Google Workspace to Microsoft 365 or Office
365, allowing a migration project to be done in stages. This migration requires that you
provision all of your users who will be migrated as mail-enabled users outside of the
migration process. You must specify a list of users to migrate for each batch.

All procedures in this article assume that your Microsoft 365 or Office 365 domain is
verified and that your TXT records have been set up. For more information, see Set up
your domain (host-specific instructions).
Note

Google Workspace migration is not currently available for Office 365 US Government GCC High or DoD.

Select your method of migration

You can migrate from Google Workspace using any of the following methods:

Automated - through the New Exchange admin center
Manual - through the New Exchange admin center as well as the Classic Exchange admin center
PowerShell

Migration limitations

Note

The largest single email message that can be migrated is based on the transport configuration for your organization. The default limit is 35 MB. To increase this limit, see Office 365 now supports larger email messages.

Throughput limitations for contacts and calendars completely depend on the quota restrictions for your tenant's service account on the Google Workspace side.

Other migration limitations are described in the following table:

Data type: Limitations
Mail: Vacation settings and automatic reply settings are not migrated
Meeting rooms: Room bookings are not migrated
Calendar: Shared calendars and event colors are not migrated
Contacts: A maximum of three email addresses per contact are migrated
Contacts: Gmail tags, contact URLs, and custom tags are not migrated

Tip

Rules are migrated but remain turned off by default. We advise users to verify the rules in Outlook before enabling them.

If you will be starting your migration batch with Exchange Online PowerShell, as described later in this article, use the -ExcludeFolders parameter to prevent certain folders from being migrated. This reduces the amount of data in your migration, and the size of a user's new Exchange Online mailbox. You can identify folders you don't want to migrate by name, and you can also identify Gmail labels that apply to multiple messages in order to exclude those messages from the migration. For more information on using -ExcludeFolders, see New-MigrationBatch.

Gmail filters are migrated as Outlook rules. To skip them, use the -SkipRules parameter. For more information on using -SkipRules, see New-MigrationBatch.
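The tip above names the two parameters but not how they fit into a batch. The following PowerShell is an added example, not code from the Microsoft article: it creates the Gmail migration endpoint from the service account key file, starts a batch that leaves out some folders and skips Gmail filters, and shows the status calls to watch before completing. It assumes the ExchangeOnlineManagement module is installed; the key file name, CSV path, admin address, batch name and the excluded folder names are hypothetical placeholders.

```powershell
# Added example (not from the Microsoft article): create the Gmail endpoint and start a
# Google Workspace batch from Exchange Online PowerShell, excluding folders/labels and
# skipping Gmail filters. File names, addresses and folder names are assumptions.
Connect-ExchangeOnline

$keyFile   = '.\projectid-1234567890ab.json'   # service account key downloaded in the prerequisites
$csvFile   = '.\gmail-batch1.csv'              # EmailAddress[,Username] rows
$endpoint  = 'GoogleWorkspaceEndpoint'
$adminMail = 'admin@fabrikaminc.net'           # Google Workspace account used to set up the project

# Create the endpoint once; later batches reuse it.
if (-not (Get-MigrationEndpoint -Identity $endpoint -ErrorAction SilentlyContinue)) {
    $keyBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $keyFile).Path)
    New-MigrationEndpoint -Gmail -Name $endpoint -EmailAddress $adminMail `
        -ServiceAccountKeyFileData $keyBytes `
        -MaxConcurrentMigrations 20 -MaxConcurrentIncrementalSyncs 10 | Out-Null
}

# Folders or labels to leave behind (assumed names; use the label names as Gmail shows them).
$excluded = 'Spam', 'Trash', 'Promotions'

$csvBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $csvFile).Path)
$batch = New-MigrationBatch -Name 'GmailBatch1' -SourceEndpoint $endpoint `
    -CSVData $csvBytes -TargetDeliveryDomain 'o365.fabrikaminc.net' `
    -ExcludeFolders $excluded -SkipRules -AutoStart

# Progress: complete the batch only after every user reports Synced.
Get-MigrationUser -BatchId $batch.Identity | Format-Table Identity, Status, LastSyncedTime
Get-MigrationBatch -Identity $batch.Identity | Select-Object Status, TotalCount, SyncedCount, FailedCount
# When all users are Synced:  Complete-MigrationBatch -Identity $batch.Identity
```

Leaving out `-AutoStart` creates the batch in a stopped state so you can review it in the EAC first and start it with `Start-MigrationBatch`; the same endpoint can serve as many batches as you need for a staged migration.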

Prerequisites
Ensure you complete the following prerequisites before initiating either manual or
automated Google Workspace migration:

1. Ensure you have been assigned a project creator role and you are signed into
Google Workspace with the project creator credentials.
2. Ensure you complete the following procedures before initiating the migration
process:
a. Create a subdomain for mail routing to Microsoft 365 or Office 365
b. Create a subdomain for mail routing to your Google Workspace domain
c. Provision users in Microsoft 365 or Office 365

For detailed information on these steps, see Google Workspace migration prerequisites.
Google Workspace migration prerequisites in Exchange Online
Article • 04/24/2023

Note

Before you start the migration to Microsoft 365, ensure that, as an administrator, you have at minimum the "Recipient Management" role group assigned. For more information, see Exchange Admin Center > Roles > Admin Roles.

The following procedures must be performed (in the order mentioned) before you start
the process of Google Workspace migration:

1. Create a subdomain for mail routing to Microsoft 365 or Office 365
2. Create a subdomain for mail routing to your Google Workspace domain
3. Provision users in Microsoft 365 or Office 365

Watch: Prerequisites for automated batch migration from Google Workspace

Check out this video and others on our YouTube channel.
Video: https://www.microsoft.com/en-us/videoplayer/embed/RW10Wot?autoplay=false&postJsllMsg=true

Create a subdomain for mail routing to Microsoft 365 or Office 365

1. Go to the Google Workspace Admin page and sign in as a Google Workspace
administrator for your tenant.

2. Select Add a domain.

Note

The option Add a domain won't be available if using the legacy free edition of G Suite.

3. Enter the domain that you'll use for routing mails to Microsoft 365 or Office 365,
select User alias domain, and then select ADD DOMAIN & START VERIFICATION.
A subdomain of your primary domain is recommended (for example,
"o365.fabrikaminc.net", when "fabrikaminc.net" is your primary domain) so that it
will be automatically verified. If another domain (such as
"fabrikaminc.onmicrosoft.com") is set, Google will send emails to each individual
address with a link to verify the permission to route mail. Migration won't
complete until the verification is completed.

Keep track of the name of the domain you enter because you'll need it for the
subsequent steps, and for using it as the Target Delivery Domain in the process of
Creating a migration batch in Microsoft 365 or Office 365.

Note

If you see the error GmailForwardingAddressRequiresVerificationException during the batch, skip this step of creating a subdomain for forwarding emails from the Gmail side.

4. Follow any subsequent steps that are then required to verify your domain till the
status is shown as Active. If you chose a subdomain of your primary domain
(created in step 3), your new domain may have been verified automatically.
5. Sign in to your DNS provider and update your DNS records so that you have an
MX record at the domain you created (in step 3), pointing to Microsoft 365 or
Office 365. Ensure that this domain (created in step 3) is an accepted domain in
Microsoft 365 or Office 365. Follow the instructions in Add a domain to Microsoft
365 to add the Microsoft 365 or Office 365 routing domain
("o365.fabrikaminc.net") to your organization and to configure DNS to route mail
to Microsoft 365 or Office 365.

Note

The migration process won't be able to complete if an unverified routing domain is used. Choosing the built-in "tenantname.onmicrosoft.com" domain for routing mail to Office 365 instead of a subdomain of the primary Google Workspace domain occasionally causes issues that Microsoft is not able to assist with; in such cases Microsoft can only recommend that the user manually verify the forwarding address or contact Google support.

Create a subdomain for mail routing to your Google Workspace domain

1. Go to the Google Workspace Admin page and sign in as a Google Workspace
administrator for your tenant.
2. Select Add a domain.

3. Enter the domain that you'll use for routing mails to Google Workspace, select
User alias domain, and then select ADD DOMAIN & START VERIFICATION. A
subdomain of your primary domain is recommended (for example,
"gsuite.fabrikaminc.net", when "fabrikaminc.net" is your primary domain) so that it
will be automatically verified.

4. Follow any subsequent steps that are then required to verify your domain till your
domain's status is shown as Active. If you chose a subdomain of your primary
domain (created in step 3), your new domain may have been verified automatically.
5. Follow Google's instructions to Set up MX records for Google Workspace Gmail
for this domain.

Note

It may take up to 24 hours for Google to propagate this setting to all the users in your organization.

Important

If you are using non-default transport settings in your Microsoft 365 or Office 365 organization, check that mail flow will work from Office 365 to Google Workspace. Ensure that either your default Remote Domain ("*") has Automatic Forwarding enabled, or that there is a new Remote Domain for your Google Workspace routing domain (for example, "gsuite.fabrikaminc.net") that has Automatic Forwarding enabled.
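The two routing subdomains and the remote-domain forwarding setting are where batches most often stall, and all three can be checked before any batch is created. The following PowerShell is an added example, not code from the Microsoft article: it confirms that the Microsoft 365 routing subdomain is an accepted domain with an MX pointing at Exchange Online Protection, that the Google routing subdomain has an MX pointing at Google and is not an accepted domain (in this design mail to the mail users' ExternalEmailAddress must leave the tenant), and that some remote domain allows automatic forwarding toward Google. It assumes the ExchangeOnlineManagement module and the Windows DnsClient module (for Resolve-DnsName); the domain names are the article's examples.

```powershell
# Added example (not from the Microsoft article): preflight check of the routing
# subdomains and of remote-domain auto-forwarding before creating a migration batch.
# Domain names are the article's examples; expected MX targets are the standard ones.
Connect-ExchangeOnline

$o365Routing   = 'o365.fabrikaminc.net'     # Target Delivery Domain, MX -> Microsoft 365
$gsuiteRouting = 'gsuite.fabrikaminc.net'   # ExternalEmailAddress domain, MX -> Google

function Test-RoutingDomain {
    param([string] $Domain, [string] $ExpectedMxSuffix, [bool] $MustBeAccepted)
    $accepted = Get-AcceptedDomain -Identity $Domain -ErrorAction SilentlyContinue
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference | Select-Object -First 1

    $domainType = 'not accepted'
    if ($accepted) { $domainType = "$($accepted.DomainType)" }
    $mxTarget = '(none)'
    if ($mx) { $mxTarget = $mx.NameExchange }

    [pscustomobject]@{
        Domain     = $Domain
        AcceptedOk = (([bool] $accepted) -eq $MustBeAccepted)
        DomainType = $domainType
        Mx         = $mxTarget
        MxOk       = [bool] ($mx -and $mx.NameExchange -like "*$ExpectedMxSuffix")
    }
}

Test-RoutingDomain -Domain $o365Routing   -ExpectedMxSuffix 'mail.protection.outlook.com' -MustBeAccepted $true
Test-RoutingDomain -Domain $gsuiteRouting -ExpectedMxSuffix 'google.com' -MustBeAccepted $false

# Automatic forwarding toward Google must be allowed, either on the default remote
# domain ("*") or on a remote domain created for the Google routing subdomain.
$remote = Get-RemoteDomain | Where-Object { $_.DomainName -eq '*' -or $_.DomainName -eq $gsuiteRouting }
$remote | Format-Table Name, DomainName, AutoForwardEnabled
if (-not ($remote | Where-Object { $_.AutoForwardEnabled })) {
    $hint = "New-RemoteDomain -Name GoogleRouting -DomainName $gsuiteRouting; " +
            "Set-RemoteDomain -Identity GoogleRouting -AutoForwardEnabled `$true"
    Write-Warning "No remote domain allows auto-forwarding to $gsuiteRouting. Fix with: $hint"
}
```

A dedicated remote domain for the Google routing subdomain, as in the hint, is the narrower choice: it permits forwarding only toward Google rather than opening automatic forwarding to every external domain on "*".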

Check Google Cloud platform permissions

An automated scenario requires the Google Migration administrator to be able to perform the following steps:

1. Create a Google Cloud project.
2. Create a Google Workspace service account in the project.
3. Create a service key.
4. Enable all APIs - Gmail, Calendar, and Contacts.

The Google Migration administrator needs the following permissions to complete these steps:

resourcemanager.projects.create
iam.serviceAccounts.create

The most secure way to achieve completion of these four steps is to assign the following roles to the Google Migration administrator:

Project Creator
Service Account Creator

Here's how you do it:

1. Navigate to https://console.developers.google.com .

2. Expand the navigation (hamburger) menu in the upper left-hand corner.

3. Select IAM & Admin.

4. Select Manage Resources.

5. Select the appropriate resource and in the right-hand pane under the Permissions tab, select Add Principal.

6. Enter the Google Migration administrator's account as the principal, enter Project Creator in the filter, and select Project Creator.

7. Select Add Another Role, enter Service Account Creator in the filter, and select Service Account Creator.

8. Select Save.

Note

It might take up to 15 minutes to propagate role assignment changes across the globe.
Provision users in Microsoft 365 or Office 365
Once your Google Workspace environment has been properly configured, you can
complete your migration in the Exchange admin center or through the Exchange Online
PowerShell.

Before proceeding with either method, ensure that Mail Users have been provisioned for every user in the organization who will be migrated (either now or eventually). If any users aren't provisioned, provision them using the instructions in Manage mail users.

For more advanced scenarios, you may be able to deploy Azure Active Directory (Azure AD) Connect to provision your Mail Users. For more information, see Deploy Microsoft 365 Directory Synchronization in Microsoft Azure for an overview, and Set up directory synchronization for Microsoft 365 for setup instructions. Then, you need to deploy an Exchange server in your on-premises environment for user management, and mail-enable your users using this server. For more information, see How and when to decommission your on-premises Exchange servers in a hybrid deployment and Manage mail users. Once the Mail Users have been created in Microsoft 365, Azure AD Connect may need to be disabled to allow the migration process to convert these users into mailboxes. For more information, see Turn off directory synchronization for Microsoft 365.

We recommend that the primary address (sometimes referred to as the "User ID") for each user be at the primary domain (for example, "will@fabrikaminc.net"). Typically, this requirement means that the primary email address should match between Microsoft 365 or Office 365 and Google Workspace. If any user is provisioned with a different domain for their primary address, then that user should at least have a proxy address at the primary domain. Each user should have their ExternalEmailAddress point to the user in their Google Workspace routing domain ("will@gsuite.fabrikaminc.net"). The users should also have a proxy address that will be used for routing to their Microsoft 365 or Office 365 routing domain (for example, "will@o365.fabrikaminc.net").

Note

We recommend that the Default MRM Policy and Archive policies be disabled for these users until their migration has been completed. When such features remain enabled during migration, there is a chance that some messages will end up being considered "missing" during the content verification process.
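The three address requirements above (an address at the primary domain, ExternalEmailAddress in the Google routing subdomain, a proxy address in the Microsoft 365 routing subdomain) can be verified for the whole batch before it is submitted. The following PowerShell is an added example, not code from the Microsoft article: it reads the batch CSV, looks up each EmailAddress as a MailUser and reports which of the three requirements each one misses. It assumes the ExchangeOnlineManagement module; the domain names are the article's examples and the CSV path is hypothetical.

```powershell
# Added example (not from the Microsoft article): verify that every user in the batch
# CSV is provisioned as a MailUser with the addresses the article recommends. Domain
# names are the article's examples; the CSV path is hypothetical.
Connect-ExchangeOnline

$primaryDomain = 'fabrikaminc.net'
$o365Routing   = 'o365.fabrikaminc.net'
$gsuiteRouting = 'gsuite.fabrikaminc.net'

function Test-MigrationMailUser {
    param([string] $EmailAddress)
    $mu = Get-MailUser -Identity $EmailAddress -ErrorAction SilentlyContinue
    if (-not $mu) {
        return [pscustomobject]@{ User = $EmailAddress; Ok = $false; Problems = 'not a MailUser (missing, or already a mailbox)' }
    }
    $problems  = @()
    $addresses = @($mu.EmailAddresses | ForEach-Object { "$_" })   # "SMTP:primary", "smtp:proxy", ...
    $external  = "$($mu.ExternalEmailAddress)"                      # "SMTP:user@gsuite..."

    # -match on an array returns the matching elements; PowerShell -match is case-insensitive.
    if (-not ($addresses -match "^smtp:[^@]+@$([regex]::Escape($primaryDomain))$")) {
        $problems += "no address at $primaryDomain"
    }
    if ($external -notmatch "^smtp:[^@]+@$([regex]::Escape($gsuiteRouting))$") {
        $problems += "ExternalEmailAddress is '$external', expected *@$gsuiteRouting"
    }
    if (-not ($addresses -match "^smtp:[^@]+@$([regex]::Escape($o365Routing))$")) {
        $problems += "no proxy address at $o365Routing"
    }
    [pscustomobject]@{ User = $EmailAddress; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

$results = Import-Csv .\gmail-batch1.csv | ForEach-Object { Test-MigrationMailUser -EmailAddress $_.EmailAddress }
$results | Format-Table User, Ok, Problems -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix the users listed above before creating the migration batch.'
}
```

A missing proxy address in the Microsoft 365 routing subdomain is the usual cause of a user that never receives forwarded mail after the batch completes, so it is worth running this check again on any user added to a later batch.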
Perform an automated Google Workspace migration to Microsoft 365 or Office 365 in the new EAC in Exchange Online
Article • 01/26/2023

With the new Exchange admin center (EAC), the migration of mail, contacts, and calendar from Google Workspace to Microsoft 365 or Office 365 has been automated. The process has been simplified to the extent that several steps that a user previously had to perform by hand are no longer required.

Note

The new EAC continues to offer manual migration of Google Workspace to Microsoft 365 or Office 365.

Important

You have to implement all the steps specified in Google Workspace migration prerequisites in Exchange Online prior to starting the migration process. Otherwise, the Google Workspace migration to Microsoft 365 or Office 365 won't be successful.

Watch: Migrate email, calendars, and contacts from Google Workspace through an automated batch migration

Check out this video and others on our YouTube channel.
Video: https://www.microsoft.com/en-us/videoplayer/embed/RW11RRY?autoplay=false&postJsllMsg=true

Start an automated Google Workspace migration batch in the new EAC

Important

Microsoft's data migration tool is currently unaware of tools enforcing messaging records management (MRM) or archival policies. Because of this, any messages that are deleted or moved to archive by these policies will result in the migration process flagging these items as "missing." The result is perceived data loss rather than actual data loss, which makes it much harder to identify actual data loss during any content verification checks.

Therefore, Microsoft strongly recommends disabling all MRM and archival policies before attempting any data migration to mailboxes.

1. In the new Exchange Admin center at https://admin.exchange.microsoft.com/#/ , go to Migration and then select Add migration batch.

The Add migration batch page appears.

2. Configure the following settings:

Give migration batch a unique name: Enter a unique name.
Select the mailbox migration path: Verify that Migration to Exchange Online is selected.

When you're finished, select Next. The Select the migration type page appears.

3. Select Google Workspace (Gmail) migration, and then select Next.

The Prerequisites for Google Workspace migration page appears.

4. Verify that the Automate the configuration of your Google Workspace for
migration section is expanded, and then select Start in that section to automate
the four required prerequisite steps.

5. In the Google sign-in page that appears, sign in to your Google account to validate
your APIs. Once the APIs are successfully validated, the following things happen:

A JSON file (projectid-*.json) is downloaded to your local system. This file contains the service account's private key, so protect it like a password and remove it from the download folder once the migration endpoint has been created.
The link to add the ClientID and the Scope is provided. The ClientID and Scope are also listed for your reference.

6. Select the API access link. You'll be redirected to Google Admin API Controls page.

7. Select Add new. Copy the ClientID and Scope from the EAC, paste it here, and then
select Authorize.

8. Once the four prerequisites-related steps are completed, select Next. The Set a
migration endpoint page appears.

9. Select one of the following options:

Select the migration endpoint: Select the existing migration endpoint from
the drop-down list.
Create a new migration endpoint: Select this option if you're a first-time
user.

Note

To migrate Gmail mailboxes successfully, Microsoft 365 or Office 365 needs to connect and communicate with Gmail. To do this, Microsoft 365 or Office 365 uses a migration endpoint. Migration endpoint is a technical term that describes the settings that are used to create the connection so you can migrate the mailboxes.

If you've selected Create a new migration endpoint, do the following steps:

a. On the General Information page, configure the following settings:

Migration Endpoint Name: Enter a value.
Maximum concurrent migrations: Leave the default value 20 or change the value as required.
Maximum concurrent incremental syncs: Leave the default value 10 or change the value as required.

When you're finished, select Next.

b. On the Gmail migration configuration page, configure the following settings:

Email address: Enter the email address that you use to sign in to the
Google Workspace.
JSON key: Select Import JSON. In the dialog box that appears, find and
select the downloaded JSON file, and then select Open.
Once the endpoint is successfully created, it will be listed in the Select
migration endpoint drop-down list.

Select the endpoint from the drop-down list, and select Next. The Add
user mailboxes page appears.

10. Select Import CSV file and navigate to the folder where you've saved the CSV file.

If you haven't already saved or created the CSV file, create a CSV file containing the
set of names of the users you want to migrate. You'll need its filename below. The
allowed headers are:

EmailAddress (required): Contains the primary email address for an existing Microsoft 365 or Office 365 mailbox.
Username (optional): Contains the Gmail primary email address, if it differs from EmailAddress.

CSV

EmailAddress
will@fabrikaminc.net
user123@fabrikaminc.net

When you're finished, select Next. The Move configuration page appears.
11. From the Target delivery domain drop-down list, select the target delivery domain
(the subdomain) that was created as part of fulfilling the Google Workspace
migration prerequisites in Exchange Online.

Note

The target delivery domain (the subdomain) you select in this step can be either an existing one or the one that you created in Google Workspace migration prerequisites in Exchange Online.

If you don't see the target delivery domain that you want in the Target delivery domain drop-down list, type its name directly into the same Target delivery domain control; it accepts free text as well as a selection from the list.

Filtering options have been introduced for the migration of Google Workspace to
Microsoft 365 or Office 365. For more information on these filtering options, see
Filtering Options for Google Workspace migration.
12. On the Schedule batch migration page, verify all the details, select Save, and then
select Done.

Once the batch status changes from Syncing to Synced, you need to complete the
batch.

To learn more, see the following topics:

Completion of migration batch: See Completion of migration batch in new EAC.
How the migration happens on the backend: See Overview of the process.

Filtering Options for Google Workspace migration

Filtering options let you choose which components are migrated from Google Workspace.

The filter options for the Google Workspace migration are:

Mail
Calendar
Contacts
Rules
Perform manual migration of Google Workspace in Exchange Online
Article • 01/26/2023

You can perform manual migration of Google Workspace to Microsoft 365 or Office 365 in the new EAC and the Classic EAC.

Perform a manual Google Workspace migration to Microsoft 365 or Office 365 in the new EAC
Article • 01/26/2023

The migration process takes several steps and can take from several hours to a couple
of days depending on the amount of data you are migrating.

Prerequisites
Before you begin Google Workspace migration:

1. Ensure you are signed into Google Workspace as a project creator.

2. You have completed the following procedures:
a. Create a subdomain for mail routing to Microsoft 365 or Office 365
b. Create a subdomain for mail routing to your Google Workspace domain
c. Provision users in Microsoft 365 or Office 365

For more information, see Prerequisites.

Start a Google Workspace migration batch with the new Exchange admin center (New EAC)

Important

Microsoft's data migration tool is currently unaware of tools enforcing messaging records management (MRM) or archival policies. Because of this, any messages that are deleted or moved to archive by these policies will result in the migration process flagging these items as "missing". The result is perceived data loss rather than actual data loss, which makes it much harder to identify actual data loss during any content verification checks.

Therefore, Microsoft strongly recommends disabling all MRM and archival policies before attempting any data migration to mailboxes.

1. In the new Exchange Admin center at https://admin.exchange.microsoft.com/#/ , go to Migration and then click Add migration batch.
2. The migration batch wizard opens. On the first page, configure the following
settings:

Give migration batch a unique name: Enter a unique name.
Select the mailbox migration path: Verify that Migration to Exchange Online is selected.

When you're finished, click Next.

3. On the Select the migration type page, select Google Workspace (Gmail)
migration, and then click Next

4. On the Prerequisites for Google Workspace migration page, expand the Manually
configure your Google Workspace for migration. As described in the section,
configure the following steps:
a. Create a Google Service Account
b. Enable API Usage in your project
c. Grant access to the service account for your Google tenant

When you're finished, click Next.

5. On the Set a migration endpoint page of the wizard, select one of the following
options:

Select the migration endpoint: Select the existing migration endpoint from
the drop down list.
Create a new migration endpoint: Select this option if you're a first-time
user.
Note

To migrate Gmail mailboxes successfully, Microsoft 365 or Office 365 needs to connect and communicate with Gmail. To do this, Microsoft 365 or Office 365 uses a migration endpoint. Migration endpoint is a technical term that describes the settings that are used to create the connection so you can migrate the mailboxes.

If you selected Create a new migration endpoint, do the following steps:

a. On the General Information page, configure the following settings:

Migration Endpoint Name: Enter a value.
Maximum concurrent migrations: Leave the default value 20 or change
the value as required.
Maximum concurrent incremental syncs: Leave the default value 10 or
change the value as required.

When you're finished, click Next.

b. On the Gmail migration configuration page, configure the following settings:

Email address: Enter the email address that you use to sign in to the
Google Workspace.
JSON key: Click Import JSON. In the dialog that appears, find and select
the downloaded JSON file, and then click Open.

Once the endpoint is successfully created, it will be listed under the Select
migration endpoint drop-down.

Select the endpoint from the drop-down list, and click Next.

6. On the Add user mailboxes page, click Import CSV file and navigate to the folder
where you have saved the CSV file.

If you haven't already, create a CSV file containing the set of all of the users you
want to migrate. You will need its filename below. The allowed headers are:

EmailAddress (required): Contains the primary email address for an existing
Microsoft 365 or Office 365 mailbox.
Username (optional): Contains the Gmail primary email address, if it differs
from EmailAddress.

CSV
EmailAddress
will@fabrikaminc.net
user123@fabrikaminc.net

When you're finished, click Next.

7. On the Move configuration page, enter the details and then click Next.

8. On the Schedule batch migration page, verify all the details, click Save, and then
click Done.

Once the batch status changes from Syncing to Synced, you need to complete the
batch.

To learn more, see the following topics:

Completion of migration batch: See Completion of migration batch in new EAC.
How the migration happens on the backend: See Overview of the process.

Perform Google Workspace Migration to Microsoft 365 or Office 365 in Classic EAC in Exchange Online
Article • 01/26/2023

The migration process takes several steps and can take from several hours to a couple
of days depending on the amount of data you are migrating.

Prerequisites
Before you begin Google Workspace migration:

1. Ensure you are signed into Google Workspace as a project creator.

2. You have completed the following procedures:
a. Create a subdomain for mail routing to Microsoft 365 or Office 365
b. Create a subdomain for mail routing to your Google Workspace domain
c. Provision users in Microsoft 365 or Office 365

For more information, see Prerequisites.

Manual Google Workspace migration process

The process to manually migrate Google Workspace involves the following steps:

1. Create a Google Service Account
2. Enable API Usage in your project
3. Grant access to the service account for your Google tenant
4. Start a Google Workspace migration batch with the Classic Exchange admin center
(Classic EAC)

Create a Google Service Account

1. Using a Chrome browser, sign into your Google Workspace admin console at
admin.google.com.

2. In a new tab or window, navigate to the Service Accounts page.

3. Select Create project, name the project and choose Create.

4. Select + Create service account, enter a name, choose Create and then Done.

5. Open the Actions menu, select Edit, and take note of the Unique ID. You'll need
this ID later in the process.

6. Open the Show domain-wide delegation section.

7. Select Enable G Suite Domain-wide Delegation, enter a product name for the
consent screen, and choose Save.

Note

The product name is not used by the migration process, but is needed to save
in the dialog.

8. Open the Actions menu again and select Create key.

9. Choose JSON, then Create. The private key is saved to the download folder on
your device.

10. Select Close.

Enable API usage in your project

If your project doesn't already have all of the required APIs enabled, you must enable
them.

1. Go to the Developer page for API Library and sign in as the Google user you
used above in Create a Google Service Account.

2. Select the project that you used above.

3. Search for the following APIs; each one must be enabled. Select Enable to enable
them for your project:

Gmail API
Google Calendar API
Contacts API
People API

Grant access to the service account for your Google tenant

1. Go to the Google Workspace Admin page and sign in as Google Workspace
admin for your tenant.
2. Click Security, then click API Controls, and then click Manage Domain Wide
Delegation.

3. Next to the API Clients list, click Add new.

4. In Client ID, type the ClientId for the service account you created in the Create a
Google Service Account section above.

5. In OAuth Scopes, add the required scopes in comma-separated format, with no
spaces in between. For example:

https://mail.google.com/,https://www.googleapis.com/auth/calendar,https://www.google.com/m8/feeds/,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/contacts

If the OAuth Scopes are entered incorrectly, the resulting list won't match and the
migration process will fail later, after you start the migration batch.

6. Click Authorize. Verify that the resulting list shows the expected four (4) OAuth
scopes.

Important

It may take anywhere from 15 minutes to 24 hours for these settings to
propagate.

Start a Google Workspace migration batch with the Classic Exchange admin center (Classic EAC)

1. In the Exchange Admin center, click recipients, and then click migration.

2. Click "New" to create a new migration batch, and then click Migrate to
Exchange Online.

3. In the New Migration Batch window, select G Suite (Gmail) migration, and then
click Next.

4. Create a CSV file containing the set of all of the users you want to migrate. You will
need its filename below. The allowed headers are:

EmailAddress (required). Contains the primary email address for an existing
Microsoft 365 or Office 365 mailbox.
Username (optional). Contains the Gmail primary email address, if it differs
from EmailAddress.

CSV

EmailAddress
will@fabrikaminc.net
user123@fabrikaminc.net

5. Under Select the users, click Choose File and navigate to the CSV file of all the
users you are migrating in this batch. If your CSV file contains more columns
besides the two mentioned above, click to select Allow unknown columns in the
CSV file.

6. After selecting the CSV file, click Open. Back on the new migration batch page,
click Next.

7. Enter the email address for the super admin within the Google Workspace
environment. This is not the service account you just created, it should be the
email address of the Google Workspace admin. This email address will be used to
test connectivity between Google Workspace and Microsoft 365 or Office 365.

8. Under Specify the service account credentials using the JSON key file, click
Choose File, and then select the JSON file that was downloaded automatically
when you created your service account. This file contains the private key for the
service account. Click Open to select the file, and then, back on the new migration
batch page, click Next.

Note

Click to select Skip verification if you don't want to verify the migration
endpoint.

9. In the fields under Move configuration, name your migration batch, and enter the
target delivery domain, which is the domain you created for routing mail to the
Microsoft 365 or Office 365 target organization from the Google Workspace
source organization. Optionally, you can also specify any folders that should be
excluded from the migration. When done, click Next.

Note

The target delivery domain you will want to use will not automatically show
up in the dropdown - instead you should click within the text box and type it
in. The target delivery domain must be different from the primary domain of
the users in Google Workspace.

10. Decide how you want to begin and complete the migration batch.

To learn more about:

Completion of migration batch, see Completion of migration batch in Classic EAC.
How the migration happens in the backend, see Overview of the process.

Manually configuring G-Suite for migration to Microsoft 365 or Office 365
Article • 01/26/2023

The following procedures are to be performed if you are attempting manual migration of
Google Workspace with either Classic or New EAC:

1. Create a Google Service Account
2. Enable API usage in your project
3. Grant access to the service account for your Google Tenant

Create a Google Service Account

1. Using a Chrome browser, sign into your Google Workspace admin console at
admin.google.com.

2. In a new tab or window, navigate to the Service Accounts page.

3. Select Create project, name the project and choose Create.

4. Select + Create service account, enter a name, choose Create and then Done.

5. Open the Actions menu, select Edit, and take note of the Unique ID. You'll need
this ID later in the process.

6. Open the Show domain-wide delegation section.

7. Select Enable G Suite Domain-wide Delegation, enter a product name for the
consent screen, and choose Save.

Note

The product name is not used by the migration process, but is needed to save
in the dialog.

8. Open the Actions menu again and select Create key.

9. Choose JSON, then Create. The private key is saved to the download folder on
your device.

10. Select Close.

Enable API usage in your project

If your project doesn't already have all of the required APIs enabled, you must enable
them.

1. Go to the Developer page for API Library and sign in as the Google user you
used above in Create a Google Service Account.

2. Select the project that you used above.

3. Search for the following APIs; each one must be enabled. Select Enable to enable
them for your project:

Gmail API
Google Calendar API
Contacts API
People API

Grant access to the service account for your Google tenant

1. Go to the Google Workspace Admin page and sign in as Google Workspace
admin for your tenant.

2. Click Security, then click API Controls, and then click Manage Domain Wide
Delegation.

3. Next to the API Clients list, click Add new.

4. In Client ID, type the ClientId for the service account you created in the Create a
Google Service Account section above.

5. In OAuth Scopes, add the required scopes in comma-separated format, with no
spaces in between. For example:

https://mail.google.com/,https://www.googleapis.com/auth/calendar,https://www.google.com/m8/feeds/,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/contacts

If the OAuth Scopes are entered incorrectly, the resulting list won't match and the
migration process will fail later, after you start the migration batch.

6. Click Authorize. Verify that the resulting list shows the expected four (4) OAuth
scopes.

Important

It may take anywhere from 15 minutes to 24 hours for these settings to
propagate.
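Both copies of the delegation procedure above warn that a mis-entered scope list only fails later, after the batch starts. The check below is an added example, not Microsoft's or Google's code: it takes the scope string that will be pasted into Manage Domain Wide Delegation, compares it against the scopes in the page's example string, and reports whitespace, entries that differ by as little as a trailing slash, and scopes beyond what the migration needs (the Admin SDK directory scope is used here only as a constructed example of an unexpected entry; every scope in the list is granted to whoever holds the service account's JSON key, so extra scopes widen that credential). EXPECTED_SCOPES is taken from the page's example; nothing else is assumed.

```python
"""Check a Google Workspace domain-wide delegation scope string before it is
pasted into the admin console. Added example; not Microsoft's or Google's code."""

# The scope string exactly as it appears in the page's example, and the set of
# individual scopes it contains.
PAGE_SCOPES = (
    "https://mail.google.com/,"
    "https://www.googleapis.com/auth/calendar,"
    "https://www.google.com/m8/feeds/,"
    "https://www.googleapis.com/auth/gmail.settings.sharing,"
    "https://www.googleapis.com/auth/contacts"
)
EXPECTED_SCOPES = set(PAGE_SCOPES.split(","))


def check_scopes(scope_string):
    """Return (ok, problems) for a comma-separated scope string.

    The console compares scopes literally, so whitespace, a missing trailing
    slash or a typo produces a list that won't match and the migration batch
    fails later. Extra scopes are flagged too: the service account key grants
    every scope listed here to whoever holds it.
    """
    problems = []
    if any(ch.isspace() for ch in scope_string):
        problems.append("scope string contains whitespace")
    # Strip only for diagnosis; the real string must contain no whitespace.
    entries = [e.strip() for e in scope_string.split(",") if e.strip()]
    given = set(entries)
    if len(entries) != len(given):
        problems.append("duplicate scope entries")
    for missing in sorted(EXPECTED_SCOPES - given):
        problems.append(f"missing scope: {missing}")
    for extra in sorted(given - EXPECTED_SCOPES):
        problems.append(f"unexpected scope: {extra}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed variants of the page's string, each showing one mistake.
    samples = [
        ("page example", PAGE_SCOPES),
        ("with spaces", PAGE_SCOPES.replace(",", ", ")),
        ("missing slash", PAGE_SCOPES.replace("https://mail.google.com/",
                                              "https://mail.google.com")),
        ("extra scope", PAGE_SCOPES + ",https://www.googleapis.com/auth/admin.directory.user"),
    ]
    for label, s in samples:
        ok, problems = check_scopes(s)
        print(f"{label}: {'OK' if ok else problems}")
```

Run it on the string you intend to paste; anything other than an empty problem list means the list in the console will not match and the batch will fail at start time.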
Perform Google Workspace migration to Microsoft 365 or Office 365 using Exchange Online PowerShell
Article • 01/27/2023

Create a migration endpoint in Microsoft 365 or Office 365

1. Connect to Exchange Online PowerShell.

2. Find the email address for the super admin within the Google Workspace
environment. This email address will be used to test connectivity between Google
Workspace and Microsoft 365 or Office 365. The following steps use 'admin123' as
an example.

3. Run the following command:

PowerShell

Test-MigrationServerAvailability -Gmail -ServiceAccountKeyFileData $([System.IO.File]::ReadAllBytes("C:\\somepath\\yourkeyfile.json")) -EmailAddress admin123@fabrikaminc.net

4. Verify the test is successful.

5. If successful, run the following command:

PowerShell

New-MigrationEndpoint -Gmail -ServiceAccountKeyFileData $([System.IO.File]::ReadAllBytes("C:\\somepath\\yourkeyfile.json")) -EmailAddress admin123@fabrikaminc.net -Name gmailEndpoint

Create a migration batch in Microsoft 365 or Office 365

1. Connect to Exchange Online PowerShell.

2. Create a CSV file containing the set of all of the users you want to migrate. You will
need its filename below. The allowed headers are:

EmailAddress (required). Contains the primary email address for an existing
Microsoft 365 or Office 365 mailbox.
Username (optional). Contains the Gmail primary email address, if it differs
from EmailAddress.

CSV

EmailAddress
will@fabrikaminc.net
user123@fabrikaminc.net

3. Run the following command:

PowerShell

New-MigrationBatch -SourceEndpoint gmailEndpoint -Name gmailBatch -CSVData $([System.IO.File]::ReadAllBytes("C:\\somepath\\gmail.csv")) -TargetDeliveryDomain "o365.fabrikaminc.net"

Tip

See New-MigrationBatch for an explanation of all of the individual
parameters you can use with this cmdlet.

4. Run the following command to start the migration batch:

PowerShell

Start-MigrationBatch -Identity gmailBatch

Note

When the batch starts, all the users to be migrated will be converted from
MailUsers to Mailboxes. The Microsoft 365 or Office 365 Exchange license
must be assigned only after this moment. You have 30 days to assign the
license.
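The same two-column CSV is described for the new EAC, the Classic EAC and the PowerShell procedure above, and the Classic EAC wizard additionally asks whether unknown columns should be allowed. The following is an added example, not Microsoft's code, that checks such a file before it is handed to the wizard or to New-MigrationBatch: it confirms the EmailAddress header is present, lists any column other than EmailAddress and Username (so you know in advance whether "Allow unknown columns in the CSV file" will be needed), and rejects malformed or duplicate addresses, which would otherwise surface only as failed users in the batch. The sample CSV contents and the address pattern are constructed for the example.

```python
"""Validate a Google Workspace migration batch CSV before it is given to the
EAC wizard or New-MigrationBatch. Added example, not Microsoft's code."""
import csv
import io
import re

# Constructed sample files. EmailAddress is required; Username is optional and
# may be left empty when the Gmail address equals the Microsoft 365 address.
SAMPLE_OK = (
    "EmailAddress,Username\n"
    "will@fabrikaminc.net,\n"
    "user123@fabrikaminc.net,user123@gsuite.fabrikaminc.net\n"
)
SAMPLE_BAD = (
    "EmailAddress,Department\n"
    "will@fabrikaminc.net,Sales\n"
    "not-an-email,Sales\n"
    "will@fabrikaminc.net,Sales\n"
)

REQUIRED = {"EmailAddress"}
OPTIONAL = {"Username"}
# Deliberately simple shape check (local@domain.tld); not a full RFC parser.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_batch_csv(text):
    """Return {'rows': [...], 'unknown_columns': [...], 'errors': [...]}.

    Unknown columns are reported separately from errors because the Classic
    EAC wizard accepts them only when the operator opts in.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    errors = []
    missing = REQUIRED - set(headers)
    if missing:
        errors.append("missing required column(s): " + ", ".join(sorted(missing)))
    unknown = [h for h in headers if h not in REQUIRED | OPTIONAL]

    rows, seen = [], set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        addr = (row.get("EmailAddress") or "").strip()
        if not ADDRESS_RE.match(addr):
            errors.append(f"line {lineno}: invalid EmailAddress {addr!r}")
            continue
        if addr.lower() in seen:  # the same mailbox cannot be in a batch twice
            errors.append(f"line {lineno}: duplicate EmailAddress {addr!r}")
            continue
        seen.add(addr.lower())
        username = (row.get("Username") or "").strip() or None
        if username and not ADDRESS_RE.match(username):
            errors.append(f"line {lineno}: invalid Username {username!r}")
            continue
        rows.append({"EmailAddress": addr, "Username": username})
    return {"rows": rows, "unknown_columns": unknown, "errors": errors}


if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        result = validate_batch_csv(text)
        print(name, "->", len(result["rows"]), "users,",
              "unknown columns:", result["unknown_columns"],
              "errors:", result["errors"])
```

Point it at the real file (`validate_batch_csv(open(path, encoding="utf-8").read())`) and fix every reported error before creating the batch; an empty `unknown_columns` list means the Classic EAC checkbox can stay cleared.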

To learn more about:

Completion of migration batch, see Completion of migration batch in PowerShell.
How the migration happens in the backend, see Overview of the process.

Completion of migration batch in Exchange Online
Article • 01/26/2023

Based on whether you are using New EAC, Classic EAC, or PowerShell cmdlets to
perform the migration, the completion process differs.

Finalizing your migration

After you have successfully migrated all of your Google Workspace users to Microsoft
365 or Office 365, you can switch your primary MX record to point to Microsoft 365 or
Office 365. The update to the MX record will propagate slowly, taking up to the length
of time in the record's previous TTL (time to live). At this point, you are free to
decommission your source Google Workspace tenant.

Completion of migration batch in new EAC in Exchange Online
Article • 01/26/2023

In new EAC, when the migration batch has reached the state of Synced, it needs to be
completed.

Note

When the batch starts, all the users to be migrated will be converted from
MailUsers to Mailboxes. The Microsoft 365 or Office 365 Exchange license must be
assigned only after this moment. You have 30 days to assign the license.

1. To complete the batch, select the migration group.

2. In the Details pane, select the preferred option to complete the batch, and click Save.

The batch status will then be Completed.

During completion, another incremental sync is run to copy any changes that have been
made to the Google Workspace mailbox. Additionally, during completion, the
forwarding address that routes mail from Microsoft 365 or Office 365 to Google
Workspace is removed, and a forwarding address that routes mail from Google
Workspace to Microsoft 365 or Office 365 is added. This ensures that any messages
received by migrated users at their Google Workspace mailboxes will be sent to their
new Microsoft 365 or Office 365 address. Similarly, if any user who has not yet been
migrated receives a message at their Microsoft 365 or Office 365 address, the message
will get routed to their Google Workspace mailbox.

Completion of migration batch in Classic EAC in Exchange Online
Article • 01/26/2023

In Classic EAC, when the migration batch has reached the state of Synced, it needs to be
completed.

Note

When the batch starts, all the users to be migrated will be converted from
MailUsers to Mailboxes. The Microsoft 365 or Office 365 Exchange license must be
assigned only after this moment. You have 30 days to assign the license.

To complete the migration:

1. Under Start the batch, fill in the names or aliases of anyone who should be
notified about the batch progress. Then select how you want to begin and
complete the batch. When done, click new.

2. After the batch status changes from Syncing to Synced, you need to complete the
batch.

The batch status will then be Completed.

During completion, another incremental sync is run to copy any changes that have been
made to the Google Workspace mailbox. Additionally, during completion, the
forwarding address that routes mail from Microsoft 365 or Office 365 to Google
Workspace is removed, and a forwarding address that routes mail from Google
Workspace to Microsoft 365 or Office 365 is added. This ensures that any messages
received by migrated users at their Google Workspace mailboxes will be sent to their
new Microsoft 365 or Office 365 address. Similarly, if any user who has not yet been
migrated receives a message at their Microsoft 365 or Office 365 address, the message
will get routed to their Google Workspace mailbox.

Completion of migration batch in Exchange Online PowerShell
Article • 01/26/2023

In PowerShell, when the migration batch has reached the state of Synced, it needs to be
completed by running the Complete-MigrationBatch cmdlet.

Note

When the batch starts, all the users to be migrated will be converted from
MailUsers to Mailboxes. The Microsoft 365 or Office 365 Exchange license must be
assigned only after this moment. You have 30 days to assign the license.

During completion, another incremental sync is run to copy any changes that have been
made to the Google Workspace mailbox. Additionally, the forwarding address that
routes mail from Office 365 to Google Workspace is removed, and a forwarding address
that routes mail from Google Workspace to Office 365 is added.

Note

Forwarding addresses are not needed when doing a cutover migration from
Google Workspace to Exchange Online.

Overview of the G Suite migration process in Exchange Online
Article • 01/26/2023

Before beginning your migration, review the following diagrams to understand how a
Google Workspace staged migration works. The diagrams show how a fictitious
company named Fabrikam, Inc., with the domain name fabrikaminc.net performed their
migration.

Prior to their migration, the MX record for the base "fabrikaminc.net" domain points to
the Google Workspace tenant or mail server where all or most of Fabrikam, Inc.'s users
are. Note that users have their primary email addresses at that domain.

The MX record for the primary domain "fabrikaminc.net" still points to Google
Workspace, where all the primary mailboxes reside. To prepare for the migration, new
routing domains have been created: the gsuite.fabrikaminc.net domain points to Google
Workspace and the o365.fabrikaminc.net domain points to Microsoft 365 or Office 365.

On the Google Workspace side, aliases have been added for all of the users in the
Google Workspace routing domain. On the Microsoft 365 or Office 365 side, MailUsers
have been provisioned for all of the users from the Google Workspace tenant. The
ExternalEmailAddress field for MailUsers on the Microsoft 365 or Office 365 side were
configured to point back to the primary mailbox using the address at the routing
domain for the Google Workspace side. Additionally, there should be aliases for the user
in the Microsoft 365 or Office 365 routing domain.

The green arrow indicates how, at this point in the migration, User 2 still contacts User 1
through their Google Workspace email addresses.

User 1 and User 2 are part of the first migration batch to Microsoft 365 or Office 365,
while User 3 and User 4 will be part of a later batch. The MX record for the primary
domain "fabrikaminc.net" still points to Google Workspace, where all the primary
mailboxes still reside. Because User 1 and User 2 have had their migrations started,
they've been converted from MailUsers to Mailboxes on the Microsoft 365 or Office 365
side.

The ExternalEmailAddress for each user has been moved to a ForwardingSmtpAddress,
so that messages sent to User 1 and User 2 will be delivered back to their source
mailboxes on the Google Workspace side by rerouting the message back to the Google
Workspace routing domain. This is indicated by the red arrows in the above diagram.
Mail is still being synced from the source Google Workspace side to the Microsoft 365
or Office 365 side.

The MX record for the primary domain "fabrikaminc.net" still points to Google
Workspace. Now that User 1 and User 2 have been fully migrated to Microsoft 365 or
Office 365, they should start working out of Microsoft 365 or Office 365. On the Google
Workspace side, automatic mail forwarding has been set up for migrated users, so that
new emails sent to their Google Workspace address will be delivered instead to the
Microsoft 365 or Office 365 address via the routing domain. This is shown by the green
arrows in the above diagram.

Important

If your organization has disabled a user's ability to set a forwarding address, the
Google Workspace migration tool will also be unable to set the forwarding address.
You must enable permissions to set SMTP forwarding in order for forwarding to be
set successfully during your migration.

Meanwhile, the forwarding address has been removed from the Microsoft 365 or Office
365 user object, so emails will be delivered to that user in the Microsoft 365 or Office
365 routing domain (as shown by the red arrows above).

After all migration batches have been completed, all users can use their migrated
mailboxes on Microsoft 365 or Office 365 as their primary mailbox. A manual MX record
update for the primary domain "fabrikaminc.net" then points to the Microsoft 365 or
Office 365 organization instead of the Google Workspace tenant. The routing domains
and extra aliases can now be removed, as can the Google Workspace tenant. The
migration of mail, calendar, and contacts from Google Workspace to Microsoft 365 or
Office 365 is now complete.
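The walkthrough above moves each user through three states (MailUser with an ExternalEmailAddress, Mailbox with a ForwardingSmtpAddress, completed user with Google-side forwarding) and ends with one MX cutover. The simulation below is an added example, not Microsoft's code. It models only MX resolution and forwarding (no DeliverToMailboxAndForward, no aliases) with the page's fictitious fabrikaminc.net domains, and confirms that at every phase mail for a user lands in exactly one mailbox. It also illustrates a hazard that follows from the ordering the page describes but that the page does not spell out: if Google-side forwarding is in place while the Microsoft 365 forwarding address has not yet been removed, the message loops between the two routing domains. The hop limit and loop detection are this example's own checks, not a description of Exchange's behaviour.

```python
"""Simulate mail routing through the Fabrikam walkthrough's phases.
Added example, not Microsoft's code; models MX resolution and forwarding only."""

PRIMARY = "fabrikaminc.net"                 # MX points to Google until cutover
GOOGLE_ROUTING = "gsuite.fabrikaminc.net"   # routing domain for the Google side
M365_ROUTING = "o365.fabrikaminc.net"       # routing domain for the Microsoft 365 side


class RoutingState:
    """Where each domain resolves, and which side forwards which user."""

    def __init__(self):
        self.mx_target = "google"   # system the primary domain's MX record points at
        self.google_forward = {}    # user -> Google-side forwarding address
        self.m365_forward = {}      # user -> ExternalEmailAddress / ForwardingSmtpAddress
        self.m365_mailbox = set()   # users already converted from MailUser to Mailbox

    def system_for(self, domain):
        if domain == PRIMARY:
            return self.mx_target
        if domain == GOOGLE_ROUTING:
            return "google"
        if domain == M365_ROUTING:
            return "m365"
        raise ValueError(f"unknown domain {domain}")

    def deliver(self, address, max_hops=5):
        """Follow MX and forwarding until a mailbox accepts the message."""
        hops = [address]
        for _ in range(max_hops):
            user, domain = address.split("@")
            system = self.system_for(domain)
            if system == "google":
                fwd = self.google_forward.get(user)
                if fwd is None:
                    return ("google", user)    # Google mailbox keeps the message
            else:
                fwd = self.m365_forward.get(user)
                if fwd is None:
                    if user not in self.m365_mailbox:
                        raise RuntimeError(f"{user}: MailUser with no external address")
                    return ("m365", user)      # Microsoft 365 mailbox keeps the message
            address = fwd
            hops.append(address)
        raise RuntimeError("forwarding loop: " + " -> ".join(hops))


# Phase transitions, in the order the walkthrough describes them.
def provision_mailuser(state, user):
    state.m365_forward[user] = f"{user}@{GOOGLE_ROUTING}"   # ExternalEmailAddress


def start_batch(state, user):
    state.m365_mailbox.add(user)   # MailUser -> Mailbox; address now a ForwardingSmtpAddress


def complete_batch(state, user):
    state.m365_forward.pop(user, None)                        # Microsoft 365 forward removed
    state.google_forward[user] = f"{user}@{M365_ROUTING}"    # Google now forwards


def cut_over_mx(state):
    state.mx_target = "m365"


def walk_through():
    """Return where user mail lands at each phase of the page's scenario."""
    s = RoutingState()
    for u in ("user1", "user2", "user3", "user4"):
        provision_mailuser(s, u)
    out = {"before": s.deliver(f"user1@{PRIMARY}")}
    for u in ("user1", "user2"):
        start_batch(s, u)
    out["started"] = (s.deliver(f"user1@{PRIMARY}"), s.deliver(f"user1@{M365_ROUTING}"))
    for u in ("user1", "user2"):
        complete_batch(s, u)
    out["completed"] = (s.deliver(f"user1@{PRIMARY}"), s.deliver(f"user3@{M365_ROUTING}"))
    for u in ("user3", "user4"):
        start_batch(s, u)
        complete_batch(s, u)
    cut_over_mx(s)
    out["cutover"] = s.deliver(f"user4@{PRIMARY}")
    return out


def loop_check():
    """Google forwarding set while the Microsoft 365 forward is still present."""
    s = RoutingState()
    provision_mailuser(s, "user1")
    start_batch(s, "user1")
    s.google_forward["user1"] = f"user1@{M365_ROUTING}"   # completion only half applied
    try:
        s.deliver(f"user1@{PRIMARY}")
    except RuntimeError as err:
        return str(err).startswith("forwarding loop")
    return False


if __name__ == "__main__":
    for phase, where in walk_through().items():
        print(f"{phase}: {where}")
    print("half-applied completion loops:", loop_check())
```

Before the MX cutover every address for a migrated user resolves to the Microsoft 365 mailbox and every address for an unmigrated user to the Google mailbox; the half-applied completion case is the one to watch for when verifying forwarding after each batch.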

Track and prevent migration data loss in Exchange Online
Article • 02/22/2023

When migrating to Exchange Online, the migration process might reveal inconsistencies
that pose a risk of data loss. Such inconsistencies can occur during almost any
migration, whether from on-premises Exchange Server, Public Folders, PST file imports,
Google Workspace (formerly G Suite), or third-party IMAP servers. The migration
process tracks and reports on any possible instances of data loss by generating a
DataConsistencyScore.

Migration and DataConsistencyScore

When you attempt a migration, any inconsistencies between the source and target data
stores will count towards the DataConsistencyScore. This score is then used to
determine whether an Exchange Online migration will complete successfully or if
intervention is needed.

There are 4 possible grades that are derived from the DataConsistencyScore.

Grade: Perfect
Description: No inconsistencies noted during migration.
Approval required? No approval is required.

Grade: Good
Description: At least 1 inconsistency noted, but the data loss wasn't impactful. For
example, if only metadata or folder permissions were lost during migration.
Approval required? No approval is required.

Grade: Investigate
Description: A small amount of noticeable data loss was detected, caused by some
common inconsistency types.
Approval required? Approval of skipped items is required for migration types that
have a built-in finalization phase, such as Hybrid migrations or Google Workspace
onboarding.

Grade: Poor
Description: Major data loss was detected.
Approval required? Contact Microsoft Support for assistance. Approval of skipped
items is required for migration types that have a built-in finalization phase.

You can view the DataConsistencyScore for your migration in the classic Exchange
admin center at a per-user and per-batch level. You can also find it using PowerShell
cmdlets; the DataConsistencyScore property exists on MigrationBatch, MigrationUser,
and RequestStatistics objects.

How the DataConsistencyScore is calculated

There are various thresholds used to determine the DataConsistencyScore. Microsoft is
constantly tuning these thresholds to ensure that problematic data loss doesn't occur
during migrations. The details of these thresholds aren't presented to Exchange Online
administrators.

For batches, the DataConsistencyScore is equal to the worst DataConsistencyScore of
any user within that batch. This behavior helps administrators know immediately
whether there's any data loss that should be investigated.

Guidance for grades of Investigate or Poor

For migrations from third-party IMAP servers, PST file imports, or on-premises Exchange
Server using Cutover or Staged Exchange Migration, there's no need to approve the set
of skipped items. Approval of migrations with a score of Investigate or worse is required
for the completion of Remote Move, Public Folder, and Google Workspace migrations.

If the migration receives a grade of Investigate, then you can approve skipped items
manually to allow the migration to succeed.

If you're using batches, then run:

PowerShell

Set-MigrationBatch -ApproveSkippedItems or Set-MigrationUser -ApproveSkippedItems

If you're using MoveRequests directly, then run:

PowerShell

Set-MoveRequest -SkippedItemApprovalTime $([DateTime]::UtcNow)

For a batch scored as Investigate, approving the migration allows you to complete all
migrations in the batch with a score of Perfect, Good, or Investigate.

For a batch scored as Poor, approving the migration allows you to complete all
migrations in the batch with a score of Perfect, Good, or Investigate, but won't approve
any migration in the batch with a score of Poor.

If the migration fails with a grade of Poor, you can't force the migration to succeed.
Please contact Microsoft Support for assistance.
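An added example, not Microsoft's code, of the batch rule and the approval rules just described: the batch grade is the worst user grade, an Investigate user completes only once skipped items have been approved (for migration types with a finalization phase), and a Poor user is never completed by approval. The grade thresholds are not published, so the functions take per-user grades as input rather than computing them; the identities are constructed.

```python
"""Model the batch-level DataConsistencyScore and the skipped-item approval
rules. Added example, not Microsoft's code; grades are taken as input because
the thresholds that derive them are not published."""

# Grades from best to worst, as listed in the table above.
GRADES = ["Perfect", "Good", "Investigate", "Poor"]
RANK = {grade: i for i, grade in enumerate(GRADES)}


def batch_grade(user_grades):
    """A batch takes the worst grade of any user in it."""
    user_grades = list(user_grades)
    if not user_grades:
        raise ValueError("batch has no users")
    return max(user_grades, key=lambda g: RANK[g])


def completion_plan(users, finalization_phase=True, approved=False):
    """Return {identity: 'complete' | 'needs approval' | 'contact support'}.

    finalization_phase: True for Remote Move, Public Folder and Google Workspace
        migrations; False for IMAP, PST import and cutover/staged Exchange
        migrations, which never need skipped-item approval.
    approved: whether Set-MigrationBatch -ApproveSkippedItems (or the
        per-user Set-MigrationUser equivalent) has already been run.
    """
    plan = {}
    for identity, grade in users.items():
        if grade == "Poor":
            plan[identity] = "contact support"      # approval never clears Poor
        elif grade == "Investigate" and finalization_phase and not approved:
            plan[identity] = "needs approval"
        else:
            plan[identity] = "complete"
    return plan


if __name__ == "__main__":
    # Constructed batch: three users with different per-user grades.
    batch = {
        "will@fabrikaminc.net": "Perfect",
        "user123@fabrikaminc.net": "Investigate",
        "user456@fabrikaminc.net": "Poor",
    }
    print("batch grade:", batch_grade(batch.values()))
    print("before approval:", completion_plan(batch))
    print("after approval:", completion_plan(batch, approved=True))
```

Running it on the constructed batch shows the batch graded Poor because of one user, and that approving the batch lets the Investigate user complete while the Poor user still needs Microsoft Support.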

How to see which items weren't migrated

In the Classic Exchange admin center (Classic EAC)

1. In the Exchange Admin center, select recipients, and then select migration.

2. Select the batch you would like to inspect. Select View details in the information
pane on the right.

3. Select the user you would like to inspect. Select Skipped item details in the
information pane on the right.

Using Exchange Online PowerShell

1. Connect to Exchange Online PowerShell.

2. Determine the identity of the user you wish to investigate.

3. Run the following commands:

PowerShell

$userStats = Get-MigrationUserStatistics -Identity user@fabrikaminc.net -IncludeSkippedItems
$userStats.SkippedItems | ft -a Subject, Sender, DateSent, ScoringClassifications

4. Inspect the information about skipped items provided in the SkippedItems
property on the userStats object.

How to opt in or opt out of using DataConsistencyScore

The BadItemLimit and LargeItemLimit parameters are still currently available as options.
You can specify a value for the BadItemLimit and LargeItemLimit parameters when using
cmdlets or you can fill in the BadItemLimit or LargeItemLimit box in the EAC. When you
specify a BadItemLimit or LargeItemLimit, the old migration method is used and the
DataConsistencyScore isn't calculated.

If neither the BadItemLimit parameter nor the LargeItemLimit parameter is specified, or if
the boxes in the classic EAC wizard are left blank, then the new migration method and
DataConsistencyScore are used.

How to migrate mailboxes from one Microsoft 365 or Office 365 organization to another
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center , if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Note

At this time, we have a Public Preview of the native Cross-tenant mailbox migration
located at https://aka.ms/CrossTenantMailboxMigration

This article explains how to migrate mailboxes and service settings from one Microsoft
365 or Office 365 organization to another Microsoft 365 or Office 365 organization in a
business-merger scenario. If you have more than 500 users to migrate or a large amount
of SharePoint data to migrate, it's a good idea to work with a Microsoft solution
provider.

The scenario in this article is based on two fictional companies - Contoso.com and
Fabrikam.com - using two separate Office 365 organizations. Contoso has purchased
Fabrikam and is moving the Fabrikam users and data to the contoso.com Office 365
organization.

                           Tenant 1 (Target)          Tenant 2 (Source)
Custom email domain:       contoso.com                fabrikam.com
Office 365 initial domain: contoso.onmicrosoft.com    fabrikam.onmicrosoft.com

Scenario: Migrate using a third-party migration tool

This scenario assumes that user, group and other objects from the Fabrikam Company
will be manually created in Office 365, imported into the portal via script, or merged into
the Contoso Active Directory through Active Directory Domain Services (AD DS)
consolidation.

When complete, all Fabrikam accounts will exist in the Contoso.com Office 365
organization, and will all use @fabrikam.com for the UPN. The final addressing scheme
was chosen for simplicity and brevity but can of course be modified to meet your
requirements.

Planning: Two weeks before you migrate

If using a third-party migration tool to migrate your users, purchase the needed licenses
for your migration.

Client considerations

For Outlook 2010 or above, you only need to remove the Outlook user profile and
create it again.

For Outlook 2007 and Outlook 2010, when you are restarting the client, auto-discover
will configure the client and rebuild the .OST file.

For the Skype for Business client, once migration is complete, since the process creates a
new profile, you will need to add contacts.

Tenant preparation and licensing
The source tenant is the Fabrikam Office 365 organization from which you are migrating
users and data. The target tenant is the Contoso Office 365 organization to which you
are migrating.

1. Increase licenses in Target Office 365 organization to accommodate all mailboxes
that will be migrated from the source tenant.

2. Create Administrator accounts in source and target tenants for use in migrating
from Office 365 to another Office 365. Some migration tools may require more
than one admin account in the source tenant to optimize the data throughput.

Room, resource, distribution group, and user object creation in the target tenant

To create the resources in the target (Contoso) tenant:

1. If the Azure AD Connect tool will be used to sync all objects from the Contoso
Active Directory Domain Services (AD DS), the objects from the source (Fabrikam)
tenant AD DS must be created in the target tenant (Contoso) AD DS through
consolidation.

a. AD DS consolidation can be done using various AD DS tools. Consolidation can
take extra time and planning depending on how many objects are being moved,
so it can be completed ahead of the migration project.

b. Verify that all new users and groups are synced to the Contoso.com target
tenant via directory synchronization. The objects should appear as
user@contoso.onmicrosoft.com in the new tenant since the Fabrikam domain
has not been moved over at this time. The primary email address for the users
and groups can be updated to @fabrikam.com after the domain move is
complete.

2. If directory synchronization will not be used, or if any Rooms, Resources, Groups or
Users are managed in the Microsoft 365 admin center of the source tenant, these
objects must be created in the target tenant. Objects can be created manually in
the Microsoft 365 admin center or, for larger numbers, by importing a CSV file with
the bulk add feature in the Microsoft 365 admin center, or by using Windows
PowerShell.

End-user communications
To communicate the migration to the end users in your organization:

1. Create a communication plan and begin to notify users of the upcoming migration
and service changes.

2. After migration, the Auto-Complete List (also known as the nickname cache) will
have to be cleared on all Outlook clients. To remove all recipients from your Auto-
Complete list in Outlook 2010 or later, see Manage suggested recipients in the To, Cc,
and Bcc boxes with Auto-Complete.

3. Make users aware of how to connect to Outlook on the web (formerly known as
Outlook Web App) with their new sign on information in case they have a problem
after migration.

Preparation and pre-migration activities: Three days before you migrate

Domain preparation
To prepare the domain for migration, complete the following steps.

1. Begin domain verification process on target (Contoso) tenant for the Fabrikam.com
email domain.

2. In the contoso.com Microsoft 365 admin center, add the Fabrikam.com domain
and create TXT records in Domain Name Systems (DNS) for verification.

Note

The verification will fail because the domain is still in use in the other tenant.

Performing this step now will allow the DNS record time to propagate as it can
take up to 72 hours. Final validation will occur later in the process.

Migration scheduling

To schedule the migration:

1. Create a master list of the user mailboxes you want to migrate.

2. Create a mailbox mapping .CSV file for the third-party migration tool you are using.
This mapping file will be used by the migration tool to match the source mailbox
with the target tenant mailbox when migration occurs. We recommend that you use
the *.onmicrosoft.com 'initial' domain for mapping the source accounts, since the
custom email domain will be changing throughout the migration.

Mail exchanger record (MX record) time to live (TTL) test

Next, you'll schedule the TTL test.

1. In DNS, change the TTL value on the MX record for the primary email domain you
wish to transfer to a small number (for example, 5 minutes). If the TTL cannot be lowered to
5 minutes, make note of the lowest value. For example, if the lowest value is 4 hours,
the MX record will have to be changed 4 hours before your migration begins.

2. MX Lookup can be used to verify MX and DNS changes.

Disable directory sync in source tenant

In the source tenant Microsoft 365 admin center, disable directory sync. This process can
take 24 hours or more so it must be done ahead of the migration. Once disabled in the
portal, any changes to the source tenant AD DS will no longer sync to the Office 365
organization. Adjust your existing user and group provisioning process accordingly.

Migration: The day you migrate

These are the steps you'll need the day you perform the migration.

MX record change - Stop inbound mail flow

Change your primary MX record from Office 365 to a domain that is not reachable, for
example, "unreachable.example.com". Internet mail servers attempting to deliver new mail will
queue the mail and attempt redelivery for 24 hours. Using this method, some email may
return a non-delivery report (NDR) depending on the server attempting to deliver the
email. If this is a problem, use an MX record backup service. There are many third-party
services that will queue your email for days or weeks. Once your migration is complete,
these services will deliver the queued mail to your new Office 365 organization.

Tip

If your TTL is short, for example, five minutes, this step can be done at the end of
the work day to cause less disruption. If you have a larger TTL, you must change the
MX record ahead of time to allow the TTL to expire. For example, a four-hour TTL must
be changed before 2 PM if you plan to begin migrations at 6 PM.

Verify your MX and DNS changes if necessary. Nslookup or a service like MxToolbox
can be used to verify MX and DNS changes.
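The TTL test in Migration scheduling, the TXT record in Domain preparation, and the MX verification here all come down to a DNS lookup. The script below is an added example, not part of the article: it uses Resolve-DnsName from the Windows DnsClient module to report the MX record's target and remaining TTL for the domain being moved, flags whether the TTL is at or below the 5-minute value the plan calls for and whether the target is the Exchange Online MX endpoint (which lives under mail.protection.outlook.com), and checks whether the domain-verification TXT record issued by the target tenant is visible yet. The domain name and the TXT value are placeholders to replace with your own.

```powershell
# Added example, not from the article. Reports the DNS facts the migration
# timeline depends on: the MX target and its remaining TTL, and whether the
# target tenant's domain-verification TXT record has propagated.
# Requires the DnsClient module (Windows); run from any machine with DNS access.
param(
    [string]$Domain          = 'fabrikam.com',     # article placeholder
    [string]$VerificationTxt = 'MS=msXXXXXXXX',    # placeholder for the value the admin center shows
    [int]$TargetTtlSeconds   = 300                 # the 5-minute TTL the plan asks for
)

function Get-MxStatus {
    param([string]$Name, [int]$MaxTtl)
    # -DnsOnly bypasses the local cache so the TTL reported is what the resolver sees
    $mx = @(Resolve-DnsName -Name $Name -Type MX -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'MX' })
    foreach ($rec in $mx) {
        [PSCustomObject]@{
            Domain       = $Name
            Target       = $rec.NameExchange
            Preference   = $rec.Preference
            TtlSeconds   = $rec.TTL
            TtlLowEnough = ($rec.TTL -le $MaxTtl)
            # Exchange Online MX targets are always under mail.protection.outlook.com
            PointsAtEXO  = ($rec.NameExchange -like '*.mail.protection.outlook.com')
        }
    }
}

function Test-VerificationTxt {
    param([string]$Name, [string]$Expected)
    $txt = @(Resolve-DnsName -Name $Name -Type TXT -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' })
    # A TXT answer may be split into several strings; join them before comparing
    $found = @($txt | Where-Object { ($_.Strings -join '') -eq $Expected })
    return ($found.Count -gt 0)
}

Get-MxStatus -Name $Domain -MaxTtl $TargetTtlSeconds | Format-Table -AutoSize

if (Test-VerificationTxt -Name $Domain -Expected $VerificationTxt) {
    "Verification TXT record for $Domain is visible; the domain check in the target tenant can be completed."
} else {
    "Verification TXT record for $Domain is not visible yet; allow for propagation (up to 72 hours) and re-check."
}
```

Run it once before lowering the TTL to record the starting value, again after the change to confirm the lower TTL is being served, and on migration day to confirm the MX target has moved. Because TTL values are what the queried resolver reports, check from outside your own network as well; a resolver that cached the old record will keep serving it until its TTL runs out.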

Source tenant preparation

The primary email domain, fabrikam.com, must be removed from all objects in the
source tenant before the domain can be moved to the target tenant.

1. If you had also set up your domain with a SharePoint Online public website, then
before you can remove the domain, you first have to set the website's URL back to
the initial domain.

2. Remove all Lync licenses from the users in the source tenant using the Lync admin
portal. This will remove the Lync SIP address connected to Fabrikam.com.

3. Reset default email addresses on Office 365 source mailboxes to the initial domain
(fabrikam.onmicrosoft.com).

4. Reset default email addresses on all Distribution Lists, Rooms and Resources to the
initial domain (fabrikam.onmicrosoft.com) in source tenant.

5. Remove all secondary email (proxy addresses) from user objects that are still using
@fabrikam.com.

6. Set the default domain in the source tenant to the fabrikam.onmicrosoft.com routing domain
(in the admin portal, click your company name in the upper right corner).

7. Use the Windows PowerShell command Get-MsolUser -DomainName Fabrikam.com to
retrieve a list of all objects that are still using the domain and blocking removal.

8. For common domain removal issues, see You get an error message when you try
to remove a domain from Office 365.
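Steps 3 through 7 above amount to one job: find every recipient that still carries an @fabrikam.com address and rewrite its address list so that the initial-domain address is primary and the old-domain proxies are gone. The script below is an added example, not from the article, that does this for mailboxes (user, room, resource, shared) and distribution groups in one pass. It reports first and changes nothing unless -Apply is given, so the report doubles as the list of objects that would otherwise block domain removal. It assumes an active Connect-ExchangeOnline session; the domain names are the article's placeholders and the report file name is this example's own.

```powershell
# Added example (not from the article). Finds every mailbox and distribution
# group in the source tenant that still carries an address on the domain being
# moved and, with -Apply, rewrites its address list so the initial-domain
# address is primary and all old-domain proxies are removed.
# Assumes Connect-ExchangeOnline has already been run in this session.
param(
    [string]$OldDomain     = 'fabrikam.com',                 # article placeholder
    [string]$InitialDomain = 'fabrikam.onmicrosoft.com',     # article placeholder
    [string]$Report        = '.\old-domain-addresses.csv',   # this example's own file
    [switch]$Apply                                           # without it: report only
)

$oldSuffix = "@$([regex]::Escape($OldDomain))$"

function Get-CleanAddressList {
    # Returns the removed addresses and the rewritten proxy list for one recipient,
    # or $null when the recipient does not reference the old domain at all.
    param($Recipient)
    $current = @($Recipient.EmailAddresses | ForEach-Object { $_.ToString() })
    $onOld   = @($current | Where-Object { $_ -imatch "^smtp:.*$oldSuffix" })
    if ($onOld.Count -eq 0) { return $null }

    $initial    = "$($Recipient.Alias)@$InitialDomain"
    $hasPrimary = $false
    $kept = foreach ($addr in $current) {
        if ($addr -imatch "^smtp:.*$oldSuffix") { continue }   # drop old-domain proxies
        if ($addr -imatch '^smtp:') {
            # Only the initial-domain address keeps (or gains) the uppercase SMTP: prefix
            $bare = $addr.Substring(5)
            if ($bare -ieq $initial) { $hasPrimary = $true; "SMTP:$initial" } else { "smtp:$bare" }
        } else { $addr }                                        # X500:, SIP: etc. untouched
    }
    $kept = @($kept)
    if (-not $hasPrimary) { $kept += "SMTP:$initial" }
    [PSCustomObject]@{ Removed = $onOld; NewList = $kept }
}

function Invoke-OldDomainCleanup {
    param([switch]$Apply)
    $recipients = @(Get-Mailbox -ResultSize Unlimited) + @(Get-DistributionGroup -ResultSize Unlimited)
    foreach ($r in $recipients) {
        $fix = Get-CleanAddressList -Recipient $r
        if (-not $fix) { continue }
        $isGroup = "$($r.RecipientTypeDetails)" -like '*Group*'
        [PSCustomObject]@{
            Identity   = "$($r.Identity)"
            Type       = "$($r.RecipientTypeDetails)"
            Removed    = ($fix.Removed -join ';')
            NewPrimary = ($fix.NewList | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''
        }
        if ($Apply) {
            # -EmailAddresses with a plain array replaces the whole list, which is what
            # lets the primary change and the old-domain entries disappear in one call
            if ($isGroup) { Set-DistributionGroup -Identity $r.Identity -EmailAddresses $fix.NewList }
            else          { Set-Mailbox           -Identity $r.Identity -EmailAddresses $fix.NewList }
        }
    }
}

$results = @(Invoke-OldDomainCleanup -Apply:$Apply)
$results | Export-Csv -Path $Report -NoTypeInformation
$results | Format-Table -AutoSize
"$($results.Count) recipient(s) still referenced $OldDomain" +
    $(if ($Apply) { '; address lists rewritten.' } else { '; run again with -Apply to change them.' })
```

Run it without -Apply first and keep the CSV: it is the record of what each object looked like before the change, which is what you need if a user later reports a missing address. Recipients that are neither mailboxes nor distribution groups (mail users, mail contacts, Microsoft 365 Groups) are not covered by this pass and still show up in the Get-MsolUser check in step 7.
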

Target tenant preparation

Complete the verification of the Fabrikam.com domain in the contoso.com tenant. You
may have to wait one hour after removing the domain from the old tenant.

1. Configure the Autodiscover CNAME record (internal/external). This step is optional.

2. If you are using AD FS, configure the new domain in target tenant for AD FS.

3. Begin mailbox activation in the contoso.com tenant by assigning licenses to all of the
new user accounts.

4. Set the Fabrikam.com email domain as the primary address on the new users. This
can be done by selecting/editing multiple unlicensed users in the portal or by
using Windows PowerShell.

5. If you are not using the password hash sync feature, pass-through authentication
or AD FS, set password on all mailboxes in the target (Contoso) tenant. If you are
not using a common password, notify users of the new password.

6. Once mailboxes are licensed and active, transition the mail routing. Point the
Fabrikam MX record to the Office 365 target (Contoso) tenant. When the MX TTL
expires, mail will begin to flow into the new empty mailboxes. If you are using an
MX backup service, you can release the email to the new mailboxes.

7. Perform verification testing of mail flow to/from new mailboxes in the target
tenant.

8. If you are using Exchange Online Protection (EOP): In the target tenant, recreate the
mail flow rules (also known as transport rules), connectors, block lists, allow lists,
and so on, from the source tenant.

Begin migration
To minimize downtime and user inconvenience, determine the best method for
migration.

Migration for 500 users or less: Migrate mail, calendar, and contact data to the target
tenant mailboxes. Limit mail migration by date if possible; for example, the last 6
months of data.

Migration for more than 500 users: Use a multi-pass approach where you migrate
contacts, calendars, and only 1 week of email for all users, then on succeeding days
or weeks, do multiple passes to fill in the mailboxes with older email data.

Start your mail migration via the third-party migration tool.

1. Monitor migration progress with the tools provided by the vendor. Send out
periodic progress reports during migration to management and migration team.

2. Optionally, do second- or third-pass migrations after all migrations are complete.

At the end of migration, Outlook 2007 and 2010 will sync the entire mailbox for each
user, consuming considerable bandwidth depending on how much data you migrated
into each mailbox. Outlook 2013 will only cache 12 months of data by default. This
setting can be configured to more or less data, for example, only 3 months of data,
which can lighten bandwidth usage.

Post migration: Cleanup

Users may receive NDRs when replying to migrated email messages. The Outlook Auto-
Complete List (also known as the nickname cache) needs to be cleared. To remove all
recipients from your Auto-Complete list in Outlook 2010 or later, see Manage suggested
recipients in the To, Cc, and Bcc boxes with Auto-Complete. Alternatively, add the old
legacy DN as an X500 proxy address to all users.

Sample Windows PowerShell scripts

Use the following sample Windows PowerShell scripts as a starting point for creating
your own scripts.

Office 365 bulk password reset

1. Create a CSV file named password.csv.

2. Insert "upn" and "newpassword" columns in this file (Example:
johnsmith@contoso.com,Password1)

3. Use the Windows PowerShell command:

PowerShell

Import-Csv password.csv | %{Set-MsolUserPassword -UserPrincipalName $_.upn -NewPassword $_.newpassword -ForceChangePassword $false}
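The one-liner above takes every password from a plain-text file and clears the change-at-next-sign-in flag, which is what you want in the unusual case where the same known password must be issued to everyone. The script below is an added example, not from the article: it reads the same password.csv layout (only the upn column is required), generates a unique random password per user with the .NET cryptographic RNG, sets it with the same Set-MsolUserPassword cmdlet but with -ForceChangePassword $true, and writes the results to an output file for hand-over. It assumes Connect-MsolService has already been run; the output file name is this example's own. Set-MsolUserPassword is part of the legacy MSOnline module, which Microsoft has deprecated in favour of the Microsoft Graph PowerShell SDK, so treat the cmdlet as the article's choice rather than the long-term one.

```powershell
# Added example (not from the article): bulk password reset that generates a
# unique random password per user instead of reading one from the CSV, and
# forces a change at next sign-in. Assumes Connect-MsolService has been run.
# Input:  password.csv with at least a "upn" column (same layout as above)
# Output: reset-results.csv (this example's own file name) with the password issued
param(
    [string]$InputCsv  = '.\password.csv',
    [string]$OutputCsv = '.\reset-results.csv',
    [int]$Length       = 16
)

function New-RandomPassword {
    param([int]$Length = 16)
    # Ambiguous glyphs (0/O, 1/l/I) are left out so the password survives being read aloud
    $charset = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = [Math]::Floor(256 / $charset.Length) * $charset.Length
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        # Rejection sampling: a plain modulo would bias toward the first characters
        if ($byte[0] -lt $limit) { [void]$sb.Append($charset[$byte[0] % $charset.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Reset-UserPasswords {
    param([string]$Csv, [int]$Length)
    $rows = @(Import-Csv $Csv)
    if ($rows.Count -eq 0 -or -not ($rows[0].PSObject.Properties.Name -contains 'upn')) {
        throw "$Csv must contain a 'upn' column"
    }
    foreach ($row in $rows) {
        $pw = New-RandomPassword -Length $Length
        try {
            Set-MsolUserPassword -UserPrincipalName $row.upn -NewPassword $pw `
                -ForceChangePassword $true -ErrorAction Stop | Out-Null
            $status = 'reset'
        } catch {
            $status = "failed: $($_.Exception.Message)"
            $pw = ''            # never record a password that was not actually set
        }
        [PSCustomObject]@{ upn = $row.upn; newpassword = $pw; status = $status }
    }
}

$results = @(Reset-UserPasswords -Csv $InputCsv -Length $Length)
$results | Export-Csv -Path $OutputCsv -NoTypeInformation
$results | Select-Object upn, status | Format-Table -AutoSize
```

The output file holds live credentials for a short time only, because -ForceChangePassword $true makes each one single-use; distribute it through whatever channel you use for initial passwords and delete it once users have signed in.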

Copy all Office 365 accounts with a specific proxy address into a CSV file

PowerShell

##########################################################################
# Script: showproxies.ps1
# Copies all accounts in Microsoft 365 that contain a specific
# proxyaddress to a .CSV file (addresses.csv)
#
# Requires an active Exchange Online PowerShell session (Connect-ExchangeOnline).
#
# Change the following variable to the proxy address string you want to find:
# $proxyaddr = "onmicrosoft.com"
##########################################################################
$proxyaddr = "onmicrosoft.com"

# Create an object to hold the results
$addresses = @()

# Get every mailbox in the Exchange Organization
$Mailboxes = Get-Mailbox -ResultSize Unlimited

# Loop through the mailboxes
ForEach ($mbx in $Mailboxes) {
    # Loop through every address assigned to the mailbox
    Foreach ($address in $mbx.EmailAddresses) {
        # If it contains the search string, record it
        if ($address.ToString().ToLower().contains($proxyaddr)) {
            # This is a matching email address. Add it to the list
            $obj = "" | Select-Object Alias,EmailAddress
            $obj.Alias = $mbx.Alias
            $obj.EmailAddress = $address.ToString() #.SubString(10)
            $addresses += $obj
        }
    }
}

# Export the final object to a csv in the working directory
$addresses | Export-Csv addresses.csv -NoTypeInformation

# Open the csv with the default handler
Invoke-Item addresses.csv

##### END OF SHOWPROXIES.PS1

Bulk create room mailboxes in Microsoft 365

Note

Before you run the following script, you need to install the Exchange Online
PowerShell module. For instructions, see Install and maintain the Exchange
Online PowerShell module. The module uses modern authentication.

Typically, you can use the script as-is if your organization is Microsoft 365 or
Microsoft 365 GCC. If your organization is Office 365 Germany, Microsoft 365
GCC High, or Microsoft 365 DoD, you need to edit the Connect-ExchangeOnline
line in the script. Specifically, you need to use the ExchangeEnvironmentName
parameter and the appropriate value for your organization type. For more
information, see the examples in Connect to Exchange Online PowerShell.

PowerShell

############################################################################
# Script: create-rooms.ps1
# Description: *** RUN THIS SCRIPT FROM A WINDOWS POWERSHELL SESSION ***
# This script creates room mailboxes in Microsoft 365.
# Syntax: Create-Rooms.ps1 -InputFile "file name.csv"
#
# Dependencies: Input file should contain 3 columns: RoomName, RoomSMTPAddress, RoomCapacity
#
############################################################################
param( $inputFile )

Function Usage
{
    # Print the script's own file name and an example invocation
    $strScriptFileName = ($MyInvocation.ScriptName).substring(($MyInvocation.ScriptName).lastindexofany("\") + 1).ToString()
@"
NAME:
$strScriptFileName
EXAMPLE:
C:\PS> .\$strScriptFileName -InputFile `"file name.csv`"
"@
}

If (-not $InputFile) {Usage;Exit}

# Connect to Exchange Online PowerShell unless a session is already open
If ($ExchRemoteCmdlets.State -ne "Opened")
{
    Write-Host
    Write-Host Connecting to Exchange Online PowerShell...
    Write-Host
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline
    $Global:ExchRemoteCmdlets = Get-PSSession -Name ExchangeOnlineInternalSession*
}

# Import the CSV file in Exchange Online
$csv = Import-CSV $inputfile

# Create Rooms contained in the CSV file in Exchange Online
$csv | foreach-object{
    New-Mailbox -Name $_.RoomName -Room -PrimarySmtpAddress $_.RoomSMTPAddress -ResourceCapacity $_.RoomCapacity
}
##### END OF CREATE-ROOMS.PS1

Bulk remove secondary email address from mailboxes

Note

Before you run the following script, you need to install the Exchange Online
PowerShell module. For instructions, see Install and maintain the Exchange
Online PowerShell module. The module uses modern authentication.

Typically, you can use the script as-is if your organization is Microsoft 365 or
Microsoft 365 GCC. If your organization is Office 365 Germany, Microsoft 365
GCC High, or Microsoft 365 DoD, you need to edit the Connect-ExchangeOnline
line in the script. Specifically, you need to use the ExchangeEnvironmentName
parameter and the appropriate value for your organization type. For more
information, see the examples in Connect to Exchange Online PowerShell.

PowerShell

##########################################################################
# Script: remove-proxy.ps1
# Description: *** RUN THIS SCRIPT FROM A WINDOWS POWERSHELL SESSION ***
# This script will remove a secondary email address from many users
#
# Syntax: remove-proxy.ps1 -InputFile "filename.csv"
#
# Dependencies: Input file should contain 2 columns: Username, Emailsuffix
# Example: Username=tim, Emailsuffix=fabrikam.com
# Script will remove the address tim@fabrikam.com from the mailbox for Tim.
# NOTE: Address must be secondary; it will not remove primary email address.
#
##########################################################################
param( $inputFile )

Function Usage
{
    # Print the script's own file name and an example invocation
    $strScriptFileName = ($MyInvocation.ScriptName).substring(($MyInvocation.ScriptName).lastindexofany("\") + 1).ToString()
@"
NAME:
$strScriptFileName
EXAMPLE:
C:\PS> .\$strScriptFileName -inputfile `"file name.csv`"
"@
}

If (-not $inputFile) {Usage;Exit}

# Connect to Exchange Online PowerShell unless a session is already open
If ($ExchRemoteCmdlets.State -ne "Opened")
{
    Write-Host
    Write-Host Connecting to Exchange Online PowerShell...
    Write-Host
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline
    $Global:ExchRemoteCmdlets = Get-PSSession -Name ExchangeOnlineInternalSession*
}

# Import the CSV file and remove the secondary address from each mailbox in Exchange Online
$csv = Import-CSV $inputfile
$csv | foreach-object{
    # Build the email address to remove from Username and Emailsuffix
    $removeaddr = $_.username + "@" + $_.emailsuffix
    Write-Host ("Processing User: " + $_.UserName + " - Removing " + $removeaddr)
    # @{Remove=...} drops only that proxy and leaves the other addresses in place
    Set-Mailbox $_.Username -EmailAddresses @{Remove=$removeaddr}
}
##### END OF REMOVE-PROXY.PS1

Migrate from Lotus Notes to Microsoft
365 or Office 365
Article • 02/22/2023

When planning to migrate email from IBM Lotus Notes to Microsoft 365 or Office 365,
use the Microsoft Online Notes Inspector (MONTI) application. This tool will assist you
in evaluating the amount of data to be migrated from a customer's Lotus Notes
environment to Microsoft 365 or Office 365.

Here's what MONTI does:

It processes mail files to determine the total database size, document count
(calendar, contacts, groups, mail, and tasks), and size by days.

It processes Mail-In Databases to determine the total database size, and Size by
Days.

It posts results under the People, Mail-In Databases, and Logs views. You can
create these reports manually or on a scheduled basis.

Download the MONTI application and accompanying documentation from the
Microsoft Download Center.

To directly download only the application: MONTI application

The documentation describes how to deploy, configure, and run the MONTI application
in a customer's Domino environment.

Add an SSL certificate to Exchange 2013
for migration to Exchange Online
Article • 02/22/2023

Some services, such as Outlook Anywhere, Cutover migration to Microsoft 365 or Office
365, and Exchange ActiveSync, require certificates to be configured on your Exchange
2013 server. This article shows you how to configure an SSL certificate from a third-party
certificate authority (CA).

What permissions do you need?

In order to add certificates, you need to be assigned the Organization Management role
group on the Exchange Server 2013.

Tasks for adding an SSL certificate

Adding an SSL certificate to Exchange Server 2013 is a three-step process.

1. Create a certificate request

2. Submit the request to certificate authority

3. Import the certificate

Create a certificate request

To create a certificate request:

1. Open the Exchange admin center (EAC) by browsing to the URL of your Client
Access server, for example, https://Ex2013CAS/ECP.

2. Enter your username and password by using the domain\username format for
username, and choose Sign in.

3. Go to Servers > Certificates. On the Certificates page, make sure your Client
Access server is selected in the Select server field, and then choose New .

4. In the New Exchange certificate wizard, select Create a request for a certificate
from a certification authority and then choose Next.

5. Specify a name for this certificate, and then choose Next.


6. If you want to request a wildcard certificate, select Request a wild-card certificate,
and then specify the root domain of all subdomains in the Root domain field. If
you don't want to request a wildcard certificate and instead want to specify each
domain that you want to add to the certificate, leave this page blank. Choose Next.

7. Choose Browse, and specify an Exchange server to store the certificate on. The
server you select should be the internet-facing Client Access server. Choose Next.

8. For each service in the list shown, verify that the external or internal server names
that users will use to connect to the Exchange server are correct. For example:

If you configured your internal and external URLs to be the same, Outlook
Web App (when accessed from the internet) and Outlook Web App (when
accessed from the intranet) should show owa.contoso.com. Offline Address
Book (OAB) (when accessed from the internet) and OAB (when accessed from
the intranet) should show mail.contoso.com.

If you configured the internal URLs to be internal.contoso.com, Outlook Web
App (when accessed from the internet) should show owa.contoso.com, and
Outlook Web App (when accessed from the intranet) should show
internal.contoso.com.

These domains will be used to create the SSL certificate request. Choose Next.

9. Add any additional domains you want included on the SSL certificate.

10. Select the domain that you want to be the common name for the certificate > Set
as common name. For example, contoso.com. Choose Next.

11. Provide information about your organization. This information will be included
with the SSL certificate. Choose Next.

12. Specify the network location where you want this certificate request to be saved.
Choose Finish.

Submit the request to certificate authority

After you've saved the certificate request, submit the request to your certificate
authority (CA). This can be an internal CA or a third-party CA, depending on your
organization. Clients that connect to the Client Access server must trust the CA that you
use. You can search the CA website for the specific steps for submitting your request.

Import the certificate

After you receive the certificate from the CA, complete the following steps.

To import the certificate request:

1. On the Server > Certificates page in the EAC, select the certificate request you
created in the previous steps.

2. In the certificate request details pane, choose Complete under Status.

3. On the complete pending request page, specify the path to the SSL certificate file
> OK.

4. Select the new certificate you just added, and then choose Edit .

5. On the certificate page, choose Services.

6. Select the services you want to assign to this certificate. At a minimum, you should
select SMTP and IIS. Choose Save.

7. If you receive the warning Overwrite the existing default SMTP certificate?,
choose Yes.

Add an SSL certificate to Exchange 2010
for migration to Exchange Online
Article • 02/22/2023

Some services, such as Outlook Anywhere, Cutover migration to Microsoft 365 or Office
365, and Exchange ActiveSync, require certificates to be configured on your Exchange
2010 server. This article shows you how to configure an SSL certificate from a third-party
certificate authority (CA).

What permissions do you need?

In order to add certificates, you need to be assigned the Organization Management role
group on the Exchange 2010.

Tasks for adding an SSL certificate

Adding an SSL certificate to Exchange 2010 is a three-step process.

1. Create a certificate request

2. Submit the request to certificate authority

3. Import the certificate

Create a certificate request

To create a certificate request:

1. Open the Exchange Management Console (EMC).

2. Select the server to which you want to add the certificate.

3. In the Actions pane, choose New Exchange Certificate.


4. In the New Exchange certificate wizard, specify a name for this certificate, and
then choose Next.

5. In the Domain Scope page, specify the root domain for all subdomains in the Root
domain field. If you want to request a wildcard, select Enable wildcard certificate.
If you don't want to request a wildcard certificate, you will specify each domain
you want to add to the certificate on the next page. Choose Next.

6. On the Exchange Configuration page for each service in the list shown, verify that
the external or internal server names that users will use to connect to the Exchange
server are correct. For example:

If you configured your internal and external URLs to be the same, Outlook
Web App (when accessed from the internet) and Outlook Web App (when
accessed from the intranet) should show owa.contoso.com. Offline Address
Book (OAB) (when accessed from the internet) and OAB (when accessed from
the intranet) should show mail.contoso.com.

If you configured the internal URLs to be internal.contoso.com, Outlook Web
App (when accessed from the internet) should show owa.contoso.com, and
Outlook Web App (when accessed from the intranet) should show
internal.contoso.com.

7. These domains will be used to create the SSL certificate request. Choose Next.

8. On the Certificate Domains page, add any additional domains you want included
on the SSL certificate.

Select the domain that you want to be the common name for the certificate > Set
as common name. For example, contoso.com. Choose Next.

9. On the Organization and Location page, provide information about your
organization. This information will be included with the SSL certificate.

Specify the network location where you want this certificate request to be saved.
Choose Next.

10. On the Certificate Configuration page, review the summary information, choose
New to create the certificate, and then choose Finish on the Completion page.

Submit the request to certificate authority

After you've saved the certificate request, submit the request to your certificate
authority (CA). This can be an internal CA or a third-party CA, depending on your
organization. Clients that connect to the Client Access server must trust the CA that you
use. You can search the CA website for the specific steps for submitting your request.

Import the certificate

After you receive the certificate from the CA, complete the following steps.

To import the certificate request:

1. Open the EMC.

2. Select the server to which you want to import the certificate.

3. In the Exchange Certificates pane, select the request you created earlier, and in
the Actions pane, choose Complete Pending Request.

4. On the Complete Pending Request page, specify the path to the SSL certificate file
you received from your CA > Complete.

5. On the Completion page, choose Finish.

6. To assign services to this certificate, on the EMC, select the Exchange server, and
then select the certificate in the Exchange Certificates tab.

In the Actions pane, choose Assign Services to Certificate.

7. On the Select Servers page of the Assign Services to Certificate wizard, select the
name of the server to which you're adding the certificate > Next.

8. On the Select Services page, select the services you want to assign to this
certificate. At a minimum, you should select SMTP and IIS. Choose Next.

9. On the Assign Services page, choose Assign.

If you receive the warning Overwrite the existing default SMTP certificate?,
choose Yes > Finish.

Add an SSL certificate to Exchange 2007
for migration to Exchange Online
Article • 02/22/2023

Some services, such as Outlook Anywhere, Cutover migration to Microsoft 365 or Office
365, and Exchange ActiveSync, require certificates to be configured on your Microsoft
Exchange Server 2007 server. This article shows you how to configure an SSL certificate
from a third-party certificate authority (CA).

Tasks for adding an SSL certificate

Adding an SSL certificate to Microsoft Exchange Server 2007 is a three-step process.

1. Create a certificate request

2. Submit the request to certificate authority

3. Import the certificate

Create a certificate request

To create a certificate request in Microsoft Exchange Server 2007, use the
New-ExchangeCertificate command. To run the New-ExchangeCertificate command, the
account you use must be in the Exchange Server Administrator role and local
Administrators group for the target server.

To create a certificate request

1. Open the Exchange Management Shell on the local server.

2. On the command line, type:

PowerShell

New-ExchangeCertificate -DomainName "owa.servername.contoso.com","mail.servername.contoso.com","autodiscover.servername.contoso.com","sts.servername.contoso.com","oos.servername.contoso.com","mail12.servername.contoso.com","edge.servername.contoso.com" `
    -FriendlyName "Exchange 2007 Certificate" -GenerateRequest:$true -KeySize 2048 `
    -Path "C:\certlocation" -PrivateKeyExportable $true `
    -SubjectName "c=us, o=ContosoCorporation, cn=servername.contoso.com"

In the command example above, servername is the name of your server,
contoso.com is an example of a domain name, and certlocation is a file path to the
location where you want to store the request once it is generated. Replace all these
placeholders with the information that is appropriate for your Microsoft Exchange
Server 2007.

In the DomainName parameter, add the domain names for the certificate request.
For example, if you configured your internal and external URLs to be the same, the
domain name for Outlook Web Access when accessed from the internet or intranet
should look like owa.servername.contoso.com.

Use the SubjectName parameter to specify the Subject Name on the resulting
certificate. This field is used by DNS-aware services and binds a certificate to a
particular domain name.

You must specify the GenerateRequest parameter as $true. Otherwise, you will
create a self-signed certificate instead of a request.

3. After you run the above command, a certificate request is saved in the file location
you specified by using the Path parameter.

The New-ExchangeCertificate command also creates a Thumbprint output
parameter that you use when you submit the request to a third-party certificate
authority in the next step.

Submit the request to certificate authority


After you've saved the certificate request, submit the request to your CA. This can be an
internal CA or a third-party CA, depending on your organization. Clients that connect to
the Client Access server must trust the CA that you use. You can search the CA website
for the specific steps for submitting your request.

Import the certificate


After you receive the certificate from the CA, use the Import-ExchangeCertificate
command to import it.

To import the certificate request

1. Open the Exchange Management Shell on local server.

2. On the command line, type:

PowerShell

Import-ExchangeCertificate -Path C:\filepath

The filepath parameter above specifies the location where you saved the certificate
file that was provided by the third-party CA.

When you run this command, it creates a Thumbprint output parameter that you
use to enable the certificate in the next step.

To enable the certificate

1. To enable the certificate, you use the Enable-ExchangeCertificate command. On the
command line, type:

PowerShell

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services iis,smtp,pop,imap

The Thumbprint parameter specifies the one you received as output when you ran
the Import-ExchangeCertificate command.

In the Services parameter, specify the services you want to assign to this certificate.
At a minimum, you should specify SMTP and IIS.

2. If you receive the warning Overwrite the existing default SMTP certificate?, type
in A (yes for all).
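The three commands above are usually run days apart, and the thumbprint printed by Import-ExchangeCertificate is easy to mix up with the one from the request. The script below is an added example, not from the article, that wraps the request and import stages for Exchange 2007 and adds the checks an administrator wants before switching SMTP and IIS over to a new certificate: that the request file was actually written, and that the certificate the CA returned covers every requested name, still has a reasonable validity window, has a 2048-bit or larger key, and has its private key on this server. Only then is it enabled, and the enable step uses the thumbprint of the object Import-ExchangeCertificate returned rather than a copied-in value. The host and domain names are the article's placeholders; $RequestPath and $CertFile are this example's own assumptions, and Import-ExchangeCertificate is called with -Path, the Exchange 2007 form of the parameter.

```powershell
# Added example, not from the article. Request and import stages for an
# Exchange 2007 certificate, with sanity checks before services are enabled.
# Run from the Exchange Management Shell on the Client Access server.
param(
    [string[]]$Names = @('owa.servername.contoso.com',          # article placeholders
                         'mail.servername.contoso.com',
                         'autodiscover.servername.contoso.com'),
    [string]$SubjectName = 'c=us, o=ContosoCorporation, cn=mail.servername.contoso.com',
    [string]$RequestPath = 'C:\certlocation\exchange2007.req',  # this example's own paths
    [string]$CertFile    = 'C:\certlocation\exchange2007.cer',
    [ValidateSet('request','import')][string]$Stage = 'request'
)

function New-CertRequest {
    # Step 1. GenerateRequest:$true is what makes this a CSR and not a self-signed cert
    New-ExchangeCertificate -DomainName $Names -FriendlyName 'Exchange 2007 Certificate' `
        -GenerateRequest:$true -KeySize 2048 -Path $RequestPath `
        -PrivateKeyExportable $true -SubjectName $SubjectName | Out-Null
    if (-not (Test-Path $RequestPath)) { throw "Request was not written to $RequestPath" }
    # The first line of a PEM request is the BEGIN marker; echo it as confirmation
    Get-Content $RequestPath | Select-Object -First 1
}

function Test-ImportedCertificate {
    # Step 3 checks, run against the object Import-ExchangeCertificate returns.
    # Returns a list of problems; an empty list means the certificate is fit to enable.
    param($Cert, [string[]]$Expected, [int]$MinKeyBits = 2048, [int]$MinDaysLeft = 30)
    $have    = @($Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($Expected | Where-Object { $have -notcontains $_.ToLower() })
    $problems = @()
    if ($missing.Count -gt 0) { $problems += "names not on certificate: $($missing -join ', ')" }
    if ($Cert.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) { $problems += "expires $($Cert.NotAfter)" }
    if ($Cert.PublicKey.Key.KeySize -lt $MinKeyBits) { $problems += "key size $($Cert.PublicKey.Key.KeySize) bits" }
    if (-not $Cert.HasPrivateKey) { $problems += 'private key is not present on this server' }
    return $problems
}

switch ($Stage) {
    'request' { New-CertRequest }
    'import'  {
        # Step 2 happened out of band: $CertFile is what the CA sent back for the request
        $cert = Import-ExchangeCertificate -Path $CertFile
        $problems = Test-ImportedCertificate -Cert $cert -Expected $Names
        if ($problems.Count -gt 0) {
            throw "Not enabling $($cert.Thumbprint): $($problems -join '; ')"
        }
        # The default-SMTP-certificate prompt described above still appears here
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
        Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
            Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
    }
}
```

Run it once with -Stage request, submit the file to the CA, and run it again with -Stage import once the certificate is back. The Get-ExchangeCertificate call at the end is the evidence to keep: it shows the thumbprint that is now bound to IIS and SMTP, which is what you compare against the certificate Outlook Anywhere and Exchange ActiveSync clients report if they start failing after the change.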

See also
Blog article on adding an SSL to Exchange Server 2007

Enable your Gmail account for IMAP in
Exchange Online
Article • 02/22/2023

Internet Message Access Protocol (IMAP) is a protocol that allows you to download
messages from a mail provider's servers, such as those for Gmail, onto your computer so
you can use Microsoft Outlook to view and edit your email, even when you aren't connected
to the internet.

Enable IMAP for your Gmail account

To make your Gmail messages accessible by Microsoft Outlook, you need to enable IMAP
for your account.

1. Sign in to your Gmail account by using a browser that is supported (Google
Chrome, Firefox, Internet Explorer, or Safari).

2. Choose or click the gear icon on the top right.

3. Choose Settings > Forwarding and POP/IMAP.

4. Select Enable IMAP, and then choose Save Changes.


Microsoft 365 and Office 365 email
migration performance and best
practices
Article • 02/22/2023

There are many paths to migrate email data for an organization hosted on-premises to
Microsoft 365 or Office 365. When planning a migration to Microsoft 365 or Office 365,
a clear understanding of data migration process and velocity helps the admins to plan
better.

Overview of migrating email to Microsoft 365 or Office 365

Microsoft 365 or Office 365 supports several methods to migrate email, calendar, and
contact data from your existing messaging environment to Microsoft 365 or Office 365
as described in Ways to migrate multiple email accounts to Microsoft 365 or Office 365.

For networking and performance related questions on Microsoft 365 or Office 365, see
Network planning and performance tuning for Microsoft 365 or Office 365.

Frequently used migration methods

Migration method: Internet Message Access Protocol (IMAP) migration
Description: You can use the Exchange admin center or Exchange Online PowerShell to migrate the contents of users' mailboxes from an IMAP messaging system to their Microsoft 365 or Office 365 mailboxes. This includes migrating mailboxes from other hosted email services, such as Gmail or Yahoo Mail. Note that Exchange Online now offers a highly specialized process in the Modern EAC for migrating email from an organization's existing Gmail/G Suite/Google Workspace (GWS) deployment to Exchange Online.
Resources: Migrate your IMAP mailboxes to Microsoft 365 or Office 365

Migration method: Cutover migration
Description: Use cutover migration to migrate all on-premises mailboxes to Microsoft 365 or Office 365 over a few days. Use cutover migration if you plan to move your entire email organization to Microsoft 365 or Office 365 and manage user accounts in Microsoft 365 or Office 365. You can migrate a maximum of 2,000 mailboxes from your on-premises Exchange organization to Microsoft 365 or Office 365 using a cutover migration. The recommended number of mailboxes, however, is 150; performance is likely to degrade with numbers higher than that. The mail contacts and distribution groups in your on-premises Exchange organization are also migrated.
Resources: Cutover migration to Microsoft 365 or Office 365

Migration method: Staged migration
Description: Use staged migration if you plan to eventually migrate all of your organization's mailboxes to Microsoft 365 or Office 365 over time. Using a staged migration, you migrate batches of on-premises mailboxes to Microsoft 365 or Office 365 over the course of a few weeks or months.
Resources: What you need to know about a staged email migration to Microsoft 365 or Office 365

Migration method: Hybrid deployment
Description: A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Microsoft 365 or Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to a Microsoft 365 or Office 365 organization.
Resources:
Microsoft 365 and Office 365 Mail migration advisor
Exchange Server Hybrid Deployments
Mail migration advisor
Exchange Deployment Assistant for Exchange on-premises 2013/2016/2019
Exchange Server 2013 hybrid deployments
Minimal Hybrid Configuration

Migration method: Third-party migration
Description: There are many tools available from third parties. They use distinctive protocols and approaches to conduct email migrations from email platforms like GWS, GoDaddy, Yahoo, IBM Lotus Notes and Novell GroupWise.
Resources: Here are some third-party migration tools and partners that can assist with Exchange migrations from third-party platforms:
Binary Tree / Quest / QuadroTech: Binary Tree and QuadroTech are now part of Quest. Quest is a provider of cross-platform messaging migration and coexistence software, with products for analysis, coexistence, and migration between multiple platforms to Exchange Online. Quest solutions synchronize mailboxes, public folders and calendar information while maintaining coexistence throughout the migration.
BitTitan: Provides an automated solution for migrations to Microsoft 365 or Office 365 from a wide range of platforms.
CodeTwo: Provider of Microsoft 365 and Office 365 migration solutions for secure and automated data migrations to Microsoft 365 (Office 365) from Exchange on-premises, IMAP servers, and between Microsoft 365 tenants.
Transvault: Provider of Cloud Office migration solutions to Microsoft 365 from Exchange and Notes. Transvault supports dozens of sources for migration and offers products that deliver any size of project, complex email archive migrations and PST management. The enterprise migration solutions are secure, compliant, efficient, and user-focused, and can be run both on-premises and in the cloud.
SkyKick: Provider of automated migration solutions to move from multiple source types to Microsoft 365 or Office 365. The end-to-end migration tools help partners with the sales, planning, migration, management, and onsite phases of the migration project.
BCC: Helps companies by supporting their collaboration migration strategy. Best-in-class supplier of migration tools based on the Domino platform, for migrating to Microsoft Exchange, Microsoft 365, and Office 365.

Performance for migration methods

The following sections compare mailbox migration workloads and the observed performance results for the different methods of migrating mailboxes and mailbox data to Microsoft 365 or Office 365. These results are based on internal testing and actual customer migrations to Microsoft 365 or Office 365.

Important: Because of differences in how and when migrations are performed, your actual migration velocity may vary.

Customer migration workloads

The following table describes the different workloads involved in a typical migration, and the challenges and options for each.

Workload: Onboarding (migrating to Microsoft 365 or Office 365)
Notes: Microsoft offers data migration capability and tools for customers to use to migrate their data to Exchange Online in Microsoft 365 or Office 365 from Exchange Server on-premises (via cutover, staged or hybrid migration), from Gmail/G Suite/GWS, also known as Google Workspace (via the EAC or PowerShell), from other IMAP sources (via PowerShell, including Gmail over IMAP), or from another tenant (cross-tenant migration).

Workload: Multi-Geo
Notes: Multinational companies with offices around the world often need to store their employee data at rest in specific regions in order to meet their data residency requirements. Multi-Geo enables a single Microsoft 365 or Office 365 organization to span multiple Microsoft 365 or Office 365 datacenter geographies (geos), which gives you the ability to store Exchange data, at rest, on a per-user basis, in your chosen geos. For more details, see Get enterprise-grade global data location controls with Multi-Geo.

Workload: Encryption
Notes: Service Encryption with Customer Key is a feature that allows a customer to provision and manage the root keys that are used to encrypt data at rest at the application layer in Microsoft 365 or Office 365. For a mailbox to become encrypted the first time, a mailbox move is required. For more details, see Service encryption with Microsoft Purview Customer Key.

Workload: GoLocal
Notes: Microsoft continues to open new datacenters in new regions, or geos. Existing customers, when eligible, can request to have their customer data moved from their original datacenter to a new geo. The period in which you can make this request is usually one or two years, depending on the overall demand for the service. Note that this period becomes shorter once a datacenter (DC) for the new geo launches (at that point you have approximately three to six months to request a move). Details are available in Moving core data to new Microsoft 365 datacenter geos.

When mailboxes are migrated within Microsoft 365 data centers, every mailbox move or
bulk-mailbox move requires time for the operation to complete. There are a number of
factors, such as Microsoft 365 service activity, that can affect exactly how much time. The
service is designed to throttle discretionary workloads like mailbox moves, to ensure
that the service runs optimally for all users. You can still expect mailbox moves to be
processed, however, depending on the service's discretionary resource availability. More
details about resource throttling can be found in this blog post.

Duration estimates for mailbox migration in Exchange Online

To help you plan your migration, the following tables present guidelines about when to expect bulk mailbox migrations or individual migrations to complete. These estimates are based on a data analysis of previous customer migrations. Because every environment is unique, your exact migration velocity may vary.

Mailbox migration duration based on mailbox size profiles (P50 and P90 are the 50th and 90th percentile durations, in days):

GoLocal/Multi-Geo/Encryption in Exchange Online

Workload                        Mailbox size (GB)   P50 duration (days)   P90 duration (days)
GoLocal/Multi-Geo/Encryption    0 - 10              1                     1
GoLocal/Multi-Geo/Encryption    10 - 50             2                     6
GoLocal/Multi-Geo/Encryption    50 - 100            4                     11
GoLocal/Multi-Geo/Encryption    100 - 200           6                     14
GoLocal/Multi-Geo/Encryption    > 200               Not supported         Not supported

Onboarding to Exchange Online from on-premises Exchange servers (cutover/staged/hybrid)

Workload                        Mailbox size (GB)   P50 duration (days)   P90 duration (days)
Onboarding from on-premises     0 - 10              1                     3
Onboarding from on-premises     10 - 50             2                     6
Onboarding from on-premises     50 - 100            4                     13
Onboarding from on-premises     100 - 200           10                    31
Onboarding from on-premises     > 200               Not supported         Not supported

Cross-tenant migration to Exchange Online (using the Microsoft first-party solution or third-party solutions)

Workload                        Mailbox size (GB)   P50 duration (days)   P90 duration (days)
Cross tenant                    0 - 10              1                     1
Cross tenant                    10 - 50             1                     2
Cross tenant                    50 - 100            2                     5
Cross tenant                    100 - 200           3                     6
Cross tenant                    > 200               Not supported         Not supported

Specialized onboarding to Exchange Online from Gmail/G Suite/GWS (EAC, PowerShell)

Workload                        Mailbox size (GB)   P50 duration (days)   P90 duration (days)
Specialized Gmail onboarding    0 - 10              1                     2
Specialized Gmail onboarding    10 - 50             1                     8
Specialized Gmail onboarding    50 - 100            3                     12
Specialized Gmail onboarding    100 - 200           5                     19
Specialized Gmail onboarding    > 200               Not supported         Not supported

Onboarding to Exchange Online from IMAP sources (other IMAP sources, PowerShell, Gmail via IMAP)

Workload                        Mailbox size (GB)   P50 duration (days)   P90 duration (days)
Generic IMAP onboarding         0 - 10              1                     1
Generic IMAP onboarding         10 - 50             1                     2
Generic IMAP onboarding         50 - 100            1                     8
Generic IMAP onboarding         100 - 200           3                     29
Generic IMAP onboarding         > 200               Not supported         Not supported

Onboarding to Exchange Online via PST Import

Workload                        Mailbox size (GB)   P50 duration (days)   P90 duration (days)
PST Import                      0 - 10              1                     1
PST Import                      10 - 50             1                     3
PST Import                      50 - 100            2                     5
PST Import                      100 - 200           3                     6
PST Import                      > 200               Not supported         Not supported

Note: Some outlier mailboxes may take longer to complete, depending on the mailbox profile. Also, if a tenant has larger mailboxes on average, this can contribute to a longer migration duration.

Migration performance factors

Mailbox and email migrations have several common factors that affect migration performance.

Common migration performance factors

The following table provides a list of common factors that affect migration performance. More details are covered in the sections describing the individual migration methods.

Factor: Data source
Description: The device or service that hosts the data to be migrated. Many limitations might apply to the data source because of hardware specifications, end-user workload, and back-end maintenance tasks.
Example: Gmail limits how much data can be extracted during a specific period of time.

Factor: Data type and density
Description: Because of the unique nature of a customer's business, the type and mix of mail items within mailboxes vary greatly.
Example: One 4-GB mailbox with 400 items, each with 10 megabytes (MB) of attachments, will migrate faster than one 4-GB mailbox with 100,000 smaller items.

Factor: Migration server
Description: Many migration solutions use a "jump box" type of migration server or workstation to complete the migration.
Example: Customers often use a low-performance virtual machine to host the MRSProxy service for hybrid deployments or for client PC non-hybrid migrations.

Factor: Migration engine
Description: The data migration engine responsible for pulling data from the source server converts data, if necessary. The engine then transmits the data over the network and injects the data into the Microsoft 365 or Office 365 mailbox.
Example: The MRSProxy service has its own capabilities and limitations.

Factor: On-premises network appliances
Description: The end-to-end network performance (from the data source to Exchange Online client access servers) affects migration performance.
Example: Firewall configuration and specifications on the on-premises organization.

Factor: Microsoft 365 or Office 365 service
Description: Microsoft 365 and Office 365 have built-in support and features to manage the migration workload.
Example: The user-throttling policy has default settings and limits the overall maximum data transfer rate.

Network performance factors

This section describes best practices for improving network performance during migration. The discussion is general because the biggest impact on network performance during migration is related to third-party hardware and Internet service providers (ISPs).

Use the Exchange Analyzer to get a deeper understanding of your network connectivity with Microsoft 365 or Office 365. To run the Exchange Analyzer tests in the Microsoft Support and Recovery Assistant, go to Advanced Diagnostics > Exchange Online > Check Exchange Online network connectivity > Yes. To learn more, read about the Microsoft Support and Recovery Assistant.

Factor: Network capacity
Description: The amount of time it takes to migrate mailboxes to Microsoft 365 or Office 365 is determined by the available and maximum capacity of your network.
Best practices: Identify your available network capacity and determine the maximum upload capacity. Contact your ISP to confirm your allocated bandwidth and to get details about restrictions, such as the total amount of data that can be transferred in a specific period of time.
Use tools to evaluate your actual network capacity. Make sure you test the end-to-end flow of data from your on-premises data source to the Microsoft datacenter gateway servers.
Identify other loads on your network (for example, backup utilities and scheduled maintenance) that can affect your network capacity.

Factor: Network stability
Description: A fast network doesn't always result in fast migrations. If the network isn't stable, data transfer takes longer because of error correction. Depending on the migration type, error correction can significantly affect migration performance.
Best practices: Network hardware and driver issues often cause network stability problems. Work with your hardware vendors to understand your network devices and apply the vendor's latest recommended drivers and software updates.

Factor: Network delays
Description: Intrusion detection functionality configured on a network firewall often causes significant network delays and affects migration performance. Migrating data to Microsoft 365 or Office 365 mailboxes relies on your internet connection. Internet delays affect overall migration performance. Also, users in the same company might have cloud mailboxes that reside in datacenters in different geographical locations. Depending on the customer's ISP, migration performance may vary.
Best practices: Evaluate network delays to all potential Microsoft datacenters to help ensure that the result is consistent. (This also helps ensure a consistent experience for end users.) Work with your ISP to address internet-related issues.
Add IP addresses for Microsoft datacenter servers to your allow list, or bypass all migration-related traffic from your network firewall. For more information about the Microsoft 365 or Office 365 IP ranges, see Microsoft 365 and Office 365 URLs and IP address ranges.

For a deeper analysis of migrations within your environment, check out our Mailbox Migration Performance Analysis. The post includes a script to help you analyze move requests.

Microsoft 365 and Office 365 throttling


Microsoft 365 and Office 365 use various throttling mechanisms to help ensure security
and service availability. The following three types of throttling can affect migration
performance:

User throttling
Migration-service throttling
Resource health-based throttling

Note: The three types of Microsoft 365 and Office 365 throttling don't affect all migration methods.

Microsoft 365 and Office 365 user throttling


User throttling affects most third-party migration tools and the client-uploading
migration method. These migration methods use client access protocols, such as the
Remote Procedure Call (RPC) over HTTP Protocol, to migrate mailbox data to Microsoft
365 or Office 365 mailboxes. These tools are used to migrate data from platforms such
as IBM Lotus Domino and Novell GroupWise.

User throttling is the most restrictive throttling method in Microsoft 365 and Office 365.
Because user throttling is set up to work against an individual end user, any application-
level usage will easily exceed the throttling policy and result in slower data migration.

Microsoft 365 and Office 365 migration-service throttling


Migration-service throttling affects all Microsoft 365 or Office 365 migration tools.
Migration-service throttling manages migration concurrency and service resource
allocation for Microsoft 365 or Office 365 migration solutions.

Migration-service throttling affects migrations performed by using the following migration methods:

IMAP migration
Cutover Exchange migration
Staged Exchange migration
Hybrid migrations (MRSProxy service-based moves in a hybrid environment)

Important: The aforementioned migration methods are not affected by user throttling.

An example of migration-service throttling is controlling the number of mailboxes that are migrated simultaneously during simple Exchange migrations and IMAP migrations. The default value is 20. This means that a maximum of 20 mailboxes from all migration batches are migrated at any time. You can increase the number of concurrent mailbox migrations for a migration batch in either the Exchange admin center or Windows PowerShell. To learn more about how to optimize this setting, see Manage migration batches in Microsoft 365 or Office 365.

Microsoft 365 or Office 365 resource health-based throttling

All migration methods are subject to the governance of availability throttling. Microsoft 365 or Office 365 service throttling, however, doesn't affect Microsoft 365 or Office 365 migrations as much as the other types of throttling described previously.

Resource health-based throttling is the least aggressive throttling method. It occurs to prevent a service availability issue that could affect end users and critical service operations. Before performance of the service degrades to the point where end-user performance could be impacted, hybrid migrations are stalled until performance recovers and the service returns to a level below the throttling threshold.

The following shows what customers will see regarding stall durations in the output of the Get-MoveRequestStatistics <Identity> -IncludeReport cmdlet (here the result is stored in the variable $R):

$R.REPORT.TARGETTHROTTLES
NETWORKTHROTTLE : 00:00:00
CPUTHROTTLE : 00:02:07.6222549
REMOTESERVERTHROTTLE : 00:00:00
MDBREPLICATIONTHROTTLE : 00:38:41.7018480
CONTENTINDEXINGTHROTTLE : 00:00:00
BIGFUNNELTHROTTLE : 00:00:00
MDBAVAILABILITYTHROTTLE : 00:26:34.6588104
DISKLATENCYTHROTTLE : 1.15:45:37.7873632

$R.REPORT.SOURCETHROTTLES
NETWORKTHROTTLE : 00:00:00
CPUTHROTTLE : 3.03:21:07.7192848
REMOTESERVERTHROTTLE : 00:00:00
MDBREPLICATIONTHROTTLE : 00:00:00
CONTENTINDEXINGTHROTTLE : 00:00:00
BIGFUNNELTHROTTLE : 00:00:00
MDBAVAILABILITYTHROTTLE : 00:00:00
DISKLATENCYTHROTTLE : 00:20:47.1101552
MDBMAINTENANCETHROTTLE : 00:00:00

Solution and practice:

If you experience a comparable situation, wait for the Microsoft 365 or Office 365
resources to become available.
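Reading the two throttle objects by hand works for one mailbox, but during a batch you want to know which throttle type is dominating across all in-flight moves before anyone starts changing concurrency or blaming the on-premises network. The following script is an added example, not code from the Microsoft page; it assumes an Exchange Online PowerShell session is already connected, that each *Throttle property of Report.SourceThrottles and Report.TargetThrottles holds a TimeSpan (as the d.hh:mm:ss values above suggest), and uses a placeholder mailbox identity.

```powershell
# Added example (not from the Microsoft page): summarise where move requests have
# been stalled by resource health-based throttling, using the Report.TargetThrottles
# and Report.SourceThrottles objects whose formatted output appears above.
# Assumptions: Connect-ExchangeOnline has already been run, and each *Throttle
# property is a TimeSpan.

function Get-MoveThrottleSummary {
    param(
        # Any identity accepted by Get-MoveRequestStatistics (alias, UPN, GUID).
        [Parameter(Mandatory)]
        [string]$Identity
    )

    $stats = Get-MoveRequestStatistics -Identity $Identity -IncludeReport

    foreach ($side in 'SourceThrottles', 'TargetThrottles') {
        $throttles = $stats.Report.$side
        if (-not $throttles) { continue }

        # Walk every *Throttle property and keep only those with a non-zero duration.
        foreach ($prop in $throttles.PSObject.Properties) {
            if ($prop.Name -notlike '*Throttle') { continue }
            $duration = [TimeSpan]$prop.Value
            if ($duration -eq [TimeSpan]::Zero) { continue }

            [pscustomobject]@{
                Identity = $Identity
                Side     = $side -replace 'Throttles$'   # "Source" or "Target"
                Throttle = $prop.Name
                Duration = $duration
            }
        }
    }
}

# One mailbox: list its stalls, longest first. The identity is a placeholder.
Get-MoveThrottleSummary -Identity 'user@contoso.example' |
    Sort-Object Duration -Descending |
    Format-Table Side, Throttle, Duration -AutoSize

# Every move currently in progress: total stall time per side and throttle type,
# so a slow batch can be attributed to service-side throttling (the "wait" case
# described above) rather than to the customer's own environment.
$totals = @{}
Get-MoveRequest -MoveStatus InProgress |
    ForEach-Object { Get-MoveThrottleSummary -Identity $_.Identity } |
    ForEach-Object {
        $key = "$($_.Side)/$($_.Throttle)"
        if (-not $totals.ContainsKey($key)) { $totals[$key] = [TimeSpan]::Zero }
        $totals[$key] += $_.Duration
    }
$totals.GetEnumerator() |
    Sort-Object Value -Descending |
    Format-Table @{ n = 'Throttle'; e = 'Key' }, @{ n = 'TotalStall'; e = 'Value' } -AutoSize
```

If the totals are dominated by target-side throttles such as DiskLatencyThrottle or MdbAvailabilityThrottle, the stall is on the service side and the guidance above applies: wait for resources to become available. Large source-side values point back at the on-premises servers and the data-source checks in the following sections.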

Performance factors and best practices for non-hybrid deployment migrations

This section describes factors that affect migrations using the IMAP, cutover, or staged migration methods. It also identifies best practices to improve migration performance.

Factor 1: Data source for non-hybrid deployment migrations

The following table describes the impact on migration of the source servers in your current email organization and the best practices for mitigating that impact.

Checklist: System performance
Description: Data extraction is an intensive task. The source system needs to have sufficient resources, such as CPU time and memory, to provide optimal migration performance. During migration, the source system is often close to full capacity in terms of the regular end-user workload. If system resources are inadequate, the additional workload that results from migration can affect end users.
Best practices: Monitor system performance during a pilot migration test. If the system is busy, we recommend avoiding an aggressive migration schedule for the specific system because of potential migration slowness and service availability issues. If possible, enhance the source system performance by adding hardware resources and reduce the load on the system by moving tasks and users to other servers that aren't involved in the migration.
For more information, see: Server Health and Performance of Exchange Server (2007, 2010, 2013, 2016, 2019).
Note: Exchange Server 2007 and 2010 are no longer actively supported. Exchange Server 2013 end of support is scheduled for April, 2023. Exchange Server 2016 and 2019 are in extended support until October 2025. See the Exchange Server supportability matrix for more details.
When migrating from an on-premises Exchange organization where there are multiple mailbox servers, we recommend that you create a migration-user list that is evenly distributed across multiple mailbox servers. Based on individual server performance, the list can be further fine-tuned to maximize throughput.
For example, if server A has 50 percent more resource availability than server B, it's reasonable to have 50 percent more users from server A in the same migration batch. Similar practices can be applied to other source systems. Perform migrations when servers have maximum resource availability, such as after hours or on weekends and holidays.

Checklist: Back-end tasks
Description: Other back-end tasks that are running during migration time. Because it's a best practice to perform migration after business hours, it's common that migrations conflict with maintenance tasks (such as data backup) running on your on-premises servers.
Best practices: Review other system tasks that might be running during migration. We recommend that you perform data migration when no other resource-intensive tasks are running. Note: For customers using on-premises Exchange, the common back-end tasks are backup solutions and Exchange store maintenance (2013, 2016, 2019).

Checklist: Throttling policy
Description: It is a common practice to protect email systems with a throttling policy that sets a specific limit on how fast and how much data can be extracted from the system during a certain amount of time.
Best practices: Verify the throttling policy deployed for your email system. For example, Google Mail limits how much data can be extracted in a certain period. Depending on the version, Exchange has policies that restrict IMAP access to the on-premises mail server (used by IMAP migrations) and RPC over HTTP Protocol access (used by cutover Exchange migrations and staged Exchange migrations). To check the throttling settings, run the Get-ThrottlingPolicy cmdlet. For more information about throttling, see: (2007, 2010, 2013, 2016, 2019).
For more information about IMAP throttling, see Migrate your IMAP mailboxes to Microsoft 365 or Office 365.
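The Throttling policy row says to run Get-ThrottlingPolicy, but the cmdlet returns dozens of settings, and the ones that matter for a cloud-initiated pull are the IMAP limits (IMAP migrations) and the RPC Client Access limits (cutover and staged migrations over RPC over HTTP). The script below is an added example, not code from the Microsoft page, for the Exchange Management Shell on an Exchange 2013/2016/2019 source server; the Imap* and Rca* parameter names are the throttling-policy settings of those versions, and the migration account alias is a placeholder.

```powershell
# Added example (not from the Microsoft page): show the on-premises throttling
# limits that govern the two protocols the Microsoft 365 migration tools use.
# Run in the Exchange Management Shell of an Exchange 2013/2016/2019 server.
# Imap* settings apply to IMAP migrations; Rca* (RPC Client Access) settings apply
# to RPC over HTTP, used by cutover and staged Exchange migrations.

$protocolLimits = 'ImapMaxConcurrency', 'ImapMaxBurst', 'ImapRechargeRate', 'ImapCutoffBalance',
                  'RcaMaxConcurrency',  'RcaMaxBurst',  'RcaRechargeRate',  'RcaCutoffBalance'

# Every policy in the organization, so a custom per-user (Regular scope) policy
# shows up next to the Organization/Global defaults.
Get-ThrottlingPolicy |
    Select-Object (@('Name', 'ThrottlingPolicyScope') + $protocolLimits) |
    Format-Table -AutoSize

# Which policy does the account the migration endpoint authenticates with actually get?
$migrationAccount = 'migration.svc'   # placeholder alias of the migration account
$assigned = (Get-Mailbox -Identity $migrationAccount).ThrottlingPolicy

if ($assigned) {
    "Explicit policy assigned to ${migrationAccount}: $assigned"
    Get-ThrottlingPolicy -Identity $assigned | Select-Object $protocolLimits | Format-List
} else {
    "No explicit policy on ${migrationAccount}; the Organization-scope policy applies if one exists, otherwise the Global policy"
    Get-ThrottlingPolicy |
        Where-Object { $_.ThrottlingPolicyScope -in 'Organization', 'Global' } |
        Select-Object Name, ThrottlingPolicyScope, $protocolLimits |
        Format-List
}
```

Compare the effective MaxConcurrency and Burst/RechargeRate values with the migration concurrency you intend to set in Exchange Online (see Factor 3): a concurrency higher than what the source policy allows only produces stalls and retries, not faster migrations.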

Factor 2: Migration server for non-hybrid deployment migrations

IMAP, cutover, and staged migrations are cloud-initiated data-pull migration methods, so there's no need for a dedicated migration server. The internet-facing protocol hosts (IMAP or RPC over HTTP Protocol), however, function as the migration server for migrating mailboxes and mailbox data to Microsoft 365 or Office 365. Therefore, the migration performance factors and best practices described in the previous section about the data source server for your current email organization also apply to the internet edge servers. For Exchange 2007, Exchange 2010, and Exchange 2013 organizations, the client access server functions as the migration server.

For more information, see:

Exchange Server 2007: Monitoring Client Access Servers


Exchange Server 2010: Client Access Server Counters

Exchange Server 2013: Exchange workload management

Exchange Server 2016: User workload management in Exchange Server

Exchange Server 2019: User workload management in Exchange Server

Factor 3: Migration engine for non-hybrid deployment migrations

IMAP, cutover, and staged Exchange migrations are performed by using the Migration dashboard in the Exchange admin center. This is subject to Microsoft 365 or Office 365 migration-service throttling.

Solution and practice:

Customers can specify the migration concurrency (the number of mailboxes to migrate simultaneously) by using Windows PowerShell. The default is 20 mailboxes. After you create a migration batch, you can use the following Windows PowerShell cmdlet to increase this to a maximum of 100.

PowerShell

Set-MigrationEndpoint <Identity> -MaxConcurrentMigrations <value between 1 and 100>

For more information, see Manage migration batches in Microsoft 365 or Office 365.

Note: If your data source doesn't have sufficient resources to manage all the connections, we recommend avoiding high concurrency. Start with a small concurrency value, for example, 10. Increase this number while monitoring the data source performance to avoid end-user access issues.
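The migration-service throttling section and the note above say the same thing from two sides: concurrency defaults to 20, can be raised to 100, and should be raised gradually while the source is watched. The following script is an added example, not code from the Microsoft page, that does the ramp in steps and stops when failures appear. It assumes a connected Exchange Online PowerShell session and a migration endpoint named OnPremEndpoint (a placeholder).

```powershell
# Added example (not from the Microsoft page): raise MaxConcurrentMigrations on an
# existing endpoint in steps, observing the batches between steps, instead of
# jumping straight to the maximum of 100 the text allows.
# Assumptions: Connect-ExchangeOnline has been run; 'OnPremEndpoint' is a placeholder.

$endpointName = 'OnPremEndpoint'
$stepSize     = 10     # raise concurrency by this much per step (start small, per the note)
$maximum      = 100    # upper bound accepted by Set-MigrationEndpoint (from the text)
$settleTime   = 900    # seconds to watch each step before raising again

$endpoint = Get-MigrationEndpoint -Identity $endpointName
"Current MaxConcurrentMigrations: $($endpoint.MaxConcurrentMigrations)"

# Failures that already existed should not be blamed on the ramp.
$baselineFailed = (Get-MigrationUser -Status Failed | Measure-Object).Count

$target = [int]$endpoint.MaxConcurrentMigrations
while ($target -lt $maximum) {
    $target = [Math]::Min($target + $stepSize, $maximum)
    Set-MigrationEndpoint -Identity $endpointName -MaxConcurrentMigrations $target
    "Set MaxConcurrentMigrations to $target; observing for $settleTime seconds"
    Start-Sleep -Seconds $settleTime

    # New failures during the step suggest the source cannot sustain the extra
    # connections (see the data-source and throttling-policy factors above); stop.
    $failedNow = (Get-MigrationUser -Status Failed | Measure-Object).Count
    if ($failedNow -gt $baselineFailed) {
        "Stopping at $target concurrent migrations: $($failedNow - $baselineFailed) new failure(s)"
        Get-MigrationUser -Status Failed |
            Get-MigrationUserStatistics |
            Select-Object Identity, Error |
            Format-List
        break
    }

    # Snapshot batch progress so each step can be judged against throughput.
    Get-MigrationBatch |
        Select-Object Identity, Status, TotalCount, SyncedCount, FailedCount |
        Format-Table -AutoSize
}
```

Pair the failure check with whatever performance monitoring you have on the source servers (CPU, memory, IMAP or RPC connection counts): the script only sees the cloud side, and a source that is saturated but not yet failing is exactly the end-user access problem the note warns about.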

Factor 4: Network for non-hybrid deployment migrations

Verification tests:

Depending on the migration method, you can try the following verification tests:

IMAP migrations: Prepopulate a source mailbox with sample data. Then, from the internet (outside your on-premises network), connect to the source mailbox by using a standard IMAP email client such as Microsoft Outlook, and measure network performance by determining how long it takes to download all the data from the source mailbox. The throughput should be similar to what customers can get by using the IMAP migration tool in Microsoft 365 or Office 365, given that there are no other constraints.

Cutover and staged Exchange migrations: Prepopulate a source mailbox with sample data. Then, from the internet (outside of your on-premises network), connect to the source mailbox with Outlook by using RPC over HTTP Protocol. Make sure that you're connecting by using cached mode. Measure network performance by checking how long it takes to synchronize all data from the source mailbox. The throughput should be similar to what customers can get by using the simple Exchange migration tools in Microsoft 365 or Office 365, given that there are no other constraints.

There is some overhead during an actual IMAP, cutover, or staged Exchange migration. The actual throughput, however, should be similar to the results of these verification tests.

Factor 5: Microsoft 365 and Office 365 service for non-hybrid deployment migrations

Microsoft 365 or Office 365 resource health-based throttling affects migrations using the native Microsoft 365 or Office 365 simple migration tools. See the Microsoft 365 or Office 365 resource health-based throttling section.

Move requests in Microsoft 365 or Office 365

For general information about getting status information for move requests, see View Move Request Properties:

Move-Mailbox
Get-MoveRequestStatistics (/powershell/module/exchange/get-moverequeststatistics)

In the Microsoft 365 or Office 365 service, the migration queue and the service resources allocated for migrations are shared among tenants, which affects how move requests are managed in each stage of the move process.

There are two types of move requests in Microsoft 365 and Office 365:

Onboarding "move" requests: New customer migrations are considered onboarding move requests. These requests have regular priority.

Datacenter internal "move" requests: These are mailbox move requests initiated by datacenter operation teams. These requests have a lower priority because the end-user experience isn't affected if the move request is delayed.

Potential impact and delays to move requests with a status of "Queued" and "In Progress"

Queued move requests: This status specifies that the move has been queued and is waiting for the Exchange Mailbox Replication Service to pick it up. For Exchange 2003 move requests, users can still access their mailboxes at this stage.

Two factors influence which request will be picked up by the Mailbox Replication
Service:

Priority: Queued move requests with a higher priority are picked up before
lower-priority move requests. This helps ensure that customer-migration move
requests always get processed before datacenter internal move requests.

Position in the queue: If move requests have the same priority, the earlier the
request gets into the queue, the earlier it will be picked up by the Mailbox
Replication Service. Because there might be multiple customers performing
mailbox migrations at the same time, it's normal that new move requests
remain in the queue before they're processed.

Often, the time that mailbox requests wait in the queue before being processed isn't
considered during migration planning. This results in customers not being allocated
enough time to complete all planned migrations.

In-progress move requests: This status specifies that the move is still in progress.
If this is an online mailbox move, the user will still be able to access the mailbox.

After the mailbox move request has a status of "In Progress," the priority no longer
matters and a new move request won't be processed until an existing "In Progress"
move request is completed, even if the new move request has a higher priority.

Best practices
Planning: As previously mentioned, because Exchange 2003 users lose access during a
hybrid migration, Exchange 2003 customers are usually more concerned about when to
schedule migrations and how long they will take.

When planning how many mailboxes to migrate during a specific time period, consider
the following:

Include the amount of time the move request waits in the queue. Use the following to calculate this:

(total number of mailboxes to migrate) = ((total time) - (average queue time)) * (migration throughput)

where the migration throughput equals the total number of mailboxes that can be migrated per hour.

For example, assume you have a six-hour window to migrate mailboxes. If the average queue time is one hour and you have a migration throughput of 100 mailboxes per hour, you can migrate 500 mailboxes in the six-hour time frame: 500 = (6 - 1) * 100.

Start the migration sooner than initially planned to mitigate time in the queue. When mailboxes are queued, Exchange 2003 users can still access their mailboxes.

Determine queue time: The queue time is always changing because Microsoft doesn't manage customers' migration schedules.

To determine the potential queue time, a customer can schedule a test move several hours before the actual migration starts. Then, based on the observed amount of time the request is in the queue, the customer can better estimate when to start the migration and how many mailboxes can be moved in a specific period of time.

For example, suppose a test migration completed four hours before the start of a planned migration and the customer determines that the queue time for the test migration was about one hour. The customer should then consider starting the migration one hour earlier than originally planned to make sure there is enough time to complete all migrations.
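The planning formula and the test-move technique above fit together: the test move supplies the observed queue time, and the formula turns it into a mailbox count for the window. The following script is an added example, not code from the Microsoft page. It assumes a connected Exchange Online PowerShell session and that the Get-MoveRequestStatistics output exposes QueuedTimestamp and StartTimestamp for a move request (an assumption about the object shape; confirm with Get-Member if in doubt). The pilot mailbox identity is a placeholder.

```powershell
# Added example (not from the Microsoft page): apply the planning formula
#   (mailboxes) = ((total time) - (average queue time)) * (migration throughput)
# with a queue time measured from a test move rather than guessed.
# Assumptions: Connect-ExchangeOnline has been run; QueuedTimestamp and
# StartTimestamp are properties of the Get-MoveRequestStatistics output.

function Get-MigrationCapacity {
    param(
        [Parameter(Mandatory)] [double]$WindowHours,        # total time available
        [Parameter(Mandatory)] [double]$AverageQueueHours,  # observed wait in the queue
        [Parameter(Mandatory)] [double]$MailboxesPerHour    # migration throughput
    )
    # Queue time eats into the window; a queue longer than the window leaves nothing.
    $effectiveHours = [Math]::Max($WindowHours - $AverageQueueHours, 0)
    return [int][Math]::Floor($effectiveHours * $MailboxesPerHour)
}

function Get-MoveQueueTime {
    # Queue time is the gap between the request entering the queue and the
    # Mailbox Replication Service picking it up (status "In Progress").
    param([Parameter(Mandatory)] [string]$Identity)

    $stats = Get-MoveRequestStatistics -Identity $Identity
    if (-not $stats.StartTimestamp) {
        throw "$Identity is still queued; its queue time is not known yet"
    }
    return ($stats.StartTimestamp - $stats.QueuedTimestamp)
}

# The worked example from the text: six-hour window, one-hour queue, 100 mailboxes/hour.
$planned = Get-MigrationCapacity -WindowHours 6 -AverageQueueHours 1 -MailboxesPerHour 100
"Planned capacity with an assumed 1 h queue: $planned mailboxes"   # 500

# Replace the assumption with the queue time observed on a test move that was
# scheduled several hours ahead of the real batch (placeholder identity).
$queue = Get-MoveQueueTime -Identity 'pilot.user@contoso.example'
"Observed queue time for the test move: $queue"

$actual = Get-MigrationCapacity -WindowHours 6 -AverageQueueHours $queue.TotalHours -MailboxesPerHour 100
"Capacity for the same window with the observed queue: $actual mailboxes"

# Start early by the observed queue time so the whole window is spent migrating.
$windowStart = Get-Date '2000-01-01 20:00'   # placeholder planned start of the window
"Submit the batch no later than: $($windowStart - $queue)"
```

The throughput figure (mailboxes per hour) should also come from the pilot: divide the number of test mailboxes completed by the hours between their StartTimestamp and CompletionTimestamp, and remember that the duration tables earlier in this article are medians and 90th percentiles over whole migrations, not per-hour rates.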

Third-party tools for Microsoft 365 or Office 365 migrations

Third-party tools are mostly used in migration scenarios that don't involve Exchange, such as those from Gmail/G Suite/GWS (Google Workspace), IBM Lotus Domino, and Novell GroupWise. This section focuses on the migration protocols used by third-party migration tools, rather than on the actual products and migration tools. The following table provides a list of factors that apply to third-party tools for Microsoft 365 or Office 365 migration scenarios.

Important: For issues with data consistency or integrity after performing a migration using third-party tools, please contact the vendor who provided the tool for support.

Factor 1: Data source for third-party tool migrations

Checklist / Description / Best practices

System performance
Description: Data extraction is an intensive task. The source system must have sufficient resources, such as CPU time and memory, to provide optimal migration performance. During migration, the source system is often close to full capacity in terms of the regular end-user workload. If system resources are inadequate, the additional workload that results from migration can affect end users.
Best practices: Monitor system performance during a pilot migration test. If the system is busy, we recommend avoiding an aggressive migration schedule for the specific system because of potential migration slowness and service availability issues. If possible, enhance the source system performance by adding hardware resources and reduce the load on the system by moving tasks and users to other servers that aren't involved in the migration. For more information, see: Server Health and Performance of Exchange Server (2007, 2010, 2013, 2016, 2019).
Note: Exchange Servers 2007 and 2010 are no longer actively supported. Exchange 2013 Server end of support is scheduled for April, 2023. Exchange Server 2016 and 2019 are in extended support until October 2025. See the Exchange Server supportability matrix for more details.
When migrating from an on-premises Exchange organization where there are multiple mailbox servers, we recommend that you create a migration user list that's evenly distributed across multiple mailbox servers. Based on individual server performance, the list can be further fine-tuned to maximize throughput. For example, if server A has 50 percent more resource availability than server B, it is reasonable to have 50 percent more users from server A in the same migration batch. A similar practice can be applied to other source systems. Perform migrations when servers have maximum resource availability such as after hours or on weekends and holidays.

Back-end tasks
Description: Other back-end tasks usually run during migration time. Because it's a best practice to perform migration after business hours, it's common that migrations conflict with other maintenance tasks running on your on-premises servers, such as data backup.
Best practices: Review other system tasks that might be running during migration. We recommend that you perform data migration when no other resource-intensive tasks are running.
Note: For customers using on-premises Exchange, the common back-end tasks are backup solutions and Exchange store maintenance (2013, 2016, 2019).

Throttling policy
Description: It's a common practice to protect email systems with a throttling policy, which sets a specific limit on how fast and how much data can be extracted from the system within a certain amount of time and by using a specific migration method.
Best practices: Verify the throttling policy deployed for your email system. For example, Google Mail limits how much data can be extracted in a certain period. Depending on the version, Exchange has policies that restrict IMAP access to the on-premises mail server (used by IMAP migrations) and RPC over HTTP Protocol access (used by cutover Exchange migrations and staged Exchange migrations). To check the throttling settings, run the Get-ThrottlingPolicy cmdlet. For more information about throttling, see: (2007, 2010, 2013, 2016, 2019).
For more information about IMAP throttling, see Migrate your IMAP mailboxes to Microsoft 365 or Office 365.
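The throttling check in the table above, as an added example that is not part of the Exchange Online documentation: it resolves which throttling policy actually governs the migration account (the per-user association, then the organization-scope policy, then the global policy) and prints only the limits for the three access paths this page names. It assumes an on-premises Exchange 2013 or later Exchange Management Shell and a migration account called migadmin; both are assumptions.

```powershell
# Added example, not from the Exchange Online documentation: inspect the throttling
# policy that applies to a migration account on an on-premises Exchange 2013 or later
# server, run from the Exchange Management Shell. The account name "migadmin" is an
# assumed placeholder.
$MigrationAccount = "migadmin"

function Get-MigrationThrottlingLimits {
    param([string]$Account = $MigrationAccount)

    # An empty ThrottlingPolicyId means no per-user policy: the account inherits the
    # organization-scope policy if one exists, otherwise the global policy.
    $assoc  = Get-ThrottlingPolicyAssociation -Identity $Account
    $policy = $null
    if ($assoc.ThrottlingPolicyId) {
        $policy = Get-ThrottlingPolicy -Identity $assoc.ThrottlingPolicyId
    }
    if (-not $policy) {
        $policy = Get-ThrottlingPolicy |
            Where-Object { $_.ThrottlingPolicyScope -eq "Organization" } |
            Select-Object -First 1
    }
    if (-not $policy) {
        $policy = Get-ThrottlingPolicy |
            Where-Object { $_.ThrottlingPolicyScope -eq "Global" }
    }

    # Limits for the access paths named on this page:
    #   Rca*  - RPC Client Access (RPC over HTTP: cutover and staged Exchange migrations)
    #   Ews*  - Exchange Web Services (third-party tools using EWS impersonation)
    #   Imap* - IMAP4 (IMAP migrations)
    $policy | Select-Object Name, ThrottlingPolicyScope,
        RcaMaxConcurrency,  RcaMaxBurst,  RcaRechargeRate,  RcaCutoffBalance,
        EwsMaxConcurrency,  EwsMaxBurst,  EwsRechargeRate,  EwsCutoffBalance,
        ImapMaxConcurrency, ImapMaxBurst, ImapRechargeRate, ImapCutoffBalance
}

Get-MigrationThrottlingLimits | Format-List
```

If the limits turn out to be too tight for the migration window, the least-risk change is a dedicated policy created with New-ThrottlingPolicy and bound only to the migration account with Set-ThrottlingPolicyAssociation, reverted once the batch completes; editing the global policy relaxes the protection for every user on the server.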

Factor 2: Migration server for third-party tool migrations


Most third-party tools for Microsoft 365 or Office 365 migrations are client initiated and
push data to Microsoft 365 or Office 365. These tools typically require a migration
server. Factors such as system performance, back-end tasks, and throttling policies for
the source servers apply to these migration servers.

Note

Some third-party migration solutions are hosted on the internet as cloud-based services and don't require an on-premises migration server.

Solution and practice:

To improve migration performance when using a migration server, apply the same best
practices as the ones described in the Factor 1: Data source for third-party tool
migrations section.

Factor 3: Migration engine for third-party tool migrations


For third-party migration tools, the most common protocols used are Exchange Web
Services and RPC over HTTP Protocol.

Exchange Web Services:

Exchange Web Services is the recommended protocol to use for migrating to Microsoft
365 or Office 365 because it supports large data batches and has better service-oriented
throttling. In Microsoft 365 or Office 365, when used in impersonation mode, migrations
using Exchange Web Services don't consume the user's budgeted amount of Microsoft
365 or Office 365 Exchange Web Services resources, consuming instead a copy of the
budgeted resources:

All Exchange Web Services impersonating calls made by the same administrator
account are calculated separately from the budget applied to this administrator
account.

For each impersonation session, a shadow copy of the actual user's budget is
created. All migrations for this particular session will consume this shadow copy.

Throttling under impersonation is isolated to each user migration session.

Exchange Web Services throttling policy can be temporarily changed in the tenant
(for a duration of 30, 60, or 90 days) to allow migration to complete. This can be
requested from the Help section of the Microsoft 365 admin center.

Best practices:

Migration performance for customers using third-party migration tools that use
Exchange Web Services impersonation competes with other Exchange Web Services-based
migrations and service resource usage by other tenants. Therefore, migration
performance will vary.

Whenever possible, customers should use third-party migration tools that use
Exchange Web Services impersonation because it's usually faster and more
efficient than using client protocols such as RPC over HTTP Protocol.

RPC over HTTP Protocol:

Traditional migration solutions use the RPC over HTTP Protocol. This method is
completely based on a client access model such as that of Outlook, and scalability and
performance are limited because the Microsoft 365 or Office 365 service throttles access
on the assumption that usage is by a user instead of by an application.

Best practices:

For migration tools that use RPC over HTTP Protocol, it's a common practice to
increase migration throughput by adding more migration servers and using
multiple Microsoft 365 or Office 365 administrative user accounts. This practice can
gain data injection parallelism and achieve higher data throughput because each
administrative user is subject to Microsoft 365 and Office 365 user throttling. We
have received reports that many enterprise customers had to set up more than 40
migration servers to obtain 20-30 GB/hour of migration throughput.

In a migration tool development phase, it's critical to consider the number of RPC
operations needed to migrate a message. To illustrate this, we collected logs captured
by Microsoft 365 or Office 365 services for two third-party migration solutions that
customers used to migrate mailboxes to Microsoft 365 or Office 365. We compared the
migration of two mailboxes for each solution, and we also compared them to uploading a
.pst file in Outlook. Here are the results.

Method                  Mailbox size  Item count  Time to migrate  Total RPC transactions  Average client latency (ms)  AvgCasRPCProcessingTime (ms)
Solution A (mailbox 1)  376.9 MB      4,115       4:24:33          132,040                 48.4395                      18.0807
Solution A (mailbox 2)  249.3 MB      12,779      10:50:50         423,188                 44.1678                      4.8444
Solution B (mailbox 1)  618.1 MB      4,322       1:54:58          12,196                  37.2931                      8.3441
Solution B (mailbox 2)  56.7 MB       2,748       0:47:08          5,806                   42.1930                      7.4439
Outlook                 201.9 MB      3,297       0:29:47          15,775                  36.9987                      5.6447

Note

The client and service process times are similar, but solution A takes a lot more RPC
operations to migrate data. Because each operation consumes client-latency time
and server-process time, solution A is much slower to migrate the same amount of
data compared to Solution B and to Outlook.

Factor 4: Network for third-party tool migrations


Best practice:

For third-party migration solutions that use the RPC over HTTP Protocol, here's a good
way to measure potential migration performance:

1. From the migration server, connect to the Microsoft 365 or Office 365 mailbox with
Outlook by using RPC over HTTP Protocol. Make sure that you aren't connecting
by using cached mode.

2. Import a large .pst file with sample data to the Microsoft 365 or Office 365
mailbox.

3. Measure migration performance by timing how long it takes to upload the .pst file.
The migration throughput should be similar to what customers can get from a
third-party migration tool that uses RPC over HTTP Protocol, given no other
constraints. There's overhead during an actual migration, so the throughput might
be slightly different.

Factor 5: Microsoft 365 and Office 365 service


Microsoft 365 and Office 365 resource health-based throttling affects migrations using
third-party migration tools. See Microsoft 365 and Office 365 resource health-based
throttling for more details.
Assign Exchange permissions to migrate mailboxes to Microsoft 365 or Office 365
Article • 02/22/2023

When you migrate on-premises Exchange mailboxes to Microsoft 365 or Office 365,
certain permissions to access and, in some cases, modify those mailboxes, are required.
The user account used to connect to your on-premises Exchange organization during
the migration needs those permissions. Known as the migration administrator, the user
account is used to create a migration endpoint to your on-premises organization.

The migration administrator must have the necessary administrative privileges in your
on-premises Exchange organization to successfully create a migration endpoint. Those
same administrative privileges are required if the migration administrator wants to
create a migration batch if your organization has no migration endpoints. The following
list shows the administrative privileges required for the migration administrator account
to migrate mailboxes to Microsoft 365 or Office 365 by using the different types of
migration:

Staged Exchange migration

For a staged migration, the migration administrator account must be:

A member of the Domain Admins group in Active Directory Domain Services (AD DS) in the on-premises organization.

or

Assigned the FullAccess permission for each on-premises mailbox AND the WriteProperty permission to modify the TargetAddress property on the on-premises user account.

or

Assigned the Receive As permission on the on-premises mailbox database that stores the user mailboxes AND the WriteProperty permission to modify the TargetAddress property for the on-premises user account.

Cutover Exchange migration

For a cutover migration, the migration administrator account must be:


A member of the Domain Admins group in Active Directory Domain Services (AD DS) in the on-premises organization.

or

Assigned the FullAccess permission for each on-premises mailbox.

or

Assigned the Receive As permission on the on-premises mailbox database that stores the user mailboxes.

Remote move (Hybrid) Exchange migration

For a remote move migration, the migration administrator account must be:

A member of the Domain Admins group in Active Directory Domain Services (AD DS) in the on-premises organization.

or

A member of the Exchange Recipient Administrators group in Active Directory in the on-premises organization.

or

A member of the Organization Management or Recipient Management group in Exchange 2010 or above.

Internet Message Access Protocol 4 (IMAP4) migration

For an IMAP4 migration, the comma-separated value (.csv) file for the migration
batch must contain:

The username and password for each mailbox that you want to migrate.

or

The username and password for an account in your IMAP4 messaging system
that has the necessary administrative privileges to access all user mailboxes. To
learn whether your IMAP4 server supports this approach and how to enable it,
see the documentation for your IMAP4 server.

You can use Exchange Online PowerShell in your on-premises organization to quickly
assign the necessary permissions to migrate mailboxes to Microsoft 365 or Office 365.

Note
Because Exchange Server 2003 doesn't support Exchange Online PowerShell, you
have to use Active Directory Users and Computers to assign the FullAccess
permission and Exchange Server Manager to assign the Receive As permission.

For information about migrating mailboxes to Office 365 by using different migration
types, see Ways to migrate multiple email accounts to Office 365.

What do you need to know before you begin?


Estimated time to complete each procedure: 2 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Permissions and
delegation" entry in the "Recipient Provisioning Permissions" entry in the Feature
permissions in Exchange Online topic.

Assign the FullAccess permission


The following examples show different ways to use the Exchange Online PowerShell
Add-MailboxPermission cmdlet to assign the FullAccess permission to the migration
administrator account for mailboxes in your on-premises organization.

Example 1

FullAccess permission to the mailbox of Terry Adams is assigned to the migration administrator account (for example, migadmin).

PowerShell

Add-MailboxPermission -Identity "Terry Adams" -User migadmin -AccessRights FullAccess -InheritanceType all

Example 2

FullAccess permission for all members of the distribution group MigrationBatch1 is assigned to the migration administrator account.

PowerShell

Get-DistributionGroupMember MigrationBatch1 | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all
Example 3

FullAccess permission for all mailboxes that have the value of MigBatch2 for
CustomAttribute10 is assigned to the migration administrator.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "CustomAttribute10 -eq 'MigBatch2'" | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

Example 4

FullAccess permission to all user mailboxes in the on-premises organization is assigned to the migration administrator account.

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

For detailed syntax and parameter information, see the following topics:

Add-MailboxPermission

Filterable Properties for the Filter Parameter

How do you know the assignment of permission worked?


Run one of the following commands to verify you successfully assigned FullAccess
permission to the migration administrator account in each example.

PowerShell

Get-MailboxPermission -Identity <mailbox> -User migadmin

PowerShell

Get-DistributionGroupMember MigrationBatch1 | Get-MailboxPermission -User migadmin

PowerShell
Get-Mailbox -ResultSize unlimited -Filter "CustomAttribute10 -eq
'MigBatch2'" | Get-MailboxPermission -User migadmin

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Get-MailboxPermission -User migadmin

Assign the Receive As permission


The following example shows how to use the Exchange Online PowerShell Add-
ADPermission cmdlet to assign the Receive As permission to the migration
administrator account for "Mailbox Database 1900992314."

PowerShell

Add-ADPermission -Identity "Mailbox Database 1900992314" -User migadmin -ExtendedRights receive-as

For detailed syntax and parameter information, see Add-ADPermission.

How do you know the assignment of permission worked?


Verify you successfully assigned ReceiveAs permission to the migration administrator
account in the example. Run the following command.

PowerShell

Get-ADPermission -Identity "Mailbox Database 1900992314" -User migadmin

Assign the WriteProperty permission


The following examples show different ways to use the Exchange Online PowerShell
Add-ADPermission cmdlet to assign the migration administrator account the
WriteProperty permission to modify the TargetAddress property for on-premises user
accounts. This capability is required to perform a staged Exchange migration if the
migration administrator isn't a member of the Domain Admins group.

Example 1
WriteProperty permission to modify the TargetAddress property for the user account of
Rainer Witte is assigned to the migration administrator account (for example,
migadmin).

PowerShell

Add-ADPermission -Identity "Rainer Witte" -User migadmin -AccessRights WriteProperty -Properties TargetAddress

Example 2

WriteProperty permission to modify the TargetAddress property for all members of the
distribution group StagedBatch1 is assigned to the migration administrator account.

PowerShell

Get-DistributionGroupMember StagedBatch1 | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

Example 3

WriteProperty permission to modify the TargetAddress property for all user accounts
that have the value of StagedMigration for CustomAttribute15 is assigned to the
migration administrator account.

PowerShell

Get-User -ResultSize unlimited -Filter "CustomAttribute15 -eq 'StagedMigration'" | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

Example 4

WriteProperty permission to modify the TargetAddress property for user mailboxes in the on-premises organization is assigned to the migration administrator account.

PowerShell

Get-User -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

For detailed syntax and parameter information, see the following topics:

Add-ADPermission
Filterable Properties for the Filter Parameter

How do you know the assignment of permission worked?


Verify you successfully assigned the WriteProperty permission to the migration administrator account. Run one of the following commands to confirm that the permission to modify the TargetAddress property was granted by the command in each example.

PowerShell

Get-ADPermission -Identity <mailbox> -User migadmin

PowerShell

Get-DistributionGroupMember StagedBatch1 | Get-ADPermission -User migadmin

PowerShell

Get-User -ResultSize unlimited -Filter "CustomAttribute15 -eq 'StagedMigration'" | Get-ADPermission -User migadmin

PowerShell

Get-User -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Get-ADPermission -User migadmin
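The staged-migration permission set described above (FullAccess on each mailbox plus WriteProperty on TargetAddress), as an added example that is not the documentation's own code: it grants the two permissions to one batch only, verifies both for every member, and revokes them when the batch is done, so the migration account never needs Domain Admins membership and the rights do not outlive the migration. It assumes the on-premises Exchange Management Shell, a distribution group StagedBatch1 holding the batch members, and a migration account migadmin; all three are assumptions.

```powershell
# Added example, not from the Exchange Online documentation: scope, verify and later
# revoke staged-migration permissions for one batch. Assumes the on-premises Exchange
# Management Shell, a distribution group "StagedBatch1" holding the batch members and
# a least-privilege migration account "migadmin" (all assumed names).
$MigAdmin   = "migadmin"
$BatchGroup = "StagedBatch1"

function Get-BatchMailboxes {
    # Only user mailboxes receive permissions; contacts or groups in the list are skipped.
    Get-DistributionGroupMember -Identity $BatchGroup -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq "UserMailbox" }
}

function Grant-StagedBatchPermissions {
    foreach ($m in Get-BatchMailboxes) {
        # FullAccess on the mailbox: lets the migration read the mailbox content.
        Add-MailboxPermission -Identity $m.Identity -User $MigAdmin `
            -AccessRights FullAccess -InheritanceType All | Out-Null
        # WriteProperty restricted to TargetAddress: the one attribute a staged
        # migration changes on the on-premises user, nothing broader.
        Add-ADPermission -Identity $m.DistinguishedName -User $MigAdmin `
            -AccessRights WriteProperty -Properties TargetAddress | Out-Null
    }
}

function Test-StagedBatchPermissions {
    # One object per mailbox; any $false value means the batch is not ready to migrate.
    foreach ($m in Get-BatchMailboxes) {
        $mbx = Get-MailboxPermission -Identity $m.Identity -User $MigAdmin -ErrorAction SilentlyContinue |
               Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.Deny }
        $ad  = Get-ADPermission -Identity $m.DistinguishedName -User $MigAdmin -ErrorAction SilentlyContinue |
               Where-Object { $_.AccessRights -contains "WriteProperty" -and
                              $_.Properties -contains "TargetAddress" -and -not $_.Deny }
        [pscustomobject]@{
            Mailbox          = $m.PrimarySmtpAddress
            HasFullAccess    = [bool]$mbx
            HasTargetAddress = [bool]$ad
        }
    }
}

function Revoke-StagedBatchPermissions {
    # Run after the batch is complete and verified: remove exactly what was granted.
    foreach ($m in Get-BatchMailboxes) {
        Remove-MailboxPermission -Identity $m.Identity -User $MigAdmin `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false
        Remove-ADPermission -Identity $m.DistinguishedName -User $MigAdmin `
            -AccessRights WriteProperty -Properties TargetAddress -Confirm:$false
    }
}

Grant-StagedBatchPermissions
# Show only the members that are still missing a permission (empty output = ready).
Test-StagedBatchPermissions | Where-Object { -not ($_.HasFullAccess -and $_.HasTargetAddress) }
# Later, once the batch has completed: Revoke-StagedBatchPermissions
```

The verification deliberately checks both permissions per mailbox rather than trusting that the grant loop ran to completion; the revoke step is the part most often forgotten, and a migration account that keeps FullAccess on every mailbox after cutover is a standing exposure.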
Manage migration batches in Exchange Online
Article • 02/22/2023

You can use the Migration dashboard in the Microsoft 365 or Office 365 Exchange
admin center (EAC) to manage mailbox migration to Microsoft 365 or Office 365 using a
cutover or staged Exchange migration. You can also use the Migration dashboard to
migrate the contents of users' mailboxes from an on-premises IMAP server, or the
contents of Google Workspace (formerly G Suite) users' mailboxes, calendars, and
contacts to existing Microsoft 365 or Office 365 mailboxes. The Migration dashboard
displays statistics about the overall migration in addition to statistics about a specific
migration batch. You can create, start, stop, pause, and edit migration batches.

The Migration dashboard for new Exchange admin center (New EAC)

To access the Migration dashboard in the new EAC, go to the new Exchange admin center and navigate to Migration > Batch. The following screenshot identifies the different areas of the Migration dashboard that you can use to get migration information and manage migration batches.

Migration batches
Migration batches that are created are listed in the migration queue. The following
columns display information about each migration batch.
Column / Description

Name: The name of the migration batch that was defined when it was created.

Status: The status of the migration batch. The following is a list of the different status states for migration batches, along with what you can do with migration batches in each of these states:
  Stopped: Either the migration batch has been created but hasn't been started, or it has been stopped after running for some period of time. In this state, you can start, edit, or delete it.
  Syncing: The migration batch has been started, and mailboxes in the migration batch are being actively migrated. When a migration batch is in this state, you can stop it.
  Stopping: Immediately after you run the Stop-MigrationBatch cmdlet.
  Starting: Immediately after you run the Start-MigrationBatch cmdlet.
  Completing: Immediately after you run the Complete-MigrationBatch cmdlet.
  Removing: Immediately after you run the Remove-MigrationBatch cmdlet.
  Synced: The migration batch has completed an initial sync of the data. A migration batch in this state may contain errors if mailboxes weren't migrated. For most types of migrations, the remote/on-premises mailboxes and the corresponding Microsoft 365 or Office 365 mailboxes are synchronized every 24 hours during incremental synchronization.
  Completed: The migration batch is complete.
  Synced with errors: The migration batch has completed an initial sync of the data, but some mailboxes failed migration. Mailboxes that were successfully migrated in migration batches with errors are still synchronized every 24 hours during incremental synchronization.

Percentage synced: Indicates the percentage of mailboxes that were successfully migrated in migration batches.

Total: Indicates the number of mailboxes in the migration batch.

Synced: Indicates the number of mailboxes that were successfully migrated.

Finalized: The number of mailboxes in the migration batch that have been finalized. Finalization is performed only for migration batches for remote move migrations in an Exchange hybrid deployment. For more information about the finalization process, see Complete-MigrationBatch.

Failed: The number of mailboxes in the migration batch for which the migration failed. You can display information about specific mailboxes that have migration errors. For more information, see Migration users status report.

Important

Migration batches with a status of Synced that have no administrator-initiated activity (for example, no administrator has stopped and restarted a migration batch or edited a migration batch) for the last 60 days will be stopped. All batches with Stopped or Failed status will be removed after 90 days. All batches with Completed status will be removed after 60 days.

The Migration dashboard contains a set of commands that you can use to manage
migration batches. After you create a migration batch, you can select it, and then click
one of the following commands.

Command / Description

New migration batch: Create a new migration batch. Use this command to migrate on-premises mailboxes to Microsoft 365 or Office 365 (also called onboarding) or to migrate Microsoft 365 or Office 365 mailboxes back to your on-premises Exchange organization in a hybrid deployment.

Start migration: Start a migration batch that's been created. After the batch is started, the status is changed to Syncing.

Stop migration: Stop the migration of mailboxes. After the batch is stopped, the status is changed to Stopped.

Delete: Delete a migration batch after you verify that all mailboxes in the migration batch have been successfully migrated. Verify also that mail is being routed directly to cloud-based mailboxes after you've configured your MX record to point to Microsoft 365 or Office 365. When you delete a migration batch, Microsoft 365 or Office 365 cleans up any records related to the migration batch and removes it from the list.

Edit Batch: Edit an existing migration batch. You can change the finalization semantics of batches that support finalization. You can also change the migration endpoint used for the migration batch.

Resume migration: Resume the running of a migration batch that was paused and has a status of Stopped. If there are errors for a migration batch, you can restart it with this command, and Microsoft 365 or Office 365 will attempt to migrate the mailboxes that failed.

Refresh: Refresh the Migration dashboard to update the information displayed for the overall migration statistics, the list of migration batches, and the statistics for the selected migration batch.

Migration batch statistics


The details pane in the Migration dashboard displays the following information about
the selected migration batch.

Field / Description

Type: Indicates the migration type of the selected migration batch. The value of this field also denotes the type of migration endpoint associated with the migration batch.
  Exchange Outlook Anywhere: The migration batch is either a cutover Exchange migration or a staged Exchange migration.
  ExchangeRemoteMove: The migration batch is either an onboarding or offboarding remote move migration in an Exchange hybrid deployment.
  Gmail: The migration batch is a Google Workspace migration.

Direction: Indicates if mailboxes are being migrated to Microsoft 365 or Office 365 or to your on-premises Exchange organization.
  Onboarding: Indicates that mailboxes are being migrated to Microsoft 365 or Office 365. Onboarding migration types are staged migrations, cutover migrations, IMAP migrations, Google Workspace migrations, and onboarding remote move migrations.
  Offboarding: Indicates that Microsoft 365 or Office 365 mailboxes are being migrated to your on-premises Exchange organization. Offboarding remote move migrations are the only type of offboarding migration.

Status: The current state of the selected migration batch: Completed, Syncing, Stopped, Synced, or Synced with errors. See the previous description of each of these states.

View details: Click View details to display status information for each mailbox in the migration batch. For more information, see Migration users status report.

Synced mailboxes: The number of mailboxes out of the total number of mailboxes in the migration batch that have successfully completed initial synchronization. This field is updated during the migration.

Finalized mailboxes: The number of mailboxes out of the total number of mailboxes in the migration batch that have successfully been finalized. Finalization only occurs in onboarding and offboarding remote move migrations.

Failed mailboxes: The number of mailboxes that failed initial synchronization.

Created by: The email address of the Microsoft 365 or Office 365 administrator who created the migration batch.

Created time: The date and time when the migration batch was created.

Start time: The date and time when the migration batch was started.

Complete after: The date and time when the migration batch is completed.

Last synced time: The last time the migration batch was restarted or the last time that incremental synchronization was performed for the batch. As previously stated, incremental synchronization occurs every 24 hours.

Associated endpoint: The name of the migration endpoint being used by the migration batch. You can click View details to view the migration endpoint settings. You can also edit the settings if none of the migration batches using the endpoint are currently running.
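The batch states, counters and the 60-day inactivity rule described in the tables above, turned into a report you can run from Exchange Online PowerShell instead of reading the dashboard. This is an added example and not the documentation's or the product's own code; it assumes a session opened with Connect-ExchangeOnline, and the property names used on the Get-MigrationBatch objects (Status, TotalCount, SyncedCount, FinalizedCount, FailedCount, LastSyncedDateTime, MigrationType, Direction) and the 45-day warning margin are assumptions. The 60-day figure comes from the Important note above.

```powershell
# Added example, not from the Exchange Online documentation: a health report over
# migration batches from Exchange Online PowerShell (Connect-ExchangeOnline assumed).
# Property names on the batch objects are assumed; the 60-day limit is from the
# documentation's Important note, the 45-day warning margin is an assumed value.
$InactivityLimitDays = 60
$WarnAfterDays       = 45

function Get-MigrationBatchHealth {
    $now = Get-Date
    Get-MigrationBatch | ForEach-Object {
        $batch    = $_
        $status   = [string]$batch.Status
        $lastSync = $batch.LastSyncedDateTime
        $idleDays = if ($lastSync) { [int]($now - $lastSync).TotalDays } else { $null }

        # Flags mirror what the dashboard columns tell an operator to act on.
        $flags = @()
        if ($batch.FailedCount -gt 0)        { $flags += "HasFailures" }
        if ($status -eq "SyncedWithErrors")  { $flags += "SyncedWithErrors" }
        if ($status -eq "Synced" -and $null -ne $idleDays -and $idleDays -ge $WarnAfterDays) {
            # The service stops Synced batches with no admin activity after $InactivityLimitDays days.
            $flags += "IdleNearAutoStop($idleDays/$InactivityLimitDays)"
        }
        if ($status -in @("Stopped", "Failed", "Completed")) { $flags += "EligibleForCleanup" }

        [pscustomobject]@{
            Batch     = $batch.Identity
            Type      = $batch.MigrationType
            Direction = $batch.Direction
            Status    = $status
            Total     = $batch.TotalCount
            Synced    = $batch.SyncedCount
            Finalized = $batch.FinalizedCount
            Failed    = $batch.FailedCount
            IdleDays  = $idleDays
            Flags     = ($flags -join ",")
        }
    }
}

function Get-FailedMigrationUsers {
    # Per-mailbox detail for a batch with failures (what the dashboard's View details shows).
    param([Parameter(Mandatory)][string]$BatchId)
    Get-MigrationUser -BatchId $BatchId -Status Failed -ResultSize Unlimited |
        ForEach-Object {
            $stats = Get-MigrationUserStatistics -Identity $_.Identity
            [pscustomobject]@{
                Batch   = $BatchId
                Mailbox = $_.Identity
                Status  = $stats.Status
                Error   = $stats.Error
            }
        }
}

Get-MigrationBatchHealth | Format-Table -AutoSize
Get-MigrationBatchHealth |
    Where-Object { $_.Flags -match "HasFailures" } |
    ForEach-Object { Get-FailedMigrationUsers -BatchId $_.Batch } |
    Format-Table -AutoSize
```

Scheduling this report is a cheap way to catch two things the dashboard only shows when someone looks: batches drifting toward the automatic stop, and failed mailboxes whose errors would otherwise sit unnoticed until cutover.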

The Migration dashboard for Classic Exchange admin center (Classic EAC)

To access the Migration dashboard in the Classic EAC, select Recipients > Migration.
The following screenshot identifies the different areas of the Migration dashboard that
you can use to get migration information and manage migration batches.

Overall migration statistics


Click Status for all batches to display the overall statistics about all migration batches
that have been created. The following fields display cumulative information about all
migration batches.

Field / Description

Total mailboxes: The total number of mailboxes from all current migration batches.

Synced mailboxes: The number of mailboxes from all migration batches that were successfully migrated.

Finalized mailboxes: The number of mailboxes from all migration batches that have been finalized. Finalization occurs only when you use remote move migrations to migrate mailboxes between your on-premises Exchange organization and Microsoft 365 or Office 365 in an Exchange hybrid deployment. Mailboxes can be finalized after the initial synchronization is successfully completed. For more information about finalizations in remote move migrations, see Complete-MigrationBatch.

Failed mailboxes: The number of mailboxes from all migration batches for which migration failed.

Migration batches
Migration batches that are created are listed in the migration queue. The following
columns display information about each migration batch.

Column / Description

Name: The name of the migration batch that was defined when it was created.

Status: The status of the migration batch. The following is a list of the different status states for migration batches, along with what you can do with migration batches in each of these states:
  Stopped: Either the migration batch has been created but hasn't been started, or it has been stopped after running for some period of time. In this state, you can start, edit, or delete it.
  Syncing: The migration batch has been started, and mailboxes in the migration batch are being actively migrated. When a migration batch is in this state, you can stop it.
  Stopping: Immediately after you run the Stop-MigrationBatch cmdlet.
  Starting: Immediately after you run the Start-MigrationBatch cmdlet.
  Completing: Immediately after you run the Complete-MigrationBatch cmdlet.
  Removing: Immediately after you run the Remove-MigrationBatch cmdlet.
  Synced: The migration batch has completed an initial sync of the data. A migration batch in this state may contain errors if mailboxes weren't migrated. For most types of migrations, the remote/on-premises mailboxes and the corresponding Microsoft 365 or Office 365 mailboxes are synchronized every 24 hours during incremental synchronization.
  Completed: The migration batch is complete.
  Synced with errors: The migration batch has completed an initial sync of the data, but some mailboxes failed migration. Mailboxes that were successfully migrated in migration batches with errors are still synchronized every 24 hours during incremental synchronization.

Total: Indicates the number of mailboxes in the migration batch.

Synced: Indicates the number of mailboxes that were successfully migrated.

Finalized: The number of mailboxes in the migration batch that have been finalized. Finalization is performed only for migration batches for remote move migrations in an Exchange hybrid deployment. For more information about the finalization process, see Complete-MigrationBatch.

Failed: The number of mailboxes in the migration batch for which the migration failed. You can display information about specific mailboxes that have migration errors. For more information, see Migration users status report.

Important

Migration batches with a status of Synced that have no administrator-initiated activity (for example, no administrator has stopped and restarted a migration batch or edited a migration batch) for the last 60 days will be stopped. All batches with Stopped or Failed status will be removed after 90 days. All batches with Completed status will be removed after 60 days.

The Migration dashboard contains a set of commands that you can use to manage
migration batches. After you create a migration batch, you can select it, and then click
one of the following commands. If a migration batch is in a status state that isn't
supported by a command, the command is either dimmed or not displayed because it's
unavailable.

Command Description

New Create a new migration batch. Use this command to migrate on-premises mailboxes
to Microsoft 365 or Office 365 (also called onboarding) or to migrate Microsoft 365
or Office 365 mailboxes back to your on-premises Exchange organization in a hybrid
deployment.

Edit Edit an existing migration batch. You can change the finalization semantics of
batches that support finalization. You can also change the migration endpoint used
for the migration batch.

Start Start a migration batch that's been created. After the batch is started, the status is
changed to Syncing.

Resume Resume the running of a migration batch that was paused and has a status of
Stopped. If there are errors for a migration batch, you can restart it with this
command, and Microsoft 365 or Office 365 will attempt to migrate the mailboxes
that failed.

Pause Stop a migration batch that's currently running or that's been started but has a
status of Queued. You can also stop a migration batch that's completed the
initiation synchronization phase and has a status of Synced. This will stop
incremental synchronizations. You can resume incremental synchronizations by
selecting the migration batch and clicking Resume.

Delete Delete a migration batch after you verify that all mailboxes in the migration batch
have been successfully migrated. Verify also that mail is being routed directly to
cloud-based mailboxes after you've configured your MX record to point to
Microsoft 365 or Office 365. When you delete a migration batch, Microsoft 365 or
Office 365 cleans up any records related to the migration batch and removes it from
the list.

More Click this command, and then click Migration endpoints to create new migration
endpoints or view and edit existing migration endpoints.

Refresh Refresh the Migration dashboard to update the information displayed for the overall
migration statistics, the list of migration batches, and the statistics for the selected
migration batch.

Migration batch statistics


The details pane in the Migration dashboard displays the following information about
the selected migration batch.

Field Description

Type Indicates the migration type of the selected migration batch. The value of this field
also denotes the type of migration endpoint associated with the migration batch.
Exchange Outlook Anywhere: The migration batch is either a cutover Exchange
migration or a staged Exchange migration.

IMAP: The migration batch is an IMAP migration.

Remote move migration: The migration batch is either an onboarding or
offboarding remote move migration in an Exchange hybrid deployment.

Gmail: The migration batch is a Google Workspace migration.

Direction Indicates if mailboxes are being migrated to Microsoft 365 or Office 365 or to your
on-premises Exchange organization.
Onboarding: Indicates that mailboxes are being migrated to Microsoft 365 or Office
365. Onboarding migration types are staged migrations, cutover migrations, IMAP
migrations, Google Workspace migrations, and onboarding remote move
migrations.

Offboarding: Indicates that Microsoft 365 or Office 365 mailboxes are being
migrated to your on-premises Exchange organization. Offboarding remote move
migrations are the only type of offboarding migration.

Status The current state of the selected migration batch.


Completed

Syncing

Stopped

Synced

Synced with errors

See the previous description of each of these states.

Requested The number of mailboxes to be migrated in the migration batch. This number
corresponds to the number of rows in the migration CSV file for IMAP, Google
Workspace, staged, or remote move migrations, or the number of on-premises
mailboxes in a cutover Exchange migration.

Synced mailboxes The number of mailboxes out of the total number of mailboxes in the
migration batch that have successfully completed initial synchronization. This field is
updated during the migration.

Finalized The number of mailboxes out of the total number of mailboxes in the migration
batch that have successfully been finalized. Finalization only occurs in onboarding
and offboarding remote move migrations.

Failed mailboxes The number of mailboxes that failed initial synchronization.

View details Click View details to display status information for each mailbox in the
migration batch. For more information, see Migration users status report.

Created by The email address of the Microsoft 365 or Office 365 administrator who created the
migration batch.

Create time The date and time when the migration batch was created.

Start time The date and time when the migration batch was started.

Initial sync time The date and time when the migration batch completed initial
synchronization.

Initial sync duration The amount of time it took to complete the initial
synchronization for all mailboxes in the migration batch.

Last sync time The last time the migration batch was restarted or the last time that
incremental synchronization was performed for the batch. As previously stated,
incremental synchronization occurs every 24 hours.

Associated endpoint The name of the migration endpoint being used by the migration
batch. You can click View details to view the migration endpoint settings. You can also
edit the settings if none of the migration batches using the endpoint are currently
running.

Migration users status report in
Exchange Online
Article • 02/22/2023

You can use the Migration dashboard in the Exchange administration center (EAC) to
display the migration status information for all users in a migration batch. You can also
display detailed migration information for each user in a migration batch. This
information, also called migration user statistics, can help you troubleshoot issues that
might prevent the migration of a user's mailbox or mailbox items. You can display this
migration status information for migration batches that are currently running, that have
been stopped, or that are complete.

You can also use Exchange Online PowerShell to display migration user statistics. For
more information, see:

Get-MigrationUser

Get-MigrationUserStatistics

Migration users report in new Exchange admin center (New EAC)

To access the migration users report for a migration batch, go to new Exchange Admin
center, navigate to Migration > Batch, select the migration batch and then in the
details pane, under Migration details, click View details.

The name of the migration batch and the following commands are displayed at the top
of the window.
Command Description

Delete Delete the selected user from the list of migration users.

Refresh Refresh the list of migration users to update the information displayed for the users
in the migration batch.

Columns in the list of migration users

Column Description

Name The user's email address.

Status The user's migration status. See the status descriptions in the table in the next section.

Items Synced The number of items in the user's on-premises mailbox that were
successfully migrated to the Microsoft 365 or Office 365 mailbox.

Items Skipped The number of items in the user's on-premises mailbox that weren't
migrated to the Microsoft 365 or Office 365 mailbox.

Migration user statistics for a specific user in new Exchange admin center (New EAC)

To view status information (also called migration user statistics) for a specific mailbox,
mail contact, or distribution group, click the mailbox, contact, or distribution group in
the list. Status information for the selected mail object is displayed in the details pane.
The following table describes each field displayed in the details pane.

Field Description

Status Identifies the specific point in the migration process for each mail object in the
migration batch. This status is more specific than the high-level status summary
displayed in the list of migration users. The following list describes each status state.
Completed: The migration process is successfully completed and all mailbox
items were migrated to the cloud-based mailbox.
Queued: The object is in a migration batch that is running, but the migration
of the object hasn't started yet. Objects typically have a status of Queued
when all of the connections in the migration endpoint associated with the
migration batch are being used.
Synced: The migration process successfully provisioned the Microsoft 365 or
Office 365 mailbox and completed the initial synchronization where all mailbox
items were copied to the cloud-based mailbox. For cutover Exchange
migrations and IMAP migrations, this status can also indicate that incremental
synchronization completed successfully.
Failed: The provisioning or the initial synchronization of the mail object failed.
If a Microsoft 365 or Office 365 mailbox is successfully created for a user, but
the migration of mailbox items fails, the status for the user will be Failed.

Skipped item details Click Skipped item details to display information about each item
that was skipped for the selected user. The following information about each skipped
item is displayed:

Date: The time stamp of the mailbox item.
Subject: The subject line of the message.
Kind: The type of error that caused the item to be skipped.
Folder name: The folder where the skipped item is located.

Data migrated The total amount of data (in bytes and megabytes (MB)) for the mailbox
items that have been migrated to the Microsoft 365 or Office 365 mailbox. This number
includes items migrated in both the initial and incremental synchronizations. This
field doesn't have a value for IMAP migrations.

Migration rate The average transfer rate (in bytes or MB per minute) of data copied to
the Microsoft 365 or Office 365 mailbox. This field doesn't have a value for IMAP
migrations.

Error If the migration for the user failed, this field displays a description of the error. This
error description is also included in the Migration Errors report.

Report Click Download the report for this user to open or save a detailed migration report
that contains diagnostic information about the migration status of the user. You or
Microsoft Support can use the information in this report to troubleshoot failed
migrations.

Last successful sync date The last time that any new items in the on-premises mailbox
were copied to the cloud-based mailbox.

Migration users report in Classic Exchange admin center (Classic EAC)

To access the migration users report for a migration batch, select Recipients >
Migration, select the migration batch, and then in the details pane, under Mailbox
status, click View details.

The name of the migration batch and the following commands are displayed at the top
of the window.

Command Description

Delete Delete the selected user from the list of migration users.

Refresh Refresh the list of migration users to update the information displayed for the users
in the migration batch.

Columns in the list of migration users

Column Description

Identity The user's email address.

Status The user's migration status. See the status descriptions in the table in the next section.

Items Synced The number of items in the user's on-premises mailbox that were
successfully migrated to the Microsoft 365 or Office 365 mailbox.

Items Skipped The number of items in the user's on-premises mailbox that weren't
migrated to the Microsoft 365 or Office 365 mailbox.

Migration user statistics for a specific user in Classic Exchange admin center (Classic EAC)

To view status information (also called migration user statistics) for a specific mailbox,
mail contact, or distribution group, click the mailbox, contact, or distribution group in
the list. Status information for the selected mail object is displayed in the details pane.
The following table describes each field displayed in the details pane.

Field Description

Status Identifies the specific point in the migration process for each mail object in the
migration batch. This status is more specific than the high-level status summary
displayed in the list of migration users. The following list describes each status state.
Queued: The object is in a migration batch that is running, but the migration
of the object hasn't started yet. Objects typically have a status of Queued
when all of the connections in the migration endpoint associated with the
migration batch are being used.
Provisioning: The migration process has started for the mail object, but it isn't
provisioned yet.
Provision updating: The mail object has been provisioned, but not all the
object's properties were migrated. For example, after a distribution group has
been migrated, this state occurs when members of the group haven't been
migrated yet or there's a problem migrating a user who is a member of the
group. In this case, the status indicates the migration process can't update the
group membership because not all group members have been migrated.
Synced: The migration process successfully provisioned the Microsoft 365 or
Office 365 mailbox and completed the initial synchronization where all mailbox
items were copied to the cloud-based mailbox. For cutover Exchange
migrations and IMAP migrations, this status can also indicate that incremental
synchronization completed successfully.
Failed: The provisioning or the initial synchronization of the mail object failed.
If a Microsoft 365 or Office 365 mailbox is successfully created for a user, but
the migration of mailbox items fails, the status for the user will be Failed.

Skipped item details Click Skipped item details to display information about each item
that was skipped for the selected user. The following information about each skipped
item is displayed:

Date: The time stamp of the mailbox item.
Subject: The subject line of the message.
Kind: The type of error that caused the item to be skipped.
Folder name: The folder where the skipped item is located.

Data migrated The total amount of data (in bytes and megabytes (MB)) for the mailbox
items that have been migrated to the Microsoft 365 or Office 365 mailbox. This number
includes items migrated in both the initial and incremental synchronizations. This
field doesn't have a value for IMAP migrations.

Migration rate The average transfer rate (in bytes or MB per minute) of data copied to
the Microsoft 365 or Office 365 mailbox. This field doesn't have a value for IMAP
migrations.

Error If the migration for the user failed, this field displays a description of the error. This
error description is also included in the Migration Errors report.

Report Click Download the report for this user to open or save a detailed migration report
that contains diagnostic information about the migration status of the user. You or
Microsoft Support can use the information in this report to troubleshoot failed
migrations.

Last successful sync date The last time that any new items in the on-premises mailbox
were copied to the cloud-based mailbox.

Click More details to display the following additional information about the selected
migration user.

Field Description

Queued duration The length of time the user had a status of Queued.

In-progress duration The length of time the user was actively being migrated.

Synced duration The length of time the migration user had a status of Synced.

Stalled duration The length of time the migration process was stalled for the user.
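
The following script is an added example; it is not code from the original article or from Microsoft. It reproduces, in Exchange Online PowerShell, the triage an administrator performs in the Migration dashboard: it flags Synced batches that are approaching the 60-day inactivity stop described above, batches with failed mailboxes, and individual migration users whose status is Failed or that have skipped items. The sample objects at the bottom are constructed so the script runs offline; their property names (Status, FailedCount, LastSyncedDateTime, SyncedItemCount, SkippedItemCount, Error) are assumed to match the output of Get-MigrationBatch and Get-MigrationUserStatistics, and the function names are the example's own.

```powershell
# Added example (not from the original article). In a tenant, replace the constructed
# sample data with:
#   $batches = Get-MigrationBatch
#   $users   = Get-MigrationUser -BatchId OnBoarding1 | Get-MigrationUserStatistics
# The property names used below are an assumption about the cmdlet output shape.

function Get-MigrationBatchTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Batches,
        [datetime] $Now = (Get-Date),
        # From the article: Synced batches with no admin activity for 60 days are stopped.
        [int] $IdleStopDays = 60,
        [int] $WarnDaysBefore = 7
    )
    foreach ($b in $Batches) {
        $idleDays = $null
        if ($b.LastSyncedDateTime) {
            $idleDays = [int][math]::Floor(($Now - $b.LastSyncedDateTime).TotalDays)
        }
        $flags = @()
        if ($b.Status -eq 'Synced' -and $null -ne $idleDays -and
            $idleDays -ge ($IdleStopDays - $WarnDaysBefore)) {
            $flags += "idle $idleDays days, auto-stop at $IdleStopDays"
        }
        if ($b.FailedCount -gt 0) { $flags += "$($b.FailedCount) failed mailbox(es)" }
        if ($b.Status -in @('Synced with errors', 'SyncedWithErrors')) { $flags += 'synced with errors' }
        [pscustomobject]@{
            Batch    = $b.Identity
            Status   = $b.Status
            IdleDays = $idleDays
            Flags    = ($flags -join '; ')
        }
    }
}

function Get-MigrationUserTriage {
    param([Parameter(Mandatory)] [object[]] $UserStats)
    # Return only users that need attention, with the Error text the details pane shows
    # and the synced/skipped item counts. Credentials are never part of this output.
    foreach ($u in $UserStats) {
        if ($u.Status -eq 'Failed' -or $u.SkippedItemCount -gt 0) {
            [pscustomobject]@{
                User    = $u.Identity
                Status  = $u.Status
                Synced  = $u.SyncedItemCount
                Skipped = $u.SkippedItemCount
                Error   = $u.Error
            }
        }
    }
}

# Constructed sample data (offline stand-in for cmdlet output).
$now = Get-Date -Date '2023-03-01'
$sampleBatches = @(
    [pscustomobject]@{ Identity = 'OnBoarding1'; Status = 'Synced';             FailedCount = 0; LastSyncedDateTime = $now.AddDays(-58) }
    [pscustomobject]@{ Identity = 'IMAP-Batch2'; Status = 'Synced with errors'; FailedCount = 2; LastSyncedDateTime = $now.AddDays(-1) }
    [pscustomobject]@{ Identity = 'Staged3';     Status = 'Completed';          FailedCount = 0; LastSyncedDateTime = $now.AddDays(-10) }
)
$sampleUsers = @(
    [pscustomobject]@{ Identity = 'user1@contoso.com'; Status = 'Synced'; SyncedItemCount = 1200; SkippedItemCount = 0; Error = $null }
    [pscustomobject]@{ Identity = 'user2@contoso.com'; Status = 'Failed'; SyncedItemCount = 0;    SkippedItemCount = 0; Error = 'Constructed sample error text' }
    [pscustomobject]@{ Identity = 'user3@contoso.com'; Status = 'Synced'; SyncedItemCount = 900;  SkippedItemCount = 3; Error = $null }
)

Get-MigrationBatchTriage -Batches $sampleBatches -Now $now | Format-Table -AutoSize
Get-MigrationUserTriage -UserStats $sampleUsers | Format-Table -AutoSize
```

With the sample data, OnBoarding1 is flagged as idle for 58 days (two days short of the automatic stop), IMAP-Batch2 is flagged for two failed mailboxes and its Synced with errors state, and the user triage lists user2 (Failed) and user3 (three skipped items). Running the triage on a schedule is a simple way to notice a batch before the service stops it.
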

Migration phases
To help you understand the migration status states described in the previous sections,
it's helpful to be familiar with the phases of the migration process. The following table
describes these phases and indicates whether the phase is included in each type of
migration.

Migration phase | Cutover Exchange migration | Staged Exchange migration | IMAP migration

Provisioning: The migration process creates the new Microsoft 365 or Office 365
mailbox.
  Cutover Exchange migration: Yes (includes distribution groups and mail contacts)
  Staged Exchange migration: Yes (includes mail contacts)
  IMAP migration: No

Initial synchronization: After Microsoft 365 or Office 365 mailboxes are provisioned,
the migration process migrates mailbox items to the newly provisioned cloud-based
mailboxes.
  Cutover Exchange migration: Yes (includes calendar items and contacts)
  Staged Exchange migration: Yes (includes calendar items and contacts)
  IMAP migration: Yes

Incremental synchronization: The migration process synchronizes the on-premises and
the corresponding Microsoft 365 or Office 365 mailbox every 24 hours.
  Cutover Exchange migration: Yes
  Staged Exchange migration: No
  IMAP migration: Yes

CSV files for Mailbox migration in
Exchange Online
Article • 02/22/2023

You can use a comma-separated values (CSV) file to bulk migrate a large number of user
mailboxes. You can specify a CSV file when you use the Exchange admin center (EAC) or
the New-MigrationBatch cmdlet in Exchange Online PowerShell to create a migration
batch. Using a CSV to specify multiple users to migrate in a migration batch is
supported in the following migration scenarios:

Onboarding and offboarding in Microsoft 365 or Office 365

Onboarding remote move migration: In an Exchange hybrid deployment, you
can move mailboxes from an on-premises Exchange organization to Microsoft
365 or Office 365. This is also known as an onboarding remote move migration
because you onboard mailboxes to Microsoft 365 or Office 365.

Offboarding remote move migration: You can also perform an offboarding
remote move migration, where you migrate Microsoft 365 or Office 365
mailboxes to your on-premises Exchange organization.

Note

Both onboarding and offboarding remote move migrations are initiated
from your Microsoft 365 or Office 365 organization.

Staged Exchange migration: You can also migrate a subset of mailboxes from
an on-premises Exchange organization to Microsoft 365 or Office 365. This is
another type of onboarding migration. You can migrate only Exchange 2003
and Exchange 2007 mailboxes using a staged Exchange migration. Migrating
Exchange 2010 and Exchange 2013 mailboxes isn't supported using a staged
migration. Prior to running a staged migration, you have to use directory
synchronization or some other method to provision mail users in your Microsoft
365 or Office 365 organization.

IMAP migration: This onboarding migration type migrates mailbox data from
an IMAP server (including Exchange) to Microsoft 365 or Office 365. For an
IMAP migration, you must provision mailboxes in Microsoft 365 or Office 365
before you can migrate mailbox data.

Note

A cutover Exchange migration doesn't support using a CSV file because all on-
premises user mailboxes are migrated to Microsoft 365 or Office 365 in a single
batch.

Supported attributes for CSV files for bulk moves or migrations

The first row, or header row, of a CSV file used for migrating users lists the names of the
attributes, or fields, specified on the rows that follow. Each attribute name is separated
by a comma. Each row under the header row represents an individual user and supplies
the information required for the migration. The attributes in each individual user row
must be in the same order as the attribute names in the header row. Each attribute value
is separated by a comma. If the attribute value for a particular record is null, don't type
anything for that attribute. However, make sure that you include the comma to separate
the null value from the next attribute.

Attribute values in the CSV file override the value of the corresponding parameter when
that same parameter is used when creating a migration batch with the EAC or Exchange
Online PowerShell. For more information and examples, see the section Attribute values
in the CSV file override the values for the migration batch.

Tip

You can use any text editor to create the CSV file, but using an application like
Microsoft Excel will make it easier to import data and configure and organize CSV
files. Be sure to save CSV files as a .csv or .txt file.

The following sections describe the supported attributes for the header row of a CSV file
for each migration type. Each section includes a table that lists each supported attribute,
whether it's required, an example of a value to use for the attribute, and a description.

Note

In the following sections, source environment denotes the current location of
a user mailbox or a database. Target environment denotes the location that
the mailbox will be migrated to or the database that the mailbox will be
moved to.

All mailboxes that are specified in the CSV file will be migrated, even if they
are outside of the RBAC scope (for example, an OU) that gives the admin
permissions to migrate mailboxes.

Staged Exchange migrations

You have to use a CSV file to identify the group of users for a migration batch when you
want to use a staged Exchange migration to migrate Exchange 2003 and Exchange 2007
on-premises mailboxes to Microsoft 365 or Office 365. There isn't a limit for the number
of mailboxes that you can migrate to the cloud using a staged Exchange migration.
However, the CSV file for a migration batch can contain a maximum of 2,000 rows. To
migrate more than 2,000 mailboxes, you have to create additional CSV files and then
use each one to create a new migration batch. For more information about staged
Exchange migrations, see What you need to know about a staged email migration to
Microsoft 365 or Office 365.

The following table describes the supported attributes for a CSV file for a staged
Exchange migration.

Attribute: EmailAddress
Required or optional: Required
Accepted values: SMTP address for the user
Description: Specifies the email address for the mail-enabled user (or a mailbox if
you're retrying the migration) in Microsoft 365 or Office 365 that corresponds to the
on-premises user mailbox that will be migrated. Mail-enabled users are created in
Microsoft 365 or Office 365 as a result of directory synchronization or another
provisioning process. The email address of the mail-enabled user must match the
WindowsEmailAddress property for the corresponding on-premises mailbox.

Attribute: Password
Required or optional: Optional
Accepted values: A password has to have a minimum length of eight characters, and
satisfy any password restrictions that are applied to your Microsoft 365 or Office 365
organization.
Description: This password is set on the user account when the corresponding
mail-enabled user in Microsoft 365 or Office 365 is converted to a mailbox during the
migration.

Attribute: ForceChangePassword
Required or optional: Optional
Accepted values: True or False
Description: Specifies whether a user must change the password the first time they
sign in to their Microsoft 365 or Office 365 mailbox. Note: If you've implemented a
single sign-on (SSO) solution by deploying Active Directory Federation Services 2.0
(AD FS 2.0) in your on-premises organization, you must use False for the value of this
attribute.

IMAP migrations
A CSV file for an IMAP migration batch can have maximum of 50,000 rows. But it's a
good idea to migrate users in several smaller batches. For more information about IMAP
migrations, see the following topics:

Migrate your IMAP mailboxes to Microsoft 365 or Office 365

CSV files for IMAP migration batches

The following table describes the supported attributes for a CSV file for an IMAP
migration.

Attribute: EmailAddress
Required or optional: Required
Accepted values: SMTP address for the user.
Description: Specifies the user ID for the user's Microsoft 365 or Office 365 mailbox.

Attribute: UserName
Required or optional: Required
Accepted values: String that identifies the user on the IMAP messaging system, in a
format supported by the IMAP server.
Description: Specifies the logon name for the user's account in the IMAP messaging
system (the source environment). In addition to the username, you can use the
credentials of an account that has been assigned the necessary permissions to access
mailboxes on the IMAP server. For more information, see CSV files for IMAP migration
batches.

Attribute: Password
Required or optional: Required
Accepted values: Password string.
Description: Specifies the password for the user account specified by the UserName
attribute.

Attribute values in the CSV file override the values for the migration batch

Attribute values in the CSV file override the value of the corresponding parameter when
that same parameter is used when creating a migration batch with the EAC or Exchange
Online PowerShell. If you want the migration batch value to be applied to a user, you
would leave that cell blank in the CSV file. This lets you mix and match certain attribute
values for selected users in one migration batch.

In this example, let's say you create a batch for an onboarding remote move migration
in a hybrid deployment to move archive mailboxes to Microsoft 365 or Office 365 with
the following New-MigrationBatch command.

PowerShell

New-MigrationBatch -Name OnBoarding1 -SourceEndpoint RemoteEndpoint1 -TargetDeliveryDomain cloud.contoso.com -CSVData ([System.IO.File]::ReadAllBytes("C:\Users\Administrator\Desktop\OnBoarding1.csv")) -ArchiveOnly:$true -AutoStart

But you also want to move the primary mailboxes for selected users, so a portion of the
OnBoarding1.csv file for this migration batch would look like this:

CSV

EmailAddress,MailboxType
user1@contoso.com,
user2@contoso.com,
user3@cloud.contoso.com,PrimaryAndArchive
user4@cloud.contoso.com,PrimaryAndArchive
...

Because the value for mailbox type in the CSV file overrides the values for the
MailboxType parameter in the command to create the batch, only the archive mailbox
for user1 and user2 is migrated to Microsoft 365 or Office 365. But the primary and
archive mailboxes for user3 and user4 are moved to Microsoft 365 or Office 365.
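
The following script is an added example; it is not code from the original article or from Microsoft. It checks a migration CSV file before the file is handed to New-MigrationBatch, applying the rules this article states: the header row names the attributes; a staged Exchange migration file requires EmailAddress (Password and ForceChangePassword are optional, a password must be at least eight characters) and holds at most 2,000 rows; an IMAP migration file requires EmailAddress, UserName and Password and holds at most 50,000 rows; a blank cell means the batch-level parameter value applies. The function name Test-MigrationCsv, the RemoteMove rule set (which lists only the MailboxType attribute shown above; no row limit for that type is stated in this article) and the inline sample CSV are this example's own constructions.

```powershell
# Added example (not from the original article). Validates a migration CSV against the
# rules described in the article and reports what a blank cell will fall back to.

function Test-MigrationCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Staged', 'IMAP', 'RemoteMove')] [string] $MigrationType
    )
    # Per-type rules from the article. RemoteMove's attribute list and missing row
    # limit are an assumption for this example.
    $rules = @{
        Staged     = @{ Required = @('EmailAddress'); Optional = @('Password', 'ForceChangePassword'); MaxRows = 2000 }
        IMAP       = @{ Required = @('EmailAddress', 'UserName', 'Password'); Optional = @(); MaxRows = 50000 }
        RemoteMove = @{ Required = @('EmailAddress'); Optional = @('MailboxType'); MaxRows = $null }
    }
    $rule     = $rules[$MigrationType]
    $headers  = ((Get-Content -Path $Path -TotalCount 1) -split ',').Trim()
    $rows     = @(Import-Csv -Path $Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()

    foreach ($h in $rule.Required) {
        if ($headers -notcontains $h) { $problems.Add("Missing required header '$h'") }
    }
    $known = $rule.Required + $rule.Optional
    foreach ($h in $headers) {
        if ($known -notcontains $h) { $warnings.Add("Header '$h' is not a supported attribute for $MigrationType") }
    }
    if ($rule.MaxRows -and $rows.Count -gt $rule.MaxRows) {
        $problems.Add("$($rows.Count) rows exceed the $($rule.MaxRows)-row limit; split the users into several batches")
    }

    $seen = @{}
    $line = 1                      # the header is line 1 of the file
    foreach ($r in $rows) {
        $line++
        $addr = $r.EmailAddress
        if ([string]::IsNullOrWhiteSpace($addr)) {
            $problems.Add("Line ${line}: EmailAddress is blank (required)")
        } elseif ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems.Add("Line ${line}: '$addr' is not an SMTP address")
        } elseif ($seen.ContainsKey($addr.ToLower())) {
            $problems.Add("Line ${line}: duplicate EmailAddress '$addr'")
        } else {
            $seen[$addr.ToLower()] = $true
        }
        foreach ($h in $rule.Required) {
            if ($h -ne 'EmailAddress' -and [string]::IsNullOrWhiteSpace($r.$h)) {
                $problems.Add("Line ${line}: required attribute '$h' is blank")
            }
        }
        if ($MigrationType -eq 'Staged' -and -not [string]::IsNullOrWhiteSpace($r.Password) -and $r.Password.Length -lt 8) {
            $problems.Add("Line ${line}: Password is shorter than eight characters")
        }
        if ($headers -contains 'ForceChangePassword' -and -not [string]::IsNullOrWhiteSpace($r.ForceChangePassword) -and
            $r.ForceChangePassword -notin @('True', 'False')) {
            $problems.Add("Line ${line}: ForceChangePassword must be True or False")
        }
        # Blank optional cells are legal: the batch-level parameter value applies to that user.
        foreach ($h in $rule.Optional) {
            if ($headers -contains $h -and [string]::IsNullOrWhiteSpace($r.$h)) {
                $warnings.Add("Line ${line}: '$h' blank, the migration batch value applies to $addr")
            }
        }
    }
    if ($headers -contains 'Password') {
        $warnings.Add('File contains plaintext passwords: restrict access to it and delete it once the batch is created')
    }
    [pscustomobject]@{
        Path     = $Path
        Rows     = $rows.Count
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# Constructed sample file based on the OnBoarding1.csv fragment above, with two bad rows added.
$sampleCsv = @"
EmailAddress,MailboxType
user1@contoso.com,
user2@contoso.com,
user3@cloud.contoso.com,PrimaryAndArchive
user1@contoso.com,PrimaryAndArchive
not-an-address,
"@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'OnBoarding1-sample.csv'
Set-Content -Path $tmp -Value $sampleCsv
Test-MigrationCsv -Path $tmp -MigrationType RemoteMove | Format-List
```

On the sample file the result is IsValid false, with two problems (a duplicate EmailAddress on line 5 and a non-SMTP value on line 6) and warnings noting that user1 and user2 inherit the batch's MailboxType setting, which is exactly the override behaviour the example above relies on.
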
Plan for third-party email coexistence
with Microsoft 365 or Office 365 and
Azure Active Directory
Article • 02/22/2023

Most Microsoft email migration information assumes that you're running Exchange
Server in your on-premises organization. This topic is for organizations that use Active
Directory as their on-premises identity platform and a third-party messaging system (for
example, IBM Lotus Notes or Novell GroupWise) for email.

In this scenario, the goal is to support cross-premises email coexistence. A third-party
messaging system remains in the on-premises organization and shares an email
namespace (domain) with the Exchange Online messaging system in the cloud. A unified
address book in the cloud shows all users in both the on-premises and cloud
organizations. This email coexistence might be a short-term or long-term solution.

As you plan for this third-party email coexistence, consider the Azure Active Directory
hybrid identity options and the authentication choices for synchronization and end user
authentication options.

Scenario goals:

Users with on-premises mailboxes should be represented in the Exchange Online
global address list (GAL) as mail-enabled users.

Mail routing from the cloud to the on-premises organization uses a shared domain
namespace.

Or, as part of a migration strategy, the mail-enabled users in the cloud might be
licensed with Exchange Online mailboxes.

Cross-premises coexistence might last indefinitely. The cloud address list, proper
mail routing, and message format fidelity all meet business-class requirements.

Requirements:

A subscription to Microsoft 365 or Office 365 (must be an enterprise subscription).

The on-premises organization is running Active Directory with the Microsoft
Exchange 2016 or later schema updates.

The Exchange Management Shell and the Exchange Server Active Directory schema
are required for managing email-related users. To meet these requirements, install
the Exchange 2016 Mailbox server role on a server in the on-premises
organization.

Every recipient object from the third-party system needs to have a corresponding
user object in the local Active Directory. These users need to be mail-enabled as part
of the coexistence process.

Technical Overview
To enable any cross-premises messaging scenario, you need to determine how you will
route email between the on-premises organization and the cloud. From an
implementation perspective, the choice comes down to where inbound mail goes first:
to the on-premises messaging system or to the cloud. The one you choose depends on
the goals of the cross-premises deployment.

Shared namespace configuration

Generally speaking, if you plan to move all your messaging to the cloud (employing a
cross-premises deployment as part of a longer-term mail migration strategy),
configuring your mail exchanger (MX) record to direct inbound email to the cloud first is
a logical choice. In this configuration, you can take advantage of Exchange Online
Protection (EOP) for all inbound email to your organization.

Otherwise, if your long-term goal is to maintain a cross-premises messaging
environment indefinitely, and you are not interested in Exchange Online Protection, you
can choose to leave the MX record as it is currently configured.

Email routing in a cross-premises environment

Regardless of where your inbound mail enters the cross-premises deployment, mail
routing requires that users with mailboxes in your on-premises messaging system are
represented by mail-enabled users in the cloud messaging system. The mail-enabled
user object in the cloud directory carries the target SMTP address of the corresponding
recipient mailbox in the on-premises organization.

The process of synchronizing mail-enabled users with the correct target address
requires installing the Azure Active Directory Connect tool in your on-premises Active
Directory. The Azure Active Directory Connect tool synchronizes the on-premises
mail-enabled user in Active Directory with a target address value that matches the
shared namespace, which must be a verified domain in Microsoft 365 or Office 365.

For example, if you've verified the domain in your Microsoft 365 deployment (for
example, domino.contoso.com), the Azure Active Directory Connect tool synchronizes
mail-enabled user objects in your Active Directory that have a target address with
domino.contoso.com in the target address property. This is used to route email cross
premises. The user's primary SMTP address in this scenario would remain contoso.com,
provided contoso.com is a verified domain in Microsoft 365.

The use of the Exchange admin center and Exchange Management Shell is required to
manage all the Exchange recipient properties in the Active Directory.

Mail formatting
Because you will be configuring Exchange Online to send email to your on-premises
mail system, you'll have to make an additional configuration in the cloud to avoid mail
formatting issues.

By default, Exchange Online sends messages back to the on-premises email system in
rich text or Transport Neutral Encapsulation Format (TNEF), which might result in your
users receiving plain text emails with Winmail.dat attachments. As a result, you need to
configure Exchange Online to send all mail to your on-premises system in non-TNEF
format (HTML or text). To do this, you need to specify the on-premises primary SMTP
domain as a remote domain in Exchange Online. You can then disable TNEF formatting
for all email that is sent to the remote domain.
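
The following script is an added example; it is not code from the original article or from Microsoft. It performs the remote domain configuration just described in Exchange Online PowerShell: it creates a remote domain for the on-premises primary SMTP domain if none exists, turns TNEF off for that domain, and reads the setting back so the change can be verified and recorded. New-RemoteDomain, Set-RemoteDomain and Get-RemoteDomain are Exchange Online cmdlets and require a session opened with Connect-ExchangeOnline; the function name, the remote domain name OnPremThirdParty and the domain contoso.com are placeholders for this example.

```powershell
# Added example (not from the original article). Requires a connected Exchange Online
# PowerShell session (Connect-ExchangeOnline). Names below are placeholders.

function Disable-TnefForOnPremDomain {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $RemoteDomainName = 'OnPremThirdParty'
    )
    # Reuse an existing remote domain for this SMTP domain if one exists. The built-in
    # 'Default' remote domain (*) is left alone so TNEF behaviour for everyone else is unchanged.
    $rd = Get-RemoteDomain | Where-Object { $_.DomainName.ToString() -eq $DomainName }
    if (-not $rd) {
        $rd = New-RemoteDomain -Name $RemoteDomainName -DomainName $DomainName
    }
    # TNEFEnabled: $true = always send TNEF, $false = never send TNEF (HTML or text instead),
    # $null = follow the sender's and client's settings. The article calls for $false here.
    Set-RemoteDomain -Identity $rd.Identity -TNEFEnabled $false

    # Read the effective value back rather than trusting the call succeeded.
    Get-RemoteDomain -Identity $rd.Identity | Select-Object Name, DomainName, TNEFEnabled
}

$result = Disable-TnefForOnPremDomain -DomainName 'contoso.com'
if ($result.TNEFEnabled -ne $false) {
    throw "TNEF is still enabled for $($result.DomainName); users will keep receiving Winmail.dat attachments"
}
$result
```

Re-running the function is safe: the lookup by DomainName means an existing remote domain is updated instead of a duplicate being created, and the returned object is what you would keep as evidence in a change record.
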

Implementation
In many cases, the links refer to configuration particulars for an on-premises Exchange
messaging system. You will have to translate the goals of the Exchange Server
configurations to specific configurations of your third-party messaging solution. As an
example, mail-forwarding is a straightforward goal, but it's an area where configuration
differs widely across messaging systems.

The following steps outline the process for implementing third-party messaging
coexistence with Microsoft 365 or Office 365:

Step 1: Sign up for Microsoft 365 or Office 365

Step 2: Install Exchange Server 2016

Step 3: Execute the Exchange Hybrid Configuration Wizard

Step 4: Enable mail-enabled users in your on-premises Active Directory

Step 5: Install and Configure Azure Active Directory Connect to synchronize mail-
enabled users into Azure Active Directory (Microsoft 365 or Office 365)

Step 6: Configure shared namespace routing

Step 7: Disable TNEF to your on-premises messaging system

Step 1: Sign up for Microsoft 365 or Office 365

You need to subscribe to Microsoft 365 or Office 365 to create a service tenant that is
used in the deployment with your on-premises email system. Microsoft 365 and Office
365 provide you with an Exchange Online organization in the cloud.

When you subscribe, be sure to verify the primary SMTP domain in your organization
with Microsoft 365 or Office 365. The process of verifying a domain proves that you own
the domain. The verified domain is also the domain that the Azure Active Directory Sync
tool uses to provision objects in the cloud. Then add the mail routing domain
representing the third-party system.

Learn more at Sign up for Microsoft 365.

Step 2: Install Exchange Server 2016

1. Read the system requirements and Active Directory Schema Prep/Domain Prep
information.

2. Complete the appropriate Schema and Domain Prep instructions.

3. Prepare a server to support the installation of an Exchange 2016 Mailbox Server.

4. Configure the Accepted Domains to match the existing SMTP address domains
from the third-party system.

5. Configure a mail routing domain to share the namespace. Typically, a subdomain
like domino.contoso.com is a common choice.

6. Create e-mail address policies to map the existing naming conventions of the
company SMTP addresses for primary domains and the mail routing domain.

Step 3: Execute the Exchange Hybrid Configuration Wizard

1. Use the Exchange Hybrid Configuration Wizard, specifically in Classic mode with
the Hybrid Minimal Configuration. In this topic, only do Step 2: Start express
migration.

2. Complete the Hybrid Configuration Wizard. Do not use the Express Settings option
in the wizard; AADConnect will be configured later. Do not license the users or
migrate any data.

Step 4: Enable mail-enabled users in your on-premises Active Directory

After you've updated your Active Directory with the Exchange schema, you can now
mail-enable existing users in your Active Directory. In the context of this scenario, mail-
enabled users represent the users (that have mailboxes) in your on-premises messaging
system that you want to represent in the cloud address book.

Using the Exchange Management Shell, run Enable-MailUser for each user that you want
to be displayed in the cloud address book and who has a mailbox in your on-premises
messaging organization.

The Enable-MailUser cmdlet only takes the ExternalEmailAddress parameter. This is also
referred to as the target address of the mail-enabled user object. This parameter updates
the target SMTP address for the mail-enabled user, which enables cross-premises mail
flow.

The ExternalEmailAddress parameter is an email address that you enter for the user. The
email address must meet the following criteria:

It must be the valid primary SMTP email address of the user in your on-premises
organization.

The domain part of the email address (to the right of the @ sign) must match the
verified domain in Microsoft 365.

The domain part of the email address must match the UPN domain for the user in
the on-premises directory.

Here's an example of an Enable-MailUser command:

PowerShell

Enable-MailUser -Identity "Gabriela Laureano" -ExternalEmailAddress glaureano@domino.contoso.com -PrimarySMTPAddress glaureano@contoso.com

To learn more about how to install, configure, and run Exchange Management Shell, see
Exchange Management Shell.

If you need to create or modify users in your on-premises Active Directory, see the
following topics:

Create new users: New-MailUser

Modify existing users: Set-MailUser
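The following script is an added example, not part of the Microsoft documentation or of any Microsoft script. It applies the domain criteria above to a list of candidate users before calling Enable-MailUser, so that a user whose primary SMTP domain does not match the verified domain or the UPN domain is reported and skipped rather than mail-enabled with a broken target address. It follows the page's own command: the primary SMTP address stays on the verified domain and the target (external) address goes on the mail routing domain. The verified domain contoso.com, the routing domain domino.contoso.com, the CSV path and its columns are assumptions made for the example; the commands run in the on-premises Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Added example (not Microsoft's code). Validate candidates, then mail-enable them.
# Assumed inputs: a CSV with columns SamAccountName,PrimarySmtpAddress (constructed
# for this example), plus the verified and routing domains below.
Import-Module ActiveDirectory

$VerifiedDomain = 'contoso.com'          # assumption: domain verified in Microsoft 365
$RoutingDomain  = 'domino.contoso.com'   # assumption: mail routing domain of the third-party system
$Candidates     = Import-Csv -Path 'C:\PFScripts\mailusers.csv'   # assumption: constructed input file

foreach ($c in $Candidates) {
    $user = Get-ADUser -Identity $c.SamAccountName -Properties UserPrincipalName
    $smtpDomain = ($c.PrimarySmtpAddress -split '@')[-1]
    $upnDomain  = ($user.UserPrincipalName -split '@')[-1]

    # The domain part of the address must be the domain verified in Microsoft 365.
    if ($smtpDomain -ne $VerifiedDomain) {
        Write-Warning "$($c.SamAccountName): $($c.PrimarySmtpAddress) is not in verified domain $VerifiedDomain; skipped"
        continue
    }
    # The domain part must also match the user's UPN domain in the on-premises directory.
    if ($upnDomain -ne $smtpDomain) {
        Write-Warning "$($c.SamAccountName): UPN domain $upnDomain does not match SMTP domain $smtpDomain; skipped"
        continue
    }
    # Users that are already Exchange recipients (mailbox or mail user) are left alone.
    if (Get-Recipient -Identity $user.DistinguishedName -ErrorAction SilentlyContinue) {
        Write-Verbose "$($c.SamAccountName) is already an Exchange recipient; skipped"
        continue
    }

    # Target address on the routing domain keeps cross-premises mail flow working;
    # the primary SMTP address stays on the verified domain. Remove -WhatIf to apply.
    $local = ($c.PrimarySmtpAddress -split '@')[0]
    Enable-MailUser -Identity $user.DistinguishedName `
        -ExternalEmailAddress "${local}@${RoutingDomain}" `
        -PrimarySmtpAddress $c.PrimarySmtpAddress -WhatIf
}
```

The first criterion in the list (that the address is the user's valid primary SMTP address in the on-premises organization) cannot be checked from Active Directory alone, so the CSV is assumed to have been exported from the third-party system's directory. Run once with -WhatIf to review the warnings, then remove it to make the changes.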

Step 5: Install and Configure Azure Active Directory Connect to synchronize mail-enabled users into Azure Active Directory (Microsoft 365 or Office 365)

1. Download and install Azure AD Connect.

2. View the prerequisites and choose the Customize option.

3. In the optional features section, select Exchange Hybrid Deployment.

The Exchange Hybrid Deployment feature allows Exchange mailboxes to coexist
on-premises and in Microsoft 365 or Office 365. With this feature selected, Azure AD
Connect synchronizes a specific set of attributes from Azure AD back into your
on-premises directory.

Step 6: Configure shared namespace routing

In the context of this cross-premises email scenario, a shared namespace refers to an
SMTP addressing namespace. When you configure a shared namespace, you define how
messages will be routed between your on-premises mail system and the cloud, and how
messages will be routed between your on-premises system, the cloud, and the internet.

The procedure for implementing a shared namespace depends on:

Your on-premises email system.

Whether you will be configuring your MX record to point to your on-premises
email system or to Microsoft 365 or Office 365.

In either case, the cloud-based Exchange Online configurations are similar. After you've
configured a shared namespace, you should be able to send email between the two
messaging systems. If free/busy is required as part of the coexistence strategy, work
with the software vendor to ensure the namespace planning will work with their
free/busy application.

Step 7: Disable TNEF to your on-premises messaging system

As previously mentioned, Exchange Online will, by default, send TNEF-encoded
messages to the on-premises system. To disable this functionality, see Manage remote
domains in Exchange Online.
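As an added example of this step (not code from the Microsoft documentation), the following commands create the remote domain for the on-premises primary SMTP domain in Exchange Online and turn TNEF off for it, then read the setting back. The on-premises domain contoso.com and the remote domain name OnPremContoso are assumptions; run the commands in an Exchange Online PowerShell session.

```powershell
# Added example (not Microsoft's code). Disable TNEF for the on-premises domain.
# Assumptions: on-premises primary SMTP domain contoso.com, remote domain object
# named OnPremContoso. Requires an existing Exchange Online PowerShell session.
$OnPremDomain = 'contoso.com'      # assumption
$RemoteName   = 'OnPremContoso'    # assumption

# Reuse an existing remote domain for this SMTP domain instead of creating a duplicate.
$rd = Get-RemoteDomain | Where-Object { $_.DomainName -eq $OnPremDomain }
if (-not $rd) {
    $rd = New-RemoteDomain -Name $RemoteName -DomainName $OnPremDomain
}

# TNEFEnabled $false forces MIME (HTML or plain text) for all mail to this domain.
# The default ($null) lets the sender's client decide, which is what produces
# winmail.dat attachments on a non-Exchange system.
Set-RemoteDomain -Identity $rd.Identity -TNEFEnabled $false

# Verify the change; TNEFEnabled should now read False for the domain.
Get-RemoteDomain -Identity $rd.Identity | Format-List Name, DomainName, TNEFEnabled
```

Scope the remote domain to the on-premises SMTP domain only, so the TNEF change does not affect mail to other external domains, which continue to use the Default remote domain settings.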

Mailbox migration
This section provides links to more information about migrating mailboxes from your
on-premises organization to the cloud.

Moving messaging-related data

As previously stated, the majority of messaging migration tools that are included with
Microsoft 365 and Office 365 are designed to work with Exchange Server. However,
Microsoft 365 and Office 365 also include the IMAP migration tool for generic email
data migration.

For organizations that use Outlook as an email client, you can also use the PST Capture
tool to migrate messaging data to the cloud.

For other messaging migration solutions, you might need to work with a third-party
solution provider.

Here are some third-party migration tools and partners that can assist with Exchange
migrations from third-party platforms:

Binary Tree: Provider of cross-platform messaging migration and coexistence
software, with products that provide for the analysis of and the coexistence and
migration between on-premises and online enterprise messaging and collaboration
environments based on IBM Lotus Notes and Domino and Microsoft Exchange and
Microsoft SharePoint.

BitTitan: Provider of migration solutions to Exchange Online.

Quest: Provider of on-premises and hosted migration and coexistence software,
including pre-migration analysis and complete user and application coexistence.
Full-featured migrations from on-premises Microsoft Exchange, IBM Domino,
Novell GroupWise, Zimbra and other environments to Microsoft 365, Office 365,
Exchange Online, and SharePoint Online.

Transvault: Provider of cloud office migration solutions to Microsoft 365 from
Exchange and Notes. Transvault supports 23 different sources for migration and
has products that deliver any size of project, complex email archive migrations, and
PST management. The enterprise migration solutions are secure, compliant,
efficient, and user-focused, and can be run both on-premises and in the cloud.

Converting cloud users to mailbox-enabled users

If you've already deployed a cross-premises mail routing environment as described in
this topic, the users that you've created in the cloud with directory synchronization are
mail-enabled users.

To provision mailboxes for these users, license them for Exchange Online in the
Microsoft 365 admin console. For more information, see Sync with existing users in
Azure AD.

Collaboration in Exchange Online
Article • 02/22/2023

Microsoft 365 or Office 365 and Exchange Online provide several features that can help
your end users easily collaborate in email.

Each of these features, described in the following sections, has a different user
experience and feature set and should be used based on what your users need to
accomplish and what your organization can provide.

This topic compares these collaboration features to help you decide which features to
offer your users.

Public folders
Public folders are designed for shared access and provide an easy and effective way to
collect, organize, and share information with other people in your workgroup or
organization.

Public folders organize content in a deep hierarchy that's easy to browse. Users discover
interesting and relevant content by browsing through branches of the hierarchy that are
relevant to them. Users always see the full hierarchy in their Outlook folder view. Public
folders are a great technology for distribution group archiving. A public folder can be
mail-enabled and added as a member of the distribution group. Email sent to the
distribution group is automatically added to the public folder for later reference. Public
folders also provide simple document sharing and don't require SharePoint to be
installed in your organization. Finally, end users can use public folders with the following
supported Outlook clients: Outlook 2010 or later and Outlook on the web (formerly
known as Outlook Web App), but with some limitations.

To learn more, see Public folders in Microsoft 365 or Office 365 and Exchange Online.

Shared mailboxes
A shared mailbox is a mailbox that multiple designated users can access to read and
send email messages and to share a common calendar. Shared mailboxes can provide a
generic email address (such as info@contoso.com or sales@contoso.com) that
customers can use to inquire about your company. If the shared mailbox has the Send
As permission assigned when a delegated user responds to the email message, it can
appear as though the mailbox (for example, sales@contoso.com) is responding, not the
actual user.

To learn more, see Shared mailboxes in Exchange Online.

Groups
Groups (also called distribution groups) are a collection of two or more recipients that
appears in the shared address book. When an email message is sent to a group, it's
received by all members of the group. Distribution groups can be organized by a
particular discussion subject (such as "Dog Lovers") or by users who share a common
work structure that requires them to communicate frequently.

To learn more, see Recipients in Exchange Online.

Which one to use?

The following table gives you a quick glance at each of the collaboration features to
help you decide which one to use.

Public folders | Shared mailboxes | Groups

Type of group
    Public folders: With the proper permissions, everyone in your organization can
    access and search public folders. Public folders are ideal for maintaining
    history or distribution group conversations.
    Shared mailboxes: Delegates working on behalf of a virtual identity, and they
    can respond to email as that shared mailbox identity. Example:
    support@tailspintoys.com
    Groups: Users who need to send email to a group of recipients with a common
    interest or characteristic.

Ideal group size
    Public folders: Large
    Shared mailboxes: Small (1)
    Groups: Large

Access
    Public folders: Accessible by anyone in your organization.
    Shared mailboxes: Users can be granted Full Access and/or Send As permissions.
    If granted Full Access permissions, users must also add the shared mailbox to
    their Outlook profile to access the shared mailbox.
    Groups: For distribution groups, members must be manually added. For dynamic
    distribution groups, members are added based on filtering criteria.

Shared calendar?
    Public folders: Yes
    Shared mailboxes: Yes
    Groups: No

Email arrives in user's personal Inbox?
    Public folders: No. Email arrives in the public folder.
    Shared mailboxes: No. Email arrives in the Inbox of the shared mailbox.
    Groups: Yes. Email arrives in the Inbox of a distribution group member.

Supported clients
    Public folders: Outlook 2010 or later; Outlook on the web
    Shared mailboxes: Outlook 2010 or later; Outlook on the web
    Groups: Outlook 2010 or later; Outlook on the web

Note

(1) Depending on workload, the ideal group size may be very small (not more than
25). If more than a few users need to access a shared mailbox at the same time,
consider one of the other options.

Public folders in Microsoft 365, Office 365, and Exchange Online
Article • 02/22/2023

Public folders are designed for shared access and provide an easy and effective way to
collect, organize, and share information with other people in your workgroup or
organization. Public folders help organize content in a deep hierarchy that's easy to
browse. Users will see the full hierarchy in Outlook, which makes it easy for them to
browse for the content they're interested in.

Note

Public folders are available in the following Outlook clients: Outlook on the web
(formerly known as Outlook Web App), Outlook 2007 or later, and Outlook for Mac.

Public folders can also be used as an archiving method for distribution groups. When
you mail-enable a public folder and add it as a member of the distribution group, email
sent to the group is automatically added to the public folder for later reference.

Note

Public folders functionality of the Classic Exchange admin center experience is
available in the new Exchange admin center as we continue to work on updated
versions. If you're using Edge incognito and this page isn't working, enable
third-party cookies.

Public folders aren't designed for the following purposes:

Data archiving. Users who have mailbox limits sometimes use public folders
instead of mailboxes to archive data. This practice isn't recommended because it
affects storage in public folders and undermines the goal of mailbox limits. Instead,
we recommend that you use In-Place Archiving as your archiving solution.

Document sharing and collaboration. Public folders don't provide versioning or
other document management features, such as controlled check-in and check-out
functionality and automatic notifications of content changes. Instead, we
recommend that you use SharePoint Online as your documentation sharing
solution.

For more information about public folders and other collaboration methods in Microsoft
365, Office 365, and Exchange Online, see Collaboration in Exchange Online.

For more information about public folder quotas in Microsoft 365, Office 365, and
Exchange Online, see the service description articles Sharing and collaboration and
Exchange Online limits.

For a list of public folder management tasks, see Public folder procedures in Microsoft
365, Office 365, and Exchange Online.

For more information about the public folder limits in Microsoft 365, Office 365, and
Exchange Online, see Exchange Online limits.

Looking for the Exchange Server version of this article? See Public folders in Microsoft
365, Office 365, and Exchange Online.

Public folder architecture

Public folder architecture uses specially designed mailboxes to store both the public
folder hierarchy and the content. The main architectural components of public folders
are the public folder mailboxes.

Public folder mailboxes

There are two types of public folder mailboxes: the primary hierarchy mailbox and
secondary hierarchy mailboxes. Both types of mailboxes can contain content:

Primary hierarchy mailbox: The primary hierarchy mailbox is the one writable copy
of the public folder hierarchy. The public folder hierarchy is copied to all other
public folder mailboxes, but these will be read-only copies.

Secondary hierarchy mailboxes: Secondary hierarchy mailboxes contain public
folder content as well as a read-only copy of the public folder hierarchy.

There are two ways you can manage public folder mailboxes:

In the Exchange admin center (EAC), navigate to Public folders > Public folder
mailboxes.

In Exchange Online PowerShell, use the *-Mailbox set of cmdlets.

Public folder hierarchy

The public folder hierarchy contains the folders' properties and organizational
information, including tree structure. Each public folder mailbox contains a copy of the
public folder hierarchy. There's only one writeable copy of the hierarchy, which is in the
primary public folder mailbox. For a specific folder, the hierarchy information is used to
identify the following:

Permissions on the folder

The folder's position in the public folder tree, including its parent and child folders

Note

The hierarchy doesn't store information about email addresses for mail-enabled
public folders. Email addresses are stored in the directory.

Hierarchy synchronization

The public folder hierarchy synchronization process uses Incremental Change
Synchronization (ICS), which provides a mechanism to monitor and synchronize changes
to an Exchange store hierarchy or content. The changes include creating, modifying, and
deleting folders and messages. When users are connected to and using content
mailboxes, synchronization occurs every 15 minutes. If no users are connected to a
content mailbox, synchronization is triggered less often (every 24 hours). If a write
operation such as creating a folder is performed on the primary hierarchy,
synchronization to the content mailbox is triggered immediately (synchronously).

Important

Because there's only one writeable copy of the hierarchy, folder creation is proxied
to the hierarchy mailbox by the content mailbox users are connected to.

For more information, see Update the public folder hierarchy.

Public folder content

Public folder content can include email messages, posts, documents, and eForms. The
content is stored in the public folder mailbox but isn't replicated across multiple public
folders mailboxes. All users access the same public folder mailbox for the same set of
content. Although a full text search of public folder content is available, public folder
content isn't searchable across public folders (except when using the Content Search
eDiscovery tool in the Microsoft Purview compliance portal) and the content isn't
indexed by Exchange Search.

Considerations
Although there are many advantages to using public folders in Microsoft 365, Office
365, and Exchange Online, there are some things to consider before implementing them
in your organization:

Outlook on the web is supported, but with limitations. You can add and remove
favorite public folders and perform item-level operations such as creating, editing,
deleting posts, and replying to posts. However, you can't create or delete public
folders from Outlook on the web.

Although a full text search of public folder content is available, public folder
content isn't searchable across public folders and the content isn't indexed by
Exchange Search.

You must use Exchange Online supported Outlook client or later to access public
folders in Microsoft 365, Office 365, and Exchange Online.

Migrating public folders to Microsoft 365 or Office 365 and Exchange Online

When you migrate your public folders, you'll use a process called batch public folder
migration. Batch public folder migration (or simply batch migration) creates a mailbox
migration request for each public folder mailbox that will exist in Exchange Online.
Using multiple requests means the migration will move along much faster because it's
able to make more efficient use of available network bandwidth. It's also more reliable
because it reduces the possibility of a single failure or bottleneck affecting the entire
migration.

While batch migrations need to be started using the New-MigrationBatch cmdlet in
Exchange Online PowerShell, the progress and completion of the migration can be
viewed and managed in the EAC. Because the New-MigrationBatch cmdlet initiates a
mailbox migration request for each public folder mailbox, you can view the status of
these requests using the mailbox migration page. You can get to the mailbox migration
page, and create migration reports that can be emailed to you, by opening the EAC in
Exchange Online and navigating to Mailbox > Migration.

To use batch migration to migrate your public folders to Exchange Online, your legacy
Exchange server needs to meet the requirements in the following list. If it does, and
you're ready to start, check out Use batch migration to migrate legacy public folders to
Microsoft 365 or Office 365 and Exchange Online.

Exchange supports moving your public folders to Microsoft 365 or Office 365 and
Exchange Online from the following legacy versions of Exchange Server:

Exchange Server 2010 SP3 RU8 or later

See Use batch migration to migrate Exchange Server public folders to Exchange Online
to migrate your Exchange Server public folders.

We recommend that you use batch migration instead of Outlook's PST export feature to
migrate public folders to Microsoft 365 or Office 365 and Exchange Online. Microsoft
365 and Office 365 public folder mailbox growth is managed using an auto-split feature
that splits the public folder mailbox when it exceeds size quotas. Auto-split can't handle
the sudden growth of public folder mailboxes when you use PST export to migrate your
public folders and you might have to wait for up to two weeks for auto-split to move
the data from the primary mailbox. We provide batch migration instructions in Use
batch migration to migrate legacy public folders to Microsoft 365 or Office 365 and
Exchange Online and Use batch migration to migrate Exchange Server public folders to
Exchange Online. However, if you've elected to do a PST migration and have run into an
issue where the primary mailbox is full, you have two options for recovering the PST
migration:

1. Wait for the auto-split to move the data from the primary mailbox. This may take
up to two weeks. However, all the public folders in a completely filled public folder
mailbox won't be able to receive new content until the auto-split completes.

2. Create a public folder mailbox and then use the New-PublicFolder cmdlet with the
Mailbox parameter to create the remaining public folders in the secondary public
folder mailbox. This example creates a new public folder named PF201 in the
secondary public folder mailbox.

PowerShell

New-PublicFolder -Name PF201 -Mailbox SecondaryPFMbx
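The script below is an added example, not code from the Microsoft documentation. It carries option 2 through end to end in an Exchange Online PowerShell session: it measures how full the primary hierarchy mailbox is, and if it is near its quota it creates the secondary public folder mailbox (if missing) and creates the remaining folders in it with the -Mailbox parameter, skipping folders that already exist. The mailbox name SecondaryPFMbx comes from the command above; the 90% fullness threshold and the folder paths are assumptions constructed for the example.

```powershell
# Added example (not Microsoft's code). Recover a PST migration whose primary
# public folder mailbox is full by creating the remaining folders in a secondary
# public folder mailbox. Assumes an Exchange Online PowerShell session.
$SecondaryName    = 'SecondaryPFMbx'                 # name used by the page's own command
$RemainingFolders = @('\PF201', '\Projects\PF202')   # constructed sample paths (assumption)
$FullRatio        = 0.9                              # assumption: treat 90% of quota as "full"

function ConvertTo-Bytes([string]$Size) {
    # Size values arrive as text such as "95.2 GB (102,231,240,704 bytes)";
    # "Unlimited" and anything else without a byte count yield 0.
    if ($Size -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return 0
}

# The primary hierarchy mailbox holds the only writeable copy of the hierarchy.
$primary = Get-Mailbox -PublicFolder | Where-Object { $_.IsRootPublicFolderMailbox }
$stats   = Get-MailboxStatistics -Identity $primary.Identity
$used    = ConvertTo-Bytes "$($stats.TotalItemSize)"
$quota   = ConvertTo-Bytes "$($primary.ProhibitSendReceiveQuota)"
Write-Host ("Primary PF mailbox {0}: {1:N1} GB used of {2:N1} GB quota" -f $primary.Name, ($used / 1GB), ($quota / 1GB))

if ($quota -gt 0 -and $used -ge $FullRatio * $quota) {
    # Create the secondary mailbox only if it does not exist yet.
    if (-not (Get-Mailbox -PublicFolder -Identity $SecondaryName -ErrorAction SilentlyContinue)) {
        New-Mailbox -PublicFolder -Name $SecondaryName | Out-Null
        Write-Host "Created secondary public folder mailbox $SecondaryName"
    }
    foreach ($path in $RemainingFolders) {
        $parent = Split-Path -Path $path -Parent
        if ([string]::IsNullOrEmpty($parent)) { $parent = '\' }
        $leaf = Split-Path -Path $path -Leaf
        if (Get-PublicFolder -Identity $path -ErrorAction SilentlyContinue) {
            Write-Host "$path already exists; skipped"
            continue
        }
        # -Mailbox places the folder's content in the secondary mailbox; the
        # hierarchy entry is still written through the primary mailbox.
        New-PublicFolder -Name $leaf -Path $parent -Mailbox $SecondaryName | Out-Null
        Write-Host "Created $path in $SecondaryName"
    }
}
else {
    Write-Host 'Primary public folder mailbox is below the threshold; nothing to do.'
}
```

Parent folders in the list must already exist, since New-PublicFolder does not create intermediate folders; list them in parent-before-child order if they are also being created here.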


Public folder procedures in Office 365,
Microsoft 365, and Exchange Online
Article • 02/22/2023

Use batch migration to migrate legacy public folders to Microsoft 365 or Office 365 and
Exchange Online

Use batch migration to migrate Exchange Server public folders to Exchange Online

Configure legacy on-premises public folders for a hybrid deployment

Configure Exchange Server public folders for a hybrid deployment

Configure Exchange Online public folders for a hybrid deployment

Set up public folders in a new organization

Access public folders with Outlook 2016 for Mac

Create a public folder mailbox

Create a public folder

Recover a deleted public folder mailbox

Use favorite public folders in Outlook on the web

Mail-enable or mail-disable a public folder

Update the public folder hierarchy

Remove a public folder

Restore a deleted public folder

Restore deleted items from public folder

View statistics for public folders and public folder items


Use batch migration to migrate legacy
public folders to Microsoft 365 or Office
365
Article • 02/22/2023

Summary: Use these procedures to move your Exchange 2010 public folders to
Microsoft 365 or Office 365.

This topic describes how to migrate your public folders in a cutover or staged migration
from Update Rollup 8 for Exchange Server 2010 Service Pack 3 (SP3) to Microsoft 365 or
Office 365 and Exchange Online.

This topic refers to the Exchange 2010 SP3 RU8 server as the legacy Exchange server.
Also, the steps in this topic apply to both Exchange Online and Microsoft 365 or Office
365. The terms may be used interchangeably in this topic.

We recommend that you don't use Outlook's PST export feature to migrate public
folders to Microsoft 365 or Office 365 or Exchange Online. Microsoft 365, Office 365,
and Exchange Online public folder mailbox growth is managed using an auto-split
feature that splits the public folder mailbox when it exceeds size quotas. Auto-split can't
handle the sudden growth of public folder mailboxes when you use PST export to
migrate your public folders and you may have to wait for up to two weeks for auto-split
to move the data from the primary mailbox. We recommend that you use the cmdlet-
based instructions in this document to migrate public folders to Microsoft 365, Office
365, or Exchange Online. However, if you elect to migrate public folders using PST
export, see the Migrate Public Folders to Microsoft 365 or Office 365 by using Outlook
PST export section later in this topic.

You'll perform the migration using the *-MigrationBatch cmdlets, in addition to the
following PowerShell scripts:

SourceSideValidations.ps1: Source Side Validation script scans the public folders
at source and reports issues found along with action to fix the issues. You'll run this
script on the legacy Exchange server on-premises.

Export-PublicFolderStatistics.ps1: This script creates the folder name-to-folder
size mapping file. You'll run this script on the legacy Exchange server.

Export-PublicFolderStatistics.psd1: This support file is used by the
Export-PublicFolderStatistics.ps1 script and should be downloaded to the same
location.

PublicFolderToMailboxMapGenerator.ps1: This script creates the public folder-to-
mailbox mapping file by using the output from the Export-PublicFolderStatistics.ps1
script. You'll run this script on the legacy Exchange server.

PublicFolderToMailboxMapGenerator.strings.psd1: This support file is used by the
PublicFolderToMailboxMapGenerator.ps1 script and should be downloaded to the
same location.

Create-PublicFolderMailboxesForMigration.ps1: This script creates the target
public folder mailboxes for the migration. In addition, this script calculates the
number of mailboxes necessary to handle the estimated user load, based on the
guidelines for the number of user logons per public folder mailbox recommended
in Limits for Public Folders.

Create-PublicFolderMailboxesForMigration.strings.psd1: This support file is used
by the Create-PublicFolderMailboxesForMigration.ps1 script and should be
downloaded to the same location.

Sync-MailPublicFolders.ps1: This script synchronizes mail-enabled public folder
objects between your local Exchange deployment and Microsoft 365 or Office 365.
You'll run this script on the legacy Exchange server.

SyncMailPublicFolders.strings.psd1: This is a support file used by the
Sync-MailPublicFolders.ps1 script and should be copied to the same location as the
preceding scripts.

Step 1: Download the migration scripts provides details about where to download these
scripts. Make sure all scripts are downloaded to the same location.

What versions of Exchange are supported for migrating public folders to Microsoft 365 or Office 365 and Exchange Online?

Exchange supports moving your public folders to Microsoft 365 or Office 365 and
Exchange Online from the following legacy versions of Exchange Server:

Exchange 2010 SP3 RU8 or later


If you need to move your public folders to Exchange Online but your on-premises
servers aren't running the minimum supported version of Exchange 2010, we strongly
recommend that you upgrade your on-premises servers and use batch migration, which
is the only supported public folder migration method.

You can't migrate public folders directly from Exchange 2003 or Exchange 2007. If you're
running Exchange 2007 or earlier in your organization, you need to move all public
folder databases and replicas to Exchange 2010 SP3 RU8 or later. No public folder
replicas can remain on Exchange 2007 or earlier. Additionally, mail destined for an
Exchange 2013 or later public folder can't be routed through an Exchange 2003 or
Exchange 2007 server.

What do you need to know before you begin?

The Exchange 2010 server needs to be running Exchange 2010 SP3 RU8 or later.

In Microsoft 365 or Office 365 and Exchange Online, you need to be a member of
the Organization Management role group. This role group is different from the
permissions assigned to you when you subscribe to Microsoft 365, Office 365, or
Exchange Online. For details about how to enable the Organization Management
role group, see Manage role groups in Exchange Online.

In Exchange 2010, you need to be a member of the Organization Management or
Server Management RBAC role groups. For details, see Add Members to a Role
Group.

Before you begin the public folder migration, if any single public folder in your
organization is larger than 25 GB, we recommend that you delete content from
that folder to make it smaller. Or, we recommend that you divide the public
folder's content into multiple, smaller public folders. Note that the 25 GB limit cited
here only applies to the public folder and not to any child or sub-folders the folder
in question may have. If neither option is feasible, we recommend that you do not
move your public folders to Exchange Online. See Exchange Online Limits for more
information. Note: If your current public folder quotas in Exchange Online are less
than 25 GB, you can use the Set-OrganizationConfig cmdlet to increase them with
the DefaultPublicFolderIssueWarningQuota and
DefaultPublicFolderProhibitPostQuota parameters.

If you use a firewall and access control lists (ACLs), ensure that the IP ranges used by
Microsoft 365 or Office 365 in your region are permitted through your firewall.

In Microsoft 365, Office 365, and Exchange Online, you can create a maximum of
1,000 public folder mailboxes.

Before you migrate your public folders, we recommend that you first move all user
mailboxes to Microsoft 365 or Office 365 and Exchange Online. For details, see
Ways to migrate multiple email accounts to Microsoft 365 or Office 365. However,
the public folder administrator who performs the migration still needs a mailbox
hosted on the legacy Exchange server: either keep that administrator's existing
on-premises mailbox, or create a new administrator account and assign it a mailbox
on the legacy Exchange server.

Outlook Anywhere needs to be enabled on the legacy Exchange server. For details
about enabling Outlook Anywhere on Exchange 2010 servers, see Enable Outlook
Anywhere.

You can't use the Exchange admin center (EAC) or the Exchange Management
Console (EMC) to perform this procedure. On the legacy Exchange servers, you
need to use the Exchange Management Shell. For Exchange Online, you need to
use Exchange Online PowerShell. For more information, see Connect to Exchange
Online PowerShell.

You must use a single migration batch to migrate all of your public folder data.
Exchange allows creating only one migration batch at a time. If you attempt to
create more than one migration batch simultaneously, the result will be an error.

Before you begin, we recommend that you read this topic in its entirety as
downtime is required for some steps.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Verify whether DefaultPublicFolderAgeLimit is configured at the organization level
(Get-OrganizationConfig | Format-List DefaultPublicFolderAgeLimit) and whether any
individual public folder has an AgeLimit configured
(Get-PublicFolder <FolderPath> | Format-List AgeLimit), so that automatic deletion
of content during the migration can be prevented.
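The following script is an added example; it is not part of the Microsoft documentation and is not the Source Side Validation script. Run from the Exchange Management Shell on the legacy Exchange 2010 SP3 RU8 server, it reports the two conditions from the list above that silently damage a migration: public folders larger than the 25 GB limit, and age limits (per folder, or per public folder database, which is where Exchange 2010 keeps the default retention) that would purge content while the batch is running. The report path C:\PFScripts is the folder the page uses for its own scripts; the output file name is an assumption. The code avoids syntax newer than PowerShell 2.0 so that it runs in the Exchange 2010 shell.

```powershell
# Added example (not Microsoft's code). Pre-migration checks on the legacy
# Exchange 2010 server: oversized folders and age limits that can delete content.
# Assumptions: report written to C:\PFScripts\PreMigrationChecks.csv.
$ThresholdBytes = 25GB
$ReportPath     = 'C:\PFScripts\PreMigrationChecks.csv'
$findings       = @()

# 1. Folder sizes. TotalItemSize is deserialized as text such as
#    "1.5 GB (1,610,612,736 bytes)", so the byte count is parsed from the string.
Get-PublicFolderStatistics -ResultSize Unlimited | ForEach-Object {
    $bytes = 0
    if ("$($_.TotalItemSize)" -match '\(([\d,]+) bytes\)') {
        $bytes = [int64]($matches[1] -replace ',', '')
    }
    if ($bytes -gt $ThresholdBytes) {
        $findings += New-Object PSObject -Property @{
            Check  = 'FolderOver25GB'
            Folder = ($_.FolderPath -join '\')
            Value  = ([math]::Round($bytes / 1GB, 2)).ToString() + ' GB'
        }
    }
}

# 2. Per-folder age limits: items older than the limit are removed whether or not
#    they have been migrated yet.
Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited |
    Where-Object { "$($_.AgeLimit)" -ne '' } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Check  = 'FolderAgeLimit'
            Folder = $_.Identity.ToString()
            Value  = "$($_.AgeLimit)"
        }
    }

# 3. Database-level retention, the Exchange 2010 counterpart of an
#    organization-wide default age limit. "Unlimited" means no purge.
Get-PublicFolderDatabase |
    Where-Object { "$($_.ItemRetentionPeriod)" -ne 'Unlimited' } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Check  = 'DatabaseRetention'
            Folder = $_.Name
            Value  = "$($_.ItemRetentionPeriod)"
        }
    }

$findings | Select-Object Check, Folder, Value |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} finding(s) written to {1}" -f $findings.Count, $ReportPath)
$findings | Select-Object Check, Folder, Value | Format-Table -AutoSize
```

Every FolderOver25GB finding needs content removed or split into smaller folders before the batch is created, as the list above says; each age-limit finding should be cleared (or the limit lengthened past the expected migration window) so that content is not deleted on the source while the migration is still copying it.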

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Step 1: Download the migration scripts

1. Download all scripts and supporting files from Public Folders Migration Scripts .

2. Save the scripts to the local computer on which you'll be running PowerShell. For
example, C:\PFScripts. Make sure all scripts are saved in the same location.

3. Download the following files from Mail-enabled Public Folders - directory sync
script :

Sync-MailPublicFolders.ps1

SyncMailPublicFolders.strings.psd1

4. Download the source side validation script from
https://www.microsoft.com/download/confirmation.aspx?id=100414

5. Save the scripts to the same location you did for step 2. For example, C:\PFScripts.

Step 2: Prepare for the migration

Perform the following prerequisite steps before you begin the migration.

Note

We strongly recommend running the Source Side Validation script from an on-premises
Exchange Server 2010 with the Mailbox role. The script will scan and report
issues that are known to cause migration to be slow, along with guidance to fix
these issues. Please use the examples as documented here.

General prerequisite steps

Make sure that there are no orphaned public folder mail objects in Active
Directory, meaning objects in Active Directory without a corresponding Exchange
object.

Confirm that the SMTP email addresses configured for public folders in Active
Directory match the SMTP email addresses on the Exchange objects.

Make sure that there are no duplicate public folder objects in Active Directory, to
avoid a situation where two or more Active Directory objects are pointing to the
same mail-enabled public folder.

Prerequisite steps on the legacy Exchange server


Note

We strongly recommend running the Source Side Validation script from an on-premises
Exchange Server 2010 server with the Mailbox role. The script will scan and report
issues that are known to cause migration to be slow, along with guidance to fix
these issues. Please use the examples as documented here. The script covers all of
the following prerequisites.

1. On the legacy Exchange server, make sure that routing to the mail-enabled public
folders that will exist in Microsoft 365 or Office 365 or Exchange Online continues
to work until all DNS caches over the internet are updated to point to the
Microsoft 365, Office 365, or Exchange Online DNS where your organization now
resides. To do this, run the following command to configure an accepted domain
with a well-known name that will properly route email messages to the Microsoft
365, Office 365, or Exchange Online domain.

PowerShell

New-AcceptedDomain -Name "PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99" -DomainName <target domain> -DomainType InternalRelay

Example:

PowerShell

New-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 -DomainName 'contoso.mail.onmicrosoft.com' -DomainType InternalRelay

If the accepted domain already exists in your on-premises environment, rename it
to PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 and leave the
other attributes intact.

To check if the accepted domain is already present in your on-premises
environment, run the following:

PowerShell

Get-AcceptedDomain | Where {$_.DomainName -eq "<target domain>"}


To rename the accepted domain to
PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99, run the
following:

PowerShell

Get-AcceptedDomain | Where {$_.DomainName -eq "<target domain>"} | Set-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99

If you're expecting your mail-enabled public folders in Exchange Online to receive
external emails from the Internet, you have to disable Directory Based Edge
Blocking (DBEB) in Exchange Online and Exchange Online Protection (EOP). See
Use Directory Based Edge Blocking to reject messages sent to invalid recipients for
more information.

If the name of a public folder contains a backslash ( \ ) or a forward slash ( / ), the
public folders might be created in the parent public folder when migration occurs.
Before you migrate, we recommend that you rename any public folders that have a
backslash or a forward slash in the name.

In Exchange 2010, to locate public folders that have a backslash in the name, run
the following command:

PowerShell

Get-PublicFolderStatistics -ResultSize Unlimited | Where {($_.Name -like "*\*") -or ($_.Name -like "*/*") } | Format-List Name,Identity

2. If any public folders are returned, you can rename them by running the following
command:

PowerShell

Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>

3. Make sure there isn't a previous record of a successful migration. If there is, you'll
need to set that value to $false . If the value is set to $true , the migration request
will fail.

The following example checks the public folder migration status.

PowerShell

Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration,PublicFolderMigrationComplete

4. (Note that this step is only necessary if you are re-attempting a migration that
failed previously.) If the status of the PublicFoldersLockedforMigration or
PublicFolderMigrationComplete properties is $true , run the following command to
set the value to $false .

PowerShell

Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false

Caution

After resetting these properties, you need to wait for Exchange to detect the
new settings. This may take up to two hours to complete.

5. For verification purposes at the end of migration, we recommend that you first run
the following Exchange Management Shell commands on the legacy Exchange
server to take snapshots of your current public folder deployment.

Run the following command to take a snapshot of the original source folder
structure.

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Export-CliXML C:\PFMigration\Legacy_PFStructure.xml

Run the following command to take a snapshot of public folder statistics such as
item count, size, and owner.

PowerShell

Get-PublicFolderStatistics -ResultSize Unlimited | Export-CliXML C:\PFMigration\Legacy_PFStatistics.xml

Run the following command to take a snapshot of the permissions.

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Legacy_PFPerms.xml

Save the information from the preceding commands for comparison at the end of
the migration.

6. If you are using Microsoft Azure Active Directory Connect (Azure AD Connect) to
synchronize your on-premises directories with Azure Active Directory, you need to
do the following (if you are not using Azure AD Connect, you can skip this step):

a. On an on-premises computer, open Microsoft Azure Active Directory Connect,
and then select Configure.

b. On the Additional tasks screen, select Customize synchronization options, and
then click Next.

c. On the Connect to Azure AD screen, enter the appropriate credentials, and then
click Next. Once connected, keep clicking Next until you are on the Optional
Features screen.

d. Make sure that Exchange Mail Public Folders is not selected. If it isn't selected,
you can continue to the next section, Prerequisite steps in Microsoft 365, Office
365, or Exchange Online. If it is selected, click to clear the check box, and then
click Next.

Note

If you don't see Exchange Mail Public Folders as an option on the
Optional Features screen, you can exit Microsoft Azure Active Directory
Connect and proceed to the next section, Prerequisite steps in Microsoft
365, Office 365, or Exchange Online.

7. After you have cleared the Exchange Mail Public Folders selection, keep clicking
Next until you are on the Ready to configure screen, and then click Configure.

For detailed syntax and parameter information, see the following topics:

New-AcceptedDomain
Get-PublicFolder
Get-PublicFolderDatabase
Set-PublicFolder
Get-PublicFolderStatistics
Get-PublicFolderClientPermission
Get-OrganizationConfig
Set-OrganizationConfig
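The legacy-side checks and snapshots in steps 1 through 5 above can be run as a single pass. The following script is an added example written for this article, not one of Microsoft's migration scripts. It assumes an Exchange 2010 Management Shell session and uses only the cmdlets shown above; the target domain, the snapshot folder and the -FixAcceptedDomain switch are parameters of the example, and the switch is the only part that changes configuration (everything else is read-only or writes snapshot files).

```powershell
# Added example, not one of Microsoft's migration scripts. Run in the Exchange 2010
# Management Shell on the legacy server. Reports prerequisite problems from Step 2 and
# writes the three Legacy_*.xml snapshots used by the post-migration comparison.
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetDomain,                      # e.g. contoso.mail.onmicrosoft.com
    [string]$SnapshotPath = 'C:\PFMigration',   # snapshot location used in this article
    [switch]$FixAcceptedDomain                  # create or rename the accepted domain
)

$WellKnownName = 'PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99'
$problems = New-Object 'System.Collections.Generic.List[string]'

# 1. Accepted domain with the well-known name that routes mail to the migrated folders.
$domain = Get-AcceptedDomain | Where-Object { $_.DomainName -eq $TargetDomain }
if (-not $domain) {
    if ($FixAcceptedDomain) {
        New-AcceptedDomain -Name $WellKnownName -DomainName $TargetDomain -DomainType InternalRelay | Out-Null
    } else {
        $problems.Add("Accepted domain for $TargetDomain is missing (rerun with -FixAcceptedDomain to create it)")
    }
} elseif ($domain.Name -ne $WellKnownName) {
    if ($FixAcceptedDomain) {
        $domain | Set-AcceptedDomain -Name $WellKnownName
    } else {
        $problems.Add("Accepted domain '$($domain.Name)' must be renamed to $WellKnownName")
    }
}

# 2. Folder names containing \ or / may be created under the wrong parent during migration.
$badNames = Get-PublicFolderStatistics -ResultSize Unlimited |
    Where-Object { ($_.Name -like '*\*') -or ($_.Name -like '*/*') }
foreach ($f in $badNames) {
    $problems.Add("Rename folder with a slash in its name: $($f.Identity)")
}

# 3. A leftover record of a locked or completed migration makes the new request fail.
$org = Get-OrganizationConfig
if ($org.PublicFoldersLockedForMigration -or $org.PublicFolderMigrationComplete) {
    $problems.Add('PublicFoldersLockedForMigration or PublicFolderMigrationComplete is $true; reset both to $false and allow up to two hours for the change to be detected')
}

# 4. Snapshots of structure, statistics and permissions for comparison after migration.
if (-not (Test-Path $SnapshotPath)) {
    New-Item -ItemType Directory -Path $SnapshotPath | Out-Null
}
Get-PublicFolder -Recurse -ResultSize Unlimited |
    Export-Clixml (Join-Path $SnapshotPath 'Legacy_PFStructure.xml')
Get-PublicFolderStatistics -ResultSize Unlimited |
    Export-Clixml (Join-Path $SnapshotPath 'Legacy_PFStatistics.xml')
Get-PublicFolder -Recurse -ResultSize Unlimited |
    Get-PublicFolderClientPermission |
    Select-Object Identity, User -ExpandProperty AccessRights |
    Export-Clixml (Join-Path $SnapshotPath 'Legacy_PFPerms.xml')

if ($problems.Count -eq 0) {
    Write-Host "No prerequisite problems found; snapshots written to $SnapshotPath"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it once without -FixAcceptedDomain to see what it would report, fix or confirm the findings, then rerun. The Azure AD Connect step (step 6) is a GUI procedure and is not covered by the script.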

Prerequisite steps in Microsoft 365, Office 365, or Exchange Online

1. Make sure there are no existing public folder migration requests. If there are, clear
them or your own migration request will fail. This step isn't required in all cases; it's
only required if you think there may be an existing migration request in the
pipeline.

Important

Before removing a migration request, it is important to understand why there
was an existing one. Running the following commands will determine when a
previous request was made and help you diagnose any problems that may
have occurred. You may need to communicate with other administrators in
your organization to determine why the change was made.

The following example will discover any existing batch migration requests:

PowerShell

$batch = Get-MigrationBatch | ?{$_.MigrationType.ToString() -eq "PublicFolder"}

The following example removes any existing public folder batch migration
requests.

PowerShell

$batch | Remove-MigrationBatch -Confirm:$false

2. Make sure no public folders or public folder mailboxes exist in Microsoft 365 or
Office 365.

Important

If you do see public folders in Microsoft 365, Office 365, or Exchange Online, it
is important to determine why they are there, and who in your organization
started a public folder hierarchy, before you remove the public folders and
public folder mailboxes.

a. In Exchange Online PowerShell, run the following command to see if any public
folders mailboxes exist:

PowerShell

Get-Mailbox -PublicFolder

b. If the command didn't return any public folder mailboxes, continue to Step 3:
Generate the .csv files. If the command returned any public folders mailboxes,
run the following command to see if any public folders exist:

PowerShell

Get-PublicFolder

c. If you have any public folders in Microsoft 365, Office 365, or Exchange Online,
run the following PowerShell command to remove them. Make sure you've
saved any information that was in the public folders in Microsoft 365 or Office
365.

Caution

All information contained in the public folders will be permanently deleted
when you remove the public folders.

PowerShell

Get-MailPublicFolder | where {$_.EntryId -ne $null} | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren \ | Remove-PublicFolder -Recurse -Confirm:$false

d. After the public folders are removed, run the following commands to remove all
public folder mailboxes.

PowerShell

$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false

For detailed syntax and parameter information, see the following topics:

Get-MigrationBatch
Get-PublicFolderMailboxMigrationRequest
Remove-PublicFolderMailboxMigrationRequest
Get-Mailbox
Get-PublicFolder
Get-MailPublicFolder
Disable-MailPublicFolder
Remove-PublicFolder
Remove-Mailbox

Step 3: Generate the .csv files


1. On the legacy Exchange server, run the Export-PublicFolderStatistics.ps1 script
to create the folder name-to-folder size mapping file. This script needs to always
be run by a local administrator. The file will contain two columns: FolderName and
FolderSize. The values for the FolderSize column will be displayed in bytes. For
example, \PublicFolder01,10000.

PowerShell

.\Export-PublicFolderStatistics.ps1 <Folder to size map path> <FQDN of source server>

FQDN of source server equals the fully qualified domain name of the Mailbox
server where the public folder hierarchy is hosted.

Folder to size map path equals the file name and path on a network shared
folder where you want the .csv file saved. Later in this topic, you'll need to use
the Exchange Online PowerShell to access this file. If you specify only the file
name, the file will be generated in the current PowerShell directory on the
local computer.
If necessary, remove any mail-enabled system folders from the script output
before proceeding.

2. Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-
to-mailbox mapping file. This file is used to calculate the correct number of public
folder mailboxes in Exchange Online.

PowerShell

.\PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>

Before you run the script, use the following command to check the current
public folder limits in your Exchange Online tenant. Then, note the current
quota values for public folders.

PowerShell

Get-OrganizationConfig | Format-List *quota*

In Exchange Online, the default value is 1.7 GB for
DefaultPublicFolderIssueWarningQuota and 2 GB for
DefaultPublicFolderProhibitPostQuota.

Maximum mailbox size in bytes equals the maximum size that you want to set
for the new public folder mailboxes. In Exchange Online, the maximum size of
public folder mailboxes is 100 GB. We recommend that you use a setting of
75 GB so that each public folder mailbox has room to grow. Fewer public
folder mailboxes mean fewer connections from Outlook clients, which
might help to avoid performance issues; where the information is hosted is
transparent to users, who continue to see the same hierarchy on the client
side. Exchange Online has a default public folder "prohibit post" quota
of 2 GB. If you have individual public folders that are larger than 2 GB, you
can use any of the following options to fix this issue:

Before you start the migration batch, increase the default public folder
"prohibit post" quota by running the following command:

PowerShell

Set-OrganizationConfig -DefaultPublicFolderProhibitPostQuota <size value> -DefaultPublicFolderIssueWarningQuota <size value>

Before you start the migration batch, delete public folder content to reduce
the size of the content to 2 GB or less.

Before you start the migration batch, split the public folder into multiple
public folders that are each 2 GB or less.

Note

If the public folder is larger than 30 GB, and if it isn't feasible to delete
content or split it into multiple public folders, we recommend that you
don't move your public folders to Exchange Online.

Folder to size map path equals the file path of the .csv file that you created
when you ran the Export-PublicFolderStatistics.ps1 script.

Folder to mailbox map path equals the file name and path of the folder-to-
mailbox .csv file that you create in this step. If you specify only the file name,
the file is generated in the current PowerShell directory on the local
computer.

Note

After the scripts are run and the .csv files are generated, any new public folders or
updates to existing public folders will not be collected.
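Before handing the folder-to-size file to PublicFolderToMailboxMapGenerator.ps1, it is worth checking it against the quota figures described in this step. The following function is an added example, not part of Microsoft's scripts. It assumes the .csv has a FolderName,FolderSize header with sizes in bytes, as described in step 1, and the sample rows at the end are constructed for the example. The mailbox estimate is a plain division of the total size by the per-mailbox size, not the hierarchy-aware split that the map generator performs.

```powershell
# Added example, not one of Microsoft's migration scripts. Reads the FolderName,FolderSize
# file from Export-PublicFolderStatistics.ps1 and flags folders that exceed the Exchange
# Online quotas discussed above before the mapping file is generated.
function Test-PublicFolderSizeMap {
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [long]$ProhibitPostQuota = 2GB,   # Exchange Online default DefaultPublicFolderProhibitPostQuota
        [long]$HardLimit = 30GB,          # above this, the article advises against moving the folder
        [long]$MailboxSize = 75GB         # recommended value for <Maximum mailbox size in bytes>
    )
    # Assumption: the file carries a FolderName,FolderSize header (sizes are in bytes).
    $rows = @(Import-Csv -Path $CsvPath)
    $total = 0L
    $overQuota = @()
    $overLimit = @()
    foreach ($row in $rows) {
        $size = [long]$row.FolderSize
        $total += $size
        if ($size -gt $HardLimit) {
            $overLimit += $row.FolderName
        } elseif ($size -gt $ProhibitPostQuota) {
            $overQuota += $row.FolderName
        }
    }
    New-Object PSObject -Property @{
        FolderCount        = $rows.Count
        TotalBytes         = $total
        EstimatedMailboxes = [math]::Ceiling($total / $MailboxSize)   # rough, size-only estimate
        OverProhibitPost   = $overQuota    # raise the quota, trim, or split before migrating
        OverHardLimit      = $overLimit    # split or trim; do not migrate these as they are
    }
}

# Constructed sample in the shape of the script output; folder paths and sizes are invented.
$sample = @"
FolderName,FolderSize
\Projects,1048576
\Projects\Archive,2684354560
\HR,524288000
\Legal\Cases,34359738368
"@
$csv = Join-Path ([System.IO.Path]::GetTempPath()) 'pf_size_sample.csv'
Set-Content -Path $csv -Value $sample

# With the sample, \Projects\Archive (2.5 GB) lands in OverProhibitPost and
# \Legal\Cases (32 GB) in OverHardLimit; the total (about 35 GB) fits one 75 GB mailbox.
Test-PublicFolderSizeMap -CsvPath $csv | Format-List
```

Point -CsvPath at the real file produced in step 1 to get the same report for your hierarchy; any folder listed under OverHardLimit should be dealt with before the mapping file is generated, since the map generator cannot place it anywhere.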

Step 4: Create the public folder mailboxes in Exchange Online

Run the following command to create the target public folder mailboxes. The script will
create a target mailbox for each mailbox in the .csv file that you generated previously in
Step 3, by running the PublicFoldertoMailboxMapGenerator.ps1 script.

PowerShell

.\Create-PublicFolderMailboxesForMigration.ps1 -FolderMappingCsv Mapping.csv -EstimatedNumberOfConcurrentUsers:<estimate>

Mapping.csv is the file generated by the PublicFoldertoMailboxMapGenerator.ps1 script
in Step 3. The estimated number of simultaneous user connections browsing a public
folder hierarchy is usually less than the total number of users in an organization.

Note

Use Exchange Online PowerShell for running this script. For more information, see
Connect to Exchange Online PowerShell.

Step 5: Start the migration request


1. Perform the following steps on the Exchange server to fulfill the prerequisite for
running the Sync-MailPublicFolders.ps1 script.

a. Sign in with the account that has Enterprise administrator permissions.

b. Install EXO PowerShell. For information on how to install EXO PowerShell, see
here.

c. Launch PowerShell in administrator mode.

d. Run the following commands to start the synchronization:

PowerShell

Add-PSSnapin *exchange* | .\Sync-MailPublicFolders.ps1 -CsvSummaryFile:sync_summary.csv

e. Once prompted, enter the credentials for your Microsoft 365 tenant
administrator account.

2. On the legacy Exchange server, get the following information that's needed to run
the migration request:

a. Find the LegacyExchangeDN of the user's account who is a member of the Public
Folder Administrator role. This will be the same user whose credentials you need
in step 3 of this procedure.

Note

The account used must be mailbox enabled in the on-premises Exchange
Server. Create a new on-premises mailbox for the Public Folder
Administrator account if one doesn't exist there.

PowerShell

Get-Mailbox <PublicFolder_Administrator_Account> | Select-Object LegacyExchangeDN

b. Find the LegacyExchangeDN of any Mailbox server that has a public folder
database.

PowerShell

Get-ExchangeServer <public folder server> | Select-Object -Expand ExchangeLegacyDN

c. Find the FQDN of the Outlook Anywhere host name. If you have multiple
instances of Outlook Anywhere, we recommend that you select the instance
that is either closest to the migration endpoint or the one that is closest to the
public folder replicas in the legacy Exchange organization. The following
command will find all instances of Outlook Anywhere:

PowerShell

Get-OutlookAnywhere | Format-Table Identity,ExternalHostName

3. In Exchange Online PowerShell, run the following commands to pass the
information that was returned in the previous step to variables that will then be
used in the migration request.

a. Pass the credential of a user who has administrative permissions on the legacy
Exchange server into the variable $Source_Credential . The migration request
that's run in Exchange Online will use this credential to gain access to your
legacy Exchange servers to copy the content over.

PowerShell

$Source_Credential = Get-Credential <source_domain\PublicFolder_Administrator_Account>

b. Use the ExchangeLegacyDN of the migration user on the legacy Exchange server
that you found in step 2a and pass it into the variable
$Source_RemoteMailboxLegacyDN .

PowerShell

$Source_RemoteMailboxLegacyDN = "<paste the value here>"


c. Use the ExchangeLegacyDN of the public folder server that you found in step 2b
above and pass it into the variable $Source_RemotePublicFolderServerLegacyDN .

PowerShell

$Source_RemotePublicFolderServerLegacyDN = "<paste the value here>"

d. Use the External Host Name of Outlook Anywhere that you found in step 2c
above and pass it into the variable $Source_OutlookAnywhereExternalHostName .

PowerShell

$Source_OutlookAnywhereExternalHostName = "<paste the value here>"

4. Finally, in Exchange Online PowerShell, run the following commands to create the
migration request.

Note

The authentication method in the following example needs to match your
Outlook Anywhere settings. Otherwise, the command will fail.

PowerShell

$PfEndpoint = New-MigrationEndpoint -PublicFolder -Name PublicFolderEndpoint -RPCProxyServer $Source_OutlookAnywhereExternalHostName -Credentials $Source_Credential -SourceMailboxLegacyDN $Source_RemoteMailboxLegacyDN -PublicFolderDatabaseServerLegacyDN $Source_RemotePublicFolderServerLegacyDN -Authentication Basic
$bytes = [System.IO.File]::ReadAllBytes('folder_mapping.csv')
New-MigrationBatch -Name PublicFolderMigration -CSVData $bytes -SourceEndpoint $PfEndpoint.Identity -NotificationEmails <email addresses for migration notifications>

Where folder_mapping.csv is the map file that was generated in Step 3: Generate
the .csv files.

Note

The preceding command may fail with the error "Cannot find a recipient that has
mailbox GUID", where the GUID belongs to a public folder mailbox in Exchange
Online. This can happen because of Active Directory replication latency. In that
case, wait for an hour and retry the command.

5. Start the migration using the following command:

PowerShell

Start-MigrationBatch PublicFolderMigration

While batch migrations need to be created using the New-MigrationBatch cmdlet in
the Exchange Management Shell, the progress and completion of the migration can be
viewed and managed in the EAC. Because the New-MigrationBatch cmdlet initiates a
mailbox migration request for each public folder mailbox, you can view the status of
these requests using the mailbox migration page. You can get to the mailbox migration
page, and create migration reports that can be emailed to you, by doing the following:

1. Log into Exchange Online and open the EAC.

2. Navigate to Mailbox > Migration.

3. Select the migration request that was just created and then click View Details in
the Details pane.

For detailed syntax and parameter information, see the following topics:

Get-Mailbox

Get-ExchangeServer

Get-OutlookAnywhere

New-MigrationBatch

Get-PublicFolderDatabase

Get-PublicFolderMailboxMigrationRequest

Get-PublicFolderMailboxMigrationRequestStatistics
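Steps 2 through 4 above collect values in the on-premises shell and consume them in Exchange Online PowerShell, which makes copy-and-paste errors easy. The two functions below are an added example, not Microsoft's code, that make the handoff explicit: Collect-SourceInfo runs in the on-premises Exchange Management Shell and writes the three values to a file after checking that none is empty; New-PublicFolderMigration runs in Exchange Online PowerShell, reads that file and issues the same New-MigrationEndpoint and New-MigrationBatch calls shown in step 4. The function names, the file name pf_source_info.xml and the preference for the Outlook Anywhere instance on the public folder server itself are assumptions made for the example.

```powershell
# Added example, not part of Microsoft's documentation or scripts.

# Run in the on-premises Exchange Management Shell (Step 5, items 2a to 2c).
function Collect-SourceInfo {
    param(
        [Parameter(Mandatory = $true)][string]$AdminMailbox,        # Public Folder Administrator account
        [Parameter(Mandatory = $true)][string]$PublicFolderServer,  # Mailbox server with a public folder database
        [string]$OutFile = '.\pf_source_info.xml'                   # assumed file name for the handoff
    )
    $mbx = Get-Mailbox $AdminMailbox               # fails if the account is not mailbox enabled
    $srv = Get-ExchangeServer $PublicFolderServer
    # Prefer the Outlook Anywhere instance on the public folder server; fall back to the first one.
    $oa = Get-OutlookAnywhere | Where-Object { "$($_.Server)" -eq $srv.Name } | Select-Object -First 1
    if (-not $oa) { $oa = Get-OutlookAnywhere | Select-Object -First 1 }

    $info = New-Object PSObject -Property @{
        MailboxLegacyDN      = "$($mbx.LegacyExchangeDN)"
        PublicFolderServerDN = "$($srv.ExchangeLegacyDN)"
        OutlookAnywhereHost  = "$($oa.ExternalHostName)"
    }
    # Refuse to write a file that would produce a broken migration endpoint later.
    foreach ($p in $info.PSObject.Properties) {
        if ([string]::IsNullOrEmpty($p.Value)) { throw "Could not determine $($p.Name)" }
    }
    $info | Export-Clixml $OutFile
    $info
}

# Run in Exchange Online PowerShell (Step 5, items 3 and 4) with the file from Collect-SourceInfo.
function New-PublicFolderMigration {
    param(
        [Parameter(Mandatory = $true)][string]$InfoFile,
        [Parameter(Mandatory = $true)][string]$MappingCsv,          # folder_mapping.csv from Step 3
        [Parameter(Mandatory = $true)][string[]]$NotificationEmails,
        [string]$BatchName = 'PublicFolderMigration'
    )
    $info = Import-Clixml $InfoFile
    # Credential of the Public Folder Administrator account on the legacy server.
    $cred = Get-Credential -Message 'source_domain\PublicFolder_Administrator_Account'
    # Authentication must match the Outlook Anywhere configuration, as noted above.
    $endpoint = New-MigrationEndpoint -PublicFolder -Name PublicFolderEndpoint `
        -RPCProxyServer $info.OutlookAnywhereHost -Credentials $cred `
        -SourceMailboxLegacyDN $info.MailboxLegacyDN `
        -PublicFolderDatabaseServerLegacyDN $info.PublicFolderServerDN `
        -Authentication Basic
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $MappingCsv).Path)
    New-MigrationBatch -Name $BatchName -CSVData $bytes -SourceEndpoint $endpoint.Identity `
        -NotificationEmails $NotificationEmails
}

# Usage, on the legacy server:
#   Collect-SourceInfo -AdminMailbox PFAdmin -PublicFolderServer MBX01
# then, in Exchange Online PowerShell, after copying pf_source_info.xml across:
#   New-PublicFolderMigration -InfoFile .\pf_source_info.xml -MappingCsv .\folder_mapping.csv -NotificationEmails admin@contoso.com
```

Copy pf_source_info.xml between the two machines by whatever means you use for administrative files; it contains directory names and a host name, not credentials, which are prompted for in the Exchange Online session. The batch is created but not started, so Start-MigrationBatch in step 5 still applies.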

Step 6: Lock down the public folders on the legacy Exchange server for final migration (downtime required)

Until this point in the migration process, users have been able to access public folders.
The next steps will log users off from the legacy public folders and lock the folders while
the migration completes its final synchronization. Users won't be able to access public
folders during this process. Also, any mail sent to mail-enabled public folders will be
queued and won't be delivered until the public folder migration is complete.

Note

The final sync may take a substantial amount of time, depending on the changes
made in the source environment, the size of the public folder deployment, server
capacity, and so on. If the folder hierarchy had many corrupt ACLs that were not
cleaned up before the migration started, completion can be delayed significantly. We
recommend planning for a minimum of 48 hours of downtime for the final sync to
complete.

Ensure the migration batch and individual migration requests have successfully synced.

Run the following commands in Exchange Online PowerShell to get the details:

PowerShell

Get-MigrationBatch |?{$_.MigrationType -like "*PublicFolder*"} | Format-Table *last*sync*

PowerShell

Get-PublicFolderMailboxMigrationRequest | Get-PublicFolderMailboxMigrationRequestStatistics | Format-Table targetmailbox,*last*sync*

The LastSyncedDate (on the migration batch) and LastSuccessfulSyncTimestamp (on the
individual jobs) should be within the last 7 days. If either is much older, for example
older than a month, review the public folder migration requests and ensure that all of
them synced recently.
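A quick way to apply the 7-day rule above before locking anything is to check every request in one pass. The following function is an added example, not from Microsoft's documentation. It assumes an Exchange Online PowerShell session, uses the cmdlets and the LastSuccessfulSyncTimestamp property shown above, picks the batch's last-sync property by wildcard because its exact name is not given on this page, and treats a request as failed when its Status contains "Fail".

```powershell
# Added example, not from Microsoft's documentation. Run in Exchange Online PowerShell
# before Set-OrganizationConfig -PublicFoldersLockedForMigration:$true. Returns one object
# per public folder mailbox migration request and warns about stale or failed ones.
function Test-PublicFolderMigrationSync {
    param([int]$MaxAgeDays = 7)   # the article's "within the last 7 days" rule
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    $batch = Get-MigrationBatch | Where-Object { $_.MigrationType -like '*PublicFolder*' }
    if (-not $batch) { throw 'No public folder migration batch found' }
    # The batch's last-sync property is located by name pattern (matches the *last*sync* filter above).
    foreach ($b in @($batch)) {
        $lastSync = $b.PSObject.Properties | Where-Object { $_.Name -like '*LastSync*' } | Select-Object -First 1
        Write-Host ("Batch {0}: status {1}, last synced {2}" -f $b.Identity, $b.Status, $lastSync.Value)
    }

    $results = @(Get-PublicFolderMailboxMigrationRequest |
        Get-PublicFolderMailboxMigrationRequestStatistics |
        ForEach-Object {
            $last = $_.LastSuccessfulSyncTimestamp
            [pscustomobject]@{
                TargetMailbox = "$($_.TargetMailbox)"
                Status        = "$($_.Status)"
                LastSync      = $last
                Stale         = (-not $last) -or ($last -lt $cutoff)   # never synced, or older than the cutoff
                Failed        = "$($_.Status)" -like '*Fail*'            # assumption: failed states contain "Fail"
            }
        })

    $blocking = @($results | Where-Object { $_.Stale -or $_.Failed })
    if ($blocking.Count -gt 0) {
        Write-Warning ("{0} request(s) are stale or failed; resolve them before locking the legacy folders" -f $blocking.Count)
    } else {
        Write-Host 'All public folder migration requests synced within the allowed window'
    }
    $results
}

Test-PublicFolderMigrationSync | Format-Table TargetMailbox, Status, LastSync, Stale, Failed -AutoSize
```

Quarantined requests are not detected by the Status check, so still review any request whose LastSync is missing, which is what the Stale flag catches.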

Once you have confirmed the batch and all migration requests have successfully synced,
on the legacy Exchange server, run the following command to lock the legacy public
folders for finalization.

PowerShell

Set-OrganizationConfig -PublicFoldersLockedForMigration:$true

For detailed syntax and parameter information, see Set-OrganizationConfig.

If your organization has multiple public folder databases, you'll need to wait until public
folder replication is complete to confirm that all public folder databases have picked up
the PublicFoldersLockedForMigration flag and any pending changes users recently
made to folders have converged across the organization. This may take several hours.

Step 7: Finalize the public folder migration (downtime required)

To complete the public folder migration, run the following command:

PowerShell

Complete-MigrationBatch PublicFolderMigration

Important

After a migration batch is completed, no additional data can be synchronized
between the on-premises Exchange servers and Exchange Online.

When you complete the migration, Exchange will perform a final synchronization
between the legacy Exchange server and Exchange Online. If the final synchronization is
successful, the public folders in Exchange Online will be unlocked and the status of the
migration batch will change to Completed. It is common for the status of the migration
batch to remain "Synced" for a few hours before it switches to Completing. For
migrations involving a large number of target mailboxes, it is normal for the status to
remain "Synced" for more than 24 hours, provided none of the underlying public folder
migration requests have failed or been quarantined.

If you've configured a hybrid deployment between your on-premises Exchange servers
and Microsoft 365 or Office 365, you need to run the following command in Exchange
Online PowerShell after migration is complete:

PowerShell

Set-OrganizationConfig -RemotePublicFolderMailboxes $Null -PublicFoldersEnabled Local

Step 8: Test and unlock the public folder migration

After you finalize the public folder migration, you should run the following test to make
sure that the migration was successful. This allows you to test the migrated public folder
hierarchy before you switch to using Microsoft 365, Office 365, or Exchange Online
public folders.

1. In Exchange Online PowerShell, assign some test mailboxes to use any newly
migrated public folder mailbox as the default public folder mailbox.

PowerShell

Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>

2. Log on to Outlook 2010 or later with the test user identified in the previous step,
and then perform the following public folder tests:

View the hierarchy.
Check permissions.
Create and delete public folders.
Post content to and delete content from a public folder.

3. If you run into any issues, see Roll back the migration later in this article. If the
public folder content and hierarchy is acceptable and functions as expected,
continue to the next step.

4. On the legacy Exchange server, run the following command to indicate that the
public folder migration is complete:

PowerShell

Set-OrganizationConfig -PublicFolderMigrationComplete:$true

5. After you've verified that migration is complete, run the following command in
Exchange Online PowerShell to make sure that the PublicFoldersEnabled parameter
on Set-OrganizationConfig is set to Local :

PowerShell

Set-OrganizationConfig -PublicFoldersEnabled Local


For detailed syntax and parameter information, see the following topics:

Set-Mailbox

Get-Mailbox

Set-OrganizationConfig

How do I know this worked?


In Step 2: Prepare for the migration, you were instructed to take snapshots of the public
folder structure, statistics, and permissions before the migration began. The following
steps will help verify that your public folder migration was successful by taking the same
snapshots after the migration is complete. You can then compare the data in both files
to verify success.

1. In Exchange Online PowerShell, run the following command to take a snapshot of
the new folder structure.

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Export-CliXML C:\PFMigration\Cloud_PFStructure.xml

2. In Exchange Online PowerShell, run the following command to take a snapshot of
the public folder statistics such as item count, size, and owner.

PowerShell

Get-PublicFolderStatistics | Export-CliXML C:\PFMigration\Cloud_PFStatistics.xml

3. In Exchange Online PowerShell, run the following command to take a snapshot of
the permissions.

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Cloud_PFPerms.xml
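
The comparison between the two sets of snapshots can be scripted rather than done by eye. The following function is an added example, not from Microsoft's documentation. It reads the six snapshot files by the names and path used in this article and assumes that the Identity, FolderPath, ItemCount and User properties survive Export-CliXML on both sides; user names may be formatted differently in Exchange Online, so entries listed under PermissionsNotFound should be checked by hand rather than treated as lost.

```powershell
# Added example, not Microsoft's code. Compares the Step 2 Legacy_*.xml snapshots with the
# Cloud_*.xml snapshots taken above. Needs no Exchange cmdlets, only read access to the files.
function Compare-PublicFolderSnapshots {
    param([string]$Path = 'C:\PFMigration')   # snapshot location used throughout this article

    $legacyFolders = Import-Clixml (Join-Path $Path 'Legacy_PFStructure.xml')
    $cloudFolders  = Import-Clixml (Join-Path $Path 'Cloud_PFStructure.xml')
    $legacyStats   = Import-Clixml (Join-Path $Path 'Legacy_PFStatistics.xml')
    $cloudStats    = Import-Clixml (Join-Path $Path 'Cloud_PFStatistics.xml')
    $legacyPerms   = Import-Clixml (Join-Path $Path 'Legacy_PFPerms.xml')
    $cloudPerms    = Import-Clixml (Join-Path $Path 'Cloud_PFPerms.xml')

    # Folder paths present on one side only. Identity is the \-separated folder path on both sides.
    $legacyIds = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($f in $legacyFolders) { [void]$legacyIds.Add("$($f.Identity)") }
    $cloudIds = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($f in $cloudFolders) { [void]$cloudIds.Add("$($f.Identity)") }
    $missing = @($legacyIds | Where-Object { -not $cloudIds.Contains($_) })
    $extra   = @($cloudIds  | Where-Object { -not $legacyIds.Contains($_) })

    # Item counts per folder path; fewer items in the cloud means content did not make it across.
    $cloudItems = @{}
    foreach ($s in $cloudStats) { $cloudItems["$($s.FolderPath)"] = [long]$s.ItemCount }
    $fewerItems = @(foreach ($s in $legacyStats) {
        $key = "$($s.FolderPath)"
        if ($cloudItems.ContainsKey($key) -and $cloudItems[$key] -lt [long]$s.ItemCount) {
            New-Object PSObject -Property @{
                Folder = $key; LegacyItems = [long]$s.ItemCount; CloudItems = $cloudItems[$key]
            }
        }
    })

    # Each permission snapshot entry is one expanded access right that carries Identity and
    # User as extra properties, so "$p" is the right itself (for example Owner or Reviewer).
    $cloudKeys = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($p in $cloudPerms) { [void]$cloudKeys.Add("$($p.Identity)|$($p.User)|$p") }
    $lostPerms = @(foreach ($p in $legacyPerms) {
        $key = "$($p.Identity)|$($p.User)|$p"
        if (-not $cloudKeys.Contains($key)) { $key }
    })

    New-Object PSObject -Property @{
        FoldersMissingInCloud = $missing
        FoldersOnlyInCloud    = $extra
        FoldersWithFewerItems = $fewerItems
        PermissionsNotFound   = $lostPerms
    }
}

Compare-PublicFolderSnapshots | Format-List
```

An empty FoldersMissingInCloud and FoldersWithFewerItems is the result you want; FoldersOnlyInCloud is expected to be empty unless someone has already created folders in Exchange Online during testing.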

Remove public folder databases from the legacy Exchange servers

After the migration is complete, and you have verified that your Exchange Online public
folders are working as expected, you should remove the public folder databases on the
legacy Exchange servers.

Important

Since all of your mailboxes have been migrated to Microsoft 365 or Office 365 prior
to the public folder migration, we strongly recommend that you route the traffic
through Microsoft 365 or Office 365 (decentralized mail flow) instead of centralized
mail flow through your on-premises environment. If you choose to keep mail flow
centralized, it could cause delivery issues to your public folders, since you've
removed the public folder mailbox databases from your on-premises organization.

For details about how to remove public folder databases from Exchange 2010
servers, see Remove Public Folder Databases.

Roll back the migration


If you run into issues with the migration and need to reactivate your legacy Exchange
public folders, perform the following steps.

Caution

If you roll your migration back to the legacy Exchange servers, you will lose any
email that was sent to mail-enabled public folders or content that was posted to
public folders after the migration. To save this content, you need to export the
public folder content to a .pst file and then import it to the legacy public folders
when the rollback is complete.

1. On the legacy Exchange server, run the following command to unlock the legacy
Exchange public folders. This process may take several hours.

PowerShell

Set-OrganizationConfig -PublicFoldersLockedForMigration:$False

2. In Exchange Online PowerShell, run the following commands to remove all
Exchange Online public folders.

PowerShell

$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force

3. On the legacy Exchange server, run the following command to set the
PublicFolderMigrationComplete flag to $false .

PowerShell

Set-OrganizationConfig -PublicFolderMigrationComplete:$False

Migrate Public Folders to Microsoft 365 or Office 365 by using Outlook PST export

We recommend that you don't use Outlook's PST export feature to migrate public
folders to Microsoft 365, Office 365, or Exchange Online if your on-premises public
folder hierarchy is greater than 30 GB. Microsoft 365 and Office 365 online public folder
mailbox growth is managed using an auto-split feature that splits the public folder
mailbox when it exceeds size quotas. Auto-split can't handle the sudden growth of
public folder mailboxes when you use PST export to migrate your public folders and you
may have to wait for up to two weeks for auto-split to move the data from the primary
mailbox. In addition, consider the following before using Outlook PST to export public
folders to Microsoft 365, Office 365, or Exchange Online:

Public folder permissions will be lost during this process. Capture the current
permissions before migration and manually add them back once the migration is
completed.

If you use complex permissions or have many folders to migrate, we recommend
that you use the cmdlet method for migration.

Any item and folder changes made to the source public folders during the PST
export migration will be lost. Therefore, we recommend that you use the cmdlet
method if this export and import process will take a long time to complete.

If you still want to migrate your public folders by using PST files, follow these steps to
ensure a successful migration.

1. Use the instructions in Step 1: Download the migration scripts to download the
migration scripts. You only need to download the
PublicFolderToMailboxMapGenerator.ps1 file.

2. Follow step 2 of Step 3: Generate the .csv files to create the public folder-to-
mailbox mapping file. This file is used to calculate the correct number of public
folder mailboxes in Exchange Online.

3. Create the public folder mailboxes that you'll need based on the mapping file. For
more information, see Create a public folder mailbox.

4. Use the New-PublicFolder cmdlet to create the top-most public folder in each of
the public folder mailboxes by using the Mailbox parameter.

5. Export and import the PST files using Outlook.

6. Set the permissions on the public folders using the EAC. For more information, see
Step 3: Assign permissions to the public folder.

Caution

If you've already started a PST migration and have run into an issue where the
primary mailbox is full, you have two options for recovering the PST migration. The
first option is to wait for the auto-split to move the data from the primary mailbox.
This may take up to two weeks. However, all the public folders in a completely filled
public folder mailbox won't be able to receive new content until the auto-split
completes. The other option is to create a public folder mailbox and then use the
New-PublicFolder cmdlet with the Mailbox parameter to create the remaining
public folders in the secondary public folder mailbox.

Troubleshoot public folder migrations


Select the following button for common issues during public folder migration:

Run Tests: Troubleshoot public folder migration


A flyout page opens in the Microsoft 365 admin center; sign in with your tenant admin
account and select the appropriate option.

Use batch migration to migrate Exchange Server public folders to Exchange Online
Article • 02/22/2023

Applies to: Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019

Migrating your Exchange Server public folders to Exchange Online requires Exchange
Server 2013 CU15 or later, or Exchange Server 2016 CU4 or later, to be running in your
on-premises environment. All versions of Exchange Server 2019 are supported for batch
migrations of public folders.

If you have a mixed environment of both Exchange 2013 and Exchange 2016/2019
public folders in your organization, and you want to move them all to Exchange Online,
the instructions in this article will work for you, provided your Exchange 2013 servers
have CU15 or later installed.

For instructions on migrating Exchange Server 2010 public folders to Exchange Online,
see Use batch migration to migrate legacy public folders to Exchange Online.

What do you need to know before you begin?


We strongly recommend you review FAQ: Public folders before you attempt a
migration.

When you upgrade to Exchange Server 2013 CU15 or later, or to Exchange Server
2016 CU4 or later, you must also prepare Active Directory or your public folder
migration will fail. This Active Directory preparation ensures that all relevant
PowerShell cmdlets and parameters are available to you for preparing for and
running the migration. See Prepare Active Directory and domains for more
information.

In Exchange Online, you need to be a member of the Organization Management
role group. This role group is different from the permissions assigned to you when
you subscribe to Microsoft 365, Office 365, or Exchange Online. For details about
how to enable the Organization Management role group, see Manage role groups.

In Exchange Server, you need to be a member of the Organization Management or
Server Management RBAC role groups. For details, see Add Members to a Role
Group.

Before you begin the public folder migration, if any single public folder in your
organization is larger than 25 GB, we recommend that you delete content from
that folder to make it smaller, or divide the public folder's content into multiple,
smaller public folders. Note that the 25 GB limit cited here only applies to the
public folder and not to any child or sub-folders the folder in question may have. If
neither option is feasible, we recommend that you do not move your public folders
to Exchange Online. See Exchange Online Limits for more information.

Note

If your current public folder quotas in Exchange Online are less than 25 GB,
you can use the Set-OrganizationConfig cmdlet to increase them with the
DefaultPublicFolderIssueWarningQuota and
DefaultPublicFolderProhibitPostQuota parameters.

In Microsoft 365, Office 365, and Exchange Online, you can create a maximum of
1000 public folder mailboxes. However, a maximum of 100 public folder mailboxes
is supported for migration from Exchange Server.

If you intend to migrate users to Microsoft 365 or Office 365, you should complete
your user migration prior to migrating your public folders. For more information,
see Ways to migrate multiple email accounts to Microsoft 365 or Office 365.

MRS Proxy needs to be enabled on at least one Exchange server, a server that is
also hosting public folder mailboxes. See Enable the MRS Proxy endpoint for
remote moves for details.

To perform the migration procedures in this article, you can't use the Exchange
admin center (EAC). Instead, you need to use the Exchange Management Shell on
your Exchange servers. In Exchange Online, you need to use Exchange Online
PowerShell. For more information, see Connect to Exchange Online PowerShell.

To run the migration scripts in this article, you must use an account that has basic
authentication enabled. Accounts that use multi-factor authentication (MFA) are
currently not supported.

Skipping the migration of deleted items and deleted folders from Exchange Server
to Exchange Online is supported. For more information, see the Exchange Team
blog post about modern public folder migrations without dumpster data.

You must use a single migration batch to migrate all of your public folder data.
Exchange allows creating only one migration batch for public folders migration. If
you attempt to create more than one public folder migration batch simultaneously,
the result will be an error. Also note that once the migration batch has a status of
"Completed," no more data can be copied over from the source environment.

We recommend that you don't use Outlook's PST export feature to migrate public
folders to Microsoft 365, Office 365, or Exchange Online. Public folder mailbox
growth in Exchange Online is managed using an auto-split feature that splits the
public folder mailbox when it exceeds size quotas. Auto-split can't handle the
sudden growth of public folder mailboxes when you use PST export to migrate
your public folders, and you may have to wait for up to two weeks for auto-split to
move the data from the primary mailbox. We recommend that instead you use the
cmdlet-based instructions in this article to migrate your public folders. If you still
decide to migrate public folders using PST export, see Migrate Public Folders to
Office 365 by using Outlook PST export later in this article.

Verify whether DefaultPublicFolderAgeLimit is configured at the organization
level ( Get-OrganizationConfig | Format-List DefaultPublicFolderAgeLimit ) or whether
an AgeLimit ( Get-PublicFolder <FolderPath> | Format-List AgeLimit ) is configured on
any individual public folder, so that automatic deletion of the content can be
prevented.

Before you begin, please read this article in its entirety. For some steps there is
downtime required. During this downtime, public folders will not be accessible by
anyone. Please also review the list of known issues. Also, read best practices for
public folder migration to plan your migration.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at:
Exchange Server or Exchange Online.

Step 1: Download the migration scripts


1. Download all scripts and supporting files from Exchange 2013/2016/2019 Public
Folders Migration Scripts and Exchange 2010/2013/2016/EXO Public Folders to
Microsoft 365 or Office 365 Pre-Migration Scripts.

2. Save the scripts to the local computer on which you'll be running PowerShell. For
example, C:\PFScripts. Make sure all scripts are saved in the same location.

The scripts and files you're downloading are:

SourceSideValidations.ps1: The Source Side Validation script scans the public
folders at the source and reports the issues found, along with the actions required
to fix them. You'll run this script on the Exchange server on-premises.

Sync-ModernMailPublicFolders.ps1: This script synchronizes mail-enabled
public folder objects between your Exchange on-premises environment and
Microsoft 365 or Office 365. You'll run this script on an on-premises Exchange
server.

SyncModernMailPublicFolders.strings.psd1: This support file is used by the
Sync-ModernMailPublicFolders.ps1 script and should be downloaded to the
same location.

Export-ModernPublicFolderStatistics.ps1: This script creates the folder
name-to-folder size and deleted item size mapping file. You'll run this script
on an on-premises Exchange server.

Export-ModernPublicFolderStatistics.strings.psd1: This support file is used
by the Export-ModernPublicFolderStatistics.ps1 script and should be
downloaded to the same location.

ModernPublicFolderToMailboxMapGenerator.ps1: This script creates the public
folder-to-mailbox mapping file by using the output from the
Export-ModernPublicFolderStatistics.ps1 script. You'll run this script on an
on-premises Exchange server.

ModernPublicFolderToMailboxMapGenerator.strings.psd1: This support file is
used by the ModernPublicFolderToMailboxMapGenerator.ps1 script and
should be downloaded to the same location.

SetMailPublicFolderExternalAddress.ps1: This script updates the
ExternalEmailAddress of mail-enabled public folders in your on-premises
environment to that of their Exchange Online counterparts, so that emails
addressed to your mail-enabled public folders post-migration are properly
routed to Exchange Online. You need to run this script on an on-premises
Exchange server.

SetMailPublicFolderExternalAddress.strings.psd1: This support file is used
by the Create-PublicFolderMailboxesForMigration.ps1 script and should be
downloaded to the same location.

Step 2: Prepare for the migration


Note

We strongly recommend running the Source Side Validation script from an on-
premises Exchange Mailbox server. The script will scan and report issues that are
known to cause migration to be slow, along with guidance to fix these issues. The
script will perform all the following prerequisites.

Perform all prerequisite steps in the following sections before you begin the public
folder migration.

General prerequisite steps


For your migration to be successful, you should:

Make sure that there are no orphaned public folder mail objects in Active
Directory. These are objects in Active Directory without a corresponding Exchange
object.

Confirm that the SMTP email addresses configured for public folders in Active
Directory match the SMTP email addresses on the Exchange objects.

Confirm that there are no duplicate public folder objects in Active Directory. This is
necessary to avoid having two or more Active Directory objects that are pointing
to the same mail-enabled public folder.

Prerequisite steps in the on-premises Exchange 2013, Exchange 2016, or Exchange 2019 server environment

In Exchange Management Shell (on-premises), perform the following steps:

1. Once your migration is complete, it will take some time for DNS caches across the
Internet to direct messages to your mail-enabled public folders in their new
location in Exchange Online. You can ensure that your newly migrated mail-
enabled public folders receive messages during this DNS transition period by
creating an accepted domain with a well-known name. To do this, run the
following command in your Exchange on-premises environment. In this example,
target domain is your Microsoft 365, Office 365, or Exchange Online domain, for
which a send connector has already been configured by the Hybrid Configuration
Wizard.

PowerShell

New-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 -DomainName <target domain> -DomainType InternalRelay

Example:

PowerShell

New-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 -DomainName "contoso.mail.onmicrosoft.com" -DomainType InternalRelay

If the accepted domain already exists in your on-premises environment, rename it
to PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 and leave the
other attributes intact.

To check if the accepted domain is already present in your on-premises
environment, run the following:

PowerShell

Get-AcceptedDomain | Where {$_.DomainName -eq "<target domain>"}

To rename the accepted domain to
PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 , run the
following:

PowerShell

Get-AcceptedDomain | Where {$_.DomainName -eq "<target domain>"} | Set-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99

Note

If you're expecting your mail-enabled public folders in Exchange Online to
receive external emails from the Internet, you have to disable Directory Based
Edge Blocking (DBEB) in Exchange Online and Exchange Online Protection
(EOP). See Use Directory Based Edge Blocking to Reject Messages Sent to
Invalid Recipients for more information.

2. If the name of a public folder contains a backslash \ or a forward slash /, it may not
get migrated to its designated mailbox during the migration process. Before you
migrate, rename any such folders to remove these characters.

a. To locate public folders that have a backslash in the name, run the following
command:

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Where {$_.Name -like "*\*" -or $_.Name -like "*/*"} | Format-List Name, Identity, EntryId

b. If any public folders are returned, you can rename them by running the
following command:

PowerShell

Set-PublicFolder -Identity "<public folder EntryId>" -Name "<new public folder name>"

3. (This step is only required if you are re-doing a previous migration attempt for
some reason. If this is not the case, skip to the next step.) Run the following
cmdlets to confirm there isn't a record of a previous, successful migration in your
organization. If there is, you need to set that value to $false .

Before changing the values, please confirm that the previous migration attempt
can be discarded so that you don't accidentally perform a second migration.

a. Run the following command to check for any previous migrations, and the status
of those migrations:

PowerShell

Get-OrganizationConfig | Format-List
PublicFolderMailboxesLockedForNewConnections,
PublicFolderMailboxesMigrationComplete

b. If any of the above is returned with a value set to $true , make them $false by
running:

PowerShell

Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections:$false -PublicFolderMailboxesMigrationComplete:$false

4. For the purpose of verifying the success of the migration upon its completion, we
recommend that you run the following commands on all appropriate Exchange
2016 or Exchange 2019 servers. This will take snapshots of your current public
folder deployment that you can later use to compare with your newly migrated
public folders.

Note

Depending on the size of your Exchange organization, it could take some time
for these commands to run.

Run the following command to take a snapshot of the original source folder
structure.

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Export-CliXML OnPrem_PFStructure.xml

Run the following command to take a snapshot of public folder statistics such
as item count, size, and owner.

PowerShell

Get-PublicFolderStatistics -ResultSize Unlimited | Export-CliXML OnPrem_PFStatistics.xml

Run the following command to take a snapshot of public folder permissions.

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission | Select-Object Identity,User,AccessRights -ExpandProperty AccessRights | Export-CliXML OnPrem_PFPerms.xml

Run the following command to take a snapshot of your mail-enabled public
folders:

PowerShell

Get-MailPublicFolder -ResultSize Unlimited | Export-CliXML OnPrem_MEPF.xml

Save the files generated from the preceding commands in a safe place in
order to make a comparison at the end of the migration.
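The comparison those snapshot files are kept for, as an added example that is not part of the original article or Microsoft's scripts: it loads OnPrem_PFStructure.xml and OnPrem_PFStatistics.xml and checks them against the hierarchy now present in Exchange Online, reporting folders that never arrived and folders whose item count differs. It assumes an Exchange Online PowerShell session and that the two .xml files were copied into the current directory.

```powershell
# Added example, not part of the original article: compare the on-premises
# snapshot files taken above with the public folders now present in Exchange
# Online. Assumes an Exchange Online PowerShell session and that the .xml files
# are in the current directory. File names are the ones used in the article.
function Compare-PublicFolderSnapshot {
    param(
        [string]$StructureFile  = '.\OnPrem_PFStructure.xml',
        [string]$StatisticsFile = '.\OnPrem_PFStatistics.xml'
    )

    # Normalise a folder path so "\Sales\EMEA" and "Sales\EMEA" compare equal.
    function Get-Key([string]$Path) {
        return '\' + $Path.TrimStart('\')
    }

    # Folder identities and item counts captured on-premises before the migration.
    $sourcePaths = @{}
    foreach ($f in (Import-Clixml $StructureFile)) {
        $sourcePaths[(Get-Key ([string]$f.Identity))] = $true
    }
    $sourceCounts = @{}
    foreach ($s in (Import-Clixml $StatisticsFile)) {
        $sourceCounts[(Get-Key ([string]$s.FolderPath))] = [int]$s.ItemCount
    }

    # Current hierarchy and statistics in Exchange Online (the migration target).
    $targetPaths = @{}
    foreach ($f in (Get-PublicFolder -Recurse -ResultSize Unlimited)) {
        $targetPaths[(Get-Key ([string]$f.Identity))] = $true
    }
    $targetCounts = @{}
    foreach ($s in (Get-PublicFolderStatistics -ResultSize Unlimited)) {
        $targetCounts[(Get-Key ([string]$s.FolderPath))] = [int]$s.ItemCount
    }

    # Folders that exist on-premises but were never created in Exchange Online.
    $missing = @($sourcePaths.Keys |
        Where-Object { -not $targetPaths.ContainsKey($_) } |
        Sort-Object)

    # Folders whose item count differs; content posted after the last sync shows up here.
    $mismatch = foreach ($path in ($sourceCounts.Keys | Sort-Object)) {
        if (-not $targetCounts.ContainsKey($path)) { continue }
        if ($sourceCounts[$path] -ne $targetCounts[$path]) {
            [pscustomobject]@{
                FolderPath  = $path
                SourceCount = $sourceCounts[$path]
                TargetCount = $targetCounts[$path]
            }
        }
    }

    [pscustomobject]@{
        SourceFolderCount = $sourcePaths.Count
        TargetFolderCount = $targetPaths.Count
        MissingFolders    = $missing
        CountMismatches   = @($mismatch)
    }
}

# Example use: write the findings to files so they can be reviewed before finalising.
$report = Compare-PublicFolderSnapshot
$report.MissingFolders  | Out-File .\PF_Missing.txt
$report.CountMismatches | Export-Csv .\PF_CountMismatch.csv -NoTypeInformation
```

Because the source keeps changing until it is locked in Step 6, take the on-premises snapshots again once the batch reaches Synced (as the article says in Step 5) before running this comparison.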

5. If you're using Microsoft Azure Active Directory Connect (Azure AD Connect) to
synchronize your on-premises directories with Azure Active Directory, you need to
do the following (if you aren't using Azure AD Connect, you can skip this step):

a. On an on-premises computer, open Microsoft Azure Active Directory Connect,
and then select Configure.

b. On the Additional tasks screen, select Customize synchronization options, and
then click Next.

c. On the Connect to Azure AD screen, enter the appropriate credentials, and then
click Next. Once connected, keep clicking Next until you're on the Optional
Features screen.

d. Make sure that Exchange Mail Public Folders is not selected. If it isn't selected,
you can continue to the next section, Prerequisite steps in Exchange Online. If it
is selected, click to clear the check box, and then click Next.

Note

If you don't see Exchange Mail Public Folders as an option on the
Optional Features screen, you can exit Microsoft Azure Active Directory
Connect and proceed to the next section, Prerequisite steps in Exchange
Online.

e. After you have cleared the Exchange Mail Public Folders selection, keep
clicking Next until you're on the Ready to configure screen, and then click
Configure.

Prerequisite steps in Exchange Online


In Exchange Online PowerShell, do the following steps:

1. Make sure there are no existing public folder migration requests. If there are, clear
them or your own migration request will fail. This step is only required if you think
there may be an existing migration request in the pipeline (one that has failed or
that you wish to abort).

The following example will discover any existing batch migration requests:

PowerShell

Get-MigrationBatch | ?{$_.MigrationType.ToString() -eq "PublicFolder"}

The following example removes any existing public folder batch migration
requests:

PowerShell

Remove-MigrationBatch <name of migration batch> -Confirm:$false

2. Make sure there aren't any existing public folders or public folder mailboxes in
Exchange Online. If you do discover public folders in Exchange Online after
following the steps below, it's important to determine why they are there and who
in your organization started a public folder hierarchy before you begin removing
any public folders and public folder mailboxes.

a. In Exchange Online PowerShell, run the following command to see if any public
folder mailboxes exist:

PowerShell

Get-Mailbox -PublicFolder

b. If the command doesn't return any public folder mailboxes, continue to Step 3:
Generate the .csv files. If the command does return any public folder mailboxes,
run the following command to see if any public folders exist:

PowerShell

Get-PublicFolder -Recurse

3. If you do have any public folders in Microsoft 365 or Office 365 or Exchange
Online, run the following PowerShell command to remove them (after confirming
that they are not needed). Make sure that you've saved any information within
these public folders before deleting them, because all information will be
permanently deleted when you remove the public folders.

PowerShell

Get-MailPublicFolder -ResultSize Unlimited | where {$_.EntryId -ne $null}| Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren \ -ResultSize Unlimited | Remove-PublicFolder -Recurse -Confirm:$false

4. After the public folders are removed, run the following commands to remove all
public folder mailboxes:

PowerShell

$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder -SoftDeletedMailbox | % {Remove-Mailbox -PublicFolder $_.PrimarySmtpAddress -PermanentlyDelete:$true -force -Confirm:$false}
$soft=Get-Mailbox -PublicFolder -SoftDeletedMailbox; foreach ($mbx in $soft){if ($mbx.Name -like "*CNF:*" -or $mbx.identity -like "*CNF:*") {Remove-Mailbox -PublicFolder $mbx.ExchangeGUID.GUID -RemoveCNFPublicFolderMailboxPermanently -Force -Confirm:$false}}

Repeat the above command block a couple of times, at intervals of 5-10 minutes,
to ensure the soft-deleted mailboxes are cleared up and there are no CNF objects
left behind.

Note

The above command block may return an error like "The operation couldn't be
performed because object <MailboxName> couldn't be found on", which can
be safely ignored because of AD replication latency.

5. Run the following command again to ensure there are no soft-deleted or CNF
mailboxes left behind.

PowerShell

Get-Mailbox -PublicFolder -SoftDeletedMailbox

If you see a list of soft-deleted mailboxes, repeat the command block from step 4;
otherwise, proceed to the next step.

Step 3: Generate the .csv files


Use the previously downloaded scripts to generate the .csv files that will be used in the
migration.

1. From the Exchange Management Shell (on-premises), run the
Export-ModernPublicFolderStatistics.ps1 script to create the folder name-to-folder size
mapping file. You must have local administrator permissions to run this script. The
resulting file will contain three columns: FolderName, FolderSize, and
DeletedItemSize. The values for the FolderSize and DeletedItemSize columns will
be displayed in bytes. For example, \PublicFolder01,10240, 100 means the public
folder in the root of your hierarchy named PublicFolder01 is 10240 bytes (10 KB) in
size and there are 100 bytes of recoverable items in it.

PowerShell

.\Export-ModernPublicFolderStatistics.ps1 <Folder-to-size map path>

Example:

PowerShell

.\Export-ModernPublicFolderStatistics.ps1 stats.csv

2. Run the ModernPublicFolderToMailboxMapGenerator.ps1 script to create a .csv file
that maps source public folders to public folder mailboxes in your Exchange Online
destination. This file is used to calculate the correct number of public folder
mailboxes in Exchange Online.

Note that the file generated by ModernPublicFolderToMailboxMapGenerator.ps1 will not
contain the name of every public folder in your organization. It will contain references to
the parent folders of larger folder trees, or the names of folders which themselves are
significantly large. You can think of this file as an "exception" file used to make sure
certain folder trees and larger folders get placed into specific public folder mailboxes. It
is normal to not see every one of your public folders in this file. Child folders of any
folder listed in this mapping file will also be migrated to the same public folder mailbox
as their parent folder (unless explicitly mentioned on another line within the mapping
file that directs them to a different public folder mailbox).

PowerShell

.\ModernPublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Maximum mailbox recoverable item size in bytes> <Folder-to-size map path> <Folder-to-mailbox map path>

Maximum mailbox size in bytes is the maximum amount of data you want to
migrate into any single public folder mailbox in Exchange Online. The maximum
size of this field is currently 100 GB, but we recommend you use a smaller size,
such as 50% of maximum size, to allow for future growth.

Maximum mailbox recoverable items size in bytes is the recoverable items quota
on your Exchange Online mailboxes. The maximum size of public folder mailboxes
in Exchange Online is currently 100 GB. We recommend setting
RecoverableItemsQuota to 15 GB or less.

Folder-to-size map path is the file path of the .csv file you created when you ran
the Export-ModernPublicFolderStatistics.ps1 script.

Folder-to-mailbox map path is the file path of the folder-to-mailbox .csv file that
you're creating in this step. If you only specify a file name, the file will be generated
in the current PowerShell directory on the local computer.

Example:

PowerShell

.\ModernPublicFolderToMailboxMapGenerator.ps1 -MailboxSize 50GB -MailboxRecoverableItemSize 1GB -ImportFile .\stats.csv -ExportFile map.csv

Note

The map.csv generated by the script uses generic names for the target public folder
mailboxes that will be created in EXO during the next step (for example, Mailbox1
and Mailbox2). We encourage you to change the public folder mailbox names in
the map.csv to suit your organization's naming policies. Also, if your on-premises
organization already has mailboxes that match the generic names, you should edit
the map.csv and provide unique names for the target public folder mailboxes in
Exchange Online. Use Notepad or a similar editor to edit the TargetMailbox names
in the map.csv.

Note

We don't support the migration of public folders to Exchange Online when there
are more than 100 unique public folder mailboxes in Exchange Online. During
migration, you can have up to 100 public folder mailboxes enabled.
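A scripted way to do the map.csv edits the two notes above ask for, as an added example that is not part of the original article or Microsoft's scripts: it prefixes the generic TargetMailbox names, checks that the root folder row is present, that no more than 100 unique target mailboxes are listed, and that none of the names collide with an existing recipient. The "PF-" prefix and the output file name are assumptions; the TargetMailbox and FolderPath columns are the ones the map generator script produces, and an Exchange Online PowerShell session is assumed for the collision check.

```powershell
# Added example, not part of the original article: rename the generic TargetMailbox
# values in map.csv to an organisational naming convention, then check the file
# against the limits described above before Step 4 creates the mailboxes.
# Assumes an Exchange Online PowerShell session. The prefix and the output file
# name are assumptions; the column names come from the map generator script.
function Update-PublicFolderMapFile {
    param(
        [string]$Path         = '.\map.csv',
        [string]$OutPath      = '.\map.renamed.csv',
        [string]$Prefix       = 'PF-',   # assumed naming convention
        [int]   $MaxMailboxes = 100      # supported migration limit stated in the article
    )

    $rows = @(Import-Csv $Path)
    if ($rows.Count -eq 0) { throw "$Path is empty." }

    # Step 4 relies on a row for the root folder "\" to find the primary mailbox.
    if (-not ($rows | Where-Object FolderPath -eq '\')) {
        throw "$Path has no row for the root folder '\'; regenerate it with the script."
    }

    # Mailbox1 becomes PF-Mailbox1; names that already carry the prefix are left alone.
    foreach ($row in $rows) {
        if ($row.TargetMailbox -notlike "$Prefix*") {
            $row.TargetMailbox = $Prefix + $row.TargetMailbox
        }
    }

    $targets = @($rows.TargetMailbox | Sort-Object -Unique)
    if ($targets.Count -gt $MaxMailboxes) {
        throw "$($targets.Count) target mailboxes exceed the supported maximum of $MaxMailboxes."
    }

    # A recipient that already uses one of these names would make New-Mailbox fail in Step 4.
    $collisions = foreach ($name in $targets) {
        if (Get-Recipient -Identity $name -ErrorAction SilentlyContinue) { $name }
    }
    if ($collisions) {
        throw "These target names already exist in Exchange Online: $($collisions -join ', ')"
    }

    $rows | Export-Csv $OutPath -NoTypeInformation
    return $targets
}

# Example use: the renamed file is the one to pass to Import-Csv in Step 4.
Update-PublicFolderMapFile -Path .\map.csv -OutPath .\map.renamed.csv
```
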

Step 4: Create the public folder mailboxes in Exchange Online

Next, in Exchange Online PowerShell, create the target public folder mailboxes that will
contain your migrated public folders.

Run the following script to create the target public folder mailboxes. The script will
create a target mailbox for each mailbox in the .csv file that you generated previously in
Step 3: Generate the .csv files, when you ran the
ModernPublicFoldertoMailboxMapGenerator.ps1 script.

PowerShell

$mappings = Import-Csv <Folder-to-mailbox map path>
$primaryMailboxName = ($mappings | Where-Object FolderPath -eq "\" ).TargetMailbox;
New-Mailbox -HoldForMigration:$true -PublicFolder -IsExcludedFromServingHierarchy:$false $primaryMailboxName
($mappings | Where-Object TargetMailbox -ne $primaryMailboxName).TargetMailbox | Sort-Object -unique | ForEach-Object { New-Mailbox -PublicFolder -IsExcludedFromServingHierarchy:$false $_ }

Folder-to-mailbox map path is the file path of the folder-to-mailbox.csv file that was
generated by the ModernPublicFoldertoMailboxMapGenerator.ps1 script in Step 3:
Generate the .csv files.

Step 5: Start the migration request


A number of commands now need to be run both in your Exchange Server on-premises
environment and in Exchange Online.

1. From any of your Exchange 2016 or Exchange 2019 servers hosting public folder
mailboxes, execute the following script. This script will synchronize mail-enabled
public folders from your local Active Directory to Exchange Online. Make sure that
you have downloaded the latest version of this script and that you're running it
from Exchange Management Shell.

PowerShell

.\Sync-ModernMailPublicFolders.ps1 -CsvSummaryFile:sync_summary.csv

CsvSummaryFile is the file path to where you want your log file of
synchronization operations and errors located. The log will be in .csv format.

Note

Use Sync MEPF Script troubleshooting if you see any errors during the
Sync-ModernMailPublicFolders.ps1 script.

2. In Exchange Online PowerShell, pass the credential of a user who has administrator
permissions in the Exchange 2013, Exchange 2016, or Exchange 2019 on-premises
environment into the variable $Source_Credential . The migration request that you
run in Exchange Online will use this credential to gain access to your on-premises
Exchange servers to copy the public folder content over to Exchange Online.

PowerShell

$Source_Credential = Get-Credential <source_domain>\<PublicFolder_Administrator_Account>

3. In Exchange Online PowerShell, pass the Internet routable fully qualified domain
name of your Exchange Mailbox Replication Service (MRS) into the variable
$Source_RemoteServer . The migration request that you run in Exchange Online will
use this remote server to copy the public folder content to Exchange Online.

PowerShell

$Source_RemoteServer = "<MRS proxy endpoint server>"

4. On your on-premises Exchange server, open the Exchange Management Shell and
find the GUID of the primary hierarchy mailbox with the following command:

PowerShell

(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid.GUID

Note the output of this command. You will need it in the next step. For example:

91edc6dd-478a-497c-8731-b0b793f5a986

Note

The public folder mailbox GUID mentioned in the previous command must be obtained
from the on-premises server; if it is obtained from Exchange Online, the migration batch
will fail with a transient error.

5. In Exchange Online PowerShell, run the following commands to create the public
folder migration endpoint and the public folder migration request:

PowerShell

$bytes = [System.IO.File]::ReadAllBytes('folder_mapping.csv')
$PfEndpoint = New-MigrationEndpoint -PublicFolder -Name PublicFolderEndpoint -RemoteServer $Source_RemoteServer -Credentials $Source_Credential
New-MigrationBatch -Name PublicFolderMigration -CSVData $bytes -SourceEndpoint $PfEndpoint.Identity -SourcePfPrimaryMailboxGuid <guid you noted from previous step> -NotificationEmails <email addresses for migration notifications>

Where folder_mapping.csv is the map file that was generated in Step 3: Generate
the .csv files and HierarchyMailboxGUID is the output you noted in the previous
step. Be sure to provide the full file path to folder_mapping.csv . If the map file was
moved for any reason, be sure to use the new location.

Separate multiple email addresses with commas.

Note

You may notice the above command failing with the error "Cannot find a recipient that
has mailbox GUID", citing the GUID of the public folder mailbox in EXO. This can
happen because of AD replication latency. In that case, wait for an hour and retry the
command.

6. Finally, start the migration using the following command in Exchange Online
PowerShell:

PowerShell

Start-MigrationBatch PublicFolderMigration

While batch migrations need to be created using the New-MigrationBatch cmdlet in
Exchange Online PowerShell, the progress and completion of the migration can be
viewed and managed in the EAC or by running the Get-MigrationBatch cmdlet. The
New-MigrationBatch cmdlet initiates a mailbox migration request for each public folder
mailbox, and you can view the status of these requests using the mailbox migration
page.

To go to the mailbox migration page:

1. Log on to Exchange Online and open the EAC.

2. Navigate to Recipients, and then select Migration.

3. Select the migration request that was just created and then, on the Details pane,
select View Details.

Before moving on to Step 6: Lock down the public folders on the Exchange on-premises
server, verify that all data has been copied and that there are no errors in the migration.
Once you have confirmed that the batch has moved to the state of Synced, run the
commands mentioned in Step 2: Prepare for the migration, in the final step under
Prerequisite steps in the Exchange Server on-premises environment, to take a
snapshot of the public folders on-premises.

Once these commands have run, you can proceed to the next step. Note that these
commands could take a while to complete depending on the number of folders you
have. The migration process will synchronize the data from the source (on-premises)
environment once every 24 hours.

You can use the following cmdlets to monitor your migration:

Get-PublicFolderMailboxMigrationRequest

Get-PublicFolderMailboxMigrationRequestStatistics

Get-MigrationBatch

Step 6: Lock down the public folders on the Exchange on-premises server (public folder downtime required)

Until this point in the migration process, users have been able to access your on-
premises public folders. The following steps will now log users off from Exchange
Server public folders and then lock the folders as the migration process completes its
final synchronization. Users won't be able to access public folders during this time, and
any messages sent to these mail-enabled public folders will be queued and remain
undelivered until the public folder migration is complete.

Note

The final sync might take a substantial amount of time, depending on the changes
made to the source environment, the size of the public folder deployment, server
capacity, and so on. If the folder hierarchy had many corrupt ACLs that were not
cleaned up before the migration, there might be a significant delay in completion.
It is recommended that you plan for a minimum of 48 hours of downtime for the
final sync to complete.

Ensure the migration batch and individual migration requests have successfully synced.

Run the following commands in EXO PowerShell for more information:

PowerShell

Get-MigrationBatch |?{$_.MigrationType -like "*PublicFolder*"} | ft *last*sync*
Get-PublicFolderMailboxMigrationRequest | Get-PublicFolderMailboxMigrationRequestStatistics |ft targetmailbox,*last*sync*

The LastSyncedDate (on migration batch) and LastSuccessfulSyncTimestamp (on
individual jobs) should be within the last 7 days. If the date is too far in the past, such as
more than a month ago, you might want to review public folder migration requests and
ensure that all the requests were synced recently.
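The 7-day freshness check described above as a single function, an added example that is not part of the original article or Microsoft's scripts: it evaluates the batch's LastSyncedDate and each request's LastSuccessfulSyncTimestamp against a cutoff and returns the stale ones, so the source is only locked when everything has synced recently. It assumes an Exchange Online PowerShell session; the property names are the ones shown in the commands above.

```powershell
# Added example, not part of the original article: report the public folder
# migration batch and any per-mailbox request whose last successful sync is
# older than the window stated above, before the on-premises folders are locked.
# Assumes an Exchange Online PowerShell session.
function Test-PublicFolderMigrationSync {
    param([int]$MaxAgeDays = 7)   # window recommended in the article

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $stale  = @()

    # Exchange allows only one public folder batch, so the first match is the batch.
    $batch = Get-MigrationBatch |
        Where-Object { $_.MigrationType -like '*PublicFolder*' } |
        Select-Object -First 1
    if (-not $batch) { throw 'No public folder migration batch was found.' }

    if (-not $batch.LastSyncedDate -or $batch.LastSyncedDate -lt $cutoff) {
        $stale += [pscustomobject]@{
            Scope    = 'Batch'
            Name     = [string]$batch.Identity
            Status   = [string]$batch.Status
            LastSync = $batch.LastSyncedDate
        }
    }

    # One migration request exists per target public folder mailbox.
    foreach ($request in Get-PublicFolderMailboxMigrationRequest) {
        $stats = $request | Get-PublicFolderMailboxMigrationRequestStatistics
        $last  = $stats.LastSuccessfulSyncTimestamp
        if (-not $last -or $last -lt $cutoff) {
            $stale += [pscustomobject]@{
                Scope    = 'Request'
                Name     = [string]$stats.TargetMailbox
                Status   = [string]$stats.Status
                LastSync = $last
            }
        }
    }

    [pscustomobject]@{
        Cutoff        = $cutoff
        ReadyToLock   = ($stale.Count -eq 0)   # lock the source only when this is $true
        StaleRequests = $stale
    }
}

# Example use: stop before Set-OrganizationConfig if anything is stale.
$check = Test-PublicFolderMigrationSync
if (-not $check.ReadyToLock) {
    $check.StaleRequests | Format-Table -AutoSize
    throw "One or more migration requests have not synced since $($check.Cutoff); do not lock the source yet."
}
```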

After you have confirmed that the batch and all migration requests have successfully
synced, in your on-premises environment, run the following command to lock the
Exchange Server public folders for finalization.

PowerShell

Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections $true

Note

If you aren't able to access the -PublicFolderMailboxesLockedForNewConnections
parameter, it could be because your Active Directory was not prepared during the
CU upgrade, as we advised above in What do you need to know before you begin?
See Prepare Active Directory and domains for more information. Also note that
any users who need access to public folders should be migrated first, before you
migrate the public folders themselves.

If your organization has public folder mailboxes on multiple Exchange servers, you'll
need to wait until Active Directory replication is complete. Once complete, you can
confirm that all public folder mailboxes have picked up the
PublicFolderMailboxesLockedForNewConnections flag, and that any pending changes
users recently made to their public folders have converged across the organization. All
of this could take several hours.

Run the following command in your on-premises environment to ensure that public
folders are locked:

PowerShell

Get-PublicFolder \

The expected result if public folders are locked is:

Couldn't find the public folder mailbox. + CategoryInfo : NotSpecified: (:) [Get-PublicFolder], ObjectNotFoundException

Step 7: Finalize the public folder migration (public folder downtime required)

You need to check the following items before you can complete your public folder
migration:

1. Confirm that there are no other public folder mailbox moves or public folder
moves going on in your on-premises Exchange environment. To do this, use the
Get-MoveRequest and Get-PublicFolderMoveRequest cmdlets to list any existing
public folder moves. If there are any moves in progress, or in the Completed state,
remove them.

2. At this point, we recommend re-running the following script to ensure that any
new mail-enabled public folders are synchronized with Exchange Online:

PowerShell

.\Sync-ModernMailPublicFolders.ps1 -CsvSummaryFile:sync_summary.csv

3. If your environment has multiple Active Directory domains, follow the steps in "No active public folder mailboxes were found" error and migration batch fails at Complete-MigrationBatch command before you run Complete-MigrationBatch.

4. To complete the public folder migration, run the following command in Exchange
Online PowerShell:

PowerShell

Complete-MigrationBatch PublicFolderMigration

Important

After a migration batch is completed, no additional data can be synchronized from the on-premises Exchange servers to Exchange Online.

When you run Complete-MigrationBatch PublicFolderMigration, Exchange will perform a final synchronization between your Exchange on-premises organization and Exchange Online. During this period, the status of the migration batch will change from Synced to Completing, and then finally to Completed. If the final synchronization is successful, the public folders in Exchange Online will be unlocked. However, it is strongly recommended that you complete Step 8 and Step 9 of this article before you open up public folders to your users.

It's common for the status of migration batch to remain on Synced for a few hours
before it switches to Completing. For migrations involving a large number of target
mailboxes, it's normal to see the status remain in the Synced state for more than 24
hours, provided none of the underlying public folder migration requests have failed or
were quarantined.

Step 8: Test and unlock public folders in Exchange Online

Once the public folder migration is complete, take the following steps to test the
success of the migration, and to officially verify its completion. These final tasks allow
you to test the migrated public folder hierarchy before you permanently switch your
organization to Exchange Online public folders.

1. In Exchange Online PowerShell, configure some test user mailboxes to use one of
your newly migrated public folder mailboxes as their default public folder mailbox:

PowerShell

Set-Mailbox -Identity <test user> -DefaultPublicFolderMailbox <public folder mailbox identity>

Make sure that your test users have the necessary permissions to create public folders.

2. Log on to Outlook with the test user you designated in the previous step, and then
perform the following public folder tests. Note that it may take 15 to 30 minutes
for changes to take effect. Once Outlook is aware of the changes, it might prompt
you to restart a couple of times.

a. View the hierarchy.

b. Check permissions.

c. Create some public folders and then delete them.

d. Post content to, and delete content from, a public folder.

If you run into any issues and determine you aren't ready to switch your
organization's public folders entirely to Exchange Online, see Roll back a public
folder migration from Exchange Server to Exchange Online.

3. Run the following command in Exchange Online PowerShell to unlock your public
folders in Exchange Online. After you run the command, it may take approximately
15 to 30 minutes for the changes to take effect. Once Outlook is aware of the
changes, it might prompt your users to restart Outlook a couple of times.

PowerShell

Set-OrganizationConfig -RemotePublicFolderMailboxes $Null -PublicFoldersEnabled Local

Step 9: Finalize the migration on-premises

To restore mail flow to your mail-enabled public folders (messages have been queuing since the folders were locked in Step 6), perform the following steps:

1. Run the following command in your on-premises environment to take a backup of the emails in the queue that were sent to your mail-enabled public folders. This backup can be used in scenarios where email delivery to mail-enabled public folders failed for any reason:

PowerShell

# Export every queued message addressed to a public folder (recipients tagged PF.InTransit)
# as an .eml file under C:\ExportFolder, which must already exist.
$Server = Get-TransportService
ForEach ($t in $Server) {
    Get-Message -Server $t -ResultSize Unlimited | ?{$_.Recipients -like "*PF.InTransit*"} | ForEach-Object {
        Suspend-Message $_.Identity -Confirm:$False
        # Angle brackets in the Internet Message ID are not valid in file names.
        $Temp = "C:\ExportFolder\" + $_.InternetMessageID + ".eml"
        $Temp = $Temp.Replace("<","_")
        $Temp = $Temp.Replace(">","_")
        Export-Message $_.Identity | AssembleMessage -Path $Temp
        Resume-Message $_.Identity -Confirm:$false
    }
}

2. In your on-premises environment, run the following script to make sure all emails
to mail-enabled public folders are correctly routed to Exchange Online. The script
will stamp mail-enabled public folders with an ExternalEmailAddress that points
them to their Exchange Online counterparts:

PowerShell

.\SetMailPublicFolderExternalAddress.ps1 -ExecutionSummaryFile:mepf_summary.csv

3. If your testing is successful, in your on-premises environment, run the following command to indicate that the public folder migration is complete:

PowerShell

Set-OrganizationConfig -PublicFolderMailboxesMigrationComplete:$true -
PublicFoldersEnabled Remote

How do I know this worked?

In Step 2: Prepare for the migration, you took snapshots of your on-premises public
folder structure, statistics, and permissions. The following steps will help you verify your
public folder migration was successful by taking the same snapshots in Exchange Online
post-migration. Compare the data in both files to verify success.

1. In Exchange Online PowerShell, run the following command to take a snapshot of the new folder structure:

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Export-CliXML Cloud_PFStructure.xml

2. In Exchange Online PowerShell, run the following command to take a snapshot of the public folder statistics, including item count, size, and owner:

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderStatistics | Export-CliXML Cloud_PFStatistics.xml

3. In Exchange Online PowerShell, run the following command to take a snapshot of the permissions:

PowerShell

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission | Select-Object Identity,User,AccessRights | Export-CliXML Cloud_PFPerms.xml

4. In Exchange Online PowerShell, run the following command to take a snapshot of the mail-enabled public folders:

PowerShell

Get-MailPublicFolder -ResultSize Unlimited | Export-CliXML Cloud_MEPF.xml

Note

Post-migration, if external emails sent to mail-enabled public folders in Exchange Online fail with a 5.7.13 or 5.4.1 error, ensure that the public folder has the CreateItems permission enabled for anonymous users and that Domain Based Edge Blocking (DBEB) is disabled for the email domain configured on the public folder.
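The article says to compare the two sets of snapshots but leaves the comparison to you. The following script is an added example and not part of the Microsoft article: it loads the on-premises snapshots from Step 2 and the Exchange Online snapshots taken above, and reports folders, item counts, permission entries and mail-enabled public folders that did not come across. The article names only OnPrem_MEPF.xml; the other on-premises file names (OnPrem_PFStructure.xml, OnPrem_PFStatistics.xml, OnPrem_PFPerms.xml) are assumed here to mirror the Cloud_* names. Users are compared by the string form of the User property, so a principal whose display name differs between the two environments is reported as a difference rather than matched.

```powershell
# Added example (not Microsoft's code): diff pre-migration and post-migration snapshots.
function Compare-PublicFolderSnapshots {
    param(
        [string]$OnPremPath = '.',
        [string]$CloudPath  = '.'
    )

    function Load([string]$Folder, [string]$Name) {
        $file = Join-Path $Folder $Name
        if (-not (Test-Path $file)) { throw "Snapshot not found: $file" }
        @(Import-Clixml $file)
    }

    # 1. Hierarchy: every on-premises folder path must exist in Exchange Online.
    $cloudPaths = @{}
    foreach ($f in (Load $CloudPath 'Cloud_PFStructure.xml')) { $cloudPaths["$($f.Identity)"] = $true }
    $missingFolders = @(Load $OnPremPath 'OnPrem_PFStructure.xml' |
        ForEach-Object { "$($_.Identity)" } |
        Where-Object { -not $cloudPaths.ContainsKey($_) })

    # 2. Item counts: sizes differ between stores, so compare ItemCount per FolderPath.
    # The cloud may hold more items than the old snapshot (users kept working); fewer is a problem.
    $cloudCounts = @{}
    foreach ($s in (Load $CloudPath 'Cloud_PFStatistics.xml')) { $cloudCounts["$($s.FolderPath)"] = [int]$s.ItemCount }
    $countMismatch = @(Load $OnPremPath 'OnPrem_PFStatistics.xml' | ForEach-Object {
        $path  = "$($_.FolderPath)"
        $cloud = if ($cloudCounts.ContainsKey($path)) { $cloudCounts[$path] } else { -1 }
        if ($cloud -lt [int]$_.ItemCount) {
            [pscustomobject]@{ FolderPath = $path; OnPremItems = [int]$_.ItemCount; CloudItems = $cloud }
        }
    })

    # 3. Permissions: key on folder + user and compare the sorted AccessRights list.
    # The root folder and \NON_IPM_SUBTREE\EFORMS REGISTRY are expected to differ (see Known issues).
    function PermKey($p) { "$($p.Identity)|$($p.User)" }
    function Rights($p)  { (@($p.AccessRights) | ForEach-Object { "$_" } | Sort-Object) -join ',' }
    $cloudPerms = @{}
    foreach ($p in (Load $CloudPath 'Cloud_PFPerms.xml')) { $cloudPerms[(PermKey $p)] = Rights $p }
    $permDiff = @(Load $OnPremPath 'OnPrem_PFPerms.xml' | ForEach-Object {
        $key  = PermKey $_
        $want = Rights $_
        $have = if ($cloudPerms.ContainsKey($key)) { $cloudPerms[$key] } else { '<missing>' }
        if ($have -ne $want) {
            [pscustomobject]@{ Folder = "$($_.Identity)"; User = "$($_.User)"; OnPrem = $want; Cloud = $have }
        }
    })

    # 4. Mail-enabled public folders: match on primary SMTP address.
    $cloudMepf = @{}
    foreach ($m in (Load $CloudPath 'Cloud_MEPF.xml')) { $cloudMepf["$($m.PrimarySmtpAddress)".ToLower()] = $true }
    $missingMepf = @(Load $OnPremPath 'OnPrem_MEPF.xml' |
        ForEach-Object { "$($_.PrimarySmtpAddress)".ToLower() } |
        Where-Object { -not $cloudMepf.ContainsKey($_) })

    [pscustomobject]@{
        MissingFolders        = $missingFolders
        ItemCountMismatches   = $countMismatch
        PermissionDifferences = $permDiff
        MissingMailEnabledPF  = $missingMepf
        Passed = ($missingFolders.Count -eq 0 -and $countMismatch.Count -eq 0 -and
                  $permDiff.Count -eq 0 -and $missingMepf.Count -eq 0)
    }
}

# Usage, from the folder that holds both sets of snapshot files:
$result = Compare-PublicFolderSnapshots -OnPremPath '.' -CloudPath '.'
$result | Format-List
```

Treat PermissionDifferences as the list to re-create with Add-PublicFolderClientPermission, and ItemCountMismatches as folders whose migration requests should be reviewed before the on-premises mailboxes are removed.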

Known issues
The following are common public folder migration issues that you may encounter in
your organization.

We don't support the migration of public folders to Exchange Online when there
are more than 100 unique public folder mailboxes in Exchange Online.

Permissions for the root public folder and the EFORMS REGISTRY folder will not be migrated to Exchange Online, and you will have to manually apply them in Exchange Online. To do this, run the following commands in Exchange Online PowerShell. Run the command once for each permission entry that is present on-premises but missing in Exchange Online:

PowerShell

Add-PublicFolderClientPermission "\" -User <user> -AccessRights <access rights>
Add-PublicFolderClientPermission "\NON_IPM_SUBTREE\EFORMS REGISTRY" -User <user> -AccessRights <access rights>

There is a known issue where some public folder migrations will fail if some public folder mailboxes are not serving the public folder hierarchy. This means the IsExcludedFromServingHierarchy parameter on one or more mailboxes is set to $true. To avoid this, set all mailboxes in Exchange Online to serve the hierarchy.

Send As and Send on Behalf permissions don't get migrated to Exchange Online. Before you migrate, use the following commands in your on-premises environment to record who has these permissions, so that you can re-create them in Exchange Online afterwards.

To see which public folders have Send As permissions on-premises:

PowerShell

Get-MailPublicFolder | Get-ADPermission | ?{$_.ExtendedRights -like "*Send-As*"}

To see which public folders have Send on Behalf permissions on-premises:

PowerShell

Get-MailPublicFolder | ?{$_.GrantSendOnBehalfTo -ne "$null"} | Format-Table Name,GrantSendOnBehalfTo

To add Send As permission to a mail-enabled public folder in Exchange Online, in Exchange Online PowerShell type:

PowerShell

Add-RecipientPermission -Identity <mail-enabled public folder primary SMTP address> -Trustee <name of user to be assigned permission> -AccessRights SendAs

Example:

PowerShell

Add-RecipientPermission -Identity send1 -Trustee Exo1 -AccessRights SendAs

To add Send on Behalf permission to a mail-enabled public folder in Exchange Online, in Exchange Online PowerShell type:

PowerShell

Set-MailPublicFolder -Identity <name of public folder> -GrantSendOnBehalfTo <user or comma-separated list of users>

Example:

PowerShell

Set-MailPublicFolder send2 -GrantSendOnBehalfTo exo1,exo2
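Re-creating these grants by hand is error-prone for more than a handful of folders. The following script is an added example and not part of the Microsoft article: saved as, say, Sync-MepfSendPermissions.ps1 (an assumed file name), it is run once on-premises with -Export to record every Send As and Send on Behalf grant on mail-enabled public folders, and once in Exchange Online PowerShell with -Import to re-create them. The CSV layout, the -DryRun switch and the trustee resolution through Get-User are this example's own conventions; a trustee that cannot be resolved to an SMTP address (a security group, for example) is written as-is and must be mapped by hand before importing.

```powershell
# Added example (not Microsoft's code): export on-premises Send As / Send on Behalf grants
# for mail-enabled public folders to CSV, then replay them in Exchange Online.
[CmdletBinding(DefaultParameterSetName = 'Export')]
param(
    [Parameter(ParameterSetName = 'Export')][switch]$Export,
    [Parameter(ParameterSetName = 'Import')][switch]$Import,
    [string]$Path = '.\MEPF_SendPermissions.csv',
    [switch]$DryRun
)

function Resolve-Trustee([string]$Principal) {
    # Get-ADPermission reports DOMAIN\name and GrantSendOnBehalfTo a canonical name; Exchange
    # Online needs an identity it knows, so prefer the primary SMTP address when Get-User resolves it.
    $u = Get-User -Identity $Principal -ErrorAction SilentlyContinue
    if ($u -and "$($u.WindowsEmailAddress)" -ne '') { return "$($u.WindowsEmailAddress)" }
    return $Principal
}

if ($Import) {
    $rows = @(Import-Csv -Path $Path)
    foreach ($r in ($rows | Where-Object { $_.Type -eq 'SendAs' })) {
        if ($DryRun) { "Would grant SendAs on $($r.Folder) to $($r.Trustee)"; continue }
        Add-RecipientPermission -Identity $r.Folder -Trustee $r.Trustee -AccessRights SendAs -Confirm:$false
    }
    # GrantSendOnBehalfTo replaces the whole list, so set it once per folder with every trustee.
    $rows | Where-Object { $_.Type -eq 'SendOnBehalf' } | Group-Object Folder | ForEach-Object {
        $trustees = @($_.Group | ForEach-Object { $_.Trustee })
        if ($DryRun) { "Would set GrantSendOnBehalfTo on $($_.Name) to $($trustees -join ', ')"; return }
        Set-MailPublicFolder -Identity $_.Name -GrantSendOnBehalfTo $trustees
    }
}
else {
    $rows = foreach ($pf in Get-MailPublicFolder -ResultSize Unlimited) {
        $folder = "$($pf.PrimarySmtpAddress)"
        # Send As is an explicit (non-inherited, non-deny) Send-As extended right on the AD object;
        # well-known system principals are skipped because they have no Exchange Online counterpart.
        Get-ADPermission -Identity $pf.Identity |
            Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and -not $_.Deny -and
                           "$($_.User)" -notlike 'NT AUTHORITY\*' -and "$($_.User)" -notlike 'S-1-5-*' } |
            ForEach-Object {
                [pscustomobject]@{ Folder = $folder; Type = 'SendAs'; Trustee = (Resolve-Trustee "$($_.User)") }
            }
        # Send on Behalf is a multi-valued attribute on the folder itself.
        foreach ($t in @($pf.GrantSendOnBehalfTo)) {
            [pscustomobject]@{ Folder = $folder; Type = 'SendOnBehalf'; Trustee = (Resolve-Trustee "$t") }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    "Exported $(@($rows).Count) grants to $Path"
}
```

Usage: on-premises, .\Sync-MepfSendPermissions.ps1 -Export; then in Exchange Online PowerShell, .\Sync-MepfSendPermissions.ps1 -Import -DryRun to review the plan, and again without -DryRun to apply it. Review the CSV between the two runs: a Send As grant is a delegation of identity, so any trustee you do not recognise should be dropped rather than carried over.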

Having more than 10,000 folders under the "\NON_IPM_SUBTREE\DUMPSTER_ROOT" folder can cause the migration to fail. Therefore, check the "\NON_IPM_SUBTREE\DUMPSTER_ROOT" folder to see if there are more than 10,000 folders directly under it (immediate children). You can use the following command to find the number of public folders in this location:

PowerShell

(Get-PublicFolder -GetChildren "\NON_IPM_SUBTREE\DUMPSTER_ROOT").Count

Exchange Online does not support more than 10,000 subfolders, which is why
migrations of more than 10,000 folders will fail. We are currently developing a
script to unblock such configurations. In the meantime, we suggest waiting to
migrate your public folders.

Migration jobs are not making progress or are stalled. This can happen if there are
too many jobs running in parallel, causing jobs to fail with intermittent errors. You
can reduce the number of concurrent jobs by modifying MaxConcurrentMigrations
and MaxConcurrentIncrementalSyncs to a smaller number. Use the following
example to set these values:

PowerShell

Set-MigrationEndpoint <PublicFolderEndpoint> -MaxConcurrentMigrations 30 -MaxConcurrentIncrementalSyncs 20 -SkipVerification

Migration jobs fail with the error "Error: Dumpster of the Dumpster folder." If you see this error, it should be resolved if you stop the batch and then restart it.

Migration jobs fail with the error "Request was quarantined because of the following error: The given key was not present in the dictionary." This happens when a corrupt item is present in a folder which migration jobs cannot copy. To work around this:

1. Stop the migration batch.

2. Identify the folder containing the bad item. The migration report should
include references to the folder that was being copied when the error
occurred.

3. In your on-premises environment, move the affected folder to the primary public folder mailbox. You can use the New-PublicFolderMoveRequest cmdlet to move folders.

4. Wait for the folder move to complete. After it is complete, remove the move
request. Finally, re-start the migration batch.

Remove public folder mailboxes from your Exchange on-premises environment

After the migration is complete and you have verified that your public folders in
Exchange Online are working as expected and contain all expected data, you can
remove your on-premises public folder mailboxes.

Be aware that this step is irreversible, because once public folder mailboxes are deleted,
they cannot be recovered. Therefore we strongly recommend that, in addition to
validating the success of your migration, that you also monitor your Exchange Online
public folders for a few weeks before removing the on-premises public folder mailboxes.

Migrate Public Folders to Microsoft 365 or Office 365 by using Outlook PST export

We recommend that you don't use Outlook's PST export feature to migrate public
folders to Microsoft 365 or Office 365 or Exchange Online if your on-premises public
folder hierarchy is greater than 30 GB. Microsoft 365 and Office 365 online public folder
mailbox growth is managed using an auto-split feature that splits the public folder
mailbox when it exceeds size quotas. Auto-split can't handle the sudden growth of
public folder mailboxes when you use PST export to migrate your public folders and you
may have to wait for up to two weeks for auto-split to move the data from the primary
mailbox. In addition, consider the following before using Outlook PST to export public
folders to Microsoft 365 or Office 365 or Exchange Online:

Public folder permissions will be lost during this process. Capture the current
permissions before migration and manually add them back once the migration is
completed.

If you use complex permissions or have many folders to migrate, we recommend that you use the cmdlet method for migration.

Any item and folder changes made to the source public folders during the PST
export migration will be lost. Therefore, we recommend that you use the cmdlet
method if this export and import process will take a long time to complete.

If you still want to migrate your public folders by using PST files, follow these steps to
ensure a successful migration.

1. Use the instructions in Step 1: Download the migration scripts to download the
migration scripts. You only need to download the
PublicFolderToMailboxMapGenerator.ps1 file.

2. Follow step number 2 of Step 3: Generate the .csv files to create the public folder-
to-mailbox mapping file. This file is used to calculate the correct number of public
folder mailboxes in Exchange Online.

3. Create the public folder mailboxes that you'll need based on the mapping file. For
more information, see Use the EAC to create a public folder mailbox.

4. Use the New-PublicFolder cmdlet to create the top-most public folder in each of
the public folder mailboxes by using the Mailbox parameter.

5. Export and import the PST files using Outlook.

6. Set the permissions on the public folders using the EAC. For more information,
follow Step 3: Assign permissions to the public folder in the Set up public folders in
a new organization article.

Caution

If you've already started a PST migration and have run into an issue where the
primary mailbox is full, you have two options for recovering the PST migration:

The first option is to wait for the auto-split to move the data from the primary
mailbox. This may take up to two weeks. However, all the public folders in a
completely filled public folder mailbox won't be able to receive new content until
the auto-split completes.

Option two is to create a public folder mailbox in Exchange Server and then use
the New-PublicFolder cmdlet with the Mailbox parameter to create the remaining
public folders in the secondary public folder mailbox.
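The PST route loses every client permission, and Step 6 above restores them through the EAC one folder at a time. The following script is an added example and not part of the Microsoft article: saved as, say, Sync-PFClientPermissions.ps1 (an assumed file name), it records every public folder's client permissions to a CSV before the export (run on-premises) and re-applies them after the import (run in Exchange Online PowerShell). The CSV layout, the -DryRun switch, the use of the User object's IsDefault, IsAnonymous and ADRecipient properties to produce a stable identifier, and the remove-then-add handling of entries that already exist are this example's own; the cmdlets are the standard ones. It also serves the Known issues note above about root and EFORMS REGISTRY permissions, since those folders are included in the export.

```powershell
# Added example (not Microsoft's code): export public folder client permissions to CSV
# before a PST migration, then re-apply them in Exchange Online.
[CmdletBinding(DefaultParameterSetName = 'Export')]
param(
    [Parameter(ParameterSetName = 'Export')][switch]$Export,
    [Parameter(ParameterSetName = 'Import')][switch]$Import,
    [string]$Path = '.\PFClientPermissions.csv',
    [switch]$DryRun
)

function Get-UserKey($User) {
    # Default and Anonymous are pseudo-users present on every folder; everyone else is recorded
    # by primary SMTP address so the entry resolves in Exchange Online (property names assumed).
    if ($User.IsDefault)   { return 'Default' }
    if ($User.IsAnonymous) { return 'Anonymous' }
    if ($User.ADRecipient -and $User.ADRecipient.PrimarySmtpAddress) { return "$($User.ADRecipient.PrimarySmtpAddress)" }
    return "$User"
}

if ($Import) {
    $rows = @(Import-Csv -Path $Path)
    foreach ($group in ($rows | Group-Object Folder)) {
        $folder = $group.Name
        if (-not (Get-PublicFolder -Identity $folder -ErrorAction SilentlyContinue)) {
            Write-Warning "Folder '$folder' does not exist in Exchange Online; skipping."
            continue
        }
        # Current state, keyed the same way as the export, so unchanged entries are left alone.
        $current = @{}
        foreach ($p in (Get-PublicFolderClientPermission -Identity $folder)) {
            $current[(Get-UserKey $p.User)] = (@($p.AccessRights) | ForEach-Object { "$_" } | Sort-Object) -join ','
        }
        foreach ($r in $group.Group) {
            $wanted = ($r.AccessRights -split ',' | Sort-Object) -join ','
            if ($current[$r.User] -eq $wanted) { continue }
            if ($DryRun) { "Would set $($r.User) on $folder to $wanted"; continue }
            if ($current.ContainsKey($r.User)) {
                # An existing entry (always the case for Default and Anonymous) has to be removed
                # before Add-PublicFolderClientPermission will accept the new rights.
                Remove-PublicFolderClientPermission -Identity $folder -User $r.User -Confirm:$false
            }
            Add-PublicFolderClientPermission -Identity $folder -User $r.User -AccessRights ($wanted -split ',')
        }
    }
}
else {
    $rows = Get-PublicFolder -Recurse -ResultSize Unlimited |
        Get-PublicFolderClientPermission |
        ForEach-Object {
            [pscustomobject]@{
                Folder       = "$($_.Identity)"
                User         = Get-UserKey $_.User
                AccessRights = (@($_.AccessRights) | ForEach-Object { "$_" }) -join ','
            }
        }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    "Exported $(@($rows).Count) permission entries to $Path"
}
```

Usage: on-premises, .\Sync-PFClientPermissions.ps1 -Export before you export the PSTs; in Exchange Online PowerShell, .\Sync-PFClientPermissions.ps1 -Import -DryRun after the import to review the plan, then without -DryRun. Folder paths must be identical in both environments for entries to match, so create the folders with the same names before importing the PST content.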

Troubleshoot public folder migrations

Select the following button to run the diagnostics for common public folder migration issues:

Run Tests: Troubleshoot public folder migration

A flyout page opens in the Microsoft 365 admin center; sign in with your tenant admin account and select the appropriate option.

Roll back a public folder migration from
Exchange Server to Exchange Online
Article • 07/13/2023

If you run into issues with your public folder migration to Exchange Online, or for any
other reason need to reactivate your Exchange Server public folders, perform the
following steps:

Roll back the migration

If you roll back your migration, you will lose any content that was added to public
folders in Exchange Online post-migration, either through clients or via email for mail-
enabled public folders. To save this content, you can export the post-migration public
folder content to a .pst file, which can then be imported into the on-premises public
folders when the rollback is complete.

1. In your Exchange on-premises environment, run the following command to unlock your Exchange Server public folders:

PowerShell

Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections:$false -PublicFolderMailboxesMigrationComplete:$false -PublicFoldersEnabled Local

Note

The unlocking may take several hours.

2. In your Exchange on-premises environment, revert the ExternalEmailAddress of any mail-enabled public folder that was updated by SetMailPublicFolderExternalAddress.ps1 (the script run in Step 9: Finalize the migration on-premises of Use batch migration to migrate Exchange Server public folders to Exchange Online). You can refer to the summary file created by the script to identify the ones that were modified, or use the OnPrem_MEPF.xml file generated earlier in the same batch migration process to get the original properties for all mail-enabled public folders.

3. In Exchange Online PowerShell, run the following commands to remove all Exchange Online public folders and public folder mailboxes:

PowerShell

Get-MailPublicFolder -ResultSize Unlimited | where {$_.EntryId -ne $null} | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren \ -ResultSize Unlimited | Remove-PublicFolder -Recurse -Confirm:$false
$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder -SoftDeletedMailbox | Remove-Mailbox -PublicFolder -PermanentlyDelete:$true -Force

4. Run the following command in your Exchange Online environment to redirect public folder traffic back to on-premises (Exchange Server):

PowerShell

Set-OrganizationConfig -PublicFoldersEnabled Remote

5. See Configure Exchange 2013 public folders for a hybrid deployment for
instructions on reconfiguring access to your on-premises public folders, so that
your Exchange Online users can access them.
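Step 2 above describes the revert but gives no command for it. The following script is an added example and not part of the Microsoft article: run on-premises, it reads OnPrem_MEPF.xml (the snapshot the batch migration article has you take), matches each current mail-enabled public folder by EntryId, and restores the ExternalEmailAddress recorded before SetMailPublicFolderExternalAddress.ps1 changed it. Without -Apply it only reports what would change. Two assumptions are this example's own: that EntryId is stable for the life of the on-premises folder, and that an empty snapshot value means the address should be cleared by passing $null to Set-MailPublicFolder.

```powershell
# Added example (not Microsoft's code): restore on-premises ExternalEmailAddress values from
# the OnPrem_MEPF.xml snapshot after a rolled-back public folder migration.
param(
    [string]$Snapshot = '.\OnPrem_MEPF.xml',
    [switch]$Apply
)

# Original value per folder, keyed by EntryId (assumed stable across the migration).
$original = @{}
foreach ($m in @(Import-Clixml $Snapshot)) {
    $original["$($m.EntryId)"] = "$($m.ExternalEmailAddress)"
}

$changes = foreach ($pf in Get-MailPublicFolder -ResultSize Unlimited) {
    $key = "$($pf.EntryId)"
    if (-not $original.ContainsKey($key)) {
        Write-Warning "No snapshot entry for '$($pf.Name)' (EntryId $key); leaving it unchanged."
        continue
    }
    $before = "$($pf.ExternalEmailAddress)"
    $after  = $original[$key]
    if ($before -eq $after) { continue }

    [pscustomobject]@{ Folder = $pf.Name; Current = $before; Original = $after }
    if ($Apply) {
        if ($after -eq '') {
            # Folder had no external address before the migration: clear it (assumes $null is accepted).
            $pf | Set-MailPublicFolder -ExternalEmailAddress $null
        } else {
            $pf | Set-MailPublicFolder -ExternalEmailAddress $after
        }
    }
}

$changes | Format-Table -AutoSize
if (-not $Apply) { "Dry run: re-run with -Apply to restore the $(@($changes).Count) address(es) listed above." }
```

Run it first without -Apply and compare the listed folders with the script's own summary file; the two should agree. Until the addresses are reverted, mail sent to those folders is still forwarded to Exchange Online, where step 3 removes the targets, so do this before step 3.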
Migrate your public folders to Microsoft
365 Groups in Exchange Online
Article • 02/22/2023

Summary: Why you should or shouldn't migrate your public folders to Microsoft 365
Groups.

This article provides a comparison of public folders and Microsoft 365 Groups, and how
one or the other might be the best solution for your organization. Public folders have
been around as long as Exchange, whereas Groups were introduced more recently. If
you want to migrate some or all of your public folders to Groups, this article describes
how the process works, and provides links to the articles that walk you through the
process, step by step.

What are public folders?

Public Folders contain different kinds of data and are organized in a hierarchical
structure.

Public folders are not recommended for the following situations:

Archiving data. Users with mailbox limits sometimes use public folders instead of
mailboxes to archive data. This practice isn't recommended because it affects
storage in public folders and undermines the goal of mailbox limits.

Document sharing and collaboration. Public folders don't provide document management features, such as versioning, controlled check-in and check-out functionality, and automatic notifications of content changes.

What are Microsoft 365 Groups?

Microsoft 365 groups let you choose a set of people who you wish to collaborate with,
and then easily set up a collection of resources for those people to share. You don't
have to worry about manually assigning permissions to those resources, because adding
members to your group automatically gives the members the permissions they need to
access the tools and resources your group provides. Groups are also the new and
improved experience for those tasks that were previously handled by distribution lists
and shared mailboxes.

For the full Groups story, see Learn about Microsoft 365 Groups .
Should you migrate your public folders to
Microsoft 365 Groups?
Microsoft 365 Groups is the latest collaboration offering from Microsoft, which means
there are many reasons why they would be a preferable solution over public folders, a
much older technology. In Outlook, for example, Groups can replace mail-enabled
public folders altogether. Compiling a list of every scenario in which Microsoft 365
Groups works better than public folders is impossible, but here are the highlights:

Collaboration over email. Groups in Outlook has a dedicated Conversations space that stores all the emails and lets users collaborate over them. The group can even
be set up to receive messages from people outside the group or from outside the
organization. If you're currently using mail-enabled public folders to store project-
related discussions, for example, or purchase orders that need to be viewed by a
team of people, using groups would be an improvement. Groups are also better
for situations when you simply want to broadcast information to a set of users.

Collaboration over documents. In Outlook, Groups has a dedicated Files tab that
displays all files from the group's SharePoint team site, as well as from mail
attachments. You get one view of all the files, so you don't have to go searching
for them like you would in public folders. Co-authoring also becomes easier. If
you're using public folders for storing files meant to be consumed by multiple
people, consider migrating to Groups.

Shared calendar. Upon creation every group gets a shared calendar. Any member
of the group can create events on that calendar. When you favorite a group, that
group's calendar can be displayed alongside your personal calendar. You can also
subscribe to a group's events, in which case events created in that group appear in
your personal calendar. If you're using public folders to host calendars for your
team, such as a schedule or a timetable, Groups would be an improved experience.

Simplified permissions. When you assign users to a group, they immediately get
the permissions they need, whereas with public folders you need to manually
assign the proper permissions. Members can be added as "owners" or "members."
Owners have full rights in the group, including the ability to perform group
management tasks. Members can also create content and edit files like owners, but
members cannot delete content that they have not created. If the public folders'
permissions model is too overwhelming for you and you want something simple
and quick, Microsoft 365 Groups is the way to go.

Mobile and Web presence. Public folders can't be accessed through mobile
devices and have a limited set of functionality on the Web. Microsoft 365 Groups,
on the other hand, is accessible through Outlook mobile apps and has a richer set
of features on the Web. If your team is on the move and requires mobile access,
then you should be using Microsoft 365 Groups.

Access to a wide range of Microsoft 365 or Office 365 apps. When you create a
group, you unlock access to a wide range of apps from the Microsoft 365 or Office
365 suite. You get a SharePoint team site for storing files and a plan on Planner to
track your tasks. Microsoft 365 Groups is the membership service that combines
elements of the entire Microsoft 365 or Office 365 suite.

While Microsoft 365 Groups offers many advantages, you should be aware of a few
major differences that you'll notice after leaving the public folders experience. These are
primarily:

Folder hierarchy. While public folders are often used to organize content in deep
rooted hierarchy, Microsoft 365 Groups has a flat structure. All emails in the group
reside in the Conversations space and all the documents go into the Files tab. Also,
you can't create sub-folders in Microsoft 365 groups.

Granular permission roles. While public folders have a variety of permission roles,
Microsoft 365 Groups only provides two: owner and member.

Before you move to Groups, it's also a good idea to make note of the various limits that
come with creating and maintaining groups. See How do I manage my groups? in Learn
about Microsoft 365 Groups for more information.

Migrating public folders to Microsoft 365 Groups

If you decide to switch to Microsoft 365 Groups, you can use a process known as batch
migration to move your email and calendar content from your existing public folders to
Groups. The specific steps for running a batch migration depends on which version of
Exchange currently hosts your public folder hierarchy. At the end of this article, you will
find links to instructions that walk you through the batch migration process.

Note

When you finish migrating a mail-enabled public folder to a particular Microsoft 365 group, all the emails addressed to the public folder will at that point be received by the group.

Key benefits of batch migrations are:

Mailbox Replication Service (MRS)-based migration. The migration process uses migration batch cmdlets. Migration to multiple groups can be triggered together in a single migration batch. There are also scripts available to assist in the migration process.

Supports mail and calendar public folders. Copied emails and posts will appear in Groups as group conversations, and copied calendar items will be visible in group calendars. Other public folder types, such as tasks and contacts, are currently not supported for this migration.

On-premises public folders can be migrated directly to Microsoft 365 Groups. This migration does not require you to first move your public folders to Microsoft 365 or Office 365 and then move to Groups. The MRS data copy cmdlets read the public folder data directly from your on-premises environment and then copy the data to Microsoft 365 Groups. Note that Exchange 2010 public folders will require an Outlook Anywhere endpoint. Exchange 2013 public folders will require an MRS Proxy-based endpoint.

Not an "all or nothing" migration. You get to choose specific public folders to
migrate to Groups, and only those chosen public folders get migrated.

One-shot data copy. Batch migrations are designed to be a simple one-time data
copy from source public folders to target groups, without the complexities of
incremental synchronization and finalization.

Merges public folder data with existing data in a group. The data copy will merge
the public folder content with the existing group's content, if any. If there is a need
for incremental data copy, you can simply run the data copy as many times as you
need. This will copy incremental data over to the group.

Overview of batch migrations

The following steps outline the overall process of migrating your public folder content
to Microsoft 365 Groups in a batch migration. The specific details are contained in the
articles listed below.

1. Select source: Choose the public folders that you want to migrate. You can choose
any folder containing mail or calendar content.

2. Create target: Create corresponding groups for your folders, with the desired
configurations, such as members, privacy settings, and data classification.
3. Copy data: Use the migration batch cmdlets to copy data from public folders to
Groups.

4. Lock source: Lock the public folders once you have verified the data in Groups.

5. Cutover: Copy any new data that has been created between steps 3 and 4.

Note that your public folders and their corresponding groups will remain online for your
users during steps 1 through 3 above. After step 3, you can evaluate whether or not to
proceed with the rest of the migration, based on the Groups experience and whether or
not it suits your users and your organization. You can roll back your migration and
resume using public folders at that point. If you do proceed with the migration, after
step 5 completes, you can delete the original public folders. Even post-migration it is
possible to roll back to public folders, provided you have saved your backup files from
the migration process and you have not deleted your original public folders.

Batch migration prerequisites and step-by-step instructions

The following prerequisites are required in your Exchange environment before you can
run a batch migration. The specific prerequisites depend on which version of Exchange
you're currently running.

1. If your public folders are on-premises, your servers need to be running one of the
following versions:

Exchange 2010 SP3 RU8 or later

Exchange 2013 CU15 or later

Exchange 2016 CU4 or later

2. If your public folders are on-premises, you must have an Exchange Hybrid
environment set up. See Exchange Server Hybrid Deployments for more
information.

Migration instructions
Select the appropriate link below for step-by-step instructions on running a batch
migration.

Use batch migration to migrate Exchange Online public folders to Microsoft 365
Groups
Use batch migration to migrate Exchange 2010 public folders to Microsoft 365
Groups

Use batch migration to migrate Exchange 2013 public folders to Microsoft 365
Groups

Use batch migration to migrate Exchange 2016 public folders to Microsoft 365
Groups
Use batch migration to migrate
Exchange Online public folders to
Microsoft 365 Groups
Article • 02/22/2023

Summary: How to move your Exchange Online public folders to Microsoft 365 Groups.

Through a process known as batch migration, you can move some or all of your
Exchange Online public folders to Microsoft 365 Groups. Groups is a new collaboration
offering from Microsoft that offers certain advantages over public folders. See Migrate
your public folders to Microsoft 365 Groups for an overview of the differences between
public folders and Groups, and reasons why your organization may or may not benefit
from switching to Groups.

This article contains the step-by-step procedures for performing the actual batch
migration of your Exchange Online public folders.

What do you need to know before you begin?

Ensure that all of the following conditions are met before you begin preparing your
migration.

Only public folders of type calendar and mail can be migrated to Microsoft 365
Groups at this time; migration of other types of public folders is not supported.
Also, the target Microsoft 365 groups are expected to exist prior to the migration.

Microsoft 365 Groups don't support the permission roles and access rights that are
available in public folders. In Microsoft 365 Groups, the users are designated as
either members or owners.

The batch migration process only copies messages and calendar items from public
folders for migration to Microsoft 365 Groups. It doesn't copy other types of public
folder content like rules and permissions, since that type of content is not
supported in Microsoft 365 Groups.

Microsoft 365 Groups come with a 50 GB mailbox. Ensure that the sum of public
folder data that you are migrating totals less than 50 GB. In addition, leave storage
space for future content additions. We recommend migrating public folders no
bigger than 25 GB in total size.

This migration is not "all or nothing". You can pick and choose specific public
folders to migrate, and only those public folders will be migrated. If the public
folder being migrated has sub-folders, those sub-folders will not be automatically
included in the migration. If you need to migrate them, you need to explicitly
include them.

The public folders will not be affected in any manner by this migration. However,
once you use our lock-down script to make the migrated public folders read-only,
your users will be forced to use Microsoft 365 Groups instead of public folders.

Use a single migration batch to migrate all of your public folder data. Exchange
allows creating only one migration batch at a time. If you attempt to create more
than one migration batch simultaneously, the result will be an error.

Before you begin, we recommend that you read this article in its entirety, as
downtime is required for some steps.

Step 1: Get the scripts

The batch migration to Microsoft 365 Groups requires running multiple scripts at
different points in the migration as described in this article. Download the scripts and
their supporting files from this location. After all the scripts and files are downloaded,
save them to the same location, such as c:\PFtoGroups\Scripts.

Before proceeding, verify you have downloaded and saved all of the following scripts
and files:

Note

Make sure to save all scripts and files to the same location.

AddMembersToGroups.ps1: Adds members and owners to Microsoft 365 groups
based on permission entries in the source public folders.

AddMembersToGroups.strings.psd1: A support file that's used by the
AddMembersToGroups.ps1 script.

LockAndSavePublicFolderProperties.ps1: Makes public folders read-only to
prevent any modifications, and it transfers the mail-related public folder properties
(provided the public folders are mail-enabled) to the target groups, which will
reroute email from the public folders to the target groups. This script also backs up
the permission entries and the mail properties before modifying them.

LockAndSavePublicFolderProperties.strings.psd1: A support file that's used by the
LockAndSavePublicFolderProperties.ps1 script.

UnlockAndRestorePublicFolderProperties.ps1: Restores access rights and mail
properties of the public folders using backup files created by
LockAndSavePublicFolderProperties.ps1.

UnlockAndRestorePublicFolderProperties.strings.psd1: A support file that's used
by the UnlockAndRestorePublicFolderProperties.ps1 script.

WriteLog.ps1: Allows the AddMembersToGroups.ps1,
LockAndSavePublicFolderProperties.ps1, and
UnlockAndRestorePublicFolderProperties.ps1 scripts to write logs.

RetryScriptBlock.ps1: Allows the AddMembersToGroups,
LockAndSavePublicFolderProperties, and UnlockAndRestorePublicFolderProperties
scripts to retry certain actions if they encounter transient errors.

For details about the AddMembersToGroups.ps1, LockAndSavePublicFolderProperties.ps1,
and UnlockAndRestorePublicFolderProperties.ps1 scripts and the tasks they run in your
environment, see the Migration scripts section later in this article.

Step 2: Prepare for the migration

The following steps are necessary to prepare your organization for the migration:

1. Compile a list of public folders (mail and calendar types) that you want to migrate
to Microsoft 365 Groups.

2. Have a list of corresponding target groups for each public folder being migrated.
You can either create a new group in Office 365 for each public folder or use an
existing group. If you're creating a new group, see Learn about Microsoft 365
Groups to understand the settings a group must have. If a public folder that you
are migrating has the default permission set to Author or above, you should create
the corresponding group in Office 365 with the Public privacy setting. However, for
users to see the public group under the Groups node in Outlook, they will still
have to join the group.

3. Rename any public folders that contain a backslash (\) in their name. Otherwise,
those public folders may not get migrated correctly.

4. The migration feature named PAW must be enabled for your organization. To verify
that PAW is enabled, run the following command in Exchange Online PowerShell:

PowerShell

Get-MigrationConfig

If the output under Features lists PAW, the feature is enabled and you can
continue.

If you have any existing user or public folder migration batches in any state
(including Completed), PAW will not be enabled. Complete or remove any
existing migration batches until no records are returned in the output of
Get-MigrationBatch. After you remove all existing migration batches, PAW should be
enabled automatically. The change may not be reflected in Get-MigrationConfig
immediately.

Once this step is completed, you can continue creating new batches of user
migrations.

Step 3: Create the .csv file

Create a .csv file, which provides input for one of the migration scripts.

The .csv file needs to contain the following columns:

FolderPath. Path of the public folder to be migrated.

TargetGroupMailbox. SMTP address of the target Microsoft 365 group. You can
run the following command to see the primary SMTP address.

PowerShell

Get-UnifiedGroup <alias of the group> | Format-Table PrimarySmtpAddress

An example .csv:

csv

"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"

You can merge a mail folder and a calendar folder into a single Microsoft 365 group.
However, any other scenario of multiple public folders merging into one group isn't
supported within a single migration batch. If you need to map multiple public folders to
the same Microsoft 365 group, run separate migration batches consecutively, one after
another. You can have up to 500 entries in each migration batch.

One public folder should be migrated to only one group in one migration batch.
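A pre-flight check of the mapping file against the constraints this step states, as an added example (not one of Microsoft's migration scripts). It runs offline on a constructed .csv and a constructed folder-class lookup; in a real run the folder class would come from the FolderClass property returned by Get-PublicFolder (IPF.Note for mail folders, IPF.Appointment for calendar folders), which is an assumption about where to get it, not something this article states.

```powershell
# Added example: validate a public-folder-to-group mapping .csv before creating
# the batch. Sample rows and the folder-class lookup are constructed; in a real
# run, fill $FolderClass from (Get-PublicFolder -Identity $path).FolderClass.
$MappingCsvText = @'
"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"
"\Sales Calendar","sales@contoso.onmicrosoft.com"
"\Sales","sales2@contoso.onmicrosoft.com"
"\Sales\APAC\Archive","emeasales@contoso.onmicrosoft.com"
'@

# Constructed lookup: IPF.Note = mail folder, IPF.Appointment = calendar folder
$FolderClass = @{
    '\Sales'              = 'IPF.Note'
    '\Sales\EMEA'         = 'IPF.Note'
    '\Sales Calendar'     = 'IPF.Appointment'
    '\Sales\APAC\Archive' = 'IPF.Note'
}

function Test-PfToGroupMapping {
    param([string]$CsvText, [hashtable]$FolderClass, [int]$MaxEntries = 500)
    $rows     = @($CsvText | ConvertFrom-Csv)
    $problems = New-Object System.Collections.Generic.List[string]

    # Required columns
    $cols = $rows[0].PSObject.Properties.Name
    foreach ($c in 'FolderPath','TargetGroupMailbox') {
        if ($c -notin $cols) { $problems.Add("Missing column '$c'") }
    }

    # At most 500 entries per batch
    if ($rows.Count -gt $MaxEntries) {
        $problems.Add("Batch has $($rows.Count) entries; the limit is $MaxEntries")
    }

    # Per-row checks: rooted path, SMTP-looking target, mail or calendar folder only
    foreach ($r in $rows) {
        if ($r.FolderPath -notmatch '^\\') {
            $problems.Add("'$($r.FolderPath)': FolderPath must start with '\'")
        }
        if ($r.TargetGroupMailbox -notmatch '^[^@\s]+@[^@\s]+$') {
            $problems.Add("'$($r.TargetGroupMailbox)': not an SMTP address")
        }
        $class = $FolderClass[$r.FolderPath]
        if ($class -notin 'IPF.Note','IPF.Appointment') {
            $problems.Add("'$($r.FolderPath)': class '$class' is not mail or calendar (or folder not found)")
        }
    }

    # One public folder maps to only one group within a batch
    $rows | Group-Object FolderPath | Where-Object Count -gt 1 | ForEach-Object {
        $problems.Add("'$($_.Name)' is mapped to more than one group in this batch")
    }

    # Several folders may share a group only as one mail folder plus one calendar folder
    $rows | Group-Object TargetGroupMailbox | Where-Object Count -gt 1 | ForEach-Object {
        $classes = @($_.Group | ForEach-Object { $FolderClass[$_.FolderPath] } | Sort-Object -Unique)
        if ($_.Count -ne 2 -or ($classes -join ',') -ne 'IPF.Appointment,IPF.Note') {
            $problems.Add("'$($_.Name)' is the target of $($_.Count) folders; only one mail plus one calendar folder may share a group in one batch")
        }
    }
    return $problems
}

Test-PfToGroupMapping -CsvText $MappingCsvText -FolderClass $FolderClass |
    ForEach-Object { "PROBLEM: $_" }
```

On the constructed rows the check reports \Sales twice (mapped to two groups) and emeasales@ as the target of two mail folders, while sales@ receiving one mail folder and one calendar folder passes; fix the .csv until the function returns nothing before proceeding to Step 4.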

Step 4: Start the migration request

In this step, you gather information from your Exchange environment, and then you use
that information in Exchange Online PowerShell to create a migration batch. After that,
you start the migration.

1. In Exchange Online PowerShell, run the following command to create a new public
folder-to-Microsoft 365 group migration batch.

PowerShell

New-MigrationBatch -Name PublicFolderToGroupMigration -CSVData ([System.IO.File]::ReadAllBytes('<path to .csv file>')) -PublicFolderToUnifiedGroup [-AutoStart]

In this command:

CSVData is the .csv file created above in Step 3: Create the .csv file. Be sure to
provide the full path to this file. If the file was moved for any reason, be sure
to verify and use the new location.
AutoStart is an optional switch that starts the migration batch as soon as it's
created.
PublicFolderToUnifiedGroup indicates that this is a public folder to Microsoft
365 Groups migration batch.

2. If you didn't use the AutoStart switch in the first command, start the migration by
running the following command in Exchange Online PowerShell:

PowerShell

Start-MigrationBatch PublicFolderToGroupMigration

While batch migrations need to be created using the New-MigrationBatch cmdlet in
Exchange Online PowerShell, the progress of the migration can be viewed and managed
in the Exchange admin center. You can also view the progress of the migration by running
the Get-MigrationBatch and Get-MigrationUser cmdlets. The New-MigrationBatch
cmdlet initiates a migration user for each Microsoft 365 group mailbox, and you can
view the status of these requests using the mailbox migration page.

To view the mailbox migration page:

1. In Exchange Online, open Exchange admin center.

2. Navigate to Recipients, and then select Migration.

3. Select the migration request that was just created and then, on the Details pane,
select View Details.

When the batch status is Completed, you can move on to Step 5: Add members to
Microsoft 365 groups from public folders.
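The create, start and monitor sequence of Step 4 wrapped into one function, as an added example that is not code from this article or from Microsoft's migration scripts. It assumes a connected Exchange Online PowerShell session and a placeholder mapping-file path, and adds two guards the article motivates: the PAW check from Step 2, and a resolution of every FolderPath with Get-PublicFolder before the batch exists (the Known issues section later notes that an invalid path lets the batch finish as Completed without copying data). The list of terminal batch statuses is an assumption.

```powershell
# Added example: Step 4 as one function with pre-checks. Requires a connected
# Exchange Online PowerShell session; the mapping path is a placeholder.
$MappingCsvPath = 'C:\PFtoGroups\mapping.csv'      # placeholder
$BatchName      = 'PublicFolderToGroupMigration'

function Assert-PawEnabled {
    # Step 2, item 4: the batch can only be created when PAW is listed under Features
    $features = (Get-MigrationConfig).Features
    if (-not ("$features" -match '\bPAW\b')) {
        $existing = @(Get-MigrationBatch | ForEach-Object { $_.Identity })
        throw "PAW is not enabled. Complete or remove existing batches first: $($existing -join ', ')"
    }
}

function Assert-MappingPathsResolve([string]$CsvPath) {
    # Guard against the known issue: an invalid FolderPath lets the batch
    # report Completed without copying anything, so resolve every path first
    $missing = @()
    foreach ($row in Import-Csv -Path $CsvPath) {
        try   { $null = Get-PublicFolder -Identity $row.FolderPath -ErrorAction Stop }
        catch { $missing += $row.FolderPath }
    }
    if ($missing.Count -gt 0) { throw "FolderPath entries not found: $($missing -join ', ')" }
}

function Start-PfToGroupBatch([string]$CsvPath, [string]$Name, [int]$PollSeconds = 300) {
    Assert-PawEnabled
    Assert-MappingPathsResolve -CsvPath $CsvPath

    # New-MigrationBatch takes the file contents as bytes; use the full path
    $csvBytes = [System.IO.File]::ReadAllBytes((Resolve-Path -Path $CsvPath).Path)
    New-MigrationBatch -Name $Name -CSVData $csvBytes -PublicFolderToUnifiedGroup -AutoStart | Out-Null

    # Poll until the batch reaches a terminal state (assumed list of terminal statuses)
    do {
        Start-Sleep -Seconds $PollSeconds
        $batch = Get-MigrationBatch -Identity $Name
        Write-Host ('{0} {1}: synced {2}, failed {3}' -f (Get-Date -Format u), $batch.Status, $batch.SyncedCount, $batch.FailedCount)
    } until ("$($batch.Status)" -in 'Completed','CompletedWithErrors','Failed','Stopped')

    # One migration user exists per target group mailbox; surface any per-group error
    Get-MigrationUser -BatchId $Name | Select-Object Identity, Status, ErrorSummary | Format-Table -AutoSize
    return "$($batch.Status)"
}

# Start-PfToGroupBatch -CsvPath $MappingCsvPath -Name $BatchName
```

For the final incremental pass in Step 7, remove the existing batch with Remove-MigrationBatch first and then call Start-PfToGroupBatch again with the same .csv; the two asserts run again, which is what you want after the lock-down.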

Step 5: Add members to Microsoft 365 groups from public folders

You can add members to the target Microsoft 365 group manually as required. However,
if you want to add members to the group based on the permission entries in public
folders, you need to do that by running the script AddMembersToGroups.ps1 as shown in
the following command. To know which public folder permissions are eligible to be
added as members of a Microsoft 365 group, see Migration scripts later in this article.

In the following command:

MappingCsv is the .csv file created above in Step 3: Create the .csv file. Be sure to
provide the full path to this file. If the file was moved for any reason, be sure to
verify and use the new location.

BackupDir is the directory where the migration log files will be stored.

ArePublicFoldersOnPremises is a parameter to indicate whether public folders are
located on-premises or in Exchange Online.

PowerShell

.\AddMembersToGroups.ps1 -MappingCsv <path to .csv file> -BackupDir <path to backup directory> -ArePublicFoldersOnPremises $false

Once users have been added to a Microsoft 365 group, they can begin using it.

Step 6: Lock down the public folders (public folder downtime required)

When most of the data in your public folders has migrated to Microsoft 365 Groups, you
can run the script LockAndSavePublicFolderProperties.ps1 to make the public folders
read-only. This step ensures that no new data is added to public folders before the
migration completes.

Note

If there are mail-enabled public folders (MEPFs) among the public folders being
migrated, this step will copy some properties of MEPFs, such as SMTP addresses, to
the corresponding Microsoft 365 group and then mail-disable the public folder.
Because the migrating MEPFs will be mail-disabled after the execution of this script,
you will start seeing emails sent to MEPFs instead being received in the
corresponding groups. For details, see the Migration scripts section later in this
article.

In the following command:

MappingCsv is the .csv file created above in Step 3: Create the .csv file. Be sure to
provide the full path to this file. If the file was moved for any reason, be sure to
verify and use the new location.

BackupDir is the directory where the backup files for permission entries, MEPF
properties, and migration log files will be stored. This backup will be useful in case
you need to roll back to public folders.

ArePublicFoldersOnPremises is a parameter to indicate whether public folders are
located on-premises or in Exchange Online.

PowerShell

.\LockAndSavePublicFolderProperties.ps1 -MappingCsv <path to .csv file> -BackupDir <path to backup directory> -ArePublicFoldersOnPremises $false

Step 7: Finalize the public folder to Microsoft 365 Groups migration

1. After you've made your public folders read-only, you'll need to perform the
migration again. This step is required for a final incremental copy of your data.
Before you can run the migration again, you'll have to remove the existing batch,
which you can do by running the following command:

PowerShell

Remove-MigrationBatch <name of migration batch>

2. Create a new batch with the same .csv file by running the following command:

PowerShell

New-MigrationBatch -Name PublicFolderToGroupMigration -CSVData ([System.IO.File]::ReadAllBytes('<path to .csv file>')) -PublicFolderToUnifiedGroup [-NotificationEmails <email addresses for migration notifications>] [-AutoStart]

In this command:

CSVData is the .csv file created above in Step 3: Create the .csv file. Be sure to
provide the full path to this file. If the file was moved for any reason, be sure
to verify and use the new location.
NotificationEmails is an optional parameter that can be used to set email
addresses that will receive notifications about the status and progress of the
migration.
AutoStart is an optional switch that starts the migration batch as soon as it is
created.

3. If you didn't use the AutoStart switch in the previous command, start the migration
by running the following command in Exchange Online PowerShell:

PowerShell

Start-MigrationBatch PublicFolderToGroupMigration

After you have finished this step (the batch status is Completed), verify that all
data has been copied to Microsoft 365 groups. At that point, provided you are
satisfied with the Groups experience, you can begin deleting the migrated public
folders from your Exchange Online environment.

Important

While there are supported procedures for rolling back your migration and returning
to public folders, this isn't possible after the source public folders have been
deleted. See How do I roll back to public folders from Microsoft 365 Groups? for
more information.

Known issues
The following issues might occur during a typical public folders to Microsoft 365 Groups
migration:

The script that transfers SMTP address from mail-enabled public folders to
Microsoft 365 groups only adds the addresses as secondary email addresses in
Exchange Online. If you have Exchange Online Protection (EOP) or if you use
Centralized Mail Flow, you'll have issues sending email to the groups (to the
secondary email addresses) after the migration.
If the .csv mapping file has an entry with invalid public folder path, the migration
batch displays as Completed without throwing an error, and no further data is
copied.

Migration scripts

For your reference, this section provides in-depth descriptions for three of the migration
scripts and the tasks they execute in your Exchange environment. You can download all
of the scripts and supporting files from this location.

AddMembersToGroups.ps1
This script will read the permissions of the public folders being migrated and then add
members and owners to Microsoft 365 groups as follows:

Users with the following permission roles will be added as members to a Microsoft
365 group. Permission roles: Owner, PublishingEditor, Editor, PublishingAuthor,
Author

In addition to the above, users with the following minimum access rights will also
be added as members to a Microsoft 365 group. Access rights: ReadItems,
CreateItems, FolderVisible, EditOwnedItems, DeleteOwnedItems

Users with access right "Owner" will be added as owners to a group and users with
other eligible access rights will be added as members.

Security groups cannot be added as members to Microsoft 365 groups. Therefore
they will be expanded, and then the individual users will be added as members or
owners to the groups based on the access rights of the security group.

When users in security groups that have access rights over a public folder have
themselves explicit permissions over the same public folder, explicit permissions
will be given preference. For example, consider a case in which a security group
called "SG1" has members User1 and User2. Permission entries for the public folder
"PF1" are as follows:

SG1: Author in PF1

User1: Owner in PF1

In this case, User1 will be added as an owner to the Microsoft 365 group.

When the default permission of a public folder being migrated is 'Author' or
above, the script will suggest setting the corresponding group's privacy setting as
'Public'.

This script can be run even after the lock-down of public folders, with parameter
ArePublicFoldersLocked set to $true. In this scenario, the script will read permissions
from the backup file that was created during lock-down.

LockAndSavePublicFolderProperties.ps1
This script makes the public folders that are being migrated read-only. When mail-
enabled public folders are migrated, they will first be mail-disabled and their SMTP
addresses will be added to the respective Microsoft 365 groups. Then the permission
entries will be modified to make them read-only. A backup of the mail properties of
mail-enabled public folders, as well as the permission entries of all the public folders,
will be copied, before performing any modification on them.

If there are multiple migration batches, a separate backup directory should be used with
each mapping .csv file.

The following mail properties will be stored, along with respective mail-enabled public
folders and Microsoft 365 groups:

PrimarySMTPAddress
EmailAddresses
ExternalEmailAddress
EmailAddressPolicyEnabled
GrantSendOnBehalfTo
SendAs Trustee list

The above mail properties will be stored in a .csv file, which can be used in the rollback
process (if you want to return to using public folders, see How do I roll back to public
folders from Microsoft 365 Groups? for more information). A snapshot of the mail-
enabled public folders' properties will also be stored in a file called PfMailProperties.csv.
This file is not necessary for the rollback process, but can still be used for your reference.

The following mail properties will be migrated to target group as part of the lockdown:

PrimarySMTPAddress
EmailAddresses
SendAs Trustee list
GrantSendOnBehalfTo

The script ensures that the PrimarySMTPAddress and EmailAddresses of migrating mail-
enabled public folders will be added as secondary SMTP addresses of the corresponding
Microsoft 365 groups. Also, SendAs and SendOnBehalfTo permissions of users on mail-
enabled public folders will be given equivalent permission in the corresponding target
groups.

Access rights allowed

Only the following access rights will be allowed for users to ensure that the public
folders are made read-only for all users. These are stored in ListOfAccessRightsAllowed.

ReadItems
CreateSubfolders
FolderContact
FolderVisible

1. The permission entries will be modified as follows:

   Before lockdown   | After lockdown
   ------------------|------------------------------------------------------
   None              | None
   AvailabilityOnly  | AvailabilityOnly
   LimitedDetails    | LimitedDetails
   Contributor       | FolderVisible
   Reviewer          | ReadItems, FolderVisible
   NonEditingAuthor  | ReadItems, FolderVisible
   Author            | ReadItems, FolderVisible
   Editor            | ReadItems, FolderVisible
   PublishingAuthor  | ReadItems, CreateSubfolders, FolderVisible
   PublishingEditor  | ReadItems, CreateSubfolders, FolderVisible
   Owner             | ReadItems, CreateSubfolders, FolderContact, FolderVisible

2. Access rights for users without read permissions will be left untouched, and they
will continue to be blocked from read rights.

3. For users with custom roles, all the access rights that are not in
ListOfAccessRightsAllowed will be removed. If users don't have access rights from
the allowed list after filtering, their access right will be set to 'None'.

There might be an interruption in sending emails to mail-enabled public folders during
the time between when the folders are mail-disabled and their SMTP addresses are
added to Microsoft 365 Groups.
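The membership rules of the AddMembersToGroups.ps1 section and the lock-down rules of the LockAndSavePublicFolderProperties.ps1 section, modelled together in one added PowerShell example that is not code from either script. It expands the standard Exchange public folder roles into access rights (those role definitions are the standard ones and are assumed here, not taken from this article), applies ListOfAccessRightsAllowed to reproduce the before/after table, and resolves security-group versus explicit permission precedence on constructed sample entries (SG1, User1 to User4 and PF1 are hypothetical).

```powershell
# Added example: models the permission rules described for AddMembersToGroups.ps1
# and LockAndSavePublicFolderProperties.ps1 on constructed data. The role
# expansions are the standard Exchange public folder roles (assumed here).
$RoleRights = @{
    Owner            = @('CreateItems','ReadItems','CreateSubfolders','FolderOwner','FolderContact','FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    PublishingEditor = @('CreateItems','ReadItems','CreateSubfolders','FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    Editor           = @('CreateItems','ReadItems','FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    PublishingAuthor = @('CreateItems','ReadItems','CreateSubfolders','FolderVisible','EditOwnedItems','DeleteOwnedItems')
    Author           = @('CreateItems','ReadItems','FolderVisible','EditOwnedItems','DeleteOwnedItems')
    NonEditingAuthor = @('CreateItems','ReadItems','FolderVisible')
    Reviewer         = @('ReadItems','FolderVisible')
    Contributor      = @('CreateItems','FolderVisible')
    AvailabilityOnly = @('AvailabilityOnly')
    LimitedDetails   = @('LimitedDetails')
    None             = @('None')
}

# From the article: rights that survive lock-down, and entries that carry no read access
$ListOfAccessRightsAllowed = @('ReadItems','CreateSubfolders','FolderContact','FolderVisible')
$NoReadAccess              = @('None','AvailabilityOnly','LimitedDetails')

# From the article: what AddMembersToGroups.ps1 treats as member-eligible
$MemberRoles         = @('Owner','PublishingEditor','Editor','PublishingAuthor','Author')
$MinimumMemberRights = @('ReadItems','CreateItems','FolderVisible','EditOwnedItems','DeleteOwnedItems')

function Expand-AccessRights([string[]]$Rights) {
    # Role names expand to their rights; explicit rights pass through unchanged
    $out = foreach ($r in $Rights) { if ($RoleRights.ContainsKey($r)) { $RoleRights[$r] } else { $r } }
    return @($out | Select-Object -Unique)
}

function Get-LockedDownRights([string[]]$Rights) {
    # Rule 2: entries without read access are left untouched
    if (@($Rights | Where-Object { $_ -in $NoReadAccess }).Count -eq $Rights.Count) { return @($Rights) }
    # Rules 1 and 3: keep only allowed rights; an empty result becomes 'None'
    $kept = @(Expand-AccessRights $Rights | Where-Object { $_ -in $ListOfAccessRightsAllowed })
    if ($kept.Count -eq 0) { return @('None') }
    return $kept
}

function Get-GroupRoleForEntry([string[]]$Rights) {
    # Returns 'Owner', 'Member', or $null when the entry is not eligible
    if ('Owner' -in $Rights) { return 'Owner' }
    if (@($Rights | Where-Object { $_ -in $MemberRoles }).Count -gt 0) { return 'Member' }
    $expanded = Expand-AccessRights $Rights
    if (@($MinimumMemberRights | Where-Object { $_ -notin $expanded }).Count -eq 0) { return 'Member' }
    return $null
}

function Resolve-GroupMembership([object[]]$Entries, [hashtable]$SecurityGroups) {
    # Security groups are expanded to their members first; an explicit entry
    # for the same user then overrides whatever the group conferred
    $result = @{}
    foreach ($e in $Entries | Where-Object { $SecurityGroups.ContainsKey($_.User) }) {
        $role = Get-GroupRoleForEntry $e.Rights
        if ($role) { foreach ($m in $SecurityGroups[$e.User]) { $result[$m] = $role } }
    }
    foreach ($e in $Entries | Where-Object { -not $SecurityGroups.ContainsKey($_.User) }) {
        $result[$e.User] = Get-GroupRoleForEntry $e.Rights
    }
    $final = @{}
    foreach ($k in $result.Keys) { if ($result[$k]) { $final[$k] = $result[$k] } }
    return $final
}

# Constructed permission entries for a hypothetical public folder PF1
$SecurityGroups = @{ SG1 = @('User1','User2') }
$Entries = @(
    [pscustomobject]@{ User = 'SG1';   Rights = @('Author') }
    [pscustomobject]@{ User = 'User1'; Rights = @('Owner') }      # explicit entry wins over SG1's Author
    [pscustomobject]@{ User = 'User3'; Rights = @('Reviewer') }   # not eligible for membership
    [pscustomobject]@{ User = 'User4'; Rights = @('ReadItems','CreateItems','FolderVisible','EditOwnedItems','DeleteOwnedItems','CreateSubfolders') }  # custom role meeting the minimum
)

'--- Group membership derived from PF1 permissions ---'
(Resolve-GroupMembership $Entries $SecurityGroups).GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0,-6} -> {1}' -f $_.Name, $_.Value }

'--- Lock-down mapping ---'
foreach ($role in 'Contributor','Reviewer','Author','Editor','PublishingAuthor','Owner','AvailabilityOnly') {
    '{0,-17} -> {1}' -f $role, ((Get-LockedDownRights @($role)) -join ', ')
}
```

Running it yields User1 as owner, User2 and User4 as members and no entry for User3, and the lock-down section prints the same right-hand column as the table above; Contributor becomes FolderVisible because its only other right, CreateItems, is not in the allowed list, while AvailabilityOnly is returned unchanged because it never granted read access.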

UnlockAndRestorePublicFolderProperties.ps1
This script will re-assign permissions back to public folders, based on the backup file
that was taken during public folder lock-down. This script will also mail-enable public
folders that had been mail-disabled, after it removes the folders' SMTP addresses from
their respective Microsoft 365 groups. There might be slight downtime during this
process.

How do I roll back to public folders from Microsoft 365 Groups?

If you change your mind and want to return to using public folders after using Microsoft
365 Groups, the command listed below will restore your environment to the state it was
pre-migration. A roll back can be performed as long as the backup files exist and as long
as you didn't delete the public folders post-migration.

Run the following command. In this command:

BackupDir is the directory where the backup files for permission entries, MEPF
properties, and migration log files will be stored. Make sure you use the same
location you specified in Step 6: Lock down the public folders to cut-over (public
folder downtime required).

ArePublicFoldersOnPremises is a parameter to indicate whether public folders are
located on-premises or in Exchange Online.

PowerShell

.\UnlockAndRestorePublicFolderProperties.ps1 -BackupDir <path to backup directory> -ArePublicFoldersOnPremises $false

Any items added to the Microsoft 365 groups, or any edit operations performed in the
groups, are not copied back to your public folders. Therefore there will be data loss,
assuming new data was added while the public folder was a group.

Note also that it's not possible to restore a subset of public folders, which means all of
the public folders there were migrated should be restored.

The corresponding Microsoft 365 groups won't be deleted as part of the roll back
process. You'll have to clean or delete those groups manually.

Configure legacy on-premises public folders for a hybrid deployment in Exchange Online
Article • 02/22/2023

Summary: Use the steps in this article to synchronize public folders between Microsoft
365 or Office 365 and your Exchange Server 2010 on-premises deployment.

In a hybrid deployment, your users can be in Exchange Online, on-premises, or both,
and your public folders are either in Exchange Online or on-premises. Public folders can
reside in only one place, so you must decide whether your public folders will be in
Exchange Online or on-premises. They can't be in both locations. Public folder
mailboxes are synchronized to Exchange Online by the Directory Synchronization
service. However, mail-enabled public folders aren't synchronized across premises.

This topic describes how to synchronize mail-enabled public folders if your users are in
Microsoft 365 or Office 365 and your Exchange Server 2010 SP3 public folders are on-
premises. However, a Microsoft 365 or Office 365 user who is not represented by a
MailUser object on-premises (local to the target public folder hierarchy) won't be able to
access legacy or modern on-premises public folders.

Note

This topic refers to the Exchange Server 2010 SP3 servers as the legacy Exchange
server.

You will sync your mail-enabled public folders by using the following scripts, which are
initiated by a Windows task that runs in the on-premises environment:

Sync-MailPublicFolders.ps1: This script synchronizes mail-enabled public folder
objects from your local Exchange on-premises deployment with Microsoft 365 or
Office 365. It uses the local Exchange on-premises deployment as master to
determine what changes need to be applied to Microsoft 365 or Office 365. The
script will create, update, or delete mail-enabled public folder objects on Microsoft
365 or Office 365 Active Directory based on what exists in the local on-premises
Exchange deployment.

SyncMailPublicFolders.strings.psd1: This is a support file used by the preceding
synchronization script and should be copied to the same location as the preceding
script.

When you complete this procedure your on-premises and Microsoft 365 or Office 365
users will be able to access the same on-premises public folder infrastructure.

What hybrid versions of Exchange will work with public folders?

The following table describes the version and location combinations of user mailboxes
and public folders that are supported. "Hybrid not applicable" is still a supported
scenario, but is not considered a hybrid scenario since both the public folders and the
users are residing in the same location.

Version                                  | On-Premises Exchange 2010 User Mailbox | On-Premises Exchange 2013 User Mailbox | Exchange Online User Mailbox
-----------------------------------------|----------------------------------------|----------------------------------------|-----------------------------
On-Premises Exchange 2010 Public Folders | Hybrid not applicable                  | Hybrid not applicable                  | Supported
On-Premises Exchange 2013 Public Folders | Hybrid not applicable                  | Hybrid not applicable                  | Supported
Exchange Online Public Folders           | Not supported                          | Supported                              | Hybrid not applicable

Note

Outlook 2016 does not support accessing Exchange 2007 legacy public folders. If
you have users who are using Outlook 2016, you must move your public folders to
a more recent version of Exchange Server. More information about Outlook 2016
and Office 2016 compatibility with Exchange 2007 and earlier versions can be
found in this article.

Step 1: What do you have to know before you begin?

These instructions assume that you have used the Hybrid Configuration Wizard to
configure and synchronize your on-premises and Exchange Online environments,
and that the DNS records that are used for the Autodiscover service for most users
reference an on-premises end point. For more information, see Hybrid
Configuration Wizard.

These instructions assume that Outlook Anywhere is enabled and functional on all
the on-premises legacy Exchange public folder servers. For information about how
to enable Outlook Anywhere, see Outlook Anywhere.

Implementing legacy public folder coexistence for a hybrid deployment of
Exchange with Microsoft 365 or Office 365 may require you to fix conflicts during
the import procedure. Conflicts can occur because a non-routable email address
that's assigned to a mail-enabled public folder conflicts with other users and
groups in Microsoft 365 or Office 365, and for other reasons.

These instructions assume that your Exchange Online organization has been
upgraded to a version that supports public folders.

In Exchange Online, you must be a member of the Organization Management role
group. This role group is different from the permissions assigned to you when you
subscribe to Exchange Online. For information about how to enable the
Organization Management role group, see Manage role groups in Exchange
Online.

In Exchange 2010, you must be a member of the Organization Management or
Server Management RBAC role groups. For details, see Add Members to a Role
Group.

To access public folders cross-premises, users must upgrade their Outlook clients
to the November 2012 Outlook public update or a later version.

1. To download the November 2012 Outlook update for Outlook 2010, see
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition.

2. To download the November 2012 Outlook Update for Outlook 2007, see
Update for Microsoft Office Outlook 2007 (KB2687404) and download in
your preferred language from the dialog box.

Outlook 2016 for Mac (and earlier versions) and Outlook for Mac for Office 365 are
not supported for cross-premises legacy public folders. Users must be in the same
location as the public folders to access them with Outlook for Mac or Outlook for
Mac for Office 365.

Users whose mailboxes are in Exchange Online won't be able to access
on-premises public folders using Outlook on the web.

After you follow the instructions in this article to configure your on-premises
public folders for a hybrid deployment, users who are external to your organization
won't be able to send messages to your on-premises public folders unless you
take additional steps. You can either set the accepted domain for the public folders
to Internal Relay (see Manage accepted domains in Exchange Online) or you can
disable Directory Based Edge Blocking (DBEB) (see Use Directory Based Edge
Blocking to reject messages sent to invalid recipients).

Step 2: Make remote public folders discoverable

1. If your public folders are on Exchange 2010 or later servers, you must install the
Client Access server (CAS) role on all mailbox servers that have a public folder
database. This allows the Microsoft Exchange RpcClientAccess service to be
running so that all clients can access public folders. For more information, see
Install Exchange Server 2010.

Note

This server doesn't have to be part of the Client Access load balancing. For
more information, see Understanding Load Balancing in Exchange 2010.

2. Create an empty mailbox database on each public folder server.

For Exchange 2010, run the following command. This command excludes the
mailbox database from the mailbox provisioning load balancer. This prevents new
mailboxes from being added automatically to this database.

PowerShell

New-MailboxDatabase -Server <PFServerName_with_CASRole> -Name <NewMDBforPFs> -IsExcludedFromProvisioning $true

Note

We recommend that the only mailbox that you add to this database is the
proxy mailbox that you'll create in step 3. No other mailboxes should be
created on this mailbox database.

3. Create a proxy mailbox within the new mailbox database, and hide the mailbox
from the address book. The SMTP address of this mailbox will be returned by AutoDiscover
as the DefaultPublicFolderMailbox SMTP address, so that by resolving this address the client
can reach the legacy Exchange server for public folder access.

PowerShell

New-Mailbox -Name <PFMailbox1> -Database <NewMDBforPFs>

PowerShell

Set-Mailbox -Identity <PFMailbox1> -HiddenFromAddressListsEnabled $true

4. For Exchange 2010, enable AutoDiscover to return the proxy public folder
mailboxes.

PowerShell

Set-MailboxDatabase <NewMDBforPFs> -RPCClientAccessServer <PFServerName_with_CASRole>

5. Repeat the preceding steps for every public folder server in your organization.
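Step 2 carried out for every legacy public folder server in one loop, as an added example that is not part of this article's own commands. Server and database names are placeholders. Two details the article's one-liners leave implicit are made explicit: a newly created Exchange 2010 database has to be mounted before a mailbox can be created in it, and New-Mailbox requires -UserPrincipalName and -Password when it creates a new user, so a random password is generated for each proxy mailbox (it is only a discovery endpoint, nobody signs in to it). The collected names are what Step 5 passes to Set-OrganizationConfig.

```powershell
# Added example: Step 2 for all legacy public folder servers. Run in the
# Exchange Management Shell on Exchange 2010. Names below are placeholders.
$PublicFolderServers = 'PFSERVER01', 'PFSERVER02'   # placeholders; each must hold the CAS role
$UpnDomain           = 'contoso.local'              # placeholder UPN suffix

function New-RandomPassword {
    # 24 distinct printable characters; the proxy mailbox is never used interactively
    -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
}

$ProxyMailboxes = foreach ($server in $PublicFolderServers) {
    $dbName = "PFProxyDB-$server"
    $mbName = "PFMailbox-$server"

    # Step 2.2: empty database kept out of the provisioning load balancer, so no
    # ordinary mailbox is placed on it automatically; mount it before use
    New-MailboxDatabase -Server $server -Name $dbName -IsExcludedFromProvisioning $true | Out-Null
    Mount-Database -Identity $dbName

    # Step 2.3: proxy mailbox with a throwaway password, hidden from address lists
    $pw = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    New-Mailbox -Name $mbName -UserPrincipalName "$mbName@$UpnDomain" -Password $pw -Database $dbName | Out-Null
    Set-Mailbox -Identity $mbName -HiddenFromAddressListsEnabled $true

    # Step 2.4: have AutoDiscover hand clients this server for the proxy mailbox
    Set-MailboxDatabase -Identity $dbName -RpcClientAccessServer $server

    $mbName   # collected into $ProxyMailboxes
}

# Values for Step 5, run in Exchange Online PowerShell:
#   Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes $ProxyMailboxes
$ProxyMailboxes
```

Keeping the database excluded from provisioning and the mailbox hidden limits the proxy to its single purpose: if anything else ends up on that database, clients resolving DefaultPublicFolderMailbox could be pointed at a server that was never meant to serve them.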

Step 3: Download the scripts

1. Download the following files from Mail-enabled Public Folders - directory sync
script:

Sync-MailPublicFolders.ps1

SyncMailPublicFolders.strings.psd1

2. Save the files to the local computer on which you'll be running PowerShell. For
example, C:\PFScripts.

Step 4: Configure directory synchronization

The Directory Synchronization service doesn't synchronize mail-enabled public folders.
Running the following script will synchronize the mail-enabled public folders across
premises. Special permissions assigned to mail-enabled public folders will need to be
recreated in the cloud since cross-premises permissions are not supported in Hybrid
Deployment scenarios. For more information, see Exchange Server Hybrid Deployment.

Note

Synchronized mail-enabled public folders will appear as mail contact objects for
mail flow purposes and will not be viewable in the Exchange admin center. See the
Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud,
use the Add-RecipientPermission command.

On the legacy Exchange server, run the following command to synchronize mail-enabled
public folders from your local on-premises Active Directory to Microsoft 365 or Office
365.

PowerShell

Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile "<sync_summary.csv>"

You're prompted for your Microsoft 365 or Office 365 username and password,
and <sync_summary.csv> is the path to where you would like to log synchronization
operations and errors, in .csv format.

Note

Before running the script, we recommend that you first simulate the actions that
the script would take in your environment by running it as described above with
the WhatIf parameter. We also recommend that you run this script daily to
synchronize your mail-enabled public folders.

Step 5: Configure Exchange Online users to access on-premises public folders

The final step in this procedure is to configure the Exchange Online organization and to
allow access to the legacy on-premises public folders.

Enable the Exchange Online organization to access the on-premises public folders. You
will point to all of the proxy public folder mailboxes that you created in Step 2: Make
remote public folders discoverable.

Run the following command in Exchange Online PowerShell:

PowerShell

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes 'PFMailbox1','PFMailbox2','PFMailbox3'

You must wait until Active Directory synchronization has completed to see the changes.
This process can take up to 3 hours to complete. If you don't want to wait for the
recurring synchronizations that occur every three hours, you can force directory
synchronization at any time. For detailed steps to force directory synchronization, see
Method 1: Manually verify that the service is started and that the admin account can
sign in. Microsoft 365 and Office 365 randomly select one of the public folder
mailboxes that's supplied in this command.

Important

A Microsoft 365 or Office 365 user who is not represented by a MailUser object on-
premises (local to the target public folder hierarchy) won't be able to access legacy
or Exchange 2013 on-premises public folders. See the Knowledge Base article
Exchange Online users can't access legacy on-premises public folders for a
solution.

How do I know this worked?

Log on to Outlook for a user who is in Exchange Online, and then run the following
public folder tests:

View the hierarchy.

Check permissions.

Create and delete public folders.

Post content to and delete content from a public folder.


Configure Exchange Server public
folders for a hybrid deployment
Article • 01/27/2023

Summary: Instructions for enabling Exchange Online users to access on-premises public
folders in your Exchange 2013, Exchange 2016, or Exchange 2019 environment.

In a hybrid deployment, your users can be in Exchange Online, on-premises, or both,
and your public folders are either in Exchange Online or on-premises. Sometimes your
online users may need to access public folders in your Exchange Server on-premises
environment.

Note

If you have Exchange 2010 public folders, see Configure legacy on-premises public
folders for a hybrid deployment.

This article describes how to enable your Exchange Online, Microsoft 365, or Office 365
users to access public folders in Exchange 2013, Exchange 2016 and Exchange 2019 (for
the rest of this article, referred to as Exchange Server). To enable on-premises Exchange
Server users to access public folders in Exchange Online, Microsoft 365, or Office 365,
see Configure Exchange Online public folders for a hybrid deployment.

An Exchange Online, Microsoft 365, or Office 365 user must be represented by a
MailUser object in the Exchange on-premises environment in order to access Exchange
Server public folders. This MailUser object must also be local to the target Exchange
Server public folder hierarchy. If you have Exchange Online, Microsoft 365, or Office 365
users who aren't currently represented on-premises by MailUser objects, refer to the
Microsoft Knowledge Base article KB3106618 to create matching on-premises entities.

What do you need to know before you begin?

1. These instructions assume that Azure Active Directory Connect synchronization
services (Azure AD Connect sync) is configured to synchronize public folder
mailbox objects to Exchange Online. Ensure that your public folder mailbox objects
are synchronized to Exchange Online and that they have auto-discoverable primary
SMTP addresses.

Here is an example of proper configuration in an on-premises environment:


Here is an example of proper configuration in Exchange Online:

2. These instructions assume that you have used the Hybrid Configuration wizard to
configure and synchronize your on-premises and Exchange Online environments
and that the DNS records used for most users' AutoDiscover references an on-
premises end-point. For more information, see Hybrid Configuration wizard.

3. The public folders in this configuration cannot be accessed using Outlook on the
web (formerly known as Outlook Web App).

4. Implementing public folder coexistence for a hybrid deployment of Exchange with
Office 365 may require you to fix conflicts during the import procedure. Conflicts
can happen due to non-routable email addresses assigned to mail enabled public
folders, conflicts with other users and groups in Office 365, and other attributes.

5. In order to access public folders cross-premises, users must upgrade their Outlook
clients to the November 2012 Outlook public update or later.

6. To download the November 2012 Outlook update for Outlook 2010, see Update
for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition .

7. Outlook 2016 for Mac (and later versions) is supported for cross-premises public
folders. If clients in your organization use Outlook 2016 for Mac, make sure they
have the April 2016 or higher update installed. For more information, see
Accessing public folders with Outlook 2016 for Mac.
Step 1: Download the scripts
1. Download the following files from Exchange 2013/2016 Public Folders Migration
Scripts:

Sync-ModernMailPublicFolders.ps1
SyncModernMailPublicFolders.strings.psd1

Note

The download package at this location contains additional files. To follow the
instructions in this article, you only need the two listed above. These scripts
now support modern authentication.

2. Save the files to the local computer. For example, C:\PFScripts.

Step 2: Synchronize mail-enabled public folder objects to Exchange Online

Azure AD Connect sync doesn't synchronize mail-enabled public folders to Exchange
Online. Running the following script will synchronize the mail-enabled public folders
across your on-premises environment and Exchange Online. Special permissions
assigned to mail-enabled public folders, such as Send As, will need to be recreated in
Office 365 since cross-premises permissions are not supported in hybrid deployment
scenarios. For more information, see Exchange hybrid deployment documentation.

Note

Synchronized mail-enabled public folders will not be visible in the Exchange admin
center (EAC). Instead, use the Get-MailPublicFolder cmdlet. To recreate Send As
permissions in the cloud, use the Add-RecipientPermission cmdlet.

On the Exchange server, run the following command in the Exchange Management Shell
to synchronize mail-enabled public folders from your local on-premises Active Directory
to Office 365:

PowerShell

.\Sync-ModernMailPublicFolders.ps1 -CsvSummaryFile:sync_summary.csv

Where CsvSummaryFile is the path to where you would like to log synchronization
operations and errors, in .csv format.

Important

Before running the script, we recommend that you first simulate the actions that
the script would take in your environment by running it as described above with
the -WhatIf switch. As part of the sync operation, the script, when appropriate,
could create, update, or delete mail-enabled public folder objects on Exchange
Online.

We also recommend that you run this script daily to synchronize your mail-enabled
public folders.

Use the steps in Troubleshooting mail enabled public folder synchronization failures
when using PowerShell script if you see errors while running the script.
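
The simulate-first, then apply, then review-the-CSV pattern that this Important note (and the Step 4 note of the previous article) recommends, written out as an added example; it is not part of the Microsoft article. It assumes the scripts sit in C:\PFScripts (the folder the article suggests), that it runs in the Exchange Management Shell on the on-premises Exchange server, and that -WhatIf and -CsvSummaryFile behave as the article describes for both the legacy and the modern script. The function name Invoke-MepfSyncWithReview and the Logs subfolder are choices made here.

```powershell
# Added example (not from the Microsoft article): dry-run the mail-enabled public
# folder sync, show what it would have done, then apply only after confirmation.
# Assumptions: scripts live in C:\PFScripts; run from the Exchange Management Shell.
function Invoke-MepfSyncWithReview {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Sync-MailPublicFolders.ps1', 'Sync-ModernMailPublicFolders.ps1')]
        [string]$ScriptName,                       # legacy (Exchange 2010) or modern (2013+) script
        [string]$ScriptPath = 'C:\PFScripts',
        [string]$LogFolder  = 'C:\PFScripts\Logs'  # assumption: one CSV per run is kept here
    )

    $script = Join-Path $ScriptPath $ScriptName
    if (-not (Test-Path $script)) { throw "Sync script not found: $script" }
    New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null

    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dryCsv  = Join-Path $LogFolder "sync_summary_$stamp-whatif.csv"
    $liveCsv = Join-Path $LogFolder "sync_summary_$stamp.csv"

    # The legacy script takes cloud credentials; the modern script uses modern auth.
    $common = @{ CsvSummaryFile = $dryCsv }
    if ($ScriptName -eq 'Sync-MailPublicFolders.ps1') {
        $common.Credential = Get-Credential -Message 'Microsoft 365 / Office 365 admin account'
    }

    # 1. Simulate. With -WhatIf nothing is created, updated or deleted in Exchange Online.
    & $script @common -WhatIf

    # 2. Review the planned operations before anything touches the cloud directory.
    if (Test-Path $dryCsv) {
        $rows = @(Import-Csv $dryCsv)
        Write-Host "Dry run logged $($rows.Count) operation(s) to $dryCsv"
        $rows | Format-Table -AutoSize | Out-String | Write-Host
    }
    else {
        Write-Host 'Dry run wrote no summary file (nothing to synchronize).'
    }

    $answer = Read-Host 'Apply these changes to Exchange Online? (y/N)'
    if ($answer -ne 'y') { Write-Host 'Aborted; nothing was changed.'; return }

    # 3. Apply, logging to a separate CSV so the dry-run record is preserved.
    $common.CsvSummaryFile = $liveCsv
    & $script @common
    Write-Host "Sync complete. Review $liveCsv for errors before the next daily run."
}

# Example call for an Exchange 2013/2016/2019 environment:
# Invoke-MepfSyncWithReview -ScriptName 'Sync-ModernMailPublicFolders.ps1'
```

Keeping the dry-run and live CSVs side by side gives you a before/after record of which mail-enabled public folder objects the script created, updated or deleted in the tenant, which is the evidence you want if a cloud object later turns out to be wrong.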

Step 3: Configure Exchange Online users to access Exchange Server on-premises public folders

An Exchange Online mailbox that isn't represented by a MailUser object in on-premises
Exchange (local to the target public folder hierarchy) won't be able to access on-
premises public folders.

Run the following command in the Exchange Management Shell to identify such
mailboxes:

PowerShell

Get-Mailbox -ResultSize Unlimited | Where-Object { $_.IsDirSynced -eq $false }

These users will keep getting credential prompts after public folder mailbox access is
configured. Use one of the following solutions for such users before enabling public
folder access:

1. Link the Exchange Online only mailboxes listed in the previous step to on-premises
users as described in Exchange Online users can't access legacy on-premises public
folders .
2. Use the steps provided in Controlled Connections to Public Folders to enable
public folder access only to mailboxes that have linked users on-premises.

The final step in this process is to configure the Exchange Online organization and to
allow access to the Exchange Server public folders.

Run the following command in Exchange Online PowerShell to enable the Exchange
Online organization to access the on-premises public folders. You'll point to all of your
on-premises public folder mailboxes.

PowerShell

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMailbox1,PFMailbox2,PFMailbox3

Note

You must wait until Azure Active Directory (AAD) synchronization is complete
before you can see the changes. This process can take up to three hours to
complete. If you don't want to wait for the recurring synchronizations that occur
every three hours, you can force directory synchronization at any time. For detailed
steps to force directory synchronization, see Azure AD Connect sync: Scheduler.

How do I know this worked?

Run the following Exchange Online PowerShell command to verify if Exchange Online
mailboxes have been assigned an EffectivePublicFolderMailbox value:

PowerShell

Get-Mailbox | Format-Table name,EffectivePublicFolderMailbox
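
Step 3 and this verification step tied together as an added example; this is not code from the Microsoft article. It runs in Exchange Online PowerShell, records the cloud-only mailboxes that would otherwise get credential prompts, enables public folder access only for directory-synced mailboxes using the per-mailbox control that the linked "Controlled Connections to Public Folders" article relies on (Set-OrganizationConfig -PublicFolderShowClientControl and Set-CASMailbox -PublicFolderClientAccess), and then reports EffectivePublicFolderMailbox per mailbox. PFMailbox1..3 are the article's placeholder names; the function names and the report file path are choices made here.

```powershell
# Added example (not from the Microsoft article). Exchange Online PowerShell.
# 1. Find mailboxes with no on-premises MailUser (IsDirSynced = $false).
# 2. Enable public folder access only for directory-synced mailboxes.
# 3. Verify that each synced mailbox resolved an EffectivePublicFolderMailbox.
# Assumption: PFMailbox1..3 are your on-premises public folder mailbox names.
function Set-ControlledPublicFolderAccess {
    param(
        [string[]]$RemotePublicFolderMailboxes = @('PFMailbox1', 'PFMailbox2', 'PFMailbox3'),
        [string]$ReportPath = '.\cloud-only-mailboxes.csv'   # assumption: report location
    )

    $all       = Get-Mailbox -ResultSize Unlimited
    $cloudOnly = @($all | Where-Object { -not $_.IsDirSynced })
    $synced    = @($all | Where-Object { $_.IsDirSynced })

    # Record the mailboxes that need a matching on-premises MailUser before they
    # can use cross-premises public folders; they are deliberately left disabled.
    $cloudOnly | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$($cloudOnly.Count) cloud-only mailbox(es) written to $ReportPath"

    # Point the tenant at the on-premises hierarchy and switch on per-mailbox
    # control, so a mailbox has no public folder access until explicitly enabled.
    Set-OrganizationConfig -PublicFoldersEnabled Remote `
        -RemotePublicFolderMailboxes $RemotePublicFolderMailboxes `
        -PublicFolderShowClientControl $true

    foreach ($mbx in $synced) {
        Set-CASMailbox -Identity $mbx.Identity -PublicFolderClientAccess $true
    }
    Write-Host "Public folder access enabled for $($synced.Count) directory-synced mailbox(es)."
}

function Get-PublicFolderAccessReport {
    # After directory synchronization (up to three hours) every synced, enabled
    # mailbox should show an EffectivePublicFolderMailbox; a blank one is a problem.
    Get-Mailbox -ResultSize Unlimited |
        Select-Object DisplayName, IsDirSynced, EffectivePublicFolderMailbox,
            @{ Name = 'PFClientAccess'
               Expression = { (Get-CASMailbox -Identity $_.Identity).PublicFolderClientAccess } } |
        Sort-Object IsDirSynced -Descending |
        Format-Table -AutoSize
}

# Set-ControlledPublicFolderAccess
# Get-PublicFolderAccessReport
```

Enabling access per mailbox rather than tenant-wide means a cloud-only mailbox that is later linked to an on-premises user gets access only when you deliberately run Set-CASMailbox for it, so the set of mailboxes that can reach the on-premises hierarchy stays explicit and auditable.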

Next, log on to Outlook with the credentials of an Exchange Online user and perform
the following public folder tests:

View the hierarchy
Check permissions
Create and delete public folders
Post content to and delete content from a public folder

Set up public folders in a new
organization in Exchange Online
Article • 02/22/2023

Summary: How to set up public folders, including assigning permissions to them in the
EAC.

This topic shows you how to get public folders configured and running in a new
organization or in an organization that has never previously had public folders.

Note

For more information about the storage quotas and limits for public folders, see
Exchange Online Limits.

OWA for devices refers to the old "OWA for Android" and "OWA for iPhone/iPad"
applications that have since been deprecated. For more details, see Microsoft OWA
mobile apps are being retired .

The procedure in this article guides you through the process of creating public
folders for the first time.

What do you need to know before you begin?


Estimated time to complete this task: 30 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .
Step 1: Create the primary public folder mailbox

The primary public folder mailbox contains a writeable copy of the public folder
hierarchy plus content and is the first public folder mailbox that you create for your
organization. Subsequent public folder mailboxes will be secondary public folder
mailboxes, which will contain a read-only copy of the hierarchy plus content.

For detailed steps, see Create a public folder mailbox.

Step 2: Create your first public folder

For detailed steps, see Create a public folder.

Step 3: Assign permissions to the public folder

After you create the public folder, you'll need to assign the Owner permissions level so
that at least one user can access the public folder from the client and create subfolders.
Any public folders created after this one will inherit the permissions of the parent public
folder.

1. In the Exchange admin center (EAC), navigate to Public folders > Public folders.

2. In the list view, select the public folder.

3. In the details pane, under Folder permissions, click Manage.

4. In Public Folder Permissions, click Add .

5. Click Browse to select a user.

6. In the Permission level list, select a level. At least one user should be an Owner.

7. Click Save.

8. You can add multiple users by clicking Add and assigning the appropriate
permissions using the steps above. You can also customize the permission level by
selecting or clearing the check boxes. When you edit a predefined permission level
such as Owner, the permission level will change to Custom.

For information about how to use Exchange Online PowerShell to assign permissions to
a public folder, see Add-PublicFolderClientPermission.
Step 4 (Optional): Mail-enable the public folder
If you want users to send mail to the public folder, you can mail-enable it. This step is
optional. If you don't mail-enable the public folder, users can post messages to the
public folder by dragging items into it from within Outlook.

1. In the EAC, navigate to Public folders > Public folders.

2. In the list view, select the public folder you want to mail-enable.

3. In the details pane, under Mail settings - Disabled, click Enable.

A warning displays asking if you are sure you want to enable mail for the public
folder. Click Yes.

The public folder will be mail-enabled and the name of the public folder will become the
alias of the public folder. If you have multiple recipients with that name, the public
folder's alias will be appended with a number. For example, if you have a distribution
group named SalesTeam and you create a public folder named SalesTeam and then
mail-enable it, the alias of that public folder will be SalesTeam1.

For information about how to use Exchange Online PowerShell to mail-enable a public
folder, see Enable-MailPublicFolder.

Note

If you have a hybrid configuration, the public folders created on Exchange Online
are only visible to cloud-based mailboxes. Conversely, public folders created on-
premises are only visible to on-premises mailboxes.

To complete a migration from Exchange Server 2010 to Exchange Online with
public folders, see Configure legacy on-premises public folders for a hybrid
deployment.

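
The four steps of this article run end to end from Exchange Online PowerShell, as an added example that is not part of the Microsoft article. It uses the cmdlets the article cites (New-Mailbox -PublicFolder, New-PublicFolder, Add-PublicFolderClientPermission, Enable-MailPublicFolder) plus the verification command from the next article, and enforces the rule that a folder name must not contain a backslash. MasterHierarchy, Marketing and the owner alias are placeholder values chosen here, as is the function name.

```powershell
# Added example (not from the Microsoft article). Exchange Online PowerShell.
# Creates the primary public folder mailbox, the first public folder, an Owner,
# optionally mail-enables the folder, and verifies each step.
# Assumptions: MasterHierarchy / Marketing / the owner alias are placeholders.
function Initialize-PublicFolders {
    param(
        [string]$HierarchyMailboxName = 'MasterHierarchy',
        [Parameter(Mandatory)][string]$FolderName,
        [Parameter(Mandatory)][string]$OwnerUser,
        [switch]$MailEnable
    )

    # The backslash is the hierarchy path separator, so the article says never
    # to use it in a folder name; refuse early rather than create a wrong path.
    if ($FolderName -match '\\') {
        throw "Folder name '$FolderName' must not contain a backslash."
    }

    # Step 1: the first public folder mailbox becomes the primary hierarchy mailbox
    # (the only writable copy of the hierarchy); skip if one already exists.
    if (-not (Get-Mailbox -PublicFolder -ErrorAction SilentlyContinue)) {
        New-Mailbox -PublicFolder -Name $HierarchyMailboxName | Out-Null
    }
    Write-Host "Primary hierarchy mailbox: $((Get-OrganizationConfig).RootPublicFolderMailbox)"

    # Step 2: create the top-level folder unless it is already there.
    $path = "\$FolderName"
    if (-not (Get-PublicFolder -Identity $path -ErrorAction SilentlyContinue)) {
        New-PublicFolder -Name $FolderName -Path '\' | Out-Null
    }

    # Step 3: at least one Owner, so someone can manage the folder from a client.
    # Folders created beneath this one inherit its permissions.
    try {
        Add-PublicFolderClientPermission -Identity $path -User $OwnerUser `
            -AccessRights Owner -ErrorAction Stop | Out-Null
    }
    catch {
        # Typically "an existing permission entry was found": report, keep going.
        Write-Warning "Owner permission for $OwnerUser on ${path}: $($_.Exception.Message)"
    }

    # Step 4 (optional): mail-enable. The folder name becomes the alias, with a
    # numeric suffix appended if another recipient already uses that alias.
    if ($MailEnable) {
        Enable-MailPublicFolder -Identity $path
        $mepf = Get-MailPublicFolder -Identity $path
        Write-Host "Mail-enabled as $($mepf.PrimarySmtpAddress) (alias $($mepf.Alias))"
    }

    # Verification, matching "How do you know this worked?" in the next article.
    Get-PublicFolder -Identity $path | Format-List Name, ParentPath, MailEnabled
    Get-PublicFolderClientPermission -Identity $path | Format-Table User, AccessRights -AutoSize
}

# Initialize-PublicFolders -FolderName 'Marketing' -OwnerUser 'adele' -MailEnable
```

The permission listing at the end is worth keeping in your change record: because child folders inherit from this folder, whoever holds Owner here effectively controls everything created beneath it.
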
Accessing public folders with Outlook
2016 or 2019 for Mac in Exchange Online
Article • 02/22/2023

Summary: The most recent supported Exchange topologies that allow users to access
public folders with Outlook 2016 for Mac.

Users of Outlook 2016 for Mac can now access public folders in Exchange Online in a
number of different topologies.

Outlook 2016 or 2019 for Mac

With the April 2016 update for Outlook 2016 for Mac, as well as CU14 for Exchange
2013 and CU2 for Exchange 2016, the above scenario will now work for Outlook 2016 or
2019 for Mac clients.

The following table summarizes the supported topologies for users with Outlook 2016
for Mac clients trying to access public folders in Exchange Online.

Note

The scenarios shown in the following table assume that the April 2016 update for
Outlook 2016 for Mac has been applied to all clients.

| Public folders are deployed on... | User mailbox is on Exchange 2010 SP3 or later | User mailbox is on Exchange 2013 CU13 or later | User mailbox is on Exchange 2016 CU2 or later | User mailbox is in Microsoft 365, Office 365, or Exchange Online |
|---|---|---|---|---|
| Exchange Server 2010 SP3 or later | Supported | Supported | Supported | Not supported |
| Exchange Server 2013 CU13 or later | Not supported | Supported | Supported | Supported |
| Exchange Server 2016 CU2 or later | Not supported | Supported | Supported | Supported |
| Microsoft 365, Office 365, or Exchange Online | Not supported | Supported | Supported | Supported |

The following articles describe how to deploy public folders in your Exchange
organization in a co-existence or hybrid topology. As long as your Outlook 2016 for Mac
clients have installed the April 2016 update, they will be able to access public folders in
the configurations detailed in these articles:

Configure legacy public folders where user mailboxes are on Exchange 2013
servers

Configure Exchange 2013 public folders for a hybrid deployment

Configure Exchange Online public folders for a hybrid deployment


Create a public folder mailbox in
Exchange Online
Article • 02/22/2023

Before you can create a public folder, you must first create a public folder mailbox.
Public folder mailboxes contain the hierarchy information plus the content for public
folders. The first public folder mailbox you create will be the primary hierarchy mailbox,
which contains the only writable copy of the hierarchy. Any additional public folder
mailboxes you create will be secondary mailboxes, which contain a read-only copy of
the hierarchy.

Note

For more information about the storage quotas and limits for public folders, see
Exchange Online Limits.

For additional management tasks related to public folders in Exchange Online, see
Public folder procedures in Microsoft 365 or Office 365 and Exchange Online.

What do you need to know before you begin?

Estimated time to complete: less than 5 minutes.

Exchange Server public folders and public folders on legacy Exchange servers can't
exist in the same organization. If you try to create a public folder mailbox when
you still have legacy public folders, you'll receive the error An existing Public
Folder deployment has been detected. To migrate existing Public Folder data,
create new Public Folder mailbox using -HoldForMigration switch.

Before you can create public folders in Exchange Server, you need to migrate your
legacy public folders to Exchange Server. To do this, follow the steps in Migrate
Public Folders to Exchange 2013 From Previous Versions. These steps will show you
how to create a public folder mailbox that can be used to store your migrated
public folders.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.
For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Use the EAC to create a public folder mailbox

1. Navigate to Public folders > Public folder mailboxes, and then click New .

2. In Public Folder Mailbox, provide a name for the public folder mailbox.

3. Click Save.

Use Exchange Online PowerShell to create a public folder mailbox

This example creates the primary public folder mailbox.

PowerShell

New-Mailbox -PublicFolder -Name MasterHierarchy

This example creates a secondary public folder mailbox. The only difference between
creating the primary hierarchy mailbox and a secondary hierarchy mailbox is that the
primary mailbox is the first one created in the organization. You can create additional
public folder mailboxes for load balancing purposes.

PowerShell

New-Mailbox -PublicFolder -Name Istanbul

For detailed syntax and parameter information, see New-Mailbox.

How do you know this worked?

To verify that you have successfully created the primary public folder mailbox, run the
following command in Exchange Online PowerShell:

PowerShell

Get-OrganizationConfig | Format-List RootPublicFolderMailbox

For detailed syntax and parameter information, see Get-OrganizationConfig.


Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange
Online or Exchange Online Protection .
Create a public folder in Exchange
Online
Article • 02/22/2023

Public folders are designed for shared access and provide an easy and effective way to
collect, organize, and share information with other people in your workgroup or
organization.

By default, a public folder inherits the settings of its parent folder, including the
permissions settings.

Note

For more information about the storage quotas and limits for public folders in
Exchange Online, see Exchange Online Limits.

What do you need to know before you begin?

Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.

You can't create a public folder unless you've first created a public folder mailbox.
For more information about how to create a public folder mailbox, see Create a
public folder mailbox.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Use the EAC to create a public folder

When using the EAC to create a public folder, you'll only be able to set the name and
the path of the public folder. To configure additional settings, you'll need to edit the
public folder after it's created.

1. Navigate to Public folders > Public folders.


2. If you want to create this public folder as a child of an existing public folder, click
the existing public folder in the list view. If you want to create a top-level public
folder, skip this step.

3. Click New .

4. In Public Folder, type the name of the public folder.

Important

Don't use a backslash ( \ ) in the name when creating a public folder.

5. In the Path box, verify the path to the public folder. If this isn't the desired path,
click Cancel and follow Step 2 of this procedure.

6. Click Save.

Use Exchange Online PowerShell to create a public folder

This example creates a public folder named Reports in the path Marketing\2013.

PowerShell

New-PublicFolder -Name Reports -Path \Marketing\2013

Important

Don't use a backslash (\) in the name when creating a public folder.

For detailed syntax and parameter information, see New-PublicFolder.

How do you know this worked?

To verify that you've successfully created a public folder, do the following:

In the EAC, click Refresh to refresh the list of public folders. Your new public folder
should be displayed in the list.

In Exchange Online PowerShell, run any of the following commands:


PowerShell

Get-PublicFolder -Identity \Marketing\2013\Reports | Format-List

PowerShell

Get-PublicFolder -Identity \Marketing\2013 -GetChildren

PowerShell

Get-PublicFolder -Recurse

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .
Create a Public Folder calendar in
Exchange Online
Article • 02/22/2023

A public folder calendar is a good solution for people looking for only a shared calendar
without having to maintain an additional mailbox along with it. This article explains how
to set up and access public folder calendars in Microsoft Exchange Online.

Important

You must use the Microsoft Outlook desktop client to create the public folder
calendar.

Note

The Calendar type of public folder can be accessed from Outlook Web App and the
Outlook desktop client. Public folders, including calendar, cannot be accessed from
mobile devices.

Prerequisites
Before you create your public folder calendar, follow the prerequisites.

1. Ensure public folders are deployed in Exchange Online.

2. Use the following command to see a list of any public folder mailboxes present in
the organization:

PowerShell

Get-Mailbox -PublicFolder
Get-PublicFolder \

3. If you don't see a list of the public folder mailboxes, then follow the steps to create
a public folder mailbox.

4. Verify that you have the necessary access rights to create the public folder.
If you want the user to be able to create a public folder on the root of the
public folder hierarchy, along with all other access rights, run the following
command:

PowerShell

Add-PublicFolderClientPermission -Identity "\" -AccessRights Owner -User User1

If you want the user to be able to create a public folder under the existing
public folder, such as a folder named Marketing, then run the following
command:

PowerShell

Add-PublicFolderClientPermission -Identity "\Marketing" -AccessRights Editor -User User1

5. Log in to the Outlook desktop client and ensure you're able to access the public
folder deployment.

Create a public folder calendar

Once you have ensured the prerequisites are met, then you're ready to get started
creating a public folder calendar.

1. Log in to the Outlook desktop client with a user account that has the necessary
access rights to create a public folder.

2. Expand the folders.

3. Create a new public folder.

To create a public folder calendar at the top level of the directories, right-click All
Public Folders and select New Folder.
To create a public folder calendar under an existing public folder, right-click the
folder, and select New Folder.

4. Name the new public folder and select Calendar Items from the Folder contains
drop-down list.

5. Click OK.

The calendar type folder shows up with a different icon.


6. For faster access to the new public folder calendar, right-click the folder and select
Add to Favorites....

Share a public folder calendar

By default, everyone in the organization can access the public folder and create items in
it. If you want to delegate additional access rights, add other users, and provide a
required set of permissions, then follow the instructions in public folder permissions .

Access a public folder calendar in the Outlook Web App

1. Log in to the Outlook Web App.

2. Right-click Folders and select Add public folder to Favorites.

3. Browse the directory and select the desired public folder.

4. Click Add Public Folders.


5. Close the Add Public Folder menu.

The calendar public folder shows in Calendar area of the Outlook Web App.

6. Click the Calendar icon.

You'll see the public folder calendar under Other Calendars.


Receive emails to a public folder calendar
Follow the steps in mail enable public folder calendar to allow users to email calendar
invites and appointments to the calendar.
Recover a deleted public folder mailbox
in Exchange Online
Article • 02/22/2023

Summary: This article describes how to recover a public folder mailbox in Microsoft 365
or Office 365 that was previously soft-deleted, meaning the mailbox retention period
has not yet elapsed and the recycle bin has not been purged.

You can delete public folder mailboxes either in the EAC or through the Remove-Mailbox
-PublicFolder cmdlet. To delete a primary mailbox, all other mailboxes must be deleted
first. After a mailbox is deleted it will no longer be visible in the EAC.

Deleted Public Folder mailboxes are recoverable for a period of up to 90 days.

What do you need to know before you begin?

Estimated time to complete: 5-10 minutes.

A public folder mailbox can only be deleted once all folders within that mailbox
have been deleted. However, you can bypass this restriction by using the -Force
switch, as in Remove-Mailbox -PublicFolder -Force .

A deleted public folder mailbox is only recoverable for a period of 90 days after the
mailbox is soft-deleted. The retention period for a soft-deleted mailbox is 90 days,
after which the mailbox is permanently deleted and you won't be able to restore it.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Note

For deleted public folder mailboxes that contain folders, the folders will be
automatically recovered along with the mailbox that contains them when you use
one of the following procedures to recover the mailbox.

Restore a primary mailbox
To restore a primary public folder mailbox:

1. Type the following command to find the soft-deleted mailbox:

PowerShell

Get-Mailbox -PublicFolder -SoftDeletedMailbox

2. Type the following command to restore the chosen mailbox:

PowerShell

Undo-SoftDeletedMailbox -PublicFolder

Restore a primary mailbox and secondary mailboxes

The Type field, part of the information returned by the Get-Mailbox cmdlet, identifies
public folder mailboxes as either Primary or Secondary. Primary public folder mailboxes
must be restored first.

Perform the following steps to restore both a primary public folder mailbox and any
relevant secondary mailboxes.

1. Type the following command to find the soft-deleted mailboxes:

PowerShell

Get-Mailbox -PublicFolder -SoftDeletedMailbox

2. Type the following command to restore the primary mailbox:

PowerShell

Undo-SoftDeletedMailbox -PublicFolder

3. Type the following for each secondary public folder mailbox that you want to
restore (once per mailbox).

PowerShell

Undo-SoftDeletedMailbox -PublicFolder

Restore secondary mailboxes

Use this procedure if you want to restore one or more secondary public folder
mailboxes that were soft-deleted, and the primary mailbox still exists within your
organization.

1. Type the following command to find the soft-deleted mailboxes:

PowerShell

Get-Mailbox -PublicFolder -SoftDeletedMailbox

You will be able to distinguish primary from secondary public folder mailboxes by
the information in the Type field.

2. Type the following for each secondary public folder mailbox that you want to
restore (once per mailbox).

PowerShell

Undo-SoftDeletedMailbox -PublicFolder

Note

If a primary public folder has been deleted from an organization, any secondary
mailbox associated with it can't be restored.
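
The three restore procedures above combined into one function, as an added example that is not part of the Microsoft article. It runs in Exchange Online PowerShell, orders the restores the way the article requires (Primary before Secondary, using the Type field the article describes), and stops when no primary mailbox exists either live or among the soft-deleted mailboxes, which is the situation the note above says cannot be recovered. It assumes Undo-SoftDeletedMailbox is given the mailbox to restore through its -SoftDeletedObject parameter; the function name and the PFMailbox2 placeholder are choices made here.

```powershell
# Added example (not from the Microsoft article). Exchange Online PowerShell.
# Restores soft-deleted public folder mailboxes: Primary first, then Secondary,
# and refuses to restore secondaries when no primary exists anywhere.
# Assumption: the mailbox to restore is passed via -SoftDeletedObject.
function Restore-PublicFolderMailboxes {
    param(
        [string[]]$Names = @()   # empty = restore every recoverable PF mailbox
    )

    $deleted = @(Get-Mailbox -PublicFolder -SoftDeletedMailbox)
    if ($Names.Count -gt 0) {
        $deleted = @($deleted | Where-Object { $Names -contains $_.Name })
    }
    if ($deleted.Count -eq 0) {
        Write-Host 'No matching soft-deleted public folder mailboxes (the 90-day window may have passed).'
        return
    }

    # A primary hierarchy mailbox must exist, either live or in the soft-deleted set;
    # otherwise secondary mailboxes cannot be restored (see the note above).
    $livePrimary    = @(Get-Mailbox -PublicFolder -ErrorAction SilentlyContinue |
                        Where-Object { $_.Type -eq 'Primary' })
    $deletedPrimary = @($deleted | Where-Object { $_.Type -eq 'Primary' })
    if ($livePrimary.Count -eq 0 -and $deletedPrimary.Count -eq 0) {
        throw 'No primary public folder mailbox exists; secondary mailboxes cannot be restored.'
    }

    # Primary first, then secondaries; one Undo-SoftDeletedMailbox call per mailbox.
    $ordered = $deleted | Sort-Object { if ($_.Type -eq 'Primary') { 0 } else { 1 } }
    foreach ($mbx in $ordered) {
        Write-Host "Restoring $($mbx.Type) public folder mailbox $($mbx.Name) (soft-deleted $($mbx.WhenSoftDeleted))"
        Undo-SoftDeletedMailbox -SoftDeletedObject $mbx.Name -PublicFolder
    }

    # Verify: the mailboxes are live again and the hierarchy root is set.
    Get-Mailbox -PublicFolder | Format-Table Name, Type, IsExcludedFromServingHierarchy -AutoSize
    Write-Host "Root public folder mailbox: $((Get-OrganizationConfig).RootPublicFolderMailbox)"
}

# Restore-PublicFolderMailboxes                        # restore everything recoverable
# Restore-PublicFolderMailboxes -Names 'PFMailbox2'    # restore a single secondary
```

The WhenSoftDeleted value printed for each mailbox tells you how much of the 90-day retention window is left, which is the number that decides whether a restore is still possible at all.
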
Assign "Send As" or "Send on Behalf"
permissions for mail-enabled public
folders in Exchange Online
Article • 02/22/2023

You can assign either "Send As" or "Send on Behalf" permissions for mail-enabled public
folders to users in Microsoft Exchange Online.

What do you need to know before you begin?

Estimated time to complete this task: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in
Sharing and collaboration permissions.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the Exchange admin center (EAC) to assign permissions

1. Sign in to Exchange admin center as an administrator.

2. Select public folders > public folders.

3. In the list view, select the public folder that requires the permissions, and then click
Edit (the pencil icon).

4. Select delivery options, and then add the user to Send As or Send on Behalf
permissions, as required.

5. Select Save.
Use Exchange Online PowerShell to assign
permissions
The following example assigns "Send on Behalf" permissions for the mail-enabled public
folder NewPF1 to the user Jason.

Set-MailPublicFolder -Identity '\NewPF1' -GrantSendOnBehalfTo "Jason"

The following example assigns "Send As" permissions for the mail-enabled public folder
NewPF1 to the user Jason.

Add-RecipientPermission -Identity 'NewPF1' -Trustee "Jason" -AccessRights 'SendAs'

For detailed syntax and parameter information, see the following articles:

Set-MailPublicFolder

Add-RecipientPermission
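
The two grants shown above, plus a report of who can send as or on behalf of every mail-enabled public folder in the tenant, as an added example that is not part of the Microsoft article. It runs in Exchange Online PowerShell with the cmdlets the article cites (Set-MailPublicFolder -GrantSendOnBehalfTo, Add-RecipientPermission, Get-RecipientPermission); NewPF1 and Jason are the article's placeholder names, and the function names and CSV path are choices made here.

```powershell
# Added example (not from the Microsoft article). Exchange Online PowerShell.
# Grants Send As or Send on Behalf on a mail-enabled public folder, and reports
# every such delegation across the tenant so it can be reviewed periodically.
# Assumptions: '\NewPF1' and 'Jason' are placeholders from the article.
function Grant-MailPublicFolderSendRights {
    param(
        [Parameter(Mandatory)][string]$Folder,    # e.g. '\NewPF1'
        [Parameter(Mandatory)][string]$User,
        [ValidateSet('SendAs', 'SendOnBehalf')][string]$Right = 'SendOnBehalf'
    )
    $mepf = Get-MailPublicFolder -Identity $Folder
    switch ($Right) {
        # Send on Behalf is a property of the folder; Add keeps existing delegates.
        'SendOnBehalf' { Set-MailPublicFolder -Identity $Folder -GrantSendOnBehalfTo @{ Add = $User } }
        # Send As is a recipient permission keyed on the folder's SMTP address.
        'SendAs'       { Add-RecipientPermission -Identity $mepf.PrimarySmtpAddress -Trustee $User `
                             -AccessRights SendAs -Confirm:$false | Out-Null }
    }
}

function Get-MailPublicFolderSendRightsReport {
    # One row per (folder, trustee, right); the folder's own SELF entry is dropped.
    foreach ($mepf in Get-MailPublicFolder -ResultSize Unlimited) {
        foreach ($delegate in $mepf.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Folder = $mepf.Identity; Trustee = $delegate.ToString(); Right = 'SendOnBehalf' }
        }
        Get-RecipientPermission -Identity $mepf.PrimarySmtpAddress |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
            ForEach-Object {
                [pscustomobject]@{ Folder = $mepf.Identity; Trustee = $_.Trustee; Right = 'SendAs' }
            }
    }
}

# Grant-MailPublicFolderSendRights -Folder '\NewPF1' -User 'Jason' -Right SendOnBehalf
# Grant-MailPublicFolderSendRights -Folder '\NewPF1' -User 'Jason' -Right SendAs
# Get-MailPublicFolderSendRightsReport | Export-Csv .\mepf-send-rights.csv -NoTypeInformation
```

Send As lets a delegate send mail that is indistinguishable from mail sent by the folder itself, so the report is the list to compare against your approved delegations; the Send on Behalf rows are lower risk because the recipient sees both names.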

Send As mail enabled public folder in Hybrid scenario

For Exchange Online mailboxes accessing public folders deployed on-premises:

1. Ensure Mail Enabled Public Folders are synced to Exchange Online:

PowerShell

Get-MailPublicFolder <MEPFName>

Example:

PowerShell

Get-MailPublicFolder OnPremPF

If the MEPFs from on-premises are not showing in EXO, use Sync-MailPublicFolders.ps1
(for Exchange Server 2010) or Sync-ModernMailPublicFolders.ps1 (for Exchange
2013/2016/2019) to sync the MEPFs first.

2. Use the following command in EXO PowerShell to assign SendAs permission:


PowerShell

Add-RecipientPermission -Identity 'OnPremPF1' -Trustee "Richard" -AccessRights 'SendAs'

Use favorite public folders in Outlook
on the web and the new Outlook for
Windows in Exchange Online
Article • 06/27/2023

In the Outlook client, users in your organization can add public folders to their Favorites
folders. Then, depending on your organization's policies, they can use Outlook on the
web or the new Outlook for Windows to add those same public folders to their Favorites
and perform certain functions in Outlook on the web that they use in the Outlook client.

Add public folders to Favorites in Outlook

In order for users to perform certain tasks on public folders in their Favorites folder, they
must first use the Outlook client to add public folders to the Favorites folder.

Note

For more information about creating and configuring public folders, users in your
organization can see Create a public folder in Outlook .

1. In Outlook, go to the Folders view. Click the three dots on the Navigation Bar, and
then click Folders.

2. If necessary, scroll to the Public Folders node in the Navigation Pane. Click to
expand the All Public Folders folder.

3. Right-click the public folder that you want to add to Favorites, then select Add to
Favorites....

Note

By default, the Favorites folder is directly beneath the All Public Folders
folder in the Navigation Bar.

4. In the Add to Favorites dialog, you have the option to rename the folder for your
Favorites only. Click Add to add the folder to Favorites.

Important

There are several types of public folders. In order for users to be able to work with a
favorite public folder in Outlook on the web, the public folder must be of type Mail
and Post items, Calendar items, or Contact items.

Add favorite public folders in Outlook on the web and the new Outlook for Windows

In order for users to access their Outlook favorite public folders, they must also add
them to their Favorites in Outlook on the web or the new Outlook for Windows. The
Outlook client does not automatically sync public folders with Outlook on the web or
the new Outlook for Windows.

To add a public folder in Outlook on the web or the new Outlook for Windows,
right-click Folders, and then choose Add public folder to Favorites. Locate the
folder and click Add.

Your users can now use Outlook on the web to perform the following tasks in their
favorite Calendar, Contact, or Mail and Post public folders:

Create items in the public folders

Retrieve items

Update items

Delete items

Important

If you want to remove folders from the Favorites make sure to remove them instead
of deleting them. When you remove a folder from Favorites, the original folder in
the folder list remains. Deleting a folder from Favorites deletes the folder and its
contents from Outlook. More information can be found here.

See also

Create a public folder in Outlook


Mail-enable or mail-disable a public folder in Exchange Online
Article • 02/22/2023

Public folders are designed for shared access and provide an easy and effective way to
collect, organize, and share information with other people in your workgroup or
organization. Mail-enabling a public folder allows users to post to the public folder by
sending an email message to it. When a public folder is mail-enabled, additional settings
become available for the public folder in the Exchange admin center (EAC), such as
email addresses and mail quotas. In Exchange Online PowerShell, before a public folder
is mail-enabled, you use the Set-PublicFolder cmdlet to manage all of its settings. After
the public folder is mail-enabled, you use the Set-PublicFolder and the
Set-MailPublicFolder cmdlets to manage the settings.

If you want users on the internet to send mail to a mail-enabled public folder, you need
to set additional permissions using the Add-PublicFolderClientPermission cmdlet.

For additional management tasks related to public folders, see Public folder procedures
in Microsoft 365 or Office 365 and Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 5 minutes

To ensure that users on the internet can send e-mail messages to a mail-enabled
public folder, the public folder needs to have at least the CreateItems access right
granted to the Anonymous account. If you want to learn how to do this, check out
Allow anonymous users to send email to a mail-enabled public folder.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to mail-enable or mail-disable a public folder

1. Navigate to Public folders > Public folders.

2. In the list view, select the public folder that you want to mail-enable or mail-
disable.

3. In the details pane, under Mail settings, click Enable or Disable.

4. A warning box displays asking if you are sure you want to enable or disable email
for the public folder. Click Yes to continue.

If you want external users to send mail to this public folder, make sure you follow the
steps in Allow anonymous users to send email to a mail-enabled public folder.

Use Exchange Online PowerShell to mail-enable a public folder

This example mail-enables the public folder Help Desk.

PowerShell

Enable-MailPublicFolder -Identity "\Help Desk"

This example mail-enables the public folder Reports under the Marketing public folder,
but hides the folder from address lists.

PowerShell

Enable-MailPublicFolder -Identity "\Marketing\Reports" -HiddenFromAddressListsEnabled $True

If you want external users to send mail to this public folder, make sure you follow the
steps in Allow anonymous users to send email to a mail-enabled public folder.

For detailed syntax and parameter information, see Enable-MailPublicFolder.

Use Exchange Online PowerShell to mail-disable a public folder

This example mail-disables the public folder Marketing\Reports.

PowerShell

Disable-MailPublicFolder -Identity "\Marketing\Reports"

For detailed syntax and parameter information, see Disable-MailPublicFolder.

Allow anonymous users to send email to a mail-enabled public folder

You can use either Outlook or Exchange Online PowerShell to set permissions on a
public folder's Anonymous account. You can't use the EAC to set permissions on the
Anonymous account.

Use Outlook to set permissions for the Anonymous account

1. Open Outlook using an account that's been granted Owner permissions on the
email-enabled public folder you want anonymous users to send mail to.

2. Navigate to Public folders - <user's name>.

3. Navigate to the public folder you want to change.

4. Right-click on the public folder, click Properties and then select the Permissions
tab.

5. Select the Anonymous account, select Create items under Write, and then click
OK.

Use Exchange Online PowerShell to set permissions for the Anonymous account

This example sets the CreateItems permission for the Anonymous account on the
"Customer Feedback" mail-enabled public folder.

PowerShell

Add-PublicFolderClientPermission "\Customer Feedback" -AccessRights CreateItems -User Anonymous

For detailed syntax and parameter information, see Add-PublicFolderClientPermission.
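Once a folder is mail-enabled, the Anonymous client permission (this section) and the Send As and Send on Behalf assignments (the earlier "Use Exchange Online PowerShell to assign permissions" section) together decide who can inject mail into, or send mail as, that folder. The following audit function is an added example and not code from the Microsoft article; it assumes an Exchange Online PowerShell session holding the Public Folders role, and that Get-PublicFolder accepts an EntryId as its identity (the same lookup the restore article performs with DumpsterEntryId).

```powershell
# Added example, not code from the Microsoft article: report who can post to, send as,
# and send on behalf of each mail-enabled public folder. Assumes an Exchange Online
# PowerShell session (Connect-ExchangeOnline) holding the Public Folders role, and that
# Get-PublicFolder resolves an EntryId value as an identity (assumption; the article uses
# the same kind of lookup when it resolves DumpsterEntryId).

function Get-MailPublicFolderExposure {
    [CmdletBinding()]
    param()

    foreach ($mpf in Get-MailPublicFolder -ResultSize Unlimited) {
        # Resolve the underlying public folder so the client ACL can be read by path.
        $pf = Get-PublicFolder -Identity $mpf.EntryId -ErrorAction SilentlyContinue
        if (-not $pf) { Write-Warning "Could not resolve folder for $($mpf.PrimarySmtpAddress)"; continue }

        # Client permissions: Anonymous is the entry that lets internet senders post
        # (the CreateItems step in the article); Default is what every internal user gets.
        $clientPerms = Get-PublicFolderClientPermission -Identity $pf.Identity
        $anon    = $clientPerms | Where-Object { $_.User -like "Anonymous*" }
        $default = $clientPerms | Where-Object { $_.User -like "Default*" }

        # Each of these roles or rights includes CreateItems, so when one of them is
        # granted to Anonymous the folder accepts mail from unauthenticated senders.
        $postingRights = "CreateItems|Contributor|Author|PublishingAuthor|Editor|PublishingEditor|Owner"
        $acceptsInternetMail = [bool](@($anon.AccessRights) -match $postingRights)

        # Send As is a recipient permission on the folder's mail address.
        $sendAs = Get-RecipientPermission -Identity $mpf.PrimarySmtpAddress -AccessRights SendAs |
            Where-Object { $_.AccessControlType -eq "Allow" -and $_.Trustee -notlike "NT AUTHORITY\*" }

        [pscustomobject]@{
            Folder              = $pf.Identity.ToString()
            Address             = $mpf.PrimarySmtpAddress.ToString()
            AnonymousRights     = (@($anon.AccessRights)       | ForEach-Object { "$_" }) -join ";"
            DefaultRights       = (@($default.AccessRights)    | ForEach-Object { "$_" }) -join ";"
            AcceptsInternetMail = $acceptsInternetMail
            SendAsTrustees      = (@($sendAs.Trustee)          | ForEach-Object { "$_" }) -join ";"
            SendOnBehalf        = (@($mpf.GrantSendOnBehalfTo) | ForEach-Object { "$_" }) -join ";"
        }
    }
}

# Typical use: review rows where AcceptsInternetMail is True or SendAsTrustees is not empty.
# Get-MailPublicFolderExposure | Export-Csv .\MailPublicFolderExposure.csv -NoTypeInformation
```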


Update the public folder hierarchy in
Exchange Online
Article • 02/22/2023

You only need to update the public folder hierarchy if you want to manually invoke the
hierarchy synchronizer and the mailbox assistant. Both these are invoked at least once
every 24 hours for each public folder mailbox in the organization. The hierarchy
synchronizer is invoked every 15 minutes if any users are logged on to a secondary
mailbox through Microsoft Outlook or a Microsoft Exchange Web Services client.

What do you need to know before you begin?


Estimated time to complete: 5 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.

You can't perform this procedure in the EAC. You must use Exchange Online
PowerShell.

We recommend that when you run this command with the InvokeSynchronizer
parameter, you use the SuppressStatus parameter. If you don't use this parameter
in the command, the output will display status messages every 3 seconds for up to
one minute. Until the minute passes, you can't use that instance of Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Update the public folder hierarchy


This example updates the public folder hierarchy on the public folder mailbox
PF_marketing and suppresses the command's output.

PowerShell

Update-PublicFolderMailbox -Identity PF_marketing -InvokeSynchronizer -SuppressStatus

This example updates all public folder mailboxes and suppresses the command's output.

PowerShell

Get-Mailbox -PublicFolder | Update-PublicFolderMailbox -InvokeSynchronizer -SuppressStatus


Remove a public folder in Exchange Online
Article • 02/22/2023

You may need to remove public folders that are no longer being used in your
organization. To help determine which public folders should be removed, see View
statistics for public folders and public folder items.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.

You can't delete a mail-enabled public folder. Before you can delete it, you must
first disable email for the public folder. For more information, see Mail-enable or
mail-disable a public folder.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the EAC to remove a public folder


1. Navigate to Public folders > Public folders.

2. In the list view, select the public folder you want to delete. Note that clicking on
the folder name will display sub-folders within that folder, if there are any. At that
point you can click to select a specific sub-folder to remove.

To delete a folder or sub-folder, click anywhere on the folder's row except the
underlined name of the folder, and then click Delete. If you click the underlined
name of the folder, the Delete option will not be available to select.

3. A warning box displays asking if you're sure you want to delete the public folder.
Click Yes to continue.

Use Exchange Online PowerShell to delete a public folder

This example deletes the public folder Help Desk\Resolved. This command assumes that
the Resolved public folder doesn't have any subfolders.

PowerShell

Remove-PublicFolder -Identity "\Help Desk\Resolved"

This example tests the previous command without making any modifications.

PowerShell

Remove-PublicFolder -Identity "\Help Desk\Resolved" -WhatIf

This example removes the public folder Marketing and all its subfolders because the
command runs recursively.

PowerShell

Remove-PublicFolder -Identity "\Marketing" -Recurse:$True

For detailed syntax and parameter information, see Remove-PublicFolder.


Restore a deleted public folder in
Exchange Online
Article • 02/22/2023

This article walks you through the steps to restore a deleted public folder in Exchange
Online.

Public folders that have been deleted by users (using clients like Outlook) or admins
(using administrative tools like PowerShell or the Exchange admin center) are normally
stored in the public folder dumpster located in \NON_IPM_SUBTREE\DUMPSTER_ROOT.
Deleted folders are preserved there until the retention period ends.

For the scenarios where public folder contents are put on hold using retention policies,
the folders that are removed from \NON_IPM_SUBTREE\DUMPSTER_ROOT are preserved under
\NON_IPM_SUBTREE\DiscoveryHolds until the retention hold period ends.

You can restore folders that are preserved in the public folder dumpster or under the
DiscoveryHolds folder using Exchange Online PowerShell. Restoring the public folder will
restore all subfolders and items present in the folder.

In rare scenarios, you might also find folders under \NON_IPM_SUBTREE\LOST_AND_FOUND.
See this blog post for details on LOST_AND_FOUND and how to recover folders if you
find them there.

Note

The folders in the dumpster are permanently deleted after the retention period
ends. After a public folder has been permanently deleted, you can't restore it,
unless the folder is preserved under DiscoveryHolds by a retention policy.

Permissions required
The user restoring the public folder must have the Public Folders role assigned to them.
By default, this role is assigned to users present in the Organization Management role
group.

Restore a deleted public folder

1. Connect to Exchange Online PowerShell.

2. Determine if the public folder you want to restore is in the public folder dumpster.

The following command lists all non-system public folders in the dumpster:

PowerShell

Get-PublicFolder \NON_IPM_SUBTREE\DUMPSTER_ROOT -Recurse -ResultSize Unlimited | where {$_.FolderClass -ne "$null"}

Alternatively, you can search for specific folders. For example, the following
command searches for a deleted public folder named Marketing:

PowerShell

Get-PublicFolder \NON_IPM_SUBTREE\DUMPSTER_ROOT -Recurse -ResultSize Unlimited | where {$_.Name -like "Marketing"}

Public folders under \NON_IPM_SUBTREE\DiscoveryHolds have a GUID appended to
their name that you'll need to account for in your search.

For example, the following command searches for a deleted public folder named
Sales:

PowerShell

Get-PublicFolder \NON_IPM_SUBTREE\DiscoveryHolds -Recurse -ResultSize Unlimited | where {$_.Name -like "*Sales*"}

3. Use the following syntax to restore a public folder:

PowerShell

Set-PublicFolder -Identity "Full path of folder to be restored" -Path "Parent folder path where folder needs to be restored"

For example, run the following command to restore a public folder named PF1 to
the root of the public folder tree:

PowerShell

Set-PublicFolder -Identity \NON_IPM_SUBTREE\DUMPSTER_ROOT\DUMPSTER_EXTEND\RESERVED_1\RESERVED_1\9f32c468-4bc2-42aa-b979-16a057394b2f\PF1 -Path \

The following alternate example restores a public folder named Sales to the root
of the public folder tree:

PowerShell

Set-PublicFolder -Identity \NON_IPM_SUBTREE\DiscoveryHolds\Sales_774d775c-da53-4ee7-869c-353c8a6e3265 -Path \

If you don't know the original path of the deleted folder, you can find the folder's
original path before it was deleted.

For example, the following commands reveal the original path of the deleted
folder named Marketing:

PowerShell

$folder = Get-PublicFolder \NON_IPM_SUBTREE\DUMPSTER_ROOT -Recurse -ResultSize Unlimited | where {$_.Name -like "Marketing"}; Get-PublicFolder (Get-PublicFolder $folder.ParentPath).DumpsterEntryId

Restore a specific subfolder


Restoring a folder restores all of its subfolders, but you can also restore only one
subfolder.

For example, the following commands restore Subfolder1 under \Parent1:

PowerShell

$pf = Get-PublicFolder \NON_IPM_SUBTREE\DUMPSTER_ROOT -Recurse | where {$_.Name -eq "Subfolder1"}; Set-PublicFolder $pf.identity -Path \Parent1
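The steps above (find the folder in DUMPSTER_ROOT or DiscoveryHolds, resolve its original parent through DumpsterEntryId, then move it back with Set-PublicFolder) can be wrapped in one function that supports -WhatIf so the move is previewed before it runs. This is an added example, not code from the Microsoft article; it assumes an Exchange Online PowerShell session holding the Public Folders role, and the function name is hypothetical.

```powershell
# Added example, not code from the Microsoft article: locate a deleted public folder in
# the dumpster or DiscoveryHolds, resolve where it came from, and restore it.
# Assumes an Exchange Online PowerShell session with the Public Folders role.

function Restore-DeletedPublicFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name,

        # Destination parent path. When omitted, the original parent is resolved through
        # the dumpster parent's DumpsterEntryId, as the article shows; "\" is the fallback.
        [string]$TargetParentPath
    )

    # Dumpster copies keep the exact name; DiscoveryHolds copies carry a "_<GUID>" suffix.
    $candidates = @(
        Get-PublicFolder "\NON_IPM_SUBTREE\DUMPSTER_ROOT" -Recurse -ResultSize Unlimited |
            Where-Object { $_.Name -eq $Name }
        Get-PublicFolder "\NON_IPM_SUBTREE\DiscoveryHolds" -Recurse -ResultSize Unlimited -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "${Name}_*" }
    )

    if ($candidates.Count -eq 0) { throw "No deleted public folder named '$Name' was found." }
    if ($candidates.Count -gt 1) {
        $candidates | ForEach-Object { Write-Warning "Candidate: $($_.Identity)" }
        throw "Several deleted folders match '$Name'; restore the right one with Set-PublicFolder -Identity <path> -Path <parent>."
    }
    $deleted = $candidates[0]

    if (-not $TargetParentPath) {
        $TargetParentPath = "\"
        try {
            # The dumpster copy of the parent folder points back at the live parent folder.
            $dumpsterParent = Get-PublicFolder $deleted.ParentPath -ErrorAction Stop
            if ($dumpsterParent.DumpsterEntryId) {
                $original = Get-PublicFolder $dumpsterParent.DumpsterEntryId -ErrorAction Stop
                if ($original -and -not $original.Identity.ToString().StartsWith("\NON_IPM_SUBTREE")) {
                    $TargetParentPath = $original.Identity.ToString()
                }
            }
        } catch {
            Write-Warning "Could not resolve the original parent; restoring to '\' instead."
        }
    }

    if ($PSCmdlet.ShouldProcess($deleted.Identity.ToString(), "Restore to $TargetParentPath")) {
        Set-PublicFolder -Identity $deleted.Identity -Path $TargetParentPath
        # Return the restored folder so the caller can confirm it is back in the IPM tree.
        Get-PublicFolder -Identity $TargetParentPath -GetChildren | Where-Object { $_.Name -eq $deleted.Name }
    }
}

# Preview first, then run for real:
# Restore-DeletedPublicFolder -Name "Marketing" -WhatIf
# Restore-DeletedPublicFolder -Name "Marketing"
```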

Restore a public calendar folder


You can restore a public calendar folder using the same procedure as any other public
folder, but there are special considerations.

When deleting a public calendar folder, a user sees the following options:

If the user selected "Yes", the items were deleted. In this case, you can restore the public
folder, but the items cannot be recovered.

Note

We don't recommend using Outlook to restore deleted public folders because
Outlook truncates the public folder names. This issue is under investigation and this
article will be updated when a fix is available.


Restore deleted items from public folder in Exchange Online
Article • 01/26/2023

Items deleted from public folders are stored in the recoverable items (dumpster) of
the public folder until the retention period is over.

Permissions required
The user restoring items from the public folder must have at least the Author public
folder client permission assigned. For more information on public folder client
permissions, see Add-PublicFolderClientPermission.

Restore deleted items


1. In Outlook, under Public Folders, select the folder from which items were deleted,
and click Recover Deleted Items.

2. Select the item to be restored, ensure the Restore Selected Items option is selected,
and click Ok.

3. The item is restored.

Note

To enable the Recover Deleted Items option for non-mail type (for example:
Calendar, Contact, Tasks) of public folders, see Can't recover deleted items from a
non-mail public folder.

Related articles
Recover a deleted public folder mailbox

Restore a deleted public folder


View statistics for public folders and
public folder items in Exchange Online
Article • 02/22/2023

This topic explains how to retrieve statistics about a public folder, such as the display
name, creation time, last user modified time, last user access, and item size. You can use
this information to make decisions about deleting or retaining public folders.

Note

In the Exchange admin center (EAC), you can view some of the quota and usage
information for public folders by navigating to Public Folders > Edit > Mailbox
usage. However, this information is incomplete, and we recommend that you use
Exchange Online PowerShell to view public folder statistics.

What do you need to know before you begin?


Estimated time to complete: 1 minute.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Public folders" entry in the
Feature permissions in Exchange Online topic.

You can't use the EAC to retrieve public folder statistics.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use Exchange Online PowerShell to retrieve public folder statistics

This example returns the statistics for the public folder Marketing with a piped
command to format the list.

PowerShell

Get-PublicFolderStatistics -Identity \Marketing | Format-List

Note

The value for the Identity parameter must include the path to the public folder. For
example, if the public folder Marketing existed under the parent folder Business,
you would provide the following value: \Business\Marketing

For detailed syntax and parameter information, see Get-PublicFolderStatistics.

Use Exchange Online PowerShell to view statistics for public folder items

You can view the following information about items within a public folder:

Type of item

Subject

Last user modification time

Last user access time

Creation time

Attachments

Message size

You can use this information to make decisions about what actions to take for your
public folders, such as which public folders to delete. For example, you may want to
delete a public folder if the items haven't been accessed for over two years, or you may
want to convert a public folder that's being used as a document repository to another
client access application.

This example returns default statistics for all items in the public folder Pamphlets under
the path \Marketing\2013. Default information includes item identity, creation time, and
subject.

PowerShell

Get-PublicFolderItemStatistics -Identity "\Marketing\2013\Pamphlets"

This example returns additional information about the items within the public folder
Pamphlets, such as subject, last modification time, creation time, attachments, message
size, and the type of item. It also includes a piped command to format the list.

PowerShell

Get-PublicFolderItemStatistics -Identity "\Marketing\2010\Pamphlets" | Format-List

For detailed syntax and parameter information, see Get-PublicFolderItemStatistics.

Use Exchange Online PowerShell to export the output of the Get-PublicFolderItemStatistics cmdlet to a .csv file

This example exports the output of the cmdlet to the PFItemStats.csv file that includes
the following information for all items within the public folder \Marketing\Reports:

Subject of the message (Subject)

Date and time that the item was last modified (LastModificationTime)

Whether the item has attachments (HasAttachments)

Type of item (ItemType)

Size of the item (MessageSize)

PowerShell

Get-PublicFolderItemStatistics -Identity "\Marketing\Reports" | Select Subject,LastModificationTime,HasAttachments,ItemType,MessageSize | Export-CSV C:\PFItemStats.csv
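The article suggests using these statistics to decide which folders to retire, for example folders nobody has touched in two years. The report below applies that rule across the whole tree with Get-PublicFolderStatistics, and also records whether each folder is mail-enabled, since the Remove a public folder article requires mail-disabling before deletion. This is an added example, not code from the Microsoft article; it assumes an Exchange Online PowerShell session, and the LastUserAccessTime and LastModificationTime property names are assumed from the article's description ("last user modified time, last user access") and checked at run time.

```powershell
# Added example, not code from the Microsoft article: flag public folders whose content
# has not been touched for a given number of days and write them to a CSV for review.
# Assumes an Exchange Online PowerShell session. The statistics property names
# LastUserAccessTime and LastModificationTime are assumed; a missing property simply
# yields $null here, so the fallbacks below keep the report usable either way.

function Get-StalePublicFolderReport {
    [CmdletBinding()]
    param(
        [string]$RootPath = "\",
        # The article's rule of thumb: no access for over two years.
        [int]$StaleAfterDays = 730,
        [string]$CsvPath = ".\StalePublicFolders.csv"
    )

    $now    = Get-Date
    $cutoff = $now.AddDays(-$StaleAfterDays)

    $rows = foreach ($pf in Get-PublicFolder -Identity $RootPath -Recurse -ResultSize Unlimited) {
        $stats = Get-PublicFolderStatistics -Identity $pf.Identity -ErrorAction SilentlyContinue
        if (-not $stats) { continue }

        # Prefer the last access timestamp, then last modification, then creation time.
        $lastTouched = $stats.LastUserAccessTime
        if (-not $lastTouched) { $lastTouched = $stats.LastModificationTime }
        if (-not $lastTouched) { $lastTouched = $stats.CreationTime }

        [pscustomobject]@{
            Folder      = $pf.Identity.ToString()
            MailEnabled = [bool]$pf.MailEnabled   # must be mail-disabled before Remove-PublicFolder
            ItemCount   = $stats.ItemCount
            TotalSize   = "$($stats.TotalItemSize)"
            LastTouched = [datetime]$lastTouched
            DaysIdle    = [int]($now - [datetime]$lastTouched).TotalDays
            Stale       = ([datetime]$lastTouched -lt $cutoff)
        }
    }

    # Only the stale folders go to the CSV; every row is returned for further filtering.
    $rows | Where-Object { $_.Stale } | Sort-Object DaysIdle -Descending |
        Export-Csv -Path $CsvPath -NoTypeInformation
    $rows
}

# Get-StalePublicFolderReport -StaleAfterDays 730 | Where-Object { $_.Stale -and -not $_.MailEnabled }
```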

For detailed syntax and parameter information, see Get-PublicFolderItemStatistics.


Shared mailboxes in Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center , if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Shared mailboxes make it easy for a group of people in your company to monitor and
send email from a common account, such as info@contoso.com or
support@contoso.com. When a person in the group replies to a message sent to the
shared mailbox, the email looks like it was sent by the shared mailbox, not from the
individual user.

Notes:

You should create your shared mailbox in the Microsoft 365 admin center. For
more information, see Create a shared mailbox.

Creating a shared mailbox in Exchange Online also creates an active user account
with a system-generated (unknown) password. To block sign-in for this account,
see Block sign-in for the shared mailbox account.

If your organization uses a hybrid Exchange environment, you should use the
Exchange admin center (EAC) in your on-premises Exchange organization to create
and manage shared mailboxes. To learn more about shared mailboxes, see Shared
mailboxes.

When users move items from one folder to another in a shared mailbox, a copy of
the item is stored in the Recoverable Items folder.

Use the EAC to create a shared mailbox


You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Recipients" entry in the Feature
permissions in Exchange Online topic.

1. Open the Exchange admin center (EAC).

2. Go to Recipients > Mailboxes and then click Add a shared mailbox.

3. Fill in the required fields:

Name
Email address
Alias

4. Click Create to save your changes and create the shared mailbox.

5. Under the Next steps section, click the Add users to this mailbox link.

6. To grant Full Access or Send As permissions, click the Add users button, and then
select or search the users you want to grant permissions to. Confused about which
permission to use? See Which permissions should you use? later in this topic.

Note

The Full Access permission allows a user to open the mailbox as well as create
and modify items in it. The Send As permission allows anyone other than the
mailbox owner to send email from this shared mailbox. Both permissions are
required for successful shared mailbox operation.

7. Click Save to save your changes and create the shared mailbox.

Use the EAC to edit shared mailbox delegation


1. In the EAC, go to Recipients > Mailboxes. Select the shared mailbox, and then click
Manage mailbox delegation.

2. To grant or remove Full Access (Read and manage) and Send As permissions, click
Edit next to the permission type.

3. On the Manage mailbox delegation page, you can remove permissions already
added by clicking on the users listed (if any) or grant the permission by clicking
Add permissions and then select the users you want to grant permissions to.

Note

The Full Access permission allows a user to open the mailbox as well as create
and modify items in it. The Send As permission allows anyone other than the
mailbox owner to send email from this shared mailbox. Both permissions are
required for successful shared mailbox operation.

4. Click Save to save your changes.

5. Click Close to close the Mailbox permissions added/removed page.

Use a shared mailbox


To learn how users can access and use shared mailboxes, check out the following
articles:

Open and use a shared mailbox in Outlook for Windows

Open and use a shared mailbox in Outlook on the web

Open and use a shared mailbox in Outlook mobile

Use Exchange Online PowerShell to create a shared mailbox

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

This example creates the shared mailbox Sales Department and grants Full Access and
Send on Behalf permissions for the security group MarketingSG. Users who are
members of the security group will be granted the permissions to the mailbox.

Note

This example assumes that you've already created the security group MarketingSG
and that security group is mail-enabled. See Manage mail-enabled security
groups.

PowerShell

New-Mailbox -Shared -Name "Sales Department" -DisplayName "Sales Department" -Alias Sales
Set-Mailbox -Identity "Sales Department" -GrantSendOnBehalfTo MarketingSG
Add-MailboxPermission -Identity "Sales Department" -User MarketingSG -AccessRights FullAccess -InheritanceType All

For detailed syntax and parameter information, see New-Mailbox.


Which permissions should you use?
You can use the following permissions with a shared mailbox.

Full Access: The Full Access permission lets a user open the shared mailbox and act
as the owner of that mailbox. After accessing the shared mailbox, a user can create
calendar items; read, view, delete, and change email messages; create tasks and
calendar contacts. However, a user with Full Access permission can't send email
from the shared mailbox unless they also have Send As or Send on Behalf
permission.

Send As: The Send As permission lets a user impersonate the shared mailbox when
sending mail. For example, if Kweku logs into the shared mailbox Marketing
Department and sends an email, it will look like the Marketing Department sent
the email.

Send on Behalf: The Send on Behalf permission lets a user send email on behalf of
the shared mailbox. For example, if John logs into the shared mailbox Reception
Building 32 and sends an email, it will look like the mail was sent by "John on behalf of
Reception Building 32". You can't use the EAC to grant Send on Behalf permissions;
you must use the Set-Mailbox cmdlet with the GrantSendOnBehalfTo parameter.
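Because a shared mailbox is backed by an active user account and accumulates Full Access, Send As and Send on Behalf delegates over time, it helps to inventory all three in one place, together with whether sign-in on the account has been blocked as the notes above recommend. The function below is an added example and not code from the Microsoft article; it assumes an Exchange Online PowerShell session, and the optional sign-in check assumes the Microsoft.Graph.Users module is installed and connected with User.Read.All.

```powershell
# Added example, not code from the Microsoft article: inventory every shared mailbox with
# its Full Access, Send As and Send on Behalf delegates and, optionally, whether the
# underlying account still allows sign-in. Assumes an Exchange Online PowerShell session;
# -CheckSignIn additionally assumes Microsoft.Graph.Users is installed and connected
# (Connect-MgGraph -Scopes User.Read.All).

function Get-SharedMailboxDelegationReport {
    [CmdletBinding()]
    param([switch]$CheckSignIn)

    $useGraph = $CheckSignIn -and (Get-Command Get-MgUser -ErrorAction SilentlyContinue)

    foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
        # Full Access entries; skip inherited ACEs and the mailbox's own SELF entry.
        $fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessRights -contains "FullAccess" -and
                           -not $_.IsInherited -and
                           $_.User -notlike "NT AUTHORITY\*" -and $_.User -notlike "S-1-5-*" }

        # Send As is a recipient permission, not a mailbox permission.
        $sendAs = Get-RecipientPermission -Identity $mbx.Identity -AccessRights SendAs |
            Where-Object { $_.AccessControlType -eq "Allow" -and $_.Trustee -notlike "NT AUTHORITY\*" }

        # A shared mailbox account should normally be sign-in blocked; $true here means it is not.
        $signInAllowed = $null
        if ($useGraph) {
            $user = Get-MgUser -UserId $mbx.UserPrincipalName -Property AccountEnabled -ErrorAction SilentlyContinue
            if ($user) { $signInAllowed = [bool]$user.AccountEnabled }
        }

        [pscustomobject]@{
            Mailbox       = $mbx.PrimarySmtpAddress.ToString()
            FullAccess    = (@($fullAccess.User)           | ForEach-Object { "$_" }) -join ";"
            SendAs        = (@($sendAs.Trustee)            | ForEach-Object { "$_" }) -join ";"
            SendOnBehalf  = (@($mbx.GrantSendOnBehalfTo)   | ForEach-Object { "$_" }) -join ";"
            SignInAllowed = $signInAllowed
        }
    }
}

# Get-SharedMailboxDelegationReport -CheckSignIn | Where-Object { $_.SignInAllowed -eq $true }
```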

More information
For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.


Sharing in Exchange Online
Article • 02/22/2023

You may need to coordinate schedules with people in different organizations or with
friends and family members so that you can work together on projects or plan social
events. With Microsoft 365 and Office 365, administrators can set up different levels of
calendar access in Exchange Online to allow businesses to collaborate with other
businesses and to let users share their schedules with others. Business-to-business
calendar sharing is set up by creating organization relationships. User-to-user calendar
sharing is set up by applying sharing policies.

Note

Organization Sharing functionality of the Classic Exchange admin center experience
is available in the new Exchange admin center as we continue to work on updated
versions. If you're using Edge incognito and this page isn't working, enable
third-party cookies.

Sharing Scenarios in Exchange Online

The following sharing scenarios are supported in Exchange Online:

Sharing goal: Share calendars with another Microsoft 365 or Office 365 organization
Setting to use: Organization relationships
Requirements: None, ready to configure

Sharing goal: Share calendars with an on-premises Exchange organization
Setting to use: Organization relationships
Requirements: The on-premises Exchange administrator has to set up an authentication
relationship with the cloud (also known as "federation") and must meet minimum software
requirements

Sharing goal: Share a Microsoft 365 or Office 365 user's calendar with another internet user
Setting to use: Sharing policies
Requirements: None, ready to configure

Sharing goal: Share a Microsoft 365 or Office 365 user's calendar with an Exchange
on-premises user
Setting to use: Sharing policies
Requirements: The on-premises Exchange administrator has to set up an authentication
relationship with the cloud (also known as "federation") and must meet minimum software
requirements

Sharing documentation
The following table contains links to articles that will help you learn about and manage
sharing in Exchange Online.

Topic: Organization relationships in Exchange Online
Description: Learn more about the one-to-one relationships between organizations that
enable calendar free/busy sharing.

Topic: Sharing policies in Exchange Online
Description: Learn more about the person-to-person policies that enable calendar sharing.


Organization relationships in Exchange Online
Article • 02/22/2023

Set up an organization relationship to share calendar information with an external
business partner. Microsoft 365 or Office 365 admins can set up an organization
relationship with another Microsoft 365 and Office 365 organization or with an
Exchange on-premises organization. If you want to share calendars with an on-premises
Exchange organization, the on-premises Exchange administrator has to set up an
authentication relationship with the cloud (also known as "federation") and must meet
minimum software requirements.

Note

Organization functionality of the Classic Exchange admin center experience is
available in the new Exchange admin center as we continue to work on updated
versions. If you're using Edge incognito and this page isn't working, enable
third-party cookies.

An organization relationship is a one-to-one relationship between businesses to allow
users in each organization to view calendar availability information. When you set up the
organization relationship, you're responsible for setting up your side of the relationship.
You specify the level of information that users in the external organization can view in
your organization. The external organization is responsible for setting up their side of
the relationship and specifying their level of information that's visible to users in your
organization (which might be different than yours). The point is: the organization
relationship must be set up at both ends for calendar availability information to be
shared.

For example, a Contoso admin creates an organization relationship with Tailspin Toys,
and a Tailspin Toys admin creates an organization relationship with Contoso. As a result,
Tailspin Toys users will be able to schedule meetings and view the availability of
Contoso users by adding Contoso email addresses to meeting invitations.
Likewise, Contoso users will also see the availability of Tailspin Toys users when
scheduling meetings.

There are three levels of access that you can specify:

No access.
Access to availability (free/busy) time only.
Access to free/busy, including time, subject, and location.

Note

If users don't want to share their free/busy information with others, they can
change their permissions entry in Outlook. To do this, users go to the Calendar
Properties > Permissions tab, select one or more users/groups, and select any of
the Permissions options.

To completely hide their calendar, they can remove the user/group from the list of
those with which the calendar is shared. Their free/busy information won't be seen
by internal or external users, even if an organization relationship exists. The
permissions set by the user will apply.

The following articles will help you configure and manage organization relationships:

Create an organization relationship in Exchange Online

Modify an organization relationship in Exchange Online

Remove an organization relationship in Exchange Online


Create an organization relationship in Exchange Online
Article • 02/22/2023

Set up an organization relationship to share calendar information with an external business partner. Microsoft 365 and
Office 365 admins can set up an organization relationship with another Microsoft 365 or Office 365 organization or with
an Exchange on-premises organization.

What do you need to know before you begin?


Estimated time to complete: 15 minutes.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions
you need, see the Permissions in Exchange Online topic.

If you want to share calendars with an on-premises Exchange organization, the on-premises Exchange administrator
has to set up an authentication relationship with the cloud (also known as "federation") and must meet minimum
software requirements.

Use the Exchange admin center to create an organization relationship
1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to organization > sharing.

3. Under Organization Sharing, click New.

4. In new organization relationship, in the Relationship name box, type a friendly name for the organization
relationship.

5. In the Domains to share with box, type the domain for the external Microsoft 365, Office 365, or Exchange on-
premises organization you want to let see your calendars. If you need to add more than one domain, you can do it
after you create the organization relationship by editing it.

6. Select the Enable calendar free/busy information sharing check box to turn on calendar sharing with the domains
you listed. Set the sharing level for calendar free/busy information and set which users can share calendar free/busy
information.

To set the free/busy access level, select one of the following values:

Calendar free/busy information with time only


Calendar free/busy with time, subject, and location

To set which users will share calendar free/busy information, select one of the following values:

Everyone in your organization


A specified security group

Click Browse to pick the security group from a list, then click OK.

7. Click Save to create the organization relationship.

Use Exchange Online PowerShell to create an organization relationship
This example creates an organization relationship with Contoso, Ltd with the following conditions:
An organization relationship is set up with contoso.com, northamerica.contoso.com, and europe.contoso.com.
Free/busy access is enabled.
Contoso.com and the subdomains get free/busy time, subject, and location information from your organization.

PowerShell

New-OrganizationRelationship -Name "Contoso" -DomainNames "contoso.com","northamerica.contoso.com","europe.contoso.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

If you're not sure which domains Contoso has set up for cloud-based authentication, you can run this command to
automatically find the configuration information. The Get-FederationInformation cmdlet is used to find the right
information, which is then passed to the New-OrganizationRelationship cmdlet.

PowerShell

Get-FederationInformation -DomainName Contoso.com | New-OrganizationRelationship -Name "Contoso" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

For detailed syntax and parameter information, see Get-FederationInformation and New-OrganizationRelationship.

If you're setting up an organization relationship with an on-premises Exchange organization, you may want to provide the
connection settings. This example creates an organization relationship with Fourth Coffee and specifies the connection
settings to use. The following conditions apply:

The organization relationship is established with the domain fourthcoffee.com.
The Exchange Web Services application URL is mail.fourthcoffee.com.
The Autodiscover URL is https://mail.fourthcoffee.com/autodiscover/autodiscover.svc/wssecurity.
Free/busy access is enabled.
Fourth Coffee sees free/busy information with the time.

PowerShell

New-OrganizationRelationship -Name "Fourth Coffee" -DomainNames "fourthcoffee.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly -TargetAutodiscoverEpr "https://mail.fourthcoffee.com/autodiscover/autodiscover.svc/wssecurity" -TargetApplicationUri "mail.fourthcoffee.com"

For detailed syntax and parameter information, see New-OrganizationRelationship.

How do you know this worked?


The successful completion of the New organization relationship wizard indicates that the organization relationship was
created.

You can also run the following command to verify the organization relationship information:

PowerShell

Get-OrganizationRelationship | Format-List

Organization relationships with GCC High


Tenants in the GCC High cloud can now create organization relationships with tenants in the World Wide and the GCC
clouds.

Important

Organization relationships between the DoD cloud and other clouds are not supported.

Create cross-cloud organization relationships


Using PowerShell is the best way to create organization relationships between clouds.

This example creates an organization relationship between Contoso, Ltd in the WorldWide cloud and Fourth Coffee in the
GCC-H cloud with the following conditions:

Contoso domains are contoso.com, northamerica.contoso.com, and europe.contoso.com.
The Fourth Coffee domain is fourthcoffee.com.
Free/busy access is enabled.
Each tenant gets free/busy time, subject, and location information from the other tenant.

In Fourth Coffee run the following command:

PowerShell

New-OrganizationRelationship -Name "Contoso" -DomainNames "contoso.com","northamerica.contoso.com","europe.contoso.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -TargetApplicationUri "outlook.com" -TargetAutodiscoverEpr "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity"

In Contoso, run the following command:

PowerShell

New-OrganizationRelationship -Name "Fourth Coffee" -DomainNames "fourthcoffee.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -TargetApplicationUri "office365.us" -TargetAutodiscoverEpr "https://autodiscover-s.office365.us/autodiscover/autodiscover.svc/WSSecurity"

You can't use the Get-FederationInformation cmdlet to automatically discover the domains and other configurations
needed for cross-cloud organization relationship setup.

The configuration parameters that you need to set are described in the following table:

Parameter: DomainNames
OrgRel in WW/GCC for GCC-H tenant: All the domains for the remote org. You need to collect and add these manually.
OrgRel in GCC-H for WW/GCC tenant: All the domains for the remote org. You need to collect and add these manually.

Parameter: TargetApplicationUri
OrgRel in WW/GCC for GCC-H tenant: Office365.us
OrgRel in GCC-H for WW/GCC tenant: Outlook.com

Parameter: TargetAutodiscoverEpr
OrgRel in WW/GCC for GCC-H tenant: https://autodiscover-s.office365.us/autodiscover/autodiscover.svc/WSSecurity
OrgRel in GCC-H for WW/GCC tenant: https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
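The following Exchange Online PowerShell function is an added example, not part of the Microsoft documentation or the product: it reviews every organization relationship in your tenant against the settings discussed above (enabled state, free/busy access level, scope, and the cross-cloud TargetApplicationUri and TargetAutodiscoverEpr values from the table) and reports anything worth a second look. The function name Test-OrgRelationshipConfig and its parameters are assumptions; it needs a connected Exchange Online PowerShell session.

```powershell
# Added example (not Microsoft's code). Assumes a connected Exchange Online
# PowerShell session (Connect-ExchangeOnline) with permission to run
# Get-OrganizationRelationship. Function name and parameters are hypothetical.

# Expected cross-cloud endpoints, taken from the table above.
# Key = the cloud the *remote* tenant lives in.
$script:CrossCloudTargets = @{
    'GCC-H' = @{
        ApplicationUri  = 'office365.us'
        AutodiscoverEpr = 'https://autodiscover-s.office365.us/autodiscover/autodiscover.svc/WSSecurity'
    }
    'WW/GCC' = @{
        ApplicationUri  = 'outlook.com'
        AutodiscoverEpr = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity'
    }
}

function Test-OrgRelationshipConfig {
    [CmdletBinding()]
    param(
        # Restrict the check to one relationship; default is all of them.
        [string]$Identity,

        # Cloud the remote tenant is in, for cross-cloud relationships only.
        # Leave empty for same-cloud or on-premises partners.
        [ValidateSet('GCC-H', 'WW/GCC')]
        [string]$RemoteCloud
    )

    $relationships = if ($Identity) { Get-OrganizationRelationship -Identity $Identity }
                     else           { Get-OrganizationRelationship }

    foreach ($rel in $relationships) {
        $findings = [System.Collections.Generic.List[string]]::new()

        if (-not $rel.Enabled) {
            $findings.Add('Relationship is disabled, so partner free/busy lookups fail')
        }
        if (-not $rel.FreeBusyAccessEnabled) {
            $findings.Add('Free/busy sharing is turned off')
        }
        elseif ($rel.FreeBusyAccessLevel -eq 'LimitedDetails') {
            # Subject and location leave the tenant; AvailabilityOnly shares time only.
            $findings.Add('Partner sees subject and location, not just free/busy time')
        }
        if ($rel.FreeBusyAccessEnabled -and -not $rel.FreeBusyAccessScope) {
            $findings.Add('Scope is everyone in the organization (no security group)')
        }
        if ($RemoteCloud) {
            $expected = $script:CrossCloudTargets[$RemoteCloud]
            if ([string]$rel.TargetApplicationUri -ne $expected.ApplicationUri) {
                $findings.Add("TargetApplicationUri is '$($rel.TargetApplicationUri)', expected '$($expected.ApplicationUri)'")
            }
            if ([string]$rel.TargetAutodiscoverEpr -ne $expected.AutodiscoverEpr) {
                $findings.Add("TargetAutodiscoverEpr is '$($rel.TargetAutodiscoverEpr)', expected '$($expected.AutodiscoverEpr)'")
            }
        }

        [pscustomobject]@{
            Name        = $rel.Name
            Domains     = $rel.DomainNames -join ', '
            AccessLevel = $rel.FreeBusyAccessLevel
            Scope       = if ($rel.FreeBusyAccessScope) { [string]$rel.FreeBusyAccessScope } else { 'Everyone' }
            Findings    = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage, after Connect-ExchangeOnline:
#   Test-OrgRelationshipConfig | Format-Table -AutoSize
#   Test-OrgRelationshipConfig -Identity 'Fourth Coffee' -RemoteCloud 'GCC-H'
```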

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Modify an organization relationship in Exchange Online
Article • 02/22/2023

An organization relationship lets users in your Microsoft 365 or Office 365 organization
share calendar free/busy information with other Microsoft 365, Office 365, or on-
premises Exchange organizations. You may want to change the settings of an
organization relationship, such as changing the name, temporarily disabling calendar
sharing, changing the access level, or changing which security groups will share
calendars.

To learn more about organization relationships, see Organization relationships in
Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 15 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the Permissions in Exchange
Online topic.

If you want to share calendars with an on-premises Exchange organization, the on-
premises Exchange administrator has to set up an authentication relationship with
the cloud (also known as "federation") and must meet minimum software
requirements.

The procedures in this topic make changes to an organization relationship named
Contoso. The examples show how to:

Add a domain named service.contoso.com to the organization relationship.

Disable free/busy sharing for the organization relationship.

Change the free/busy access level from Calendar free/busy information with
time, subject, and location to Calendar free/busy information with time only.

Use the Exchange admin center to add a domain to an organization relationship
1. From the Microsoft 365 admin center go to Admin > Exchange.

2. Go to organization > sharing.

3. In list view, under Organization Sharing, select the organization relationship
Contoso, and then click Edit.

4. In organization relationship > general, don't change the Name for the organization
relationship.

5. In the Domains to share with box, enter the domain service.contoso.com, then
click Add.

6. Click save to update the organization relationship.

Use the Exchange admin center to disable free/busy sharing for the organization relationship
1. From the Microsoft 365 admin center go to Admin > Exchange.

2. Go to organization > sharing.

3. In the list view, under Organization Sharing, select the organization relationship
Contoso, and then click Edit.

4. In organization relationship click sharing.

5. Clear the Enable calendar free/busy information sharing check box to disable
free/busy sharing. The free/busy access level and security group buttons will also
be disabled.

6. Click save to update the organization relationship.

Use the Exchange admin center to change the free/busy access level for the organization relationship
1. From the Microsoft 365 admin center go to Admin > Exchange.

2. Go to organization > sharing.

3. In list view, under Organization Sharing, select the organization relationship
Contoso, and then click Edit.

4. In organization relationship, click sharing.

5. Select Calendar free/busy information with time only.

6. Click save to update the organization relationship.

Use Exchange Online PowerShell to modify the organization relationship
This example adds the domain name service.contoso.com to the organization
relationship Contoso.

PowerShell

$domains = (Get-OrganizationRelationship Contoso).DomainNames
$domains += 'service.contoso.com'
Set-OrganizationRelationship -Identity Contoso -DomainNames $domains

This example disables the organization relationship Contoso.

PowerShell

Set-OrganizationRelationship -Identity Contoso -Enabled $false

This example enables calendar availability information access for the organization
relationship Contoso and sets the access level to AvailabilityOnly
(calendar free/busy information with time only).

PowerShell

Set-OrganizationRelationship -Identity Contoso -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly

For detailed syntax and parameter information, see Get-OrganizationRelationship and
Set-OrganizationRelationship.

How do you know this worked?


To verify that you have successfully updated the organization relationship, run the
following command and verify the organization relationship information.

PowerShell

Get-OrganizationRelationship | Format-List

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Remove an organization relationship in Exchange Online
Article • 02/22/2023

An organization relationship lets users in your Microsoft 365 or Office 365 organization
share calendar free/busy information with other Microsoft 365, Office 365, or on-
premises Exchange organizations. You can remove an organization relationship to
disable calendar sharing with the other organization.

To learn more about organization relationships, see Organization relationships in
Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the Permissions in Exchange
Online topic.

Use the Exchange admin center to remove an organization relationship
1. From the Microsoft 365 admin center go to Admin > Exchange.

2. Go to organization > sharing.

3. Under Organization Sharing, select an organization relationship, and then click
Delete.

4. In the warning that appears, click yes.

Use Exchange Online PowerShell to remove an organization relationship
This example removes the organization relationship Contoso.

PowerShell
Remove-OrganizationRelationship -Identity "Contoso"

For detailed syntax and parameter information, see Remove-OrganizationRelationship.

How do you know this worked?


To verify that you have successfully removed the organization relationship, do one of the
following:

In the Exchange admin center, go to organization > sharing and verify that the
organization relationship isn't displayed in the list view under Organization
Sharing.

Run the following command to verify the organization relationship information is
removed.

PowerShell

Get-OrganizationRelationship | Format-List

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Sharing policies in Exchange Online
Article • 02/22/2023

People in your organization may want to share calendars with individual business
associates, friends, or family members. Sharing policies control how your users share
their calendars with people outside your organization. The sharing policy that an admin
applies to the user's mailbox determines what level of access a user can share and with
whom. If you don't change anything, then all users can invite anyone with an email
address to view their calendar. You may decide to apply a more restrictive policy.

Note

Organization Sharing functionality of the Classic Exchange admin center experience
is available in the new Exchange admin center as we continue to work on updated
versions. If you're using Edge incognito and this page isn't working, enable
third-party cookies.

An admin defines the rules that make up a sharing policy. You can specify the domains
that users can share with, and the following levels of access to calendars:

Free/busy information with time only

Free/busy information with time, subject, and location

Free/busy information, including time, subject, location, and title

After you create a new sharing policy, you have to apply that policy to mailboxes before
it takes effect. Sharing policies are applied to individual user's mailboxes. An admin can
also disable a user's sharing policy to prevent external access to calendars.

Users share their calendar by sending an email invitation to the external user. Outlook
2010 or later or Outlook on the web (formerly known as Outlook Web App) users can
send this type of invitation. The calendar can be opened through a URL link, or can be
accessed as an additional calendar folder if the external user has Outlook 2010 or later
or is using Outlook on the web.

These articles will help you learn how to manage sharing policies for your Microsoft 365
or Office 365 organization:

Create a sharing policy in Exchange Online

Apply a sharing policy to mailboxes in Exchange Online


Modify, disable, or remove a sharing policy in Exchange Online

Create a sharing policy in Exchange Online
Article • 02/22/2023

Create a new Sharing Policy to change how people in your organization share calendars
with individual business associates, friends, or family members. Sharing policies control
how your users share their calendars with people outside your organization. By default,
all users can invite anyone with an email address to view their calendar. After you create
a new sharing policy, you have to apply that policy to mailboxes before it takes effect. To
apply a specific sharing policy to users, see Apply a sharing policy to mailboxes in
Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 15 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the Permissions in Exchange
Online topic.

Only Outlook 2010 or later and Outlook on the web (formerly known as Outlook
Web App) users can create sharing invitations.

Use the wizard to create a sharing policy


1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to organization > sharing.

3. In the list view, under Individual Sharing, click New.

4. In new sharing policy, type a friendly name for the sharing policy in the Policy
name box.

5. Click Add to define the sharing rules for the policy.

6. In sharing rule, select one of the following options to specify the domains you
want to share with:

Sharing with all domains


Sharing with a specific domain

7. If you select Sharing with a specific domain, type the name of the domain you
want to share with. If you need to enter more than one domain for this sharing
policy, save the settings for the first domain, then edit the sharing rules to add
more domains.

8. To specify the information that can be shared, select the Share your calendar
folder check box, and then select one of the following options:

Calendar free/busy information with time only

Calendar free/busy information with time, subject, and location

All calendar appointment information, including time, subject, location and
title

9. Click save to set the rules for the sharing policy.

10. If you want to set this sharing policy as the new default sharing policy for all users
in your Microsoft 365 or Office 365 organization, select the Make this policy my
default sharing policy check box.

11. Click save to create the sharing policy.

Use Exchange Online PowerShell to create a sharing policy
This example creates the sharing policy Contoso. This policy allows users in the
contoso.com domain to see your user's detailed calendar availability (free/busy)
information. By default, this policy is enabled.

PowerShell

New-SharingPolicy -Name "Contoso" -Domains 'contoso.com: CalendarSharingFreeBusyDetail'

This example creates the sharing policy ContosoWoodgrove for two different
domains (contoso.com and woodgrovebank.com) with different sharing settings
configured for each domain. The policy is disabled.

PowerShell

New-SharingPolicy -Name "ContosoWoodgrove" -Domains 'contoso.com: CalendarSharingFreeBusySimple', 'woodgrovebank.com: CalendarSharingFreeBusyDetail' -Enabled $false

For detailed syntax and parameter information, see New-SharingPolicy.

How do you know this worked?


To verify that you have successfully created the sharing policy, run the following
command to view the sharing policy information.

PowerShell

Get-SharingPolicy <policy name> | format-list

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Apply a sharing policy to mailboxes in Exchange Online
Article • 02/22/2023

Sharing policies control how your users share their calendars with people outside your
organization. The sharing policy that an admin applies to the user's mailbox determines
what level of access a user can share and with whom. If you don't change anything, then
all users can invite anyone with an email address to view their calendar. If you create a
new sharing policy, you have to apply that policy to mailboxes before it takes effect.
Sharing policies are applied to individual user's mailboxes. An admin can also disable a
user's sharing policy to prevent external access to calendars.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the Permissions in Exchange
Online topic.

A sharing policy must exist. For details, see Create a sharing policy in Exchange
Online.

Use the Exchange admin center to apply a sharing policy to one mailbox
1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to recipients > mailboxes.

3. In the list view, select the mailbox you want, and then click Edit.

4. In User Mailbox, click mailbox features.

5. In the Sharing policy list, select the sharing policy you want to apply to this
mailbox.

6. Click save to apply the sharing policy.


Use the Exchange admin center to apply a
sharing policy to multiple mailboxes
1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to recipients > mailboxes.

3. In the list view, hold the Ctrl key while you select multiple mailboxes.

4. In the details pane, the mailbox properties will be configured for bulk edit. Scroll
down to click More options.

5. Under Sharing Policy, click Update.

6. In bulk assign sharing policy, select the sharing policy from the list.

7. Click save to apply the sharing policy to the selected mailboxes.

Use Exchange Online PowerShell to apply a sharing policy to one or more mailboxes
This example applies the sharing policy Contoso to Barbara's mailbox.

PowerShell

Set-Mailbox -Identity Barbara -SharingPolicy "Contoso"

This example finds all user mailboxes in the Marketing department and then applies the
sharing policy Contoso Marketing.

PowerShell

Get-Mailbox -Filter "Department -eq 'Marketing'" | Set-Mailbox -SharingPolicy "Contoso Marketing"

This example shows all mailboxes that have the sharing policy Contoso applied, and it
sorts the users into a table that displays only their aliases and email addresses.

PowerShell

Get-Mailbox -ResultSize unlimited | Where {$_.SharingPolicy -eq "Contoso"} | format-table Alias,EmailAddresses

For detailed syntax and parameter information, see Set-Mailbox and Get-Mailbox.
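As an added example that is not part of the Microsoft documentation, the following Exchange Online PowerShell functions tie together the two procedures above (creating sharing policies with "domain: action" rules and applying them to mailboxes): they parse each policy's Domains rules, flag a policy that lets users hand full appointment details to any external domain, and count the mailboxes each policy is assigned to. The function names ConvertFrom-SharingRule and Get-SharingPolicyExposure are assumptions; a connected Exchange Online PowerShell session is required.

```powershell
# Added example (not Microsoft's code). Assumes a connected Exchange Online
# PowerShell session with permission to run Get-SharingPolicy and Get-Mailbox.
# Function names are hypothetical.

# Parse one "domain: action" entry from a sharing policy's Domains property,
# the same format the New-SharingPolicy examples use. The domain '*' stands
# for every external domain ("Sharing with all domains" in the admin center).
function ConvertFrom-SharingRule {
    param([Parameter(Mandatory)][string]$Rule)
    $domain, $action = ($Rule -split ':', 2).Trim()
    [pscustomobject]@{ Domain = $domain; Action = $action }
}

function Get-SharingPolicyExposure {
    [CmdletBinding()]
    param()

    # Count mailboxes per assigned policy once, rather than once per policy.
    # Mailboxes with no explicit policy are grouped under an empty key.
    $assigned = Get-Mailbox -ResultSize Unlimited |
        Group-Object -Property { [string]$_.SharingPolicy } -AsHashTable -AsString

    foreach ($policy in Get-SharingPolicy) {
        $rules    = @($policy.Domains | ForEach-Object { ConvertFrom-SharingRule -Rule ([string]$_) })
        $findings = [System.Collections.Generic.List[string]]::new()

        foreach ($r in $rules) {
            # Reviewer = full appointment details (time, subject, location, title).
            # Combined with '*' it is the broadest setting a user can be allowed.
            if ($r.Domain -eq '*' -and $r.Action -eq 'CalendarSharingFreeBusyReviewer') {
                $findings.Add('Any external domain may receive full appointment details')
            }
        }
        if ($policy.Default -and -not $policy.Enabled) {
            $findings.Add('The default sharing policy is disabled')
        }

        $mailboxes = $assigned[[string]$policy.Name]
        $count     = if ($mailboxes) { @($mailboxes).Count } else { 0 }

        [pscustomobject]@{
            Policy            = $policy.Name
            Enabled           = $policy.Enabled
            IsDefault         = $policy.Default
            Rules             = ($rules | ForEach-Object { "$($_.Domain)=$($_.Action)" }) -join ', '
            AssignedMailboxes = $count   # reassign these before removing the policy
            Findings          = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage, after Connect-ExchangeOnline:
#   Get-SharingPolicyExposure | Format-Table -AutoSize
```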

How do you know this worked?


To verify that you have successfully applied the sharing policy to a user mailbox, do one
of the following:

In the Exchange admin center, go to recipients > mailboxes, and then select the
mailbox to which you applied the sharing policy. Click Edit, click mailbox
features, and then confirm that the correct sharing policy displays in the Sharing
policy list.

Run the following command to verify the sharing policy was assigned to a user
mailbox. Verify that the correct sharing policy is listed for the SharingPolicy
parameter.

PowerShell

Get-Mailbox <username> | format-list

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Modify, disable, or remove a sharing policy in Exchange Online
Article • 02/22/2023

Sharing policies control how your users share their calendars with people outside your
organization. You may want to change some sharing policy properties, such as changing
sharing rules, changing the free/busy access level, temporarily disabling a sharing policy,
or removing a sharing policy entirely.

For details about how to create a sharing policy, see Create a sharing policy in Exchange
Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the Permissions in Exchange
Online topic.

Use the Exchange admin center to change a sharing policy
1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to organization > sharing.

3. Under Individual Sharing, select a sharing policy, and then click Edit.

4. In sharing policy, click Edit.

5. In sharing rule, change the settings such as the domain you want to share
information with and the sharing level for calendars. Click save to update the rule.

6. In sharing policy, click save to update the sharing policy.

Use the Exchange admin center to set a sharing policy as the default sharing policy
1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to organization > sharing.

3. Under Individual Sharing, select a sharing policy, and then click Edit.

4. In sharing policy, select the Make this policy my default sharing policy check box.

5. Click save to update the sharing policy.

Use the Exchange admin center to disable a sharing policy
1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to organization > sharing.

3. Under Individual Sharing, select a sharing policy.

4. In the On column, clear the check box for the sharing policy you want to disable.

Use the Exchange admin center to remove a sharing policy

Important

Before you remove a sharing policy, the sharing policy must be removed from all
user mailboxes.

1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.

2. Go to organization > sharing.

3. Under Individual Sharing, select a sharing policy, and then click Delete.

4. In the warning, click yes to delete the sharing policy.

Use Exchange Online PowerShell to modify, disable or remove a sharing policy
This example modifies the sharing policy Contoso. This policy allows users in the
Contoso domain to see simple free/busy information.

PowerShell

Set-SharingPolicy -Identity Contoso -Domains 'sales.contoso.com: CalendarSharingFreeBusySimple'

This example adds a second domain to the sharing policy Contoso. When you're
adding a domain to an existing policy, you must include any previously included
domains.

PowerShell

Set-SharingPolicy -Identity Contoso -Domains 'contoso.com: CalendarSharingFreeBusySimple', 'atlanta.contoso.com: CalendarSharingFreeBusyReviewer', 'beijing.contoso.com: CalendarSharingFreeBusyReviewer'

This example sets the sharing policy Contoso as the default sharing policy.

PowerShell

Set-SharingPolicy -Identity Contoso -Default $True

This example disables the sharing policy Contoso.

PowerShell

Set-SharingPolicy -Identity "Contoso" -Enabled $False

The first example removes the sharing policy Contoso. The second example
removes the sharing policy Contoso and suppresses the confirmation that you
want to remove the policy.

PowerShell

Remove-SharingPolicy -Identity Contoso

PowerShell

Remove-SharingPolicy -Identity Contoso -Confirm:$false

For detailed syntax and parameter information, see Set-SharingPolicy and
Remove-SharingPolicy.

Monitoring, reporting, and message tracing in Exchange Online
Article • 02/22/2023

Exchange Online offers many different reports that can help you determine the overall
status and health of your organization. There are also tools to help you troubleshoot
specific events (such as a message not arriving to its intended recipients), and auditing
reports to aid with compliance requirements. The following table describes the reports
and troubleshooting tools that are available to Exchange Online administrators.

Feature: Reports in the Microsoft 365 admin center
Reports: Email activity; Email app usage; Mailbox usage
Location: In the Microsoft 365 admin center, go to Show all (if necessary), click Reports > Usage, and then select one of the reports on the page, or go to Active users - Microsoft 365 services > View more, where the reports are grouped as follows:
Exchange: Email activity, Email app usage, Mailbox usage
Microsoft 365: Groups activity
Office 365: Groups activity

Feature: Reports in the Microsoft Purview compliance portal
Reports: DLP reports (1)
Location: In the Microsoft Purview compliance portal (https://security.microsoft.com), go to Reports, and then select one of the available reports on the page. To go directly to the Reports page, use https://compliance.microsoft.com/reports.

Feature: Reports in the Microsoft 365 Defender portal
Reports: View Defender for Office 365 reports (2); View email security reports
Location: In the Microsoft 365 Defender portal (https://security.microsoft.com), go to Reports > Email & collaboration > Email & collaboration reports, and then select one of the available reports on the page. To go directly to the Reports page, use https://security.microsoft.com/emailandcollabreport.

Feature: Reports using Microsoft Graph
Reports: Programmatically create the reports that are available in the Microsoft 365 admin center by using Microsoft Graph. For more information, see the following topics: Email activity reports; Email app usage reports; Mailbox usage reports; Microsoft 365 groups activity reports.
Location: n/a

Feature: Reports using reporting web services
Reports: Programmatically create reports from the available Exchange Online PowerShell reporting cmdlets by using REST/ODATA2 query filtering. (3) For more information, see Reporting Web Services.
Location: https://reports.office365.com/ecp/reportingwebservice/reporting.svc

Feature: Message trace
Reports: Message trace in the modern Exchange admin center
Location: In the Exchange admin center (https://admin.exchange.microsoft.com), go to Mail flow > Message trace. Note: The Exchange message trace link in the Microsoft 365 Defender portal opens message trace in the modern EAC.

Feature: Audit logging
Reports: Search the audit log in the Microsoft Purview compliance portal
Location: In the Microsoft Purview compliance portal (https://compliance.microsoft.com), go to Solutions > Audit > Search tab on the Audit page.

(1) DLP is only available in certain Exchange Online subscription plans. For information,
see the Data Loss Prevention entries in the Exchange Online Service Description.

(2) Defender for Office 365 is available in Office 365 Enterprise E5, but you can also
purchase Defender for Office 365 as an add-on to other subscription plans. For more
information, see the Microsoft Defender for Office 365 Service Description.

(3) Many of the original reporting cmdlets in Exchange Online PowerShell have been
deprecated (the cmdlets are available, but they don't return useful data). For a list of
available and unavailable reporting cmdlets, see Exchange reporting cmdlets.

Reporting and message trace data availability and latency
The following table describes when Exchange Online reporting and message trace data
is available and for how long.

Report type: Mailbox summary reports
Data available for (look back period): 60 days
Latency: Message data aggregation is mostly complete within 24-48 hours. Some minor incremental aggregated changes may occur for up to 5 days.

Report type: Mail protection summary reports
Data available for (look back period): 90 days
Latency: Message data aggregation is mostly complete within 24-48 hours. Some minor incremental aggregated changes may occur for up to 5 days.

Report type: Mail protection detail reports
Data available for (look back period): 90 days
Latency: For detail data that's less than 7 days old, data should appear within 24 hours but may not be complete until 48 hours. Some minor incremental changes may occur for up to 5 days. To view detail reports for messages that are greater than 7 days old, results may take up to a few hours.

Report type: Message trace data
Data available for (look back period): 90 days
Latency: When you run a message trace for messages that are less than 7 days old, the messages should appear within 5-30 minutes. When you run a message trace for messages that are greater than 7 days old, results may take up to a few hours.

Note

Data availability and latency doesn't depend on the user interface (it's the same in
the admin centers as in PowerShell).

Use mail protection reports to view data about malware, spam, and rule detections in Exchange Online
Article • 02/22/2023

If you're an Exchange Online or Exchange Online Protection (EOP) admin, there's a good
chance you'd like to monitor how much spam and malware is being detected, or how
often your mail flow rules (also known as transport rules) are being matched. With the
interactive mail protection reports in the Microsoft 365 Defender portal, you can quickly
get a visual report of summary data, and drill-down into details about individual
messages, for as far back as 90 days.

Reports in the Microsoft 365 Defender portal

In the Microsoft 365 Defender portal (https://security.microsoft.com), sign in using your work or school account and go to Reports > Email & collaboration > Email & collaboration reports. Or, to go directly to the Email & collaboration reports page, use https://security.microsoft.com/emailandcollabreport

Note

You must be a global administrator or have appropriate permissions assigned in order to use the Microsoft 365 Defender portal. For details, see Permissions in the Microsoft 365 Defender portal.

Reporting overview
The following table describes the types of reports that are available, how to find them, and where to go to learn more.

Type of information: Email security reports. Malware, spam, spoof and other protection reports for all Exchange Online organizations.
Learn more: View email security reports in the Microsoft 365 Defender portal

Type of information: View Defender for Office 365 reports in the Microsoft 365 Defender portal. Mail latency, threat protection and other reports that are available to organizations with Defender for Office 365 (included in a subscription or as an add-on).
Learn more: View reports for Microsoft Defender for Office 365

Customize and schedule mail protection reports to be automatically sent to your inbox in Exchange Online
Article • 02/22/2023

As an Exchange Online or Exchange Online Protection (EOP) admin, you probably want
to keep an eye on your organization's mail flow, how much spam and malware is being
detected, or how often your rules and policies are being matched. By using mail
protection reports, you'll get a quick summary of the messages that Microsoft 365 or
Office 365 has delivered or rejected based on spam or malware characteristics, rules, or
data loss prevention (DLP) policies.

You can choose to either schedule mail protection reports to be sent to your inbox
automatically, or you can view them any time in the Microsoft 365 Defender portal.

To get started customizing and downloading reports, see the following articles:

View email security reports in the Microsoft 365 Defender portal
View Defender for Office 365 reports in the Microsoft 365 Defender portal

What happened to delivery reports? in Exchange Online
Article • 02/22/2023

Delivery reports in Microsoft 365 and Office 365 allowed users and administrators to
discover and view delivery information about mail messages. Delivery reports for users
have been discontinued and there is currently no direct replacement. Delivery reports
for administrators have been replaced by the Message Trace feature.

For more information, see these topics:

Trace an email message
Message trace in the modern Exchange admin center
Run a message trace and view the results in the Exchange admin center

Note

The Exchange message trace link in the Microsoft 365 Defender portal opens message trace in the modern EAC.
Delivery reports for users and administrators are still available in on-premises Exchange environments. For more information, see Track messages with delivery reports.
Read receipts and delivery notifications are separate from delivery reports and are still available in Microsoft 365 and Office 365. For more information, see Add and request read receipts and delivery notifications.

Trace an email message in Exchange Online
Article • 02/22/2023

Sometimes an email message gets lost in transit, or it can take a lot longer than
expected for delivery, and your users can wonder what happened. As an administrator,
you can use the message trace feature to follow messages as they pass through your
Exchange Online or Exchange Online Protection service. With message trace, you can
determine whether a targeted email message was received, rejected, deferred, or
delivered by the service. It also shows what events have occurred to the message before
reaching its final status. Getting detailed information about a specific message lets you efficiently answer your users' questions, troubleshoot mail flow issues, validate policy changes, and avoid having to contact technical support for assistance.

Tip

For troubleshooting general issues and trends, use the Reports page in the Microsoft 365 Defender portal (https://security.microsoft.com/emailandcollabreport). For single point specifics where details are needed about a message, use the message trace tool.

The following topics describe how to run a message trace to narrow down your search
criteria, how to view message trace results, and how to view details about a specific
message:

Run a message trace in the classic EAC
Message trace in the modern EAC

Note

The Exchange message trace link in the Microsoft 365 Defender portal opens message trace in the modern EAC.

The Message Trace FAQ topic presents common messaging questions that arise and how to best answer these questions using the message trace tool.

Run a message trace in the classic EAC in Exchange Online
Article • 02/22/2023

Note

Message trace is available in the modern Exchange admin center. For more
information, see Message trace in the modern Exchange admin center. The
Exchange message trace link in the Microsoft 365 Defender portal opens message
trace in the modern EAC.

As an administrator, you can find out what happened to an email message by running a
message trace in the Exchange admin center (EAC). After running the message trace,
you can view the results in a list, and then view the details about a specific message.
Message trace data is available for the past 90 days. If a message is more than 7 days
old, you can only view the results in a downloadable .CSV file.

For a video walkthrough of message trace and other mail flow troubleshooting tools,
see Find and fix email delivery issues as a Microsoft 365 or Office 365 for business
admin.

What do you need to know before you begin?

To find and open the classic EAC, see Exchange admin center in Exchange Online.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Message trace" entry in
the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection. If you're a Microsoft 365 or Office 365 for business admin, see Contact support for business products - Admin Help.

Run a message trace
1. In the EAC, go to Mail flow > message trace.

2. Depending on what you're searching for, you can enter values in the following
fields. None of these fields are required for messages that are less than 7 days old.
You can simply click Search to retrieve all message trace data over the default time
period, which is the past 48 hours.

a. Date range: Using the drop-down list, select to search for messages sent or
received within the past 24 hours, 48 hours, or 7 days. You can also select a
custom time frame that includes any range within the past 90 days. For custom
searches you can also change the time zone, in Coordinated Universal Time
(UTC).

b. Delivery status: Using the drop-down list, select the status of the message you
want to view information about. Leave the default value of All to cover all
statuses. Other possible values are:

Delivered: The message was successfully delivered to the intended destination.
Failed: The message was not delivered. Either it was attempted and failed or it was not delivered as a result of actions taken by the filtering service. For example, if the message was determined to contain malware.
Pending*: Delivery of the message is being attempted or re-attempted.
Expanded: The message was sent to a distribution list and was expanded so the members of the list can be viewed individually.
Filtered as spam: The message was delivered to the Junk Email folder.
Unknown*: The message delivery status is unknown at this time. When the results of the query are listed, the delivery details fields will not contain any information.

* If you're searching for messages that are older than 7 days, you can't select Pending or Unknown.

c. Message ID: This is the Internet message ID (also known as the Client ID) found
in the message header in the Message-ID: header field. Users can provide you
with this information in order to investigate specific messages.

The form of this ID varies depending on the sending mail system. The following
is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain> .

This ID should be unique; however, not all sending mail systems behave the
same way. As a result, there's a possibility that you may get results for multiple
messages when querying upon a single Message ID.

Note: Be sure to include the full Message ID string. This may include angle
brackets (<>).

d. Sender: You can narrow the search for specific senders by clicking the Add
sender button next to the Sender field. In the subsequent dialog box, select one
or more senders from your company from the user picker list and then click
Add. To add senders who aren't on the list, type their email addresses and click
Check names. In this box, wildcards are supported for email addresses in the
format: *@contoso.com. When specifying a wildcard, other addresses can't be
used. When you're done with your selections, click OK.

e. Recipient: You can narrow the search for specific recipients by clicking the Add
recipient button next to the Recipient field. In the subsequent dialog box, select
one or more recipients from your company from the user picker list and then
click Add. To add recipients who aren't on the list, type their email addresses
and click Check names. In this box, wildcards are supported for email addresses
in the format: *@contoso.com. When specifying a wildcard, other addresses
can't be used. When you're done with your selections, click OK.

3. If you're searching for messages that are older than 7 days, configure the following settings (otherwise you can skip this step):

a. Include message events and routing details with report: We recommend
selecting this check box only if you're looking for a small number of messages.
Otherwise, the results will take longer to return.

b. Direction: Leave the default All or select Inbound for messages sent to your
organization or Outbound for messages sent from your organization.

c. Original client IP address: Specify the IP address of the sender's client.

d. Report title: Specify the unique identifier for this report. This will also be used as
the subject line text for the email notification. The default is "Message trace
report <day of the week>, <current date> <current time>". For example,
"Message trace report Thursday, October 17, 2018 7:21:09 AM".

e. Notification email address: Specify the email address that you want to receive
the notification when the message trace completes. This address must reside
within your list of accepted domains.

4. Click Search to run the message trace. You'll be warned if you're nearing the threshold of the number of traces you're allowed to run over a 24 hour period.

After running your message trace, proceed to one of the next sections to read about
how to view your results.

Note: To search for a different message, you can click the Clear button and then specify
new search criteria.

View message trace results for messages less than 7 days old
After you run a message trace in the EAC, the results will be listed, sorted by date, with
the most recent message appearing first. You can sort on any of the listed fields by
clicking their headers. Clicking a column header a second time will reverse the sort
order. When viewing message trace results, the following information is provided about
each message:

Date: The date and time at which the message was received by the service, using
the configured UTC time zone.
Sender: The email address of the sender in the form alias@domain .
Recipient: The email address of the recipient or recipients. For messages sent to
more than one recipient, there is one line per recipient. If the recipient is a
distribution list, the distribution list will be the first recipient, and then each
member of the distribution list will be included on a separate line so that you can
check the status for all recipients.
Subject: The subject line text of the message. If necessary, this is truncated to the
first 256 characters.
Status: This field specifies whether the message was Delivered to the recipient or
the intended destination, Failed to be delivered to the recipient (either because it
failed to reach its destination or because it was filtered), is Pending delivery (it is
either in the process of being delivered or the delivery was deferred but is being
re-attempted), was Expanded (there was no delivery because the message was
sent to a distribution list (DL) that was expanded to the recipients of the DL), or has
a status of None (there is no status of delivery for the message to the recipient
because the message was either rejected or redirected to a different recipient).

Note

The message trace can display a maximum of 500 entries. By default, the user
interface displays 50 entries per page, and you can navigate through the pages. You
can also change the entry size of each page up to 500.

View details about a specific message less than 7 days old

After you review the list of items returned by running the message trace in the EAC, you
can double-click an individual message to view the following additional details about
the message:

Message size: The size of the message, including attachments, in kilobytes (KB), or,
if the message size is greater than 999 KBs, in megabytes (MB).

Message ID: This is the Internet message ID (also known as the Client ID) found in
the header of the message with the "Message-ID:" token. The form of this varies
depending on the sending mail system. The following is an example:
<08f1e0f6806a47b4ac103961109ae6ef@contoso.com> .

This ID should be unique, however, it is dependent on the sending mail system for
generation and not all sending mail systems behave the same way. As a result,
there is a possibility that you may get results for multiple messages when querying
upon a single Message ID.

This is given as output so that trace entries and the messages in question can be correlated.

To IP: The IP address or addresses to which the service attempted to deliver the message. If there are multiple recipients, these are displayed. For inbound messages sent to Exchange Online, this value is blank.

From IP: The IP address of the computer that sent the message. For outbound
messages sent from Exchange Online, this value is blank.

In the events section, the following fields provide information about the events that
occurred to the message as it passed through the messaging pipeline:

Date: The date and time that the event occurred.

Event: This field briefly informs you of what happened, for example if the message
was received by the service, if it was delivered or failed to be delivered to the
intended recipient, and so on. The following are examples of events that may be
listed:

RECEIVE: The message was received by the service.

SEND: The message was sent by the service.

FAIL: The message failed to be delivered.

DELIVER: The message was delivered to a mailbox.

EXPAND: The message was sent to a distribution group that was expanded.

TRANSFER: Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.

DEFER: The message delivery was postponed and may be re-attempted later.

RESOLVED: The message was redirected to a new recipient address based on an Active Directory look up. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.

DLP rule: The message matched a DLP rule.

Sensitivity label: A server-side labeling event occurred. For example, a label was automatically added to a message that includes an action to encrypt or was added via the web or mobile client. This action is completed by the Exchange server and logged. A label added via Outlook will not be included in the event field.

Tip

Additional events may appear. For more information about these events,
see Event types in the message tracking log.

Action: This field shows the action that was performed if the message was filtered
due to a malware or spam detection or a rule match. For example, it will let you
know if the message was deleted or if it was sent to the quarantine.

Detail: This field provides detailed information that elaborates on what happened.
For example, it may inform you which specific mail flow rule (also known as a
transport rule) was matched, and what happened to the message as a result of that
match. It can also inform you which specific malware was detected in which
specific attachment, or why a message was detected as spam. If the message was
successfully delivered, it can tell you the IP address to which it was delivered.

View message trace results for messages more than 7 days old
If you run a message trace for items that are older than 7 days, when you click Search a message should appear letting you know that the trace was successfully submitted, and that an email notification will be sent to the supplied email address when the trace
has completed. (If the message trace is processed and data that matches your search
criteria is successfully retrieved, this notification message will include information about
the trace and a link to the downloadable .CSV file. If no data was found that matched
the search criteria you specified, you'll be asked to submit a new request with changed
criteria in order to obtain valid results.)

In the EAC, you can click View pending or completed traces in order to view a list of traces that were run for items that are older than 7 days. In the resulting UI, the list of traces
is sorted based on the date and time that they were submitted, with the most recent
submissions appearing first. In addition to the report title, the date and time the trace
was submitted, and the number of messages in the report, the following status values
are listed:

Not started: The trace was submitted but is not yet running. At this point, you
have the option to cancel the trace.
Cancelled: The trace was submitted but was cancelled.
In progress: The trace is running and you can't cancel the trace or download the
results.
Completed: The trace has completed and you can click Download this report to retrieve the results in a .CSV file. If your message trace results exceed 100,000 messages for a summary report, the report is truncated to the first 100,000 messages. If your message trace results exceed 1,000 messages for a detailed report, the report is truncated to the first 1,000 messages. If you don't see all the results that you need, we recommend that you break your search into multiple queries.

When you select a specific message trace, additional information appears in the right
pane. Depending on what search criteria you specified, this may include details such as
the date range for which the trace was run, and the sender and intended recipients of
the message.

Note

Message traces containing data that is more than 7 days old are automatically deleted in the EAC after 10 days. They can't be manually deleted.
The maximum size for a downloadable report is 500 MB. If a downloadable report exceeds 500 MB, you can't open the report in Excel or Notepad.

View report details about a specific message more than 7 days old
When you download and view a message trace report, either from View pending or
completed traces in the EAC or from a notification email, its contents depend on
whether you have selected the Include message events and routing details with report
option.

Important

In order to view the downloaded message trace report, you must have the "View-
Only Recipients" RBAC role assigned to your role group. By default, the following
role groups have this role assigned: Compliance Management, Help Desk, Hygiene
Management, Organization Management, View-Only Organization Management.

Viewing a message trace report without routing details

If you didn't include routing details when running the message trace, the following
information is included in the .CSV file, which you can open in an application such as
Microsoft Excel:

origin_timestamp: The date and time at which the message was received by the
service, using the configured UTC time zone.

sender_address: The email address of the sender in the form alias@domain.

Recipient_status: The status of the delivery of the message to the recipient. If the
message was sent to multiple recipients, it will show all the recipients and the
corresponding status against each, in the format: <email address>##<status>. For
example, a status of:
##Receive, Send: means that the message was received by the service and sent
to the intended destination.
##Receive, Fail: means that the message was received by the service but failed
to be delivered to the intended destination.
##Receive, Deliver: means that the message was received by the service and
delivered to the recipient's mailbox.

message_subject: The subject line text of the message. If necessary, this is truncated to the first 256 characters.

total_bytes: The size of the message, including attachments, in bytes.

message_id: This is the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID:" token. The form of this varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.

This ID should be unique, however, it is dependent on the sending mail system for generation and not all sending mail systems behave the same way. As a result, there is a possibility that you may get results for multiple messages when querying upon a single Message ID.

This is given as output so that trace entries and the messages in question can be correlated.

network_message_id: This is a unique message ID value that persists across copies of the message that may be created due to bifurcation or distribution group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f.

original_client_ip: The IP address of the sender's client.

directionality: This field denotes whether the message was sent inbound (1) to your organization, or whether it was sent outbound (2) from your organization.

connector_id: The name of the source or destination Send connector or Receive connector. For example, ServerName\ConnectorName or ConnectorName.

delivery_priority: Denotes whether the message was sent with High, Low, or
Normal priority.

View a message trace report with routing details

If you included routing details when running the message trace, all information from the
message tracking logs is included in the .CSV file, which you can open in an application
such as Microsoft Excel. Some of the values included in this report are described in the
prior section, while other values that may be useful for investigative purposes are
described in Fields in the message tracking log files.

The custom_data field

Additionally, the custom_data field may contain values that are specific to the filtering
service. The custom_data field in an AGENTINFO event is used by a variety of different
agents to log details from the agent's processing of the message. Some of the message
data protection related agents are described below.

Spam Filter Agent (S:SFA)

A string beginning with S:SFA is an entry from the spam filter agent and provides the
following key details:

SFV=NSPM: The message was marked as non-spam and was sent to the intended recipients.
SFV=SPM: The message was marked as spam by the content filter.
SFV=BLK: Filtering was skipped and the message was blocked because it originated from a blocked sender.
SFV=SKS: The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a mail flow rule to automatically mark it as spam and bypass all additional filtering.
SCL=<number>: The spam confidence level of the message. For more information about the different SCL values and what they mean, see Spam Confidence Levels.
PCL=<number>: The Phishing Confidence Level (PCL) value of the message. These can be interpreted the same way as the SCL values documented in Spam Confidence Levels.
DI=SB: The sender of the message was blocked.
DI=SQ: The message was quarantined.
DI=SD: The message was deleted.
DI=SJ: The message was sent to the recipient's Junk Email folder.
DI=SN: The message was routed through the higher risk delivery pool. For more information, see High-risk delivery pool for outbound messages.
DI=SO: The message was routed through the normal outbound delivery pool.
SFS=[a], SFS=[b]: This denotes that spam rules were matched.
IPV=CAL: The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.
H=[helostring]: The HELO or EHLO string of the connecting mail server.
PTR=[ReverseDNS]: The PTR record of the sending IP address, also known as the reverse DNS address.

When a message is filtered for spam, a sample custom_data entry would look similar to the following:

S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;

Malware Filter Agent (S:AMA)

A string beginning with S:AMA is an entry from the anti-malware agent and provides the following key details:

AMA=SUM|v=1| or AMA=EV|v=1|: The message was determined to contain malware. SUM denotes that the malware could've been detected by any number of engines. EV denotes that the malware was detected by a specific engine. When malware is detected by an engine this triggers the subsequent actions.
Action=r: The message was replaced.
Action=p: The message was bypassed.
Action=d: The message was deferred.
Action=s: The message was deleted.
Action=st: The message was bypassed.
Action=sy: The message was bypassed.
Action=ni: The message was rejected.
Action=ne: The message was rejected.
Action=b: The message was blocked.
Name=<malware>: The name of the malware that was detected.
File=<filename>: The name of the file that contained the malware.

When a message contains malware, a sample custom_data entry would look similar to the following:

S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201307282038|name=Test_File|file=filename

Transport Rule Agent (S:TRA)

A string beginning with S:TRA is an entry from the Transport Rule agent and provides the following key details:

ETR|ruleId=[guid]: The rule ID that was matched.
St=[datetime]: The date and time (in UTC) when the rule match occurred.
Action=[ActionDefinition]: The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online.
Mode=Enforce: The mode of the rule. Possible values are:
Enforce: All actions on the rule will be enforced.
Test with Policy Tips: Any Policy Tip actions will be sent, but other enforcement actions will not be acted on.
Test without Policy Tips: Actions will be listed in a log file, but senders will not be notified in any way, and enforcement actions will not be acted on.

When a message matches a mail flow rule, a sample custom_data entry would look similar to the following:

S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2013 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce
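The following is an added example, not code from the Exchange Online documentation, that parses the two report fields an investigator reads first: the recipient_status column described above in the report without routing details (<address>##<status>), and the custom_data entries written by the S:SFA, S:AMA and S:TRA agents. It runs offline in PowerShell. The three custom_data strings are the article's own samples; the CSV rows around them, the addresses, the function names, and the assumption that multiple recipients in recipient_status are separated by ';' are mine, not from the documentation.

```powershell
# Added example (not from the Exchange Online docs). Parses recipient_status and
# custom_data from a downloaded message trace CSV. Runs offline on constructed rows.
# Assumption: multiple recipients in recipient_status are ';'-separated; the docs only
# show the single-recipient form <address>##<status>.

function ConvertFrom-RecipientStatus {
    param([Parameter(Mandatory)][string]$RecipientStatus)
    foreach ($entry in ($RecipientStatus -split ';' | Where-Object { $_.Trim() })) {
        $address, $status = $entry -split '##', 2
        [pscustomobject]@{
            Recipient = $address.Trim()
            Events    = @(($status -split ',') | ForEach-Object { $_.Trim() })  # e.g. Receive, Fail
            Delivered = [bool]($status -match '\bDeliver\b')
        }
    }
}

function ConvertFrom-CustomData {
    # One object per agent entry (S:SFA, S:AMA, S:TRA, ...). Entries are ';'-separated;
    # fields inside an entry are '|'-separated key=value pairs. A key that repeats within
    # one entry (SFS, LAT) is collected into an array instead of being overwritten.
    param([Parameter(Mandatory)][string]$CustomData)
    foreach ($entry in ($CustomData -split ';' | Where-Object { $_.Trim() })) {
        $fields = $entry.Trim() -split '\|'
        $agentKey, $entryType = $fields[0] -split '=', 2        # "S:SFA=SUM" -> S:SFA, SUM
        $values = [ordered]@{}
        foreach ($kv in ($fields | Select-Object -Skip 1)) {
            $key, $val = $kv -split '=', 2                      # "error=" -> error, ""
            if ($values.Contains($key)) { $values[$key] = @($values[$key]) + $val }
            else                        { $values[$key] = $val }
        }
        [pscustomobject]@{ Agent = ($agentKey -replace '^S:', ''); Type = $entryType; Values = $values }
    }
}

function Get-TraceVerdict {
    # Reduce one parsed entry to the fields that explain the disposition of the message.
    param([Parameter(Mandatory)]$Entry)
    $v = $Entry.Values
    switch ($Entry.Agent) {
        'SFA' { "spam filter: verdict=$($v['SFV']) SCL=$($v['SCL']) disposition=$($v['DI']) rules=$(@($v['SFS']) -join ',') helo=$($v['H'])" }
        'AMA' {
            if ($Entry.Type -eq 'EV') { "malware engine $($v['engine']): name=$($v['name']) file=$($v['file'])" }
            else                      { "malware summary: action=$($v['action']) attachments=$($v['atch'])" }
        }
        'TRA' { "mail flow rule: ruleId=$($v['ruleId']) action=$($v['action']) mode=$($v['mode']) at $($v['st'])" }
        default { '{0}: {1}' -f $Entry.Agent, (($v.Keys | ForEach-Object { "$_=$($v[$_])" }) -join ' ') }
    }
}

# Constructed rows; the custom_data values are the article's three samples.
$rows = @(
    [pscustomobject]@{
        message_id       = '<08f1e0f6806a47b4ac103961109ae6ef@server.domain>'
        recipient_status = 'bob@contoso.com##Receive, Deliver;carol@contoso.com##Receive, Fail'
        custom_data      = 'S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;'
    }
    [pscustomobject]@{
        message_id       = '<constructed-2@server.domain>'
        recipient_status = 'dan@contoso.com##Receive, Fail'
        custom_data      = 'S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201307282038|name=Test_File|file=filename'
    }
    [pscustomobject]@{
        message_id       = '<constructed-3@server.domain>'
        recipient_status = 'erin@contoso.com##Receive, Send'
        custom_data      = 'S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2013 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce'
    }
)

foreach ($row in $rows) {
    "== $($row.message_id)"
    ConvertFrom-RecipientStatus $row.recipient_status |
        ForEach-Object { "  $($_.Recipient): $($_.Events -join ', ') (delivered=$($_.Delivered))" }
    ConvertFrom-CustomData $row.custom_data |
        ForEach-Object { "  $(Get-TraceVerdict $_)" }
}
```

To use this against a real download, replace $rows with Import-Csv on the report file; the column names match the field names the article lists, so the two parsers can be applied directly to each row.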

For more information

Message Trace FAQ presents messaging questions that a user may have, along with
possible answers. It also describes how to use the message trace tool in order to get
those answers and troubleshoot specific mail delivery issues.

Can I run a message trace via Exchange Online PowerShell or Exchange Online Protection PowerShell? What are the cmdlets to use? gives information about the PowerShell cmdlets that you can use to run a message trace.

Message Trace FAQ in Exchange Online
Article • 02/22/2023

This article presents messaging questions that a user may have, along with possible
answers. It also describes how to use the message trace tool in order to get those
answers and troubleshoot specific mail delivery issues.

How long does it take to see results when running a message trace?
In the classic Exchange admin center (classic EAC), the search results appear immediately for messages that are less than seven days old.
In the modern Exchange admin center (modern EAC), the search results appear immediately for messages that are less than 10 days old.

When you run a message trace for older messages, the results are returned within a few
hours as a downloadable CSV file.

Note

The Exchange message trace link in the Microsoft 365 Defender portal opens
message trace in the modern EAC.

How long does it take for a sent message to appear in a message trace?
When a message is sent, it should take between 5-10 minutes for the message to
appear in the message trace data.

Can I run a message trace via Exchange Online PowerShell or Exchange Online Protection PowerShell? What are the cmdlets to use?
You can use the following cmdlets in Exchange Online PowerShell or Exchange Online
Protection PowerShell to run a message trace:

Get-MessageTrace: Trace messages that are less than 10 days old.

Get-MessageTraceDetail: View the message trace event details for a specific message.

Get-HistoricalSearch: Use this cmdlet to view information about historical searches that
have been performed within the last 10 days.

Start-HistoricalSearch: Start a new historical search for messages that are less than 90
days old.

Stop-HistoricalSearch: Stop queued historical searches that haven't started yet (the
status value is NotStarted ).

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

To connect to Exchange Online Protection PowerShell in standalone EOP organizations without Exchange Online mailboxes, see Connect to Exchange Online Protection PowerShell.
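As an added example (not code from the Exchange Online documentation), the following PowerShell script runs the cmdlets listed above end to end: it pages through Get-MessageTrace, pulls Get-MessageTraceDetail for every delivery that did not complete, and queues a historical search for messages older than the 10-day window. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline); the addresses, date ranges, report title, the helper name Get-MessageTraceAll, and the Get-HistoricalSearch status values it polls on (NotStarted, InProgress) are assumptions of this example.

```powershell
# Added example (not from the Exchange Online docs). Requires an Exchange Online
# PowerShell session (Connect-ExchangeOnline). Addresses and dates are placeholders.

function Get-MessageTraceAll {
    # Get-MessageTrace returns one page per call (PageSize up to 5000, Page up to 1000),
    # so request pages until one comes back short. Assumed helper name.
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string]$SenderAddress,
        [string]$RecipientAddress,
        [int]$PageSize = 5000
    )
    $query = @{ StartDate = $StartDate; EndDate = $EndDate; PageSize = $PageSize }
    if ($SenderAddress)    { $query.SenderAddress    = $SenderAddress }
    if ($RecipientAddress) { $query.RecipientAddress = $RecipientAddress }

    $page = 1
    do {
        $rows = @(Get-MessageTrace @query -Page $page)
        $rows                                   # emit this page to the pipeline
        $page++
    } while ($rows.Count -eq $PageSize -and $page -le 1000)
}

# 1. Recent messages (Get-MessageTrace covers the last 10 days): one row per recipient.
$end   = Get-Date
$start = $end.AddDays(-7)
$trace = Get-MessageTraceAll -StartDate $start -EndDate $end `
             -SenderAddress 'alice@contoso.com' -RecipientAddress 'bob@fabrikam.com'

$trace | Sort-Object Received -Descending |
    Select-Object Received, SenderAddress, RecipientAddress, Status, FromIP, ToIP, Subject |
    Format-Table -AutoSize

# 2. For every delivery that did not reach the mailbox, pull the event timeline for that
#    attempt (RECEIVE, DEFER, FAIL, SPAM, ...). MessageTraceId plus RecipientAddress
#    identify one attempt; Detail names the rule, verdict or remote error.
$notDelivered = $trace | Where-Object { $_.Status -in 'Failed', 'Pending', 'FilteredAsSpam', 'Quarantined' }
foreach ($m in $notDelivered) {
    "== $($m.MessageId) -> $($m.RecipientAddress) [$($m.Status)]"
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Sort-Object Date | Select-Object Date, Event, Action, Detail | Format-Table -Wrap
}

# 3. Older than 10 days: queue a historical search (up to 90 days back). The CSV link is
#    mailed to NotifyAddress, which must be in an accepted domain. Detail reports are
#    truncated at 1,000 messages, so keep the criteria narrow.
$job = Start-HistoricalSearch -ReportTitle "alice->bob $(Get-Date -Format 'yyyy-MM-dd HHmm')" `
           -ReportType MessageTraceDetail `
           -StartDate $end.AddDays(-60) -EndDate $end.AddDays(-10) `
           -SenderAddress 'alice@contoso.com' -RecipientAddress 'bob@fabrikam.com' `
           -NotifyAddress 'admin@contoso.com'

# Poll until the job leaves the queue. While it is still NotStarted it can be cancelled
# with Stop-HistoricalSearch -JobId $job.JobId. (Status names assumed from the cmdlet docs.)
do {
    Start-Sleep -Seconds 60
    $search = Get-HistoricalSearch -JobId $job.JobId
} while ($search.Status -in 'NotStarted', 'InProgress')

$search | Select-Object ReportTitle, Status, FileUrl
```

Step 2 is the PowerShell equivalent of double-clicking a row in the EAC: the Status column tells you whether the service delivered, deferred, failed or filtered the message, and the detail events tell you which rule, verdict or remote SMTP response caused that outcome.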

Why am I getting a timeout error when running a message trace in the user interface?
The likely cause of a timeout error is that the query is taking too long to process. Consider simplifying your search criteria. You may want to consider using the Get-MessageTrace cmdlet, which has more liberal timeout requirements.

Why didn't I receive an expected email message?
Here are some possible reasons:

The message was detected as spam.

The message was sent to quarantine due to a rule match.

The message was rejected:
  By the malware filter:
    Because a file attached to the message contained malware
    Because the message body contained malware
  By a rule:
    Because the action was Reject
    Because the action was Force TLS and TLS failed to be established
  By a connector because TLS was required and failed to be established

The message was sent for moderation and is awaiting approval or was rejected by the moderator.

The message was never sent.

The message is still being processed because there was a previous failure and the
service is reattempting delivery.

The message failed to be delivered to your mailboxes:
  Because the destination is not reachable
  Because the destination rejected the message
  Because the message timed out during the delivery attempt

To find out what happened:

Run a message trace. Use as many search criteria as possible to narrow down the results.
For example, you should know the sender and the intended recipient or recipients of the
message, and the general time period when the message was sent.

View the results, locate the message, and then view specific details about the message
(see View message trace results for messages less than seven days old or View message
trace results for messages more than seven days old). Look for a delivery status of Failed
or Pending to explain why the message was not received.

Confirm that the message was sent, that it was successfully received by the service, that
it was not filtered, redirected, or sent for moderation, and that it did not experience any
delivery failures or delays.

Why did I receive an unexpected message?

Here are some possible reasons:

The message was released from quarantine.

The message was awaiting moderator approval and was released.

The message was spam that was not detected.

The message matched a rule that added you to the message.

The message was sent to a distribution list of which you are a member.

To find out what happened:

Run a message trace. Use as many search criteria as possible to narrow down the results.
For example, specify the recipient who received the message, set the delivery status to
Delivered, and set the time period based on when the message was received.
View the results, locate the message, and then view specific details about the message
(see View message trace results for messages less than seven days old or View message
trace results for messages more than seven days old).

Why didn't someone receive my message or why did I get this non-delivery report (also
known as an NDR or bounce message)?

Possible reasons include the following:

The message was detected as spam.

The message was sent to quarantine due to a rule match.

The message was rerouted because a connector sent it to another destination.

The message was rejected:
    By the malware filter
        Because a file attached to the message contained malware
        Because the message body contained malware
    By a rule
        Because the action was Reject
        Because the action was Force TLS and TLS failed to be established
    By a connector because TLS was required and failed to be established

The message was sent for moderation and is awaiting approval or was rejected by
the moderator.

The message was never sent.

The message is still being processed because there was a previous failure and the
service is reattempting delivery.

The message failed to be delivered to the destination:
    Because the destination is not reachable
    Because the destination rejected the message
    Because the message timed out during the delivery attempt

The message was delivered to the destination but it was deleted before it was
accessed (perhaps because it matched a rule).

To find out what happened:
Run a message trace. Use as many search criteria as possible to narrow down the results.
For example, you should know the sender and the intended recipient or recipients of the
message, and the general time period when the message was sent.

View the results, locate the message, and then view specific details about the message
(see View message trace results for messages less than seven days old or View message
trace results for messages more than seven days old).

Look for a delivery status of Failed or Pending to explain why the message wasn't
delivered. Confirm that the message was sent, that it was successfully received by the
service, that it was not filtered, redirected, or sent for moderation, and that it did not
experience any delivery failures or delays. If the destination is not reachable, you can use
the To IP to help troubleshoot connectivity issues.

Why is my message taking so long to arrive to its destination? Where is it in the
pipeline?

Possible reasons include the following:

The intended destination is not responsive. This is the most likely scenario.
It may be a large message that is taking a long time to process.
Latency in the service may be causing delays.
The message may have been blocked.

To find out what happened:

Run a message trace. Use as many search criteria as possible to narrow down the results.
For example, you should know the sender and the intended recipient or recipients of the
message, and the general time period when the message was sent.

View the results, locate the message, and then view specific details about the message
(see View message trace results for messages less than seven days old or View message
trace results for messages more than seven days old).

The events section will tell you why the message was not yet delivered. When viewing
the events, the timestamp information will let you follow the message through the
messaging pipeline, and tell you how long the service takes to process each event. The
event details will also inform you if the message being delivered is large or if the
destination is not responsive.
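The three procedures above (a missing message, an NDR, and a slow message) all come down to the same PowerShell workflow: find the trace records for the sender/recipient pair, look at the ones that are not Delivered, and walk their events with timestamps. The following script is an added example, not code from the original article or from Microsoft; it assumes an Exchange Online PowerShell session is already open with Connect-ExchangeOnline, and the addresses and the 3-day window are placeholders you replace with what the user reported.

```powershell
# Added example (not from the original article). Assumes an open Exchange Online
# PowerShell session; the addresses below are placeholders.
$sender    = 'billing@fabrikam.com'   # assumed: the address the user says sent the message
$recipient = 'ap@contoso.com'         # assumed: the mailbox that did not receive it
$start     = (Get-Date).AddDays(-3)   # Get-MessageTrace covers at most the last 10 days
$end       = Get-Date

# 1. Every trace record for this sender/recipient pair in the window (one row per recipient).
$trace = @(Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
                            -StartDate $start -EndDate $end -PageSize 1000)

if ($trace.Count -eq 0) {
    Write-Warning ("No records: the message never reached the service (check the sender's " +
                   "Sent Items and any NDR) or is older than 10 days (use Start-HistoricalSearch).")
    return
}

# 2. Anything that is not Delivered is what needs explaining.
$trace | Sort-Object Received |
    Format-Table Received, Status, Subject, FromIP, ToIP, MessageTraceId -AutoSize

# 3. Walk the events of every non-delivered copy and show how long each hop took. A Defer
#    followed by a long gap points at an unresponsive destination (use ToIP to test
#    connectivity); a Fail whose Detail names a transport rule or malware explains a block.
foreach ($m in ($trace | Where-Object { $_.Status -ne 'Delivered' })) {
    Write-Host "`n== $($m.Received)  status=$($m.Status)  message-id=$($m.MessageId)"
    $events = @(Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                    -RecipientAddress $recipient -StartDate $start -EndDate $end |
                Sort-Object Date)
    $prev = $null
    foreach ($e in $events) {
        # Seconds since the previous event: this is where "where is it in the pipeline" is answered.
        $gap = if ($prev) { '{0,8:N1}s' -f ($e.Date - $prev).TotalSeconds } else { ' ' * 9 }
        '{0:u} {1} {2,-14} {3,-10} {4}' -f $e.Date, $gap, $e.Event, $e.Action, $e.Detail
        $prev = $e.Date
    }
}
```

The per-event gap column is the practical addition over the UI view: the service stamps every event, so the hop that ate the time (or the Defer that keeps repeating) stands out without reading each row.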

Was a message marked as spam?

Messages can be marked as spam for several reasons. For example, the sending IP
address may appear on one of the service's IP Block lists. A message can be marked as
spam due to the content of the actual message, such as when it matches a rule in the
spam content filter. The message trace tool only tracks spam content filter events;
connection filter events (such as blocked IP addresses) are not traceable. For more
information about spam filtering, including spam content filtering, see Anti-Spam
Protection.

To find out why a message was marked as spam:

Run a message trace, locate the message in the results, and then view specific details
about the message (see View message trace results for messages less than seven days
old or View message trace results for messages more than seven days old).

When the content filter marks a message as spam, if it is sent to the Junk Email folder or
the quarantine, it will have a status of Delivered. You can view the event details in order
to see how the message arrived at its destination. For example, it may inform you that
the message was determined to have a high spam confidence level, or that an advanced
spam filtering option was matched. You will also be informed of the action that occurred
as a result of the message being marked as spam, for example if it was sent to
quarantine, stamped with an X-header, or if it was sent through the high risk delivery
pool.

Was a message detected to contain malware?

Messages are detected as malware when their properties, either in the message body or in
an attachment, match a malware definition in one of the anti-malware engines. For
more detailed information about malware filtering, see Anti-Malware protection.

To find out why a message was detected to contain malware, run a message trace. Use
as many search criteria as possible to narrow down the results. Set the delivery status to
Failed.

View the results, locate the message, and then view specific details about the message
(see View message trace results for messages less than seven days old or View message
trace results for messages more than seven days old).

If the message was not delivered because it was determined to contain malware, this
information will be provided in the events section. For example, the following is a
sample Detail: Malware: "ZipBomb" was detected in attachment file.zip. You will also be
informed of the action that occurred as a result of the message containing malware, for
example if the entire message was blocked or if all attachments were deleted and
replaced with an alert text file.

Which mail flow rule (also known as a transport rule) or DLP policy was applied to a
message?

To find out which mail flow rule (custom policy rule) or data loss prevention (DLP) policy
(Exchange Online customers only) was applied to a message, run a message trace. Use
as many search criteria as possible to narrow down the results. Set the delivery status to
Failed.

View the results, locate the message, and then view specific details about the message
(see View message trace results for messages less than seven days old or View message
trace results for messages more than seven days old).

If the message was not delivered because its contents matched a rule, the events section
will let you know the name of the mail flow rule that was matched. You will also be
informed of the action that occurred as a result of the mail flow rule match, for example
if the message was quarantined, rejected, redirected, sent for moderation, decrypted, or
any number of other possible options. For information about how to create Exchange
mail flow rules and set actions for them, see Mail flow rules (transport rules) in Exchange
Online.

When I run a message trace, it returns rule ID -1. What does this mean?

Rule ID -1 is returned when the message trace comes across a mail flow rule that no
longer exists. (The mail flow rule could have been modified or deleted after the original
message was sent.)
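The two questions above (which rule fired, and why a trace shows rule ID -1) can be answered together from PowerShell: pull the "Transport rule" events for a recipient and check each rule against the rules that exist today. The script below is an added example, not code from the original article or from Microsoft. It assumes an open Exchange Online PowerShell session, placeholder addresses and dates, and that the Detail string of a transport-rule event carries the rule name in single quotes and the rule GUID; that layout is an assumption, so the code also copes with a Detail it cannot parse.

```powershell
# Added example (not from the original article). Assumes an open Exchange Online
# PowerShell session; addresses and dates are placeholders. The Detail layout
# ("Transport rule: '<name>', ID: ('<guid>')") is an assumption, hence the fallbacks.
$recipient = 'ap@contoso.com'
$start = (Get-Date).AddDays(-7); $end = Get-Date

# Current rules keyed by GUID, so a rule ID found in a trace can be checked for existence.
$rules = @{}
Get-TransportRule | ForEach-Object { $rules[$_.Guid.ToString()] = $_ }

$guidPattern = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'

$hits = Get-MessageTrace -RecipientAddress $recipient -StartDate $start -EndDate $end |
    ForEach-Object {
        $m = $_
        Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $recipient `
                               -StartDate $start -EndDate $end -Event 'Transport rule' |
            ForEach-Object {
                $guid = [regex]::Match($_.Detail, $guidPattern, 'IgnoreCase').Value.ToLower()
                $name = [regex]::Match($_.Detail, "'([^']*)'").Groups[1].Value

                if (-not $guid) {
                    $state = 'unparsed detail'                  # layout assumption did not hold
                } elseif (-not $rules.ContainsKey($guid)) {
                    $state = 'deleted (UI shows rule ID -1)'    # rule no longer exists
                } elseif ($rules[$guid].WhenChanged -gt $_.Date) {
                    # Rule still exists but was edited after this message was processed:
                    # the EAC shows today's properties, not the ones that acted on the message.
                    $state = "modified after event ($($rules[$guid].WhenChanged))"
                } else {
                    $state = "unchanged, $($rules[$guid].State)"
                }

                [pscustomobject]@{
                    Date      = $_.Date
                    Sender    = $m.SenderAddress
                    Subject   = $m.Subject
                    Action    = $_.Action
                    RuleName  = $name
                    RuleGuid  = $guid
                    RuleState = $state
                    Detail    = $_.Detail
                }
            }
    }

$hits | Sort-Object Date | Format-Table Date, Sender, Action, RuleName, RuleState -AutoSize
```

The WhenChanged comparison is the check worth keeping: a rule that "exists" may not be the rule that processed the message, which is exactly the case the limitations section below describes for rule updates.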

Are there any known limitations or behavior clarifications that I should be aware of
when using the message trace tool?

You should be aware of the following when using the message trace tool:

IP-blocked messages: Messages blocked by IP reputation block lists will be
included in the spam data for real time reports, but you cannot perform a message
trace on these messages.

Redirected messages: If a recipient is rewritten by a mail flow rule or because the
spam action for the domain is set to Redirect to email address, the message is not
traceable in a single search. The original message can be traced up to the point
when the recipient is changed. After that, the message is not traceable under the
original recipient. You can trace the message again using the new recipient.

MAIL FROM: The message trace tool uses the MAIL FROM value presented at the
initiation of the SMTP conversation as the Sender in a search, regardless of what
the DATA section of the message shows. The message may show a Reply-to
address or different From: or Sender values. If the email message was sent by a
process and not by an email client, there is an increased likelihood that the sender
in the MAIL FROM will not match the sender in the actual message. This matters
when you investigate spoofing: a message whose From: header shows an internal
address can carry an external MAIL FROM, and it is the MAIL FROM value that you
must search on to find it.

Mail flow rule updates: When a message matches a mail flow rule, the rule ID is
stored in the message trace and real time reporting databases. If you trace one of
these messages, or drill down on rule details in a report, the message trace and
real time reporting user interfaces dynamically pull the current rule information
from the hosted services network based on the rule ID in the reporting database. If
you have changed the attributes of that particular rule since the message was
processed (changed it from Reject to Allow, for example), the rule ID stays the
same in the message trace and real time reporting returned results, but the
Exchange admin center will show the new mail flow rule properties. You can use
the auditing reports feature in order to determine when the rule was changed and
the properties that were changed.

Spam-filtered messages: When the content filter marks a message as spam, if it is
sent to the Junk Email folder or the quarantine, it will have a status of Delivered.
Drill down to the event details in order to see how the message arrived at its
destination.

For more information

Trace an email message

Message trace in the modern Exchange admin center in Exchange Online
Article • 04/05/2023

Message trace in the modern Exchange admin center (EAC) follows email messages as
they travel through your Exchange Online organization. You can determine if a message
was received, rejected, deferred, or delivered by the service. Message trace also shows
what actions were taken on the message before it reached its final status.

Message trace in the modern EAC improves upon the original message trace that was
available in the classic EAC. You can use the information from message trace to
efficiently answer user questions about what happened to messages, to troubleshoot
mail flow issues, and to validate policy changes.

What do you need to know before you begin?

To run a message trace, you need to be a member of one of the following role
groups:
    Global Administrator
    Exchange Administrator

For more information, see Manage role groups in Exchange Online and
Permissions in Exchange Online.

The maximum number of messages that are displayed in the results depends on
the report type you selected (For more information, see the Choose report type
section.). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or
standalone EOP PowerShell returns all messages in the results.

Open message trace

You can open message trace in any of the following ways:

1. Launch the URL https://admin.exchange.microsoft.com , and select Mail flow >
   Message trace.
2. Launch the URL https://admin.exchange.microsoft.com/#/messagetrace .

Message trace page


From the Message trace page, you can start a new default trace by clicking Start a trace.
This option triggers a search for all messages for all senders and recipients for the last 2
days. Or, you can use one of the stored queries from the available query categories and
either run them as-is or use them as starting points for your own queries:

Default queries: Built-in queries provided by Microsoft 365.

Custom queries: Queries saved by administrators in your organization for future
use.

Autosaved queries: The last 10 most recently run queries. This list makes it simple
to pick up from where you left off.

Also on this page is a Downloadable reports section, for the requests you've submitted
and for the reports themselves when they're available for download.

Options for a new message trace

Filter by senders and recipients


The default values are All for Senders and All for Recipients, but you can filter the
results for these fields:

Senders: Click in this box and start typing to enter or select one or more senders
from your organization.

Recipients: Click in this box and start typing to enter or select one or more
recipients in your organization.

Note

You can also type the email addresses of external senders and recipients.
Wildcards are supported (for example, *@contoso.com ), but you can't use
multiple wildcard entries in the same field at the same time.

You can paste multiple senders' or recipients' lists separated by semicolons
( ; ), spaces ( \s ), carriage returns ( \r ), or newlines ( \n ).

Time range
The default value is 2 days, but you can specify date/time ranges of up to 90 days.
When you use date/time ranges, consider the following issues:

By default, you select the time range in Slider view using a timeline.

But, you can also switch to Custom time range view where you can specify the
Start date and End date values (including times), and you can also select the Time
zone for the date/time range. The Time zone setting applies both to your query
inputs and to your query results.

For 10 days or less, the results are available instantly as a Summary report. If you
specify a time range that's even slightly greater than 10 days, the results are
delayed as they're only available as a downloadable CSV file ( Enhanced summary
or Extended reports).

For more information about the different report types, see Choose report type.

Note

Enhanced summary and Extended reports are prepared using archived
message trace data, and it can take up to several hours before your report is
available for download. Depending on how many other administrators have
also submitted report requests around the same time, you might also notice a
delay before processing starts for your queued request.

Saving a query in Slider view saves the relative time range (for example, 3
days from today). Saving a query in Custom view saves the absolute date/time
range (for example, 2018-05-06 13:00 to 2018-05-08 18:00).
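The 10-day boundary above is the same one that separates Get-MessageTrace from the historical search cmdlets listed in the FAQ: anything older has to be requested as a report and collected later. The script below is an added example, not code from the original article or from Microsoft; it assumes an open Exchange Online PowerShell session, placeholder addresses, title and dates, and a 30-minute patience limit that you would tune to your own tenant.

```powershell
# Added example (not from the original article). Assumes an open Exchange Online
# PowerShell session; addresses, title and dates are placeholders.
$job = Start-HistoricalSearch -ReportTitle 'Missing invoice mail, 30-60 days back' `
        -ReportType MessageTrace `
        -StartDate (Get-Date).AddDays(-60) -EndDate (Get-Date).AddDays(-30) `
        -SenderAddress 'billing@fabrikam.com' `
        -RecipientAddress 'ap@contoso.com' `
        -NotifyAddress 'secops@contoso.com'   # must be in an accepted domain of the tenant

Write-Host "Submitted historical search job $($job.JobId)"

# Poll until the job leaves the queue and finishes. NotStarted is the only state in which
# Stop-HistoricalSearch works, so a queued job can still be withdrawn; a running one cannot.
$deadline = (Get-Date).AddMinutes(30)    # assumed patience limit; reports can take hours
do {
    Start-Sleep -Seconds 60
    $status = (Get-HistoricalSearch -JobId $job.JobId).Status
    Write-Host "$(Get-Date -Format HH:mm:ss) status=$status"
} while ($status -in 'NotStarted', 'InProgress' -and (Get-Date) -lt $deadline)

if ($status -eq 'NotStarted') {
    # Still queued when we ran out of patience: cancel rather than leave a stale request
    # that will later mail a report nobody is waiting for.
    Stop-HistoricalSearch -JobId $job.JobId
    Write-Warning "Cancelled queued search $($job.JobId); resubmit with a narrower filter."
} else {
    # Done, failed, or still in progress past the deadline: show the job record. The
    # finished report is listed under Downloadable reports in the EAC and announced to
    # the NotifyAddress.
    Get-HistoricalSearch -JobId $job.JobId | Format-List
}
```

Running Get-HistoricalSearch with no JobId lists every search submitted in the last 10 days, which is a quick way to see whether a colleague already requested the same window before you add another job to the queue.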

Detailed search options


When you expand Detailed search options, the following options are available:

Delivery status
Message ID
Network Message ID
Direction
Original client IP address

Delivery status
You can leave the default value All selected, or you can select one of the following
values to filter the results:

Delivered: The message was successfully delivered to the intended destination.

Expanded: A distribution group recipient was expanded before delivery to the
individual members of the group.

Failed: The message wasn't delivered.

Pending: Delivery of the message is being attempted or reattempted.

Quarantined: The message was quarantined (as spam, bulk mail, or phishing). For
more information, see Quarantined email messages in EOP.

Filtered as spam: The message was identified as spam, and was rejected or
blocked (not quarantined).

Getting status: The message was recently received by Microsoft 365, but no other
status data is yet available. You can check again within a few minutes.

Note

The values Pending, Quarantined, and Filtered as spam are only available for
searches of less than 10 days. Also, there might be a 5-to-10-minute delay between
the actual and reported delivery status.

Message ID
Message ID is the internet message ID (also known as the Client ID) that's found in the
Message-ID header field in the message header. Users can give you this value to
investigate specific messages.

This value is constant for the lifetime of the message. For messages created in Microsoft
365 or Exchange, the Message ID value is in the format <GUID@ServerFQDN> , including
the angled brackets (< >), for example,
<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com> .
Other messaging systems might use different syntaxes or values. This value is supposed
to be unique, but not all email systems strictly follow this requirement. If the
Message-ID: header field doesn't exist or is blank for incoming messages from external
sources, an arbitrary value is assigned.

When you use Message ID to filter the results, ensure that you include the full string,
including any angled brackets.

Network Message ID

Network Message ID is a unique message ID value that persists across the copies of a
message that the service creates internally (for example, through bifurcation or
distribution group expansion) and across the message transport process. It identifies
one submission of the message to the service: each separate submission gets its own
Network Message ID, whereas the Message ID is set by the sending system and is meant
to identify the message itself, so two copies of the same message can share a Message ID
but have different Network Message ID values.

The differences between Network Message ID and Message ID are described in the
following table:

Network Message ID                                                Message ID
ID of a specific instance (submission) of an email message        ID of the email message
Unique and persists across copies of the message that may be      Constant for the lifetime of
created due to bifurcation                                        the message

For more information about Network Message ID, see:

Message tracking logs in Exchange Servers
Enhanced message trace reports in Exchange Online
Message headers from Outlook

To find the Network Message ID value and use it to trace specific messages in
Exchange Online, use the following message headers:

X-MS-Exchange-Organization-Network-Message-Id , or
X-MS-Exchange-CrossTenant-Network-Message-Id

These message headers give you the Network Message ID value. You can use
this value to retrieve specific messages, for example, messages with that
Network Message ID value that were sent by a specific sender, addressed to a specific
recipient, or sent during a specific time period.

You can also use the following command to trace by the Network Message ID value:

Get-MessageTrace -MessageTraceId 2bbad36aa4674c7ba82f4b307fff549f -SenderAddress john@contoso.com -StartDate 06/13/2022 -EndDate 06/15/2022 | Get-MessageTraceDetail

Note

The MessageTraceId parameter takes the Network Message ID value; the two names refer
to the same identifier.

This command enables you to identify:

The Network Message ID value

The specific messages retrieved with the help of the Network Message ID value

In this command, the Message Trace ID value 2bbad36aa4674c7ba82f4b307fff549f is the
Network Message ID. The Get-MessageTrace cmdlet uses this value to retrieve the trace
information for messages that have this value and that were sent by john@contoso.com
between June 13, 2022, and June 15, 2022.

The Get-MessageTrace cmdlet then pipes the retrieved trace information to the
Get-MessageTraceDetail cmdlet, which returns the per-event details for each recipient.
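In practice the Network Message ID arrives as a header block that a user pasted from Outlook, so the first job is to pull the value (and the Message-ID) out of that text correctly: header names are case-insensitive and long values can be folded onto continuation lines. The script below is an added example, not code from the original article or from Microsoft; the header block is constructed for illustration (the GUID and addresses are not real), and it assumes an open Exchange Online PowerShell session.

```powershell
# Added example (not from the original article). The header block is constructed sample
# input; the GUID and addresses are not real. Assumes an open Exchange Online PowerShell session.
$headers = @'
Received: from DM6PR04MB5549.namprd04.prod.outlook.com (2603:10b6:5:fe::12)
 by CH2PR04MB6838.namprd04.prod.outlook.com with HTTPS; Thu, 2 Mar 2023 14:02:11 +0000
X-MS-Exchange-Organization-Network-Message-Id:
 2bbad36a-a467-4c7b-a82f-4b307fff549f
Message-ID: <d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>
From: "Billing" <billing@fabrikam.com>
To: ap@contoso.com
Subject: Statement
'@

function Get-HeaderValue([string]$Block, [string]$Name) {
    # Unfold continuation lines (CRLF or LF followed by whitespace), then match the header
    # name case-insensitively at the start of a line.
    $unfolded = $Block -replace "`r?`n[ \t]+", ' '
    $pattern  = '(?im)^' + [regex]::Escape($Name) + ':\s*(.+?)\s*$'
    $m = [regex]::Match($unfolded, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Same-tenant messages carry the Organization header; cross-tenant ones carry CrossTenant.
$netId = Get-HeaderValue $headers 'X-MS-Exchange-Organization-Network-Message-Id'
if (-not $netId) { $netId = Get-HeaderValue $headers 'X-MS-Exchange-CrossTenant-Network-Message-Id' }
$msgId = Get-HeaderValue $headers 'Message-ID'   # keep the angle brackets for -MessageId

if (-not $netId) { throw 'No Network Message ID header found in the pasted block.' }

$start = (Get-Date).AddDays(-9); $end = Get-Date   # Get-MessageTrace: last 10 days only

# Trace by Network Message ID (the -MessageTraceId parameter) ...
$byNet = @(Get-MessageTrace -MessageTraceId $netId -StartDate $start -EndDate $end)
# ... and independently by Message-ID, which is what users usually quote.
$byMsg = @(Get-MessageTrace -MessageId $msgId -StartDate $start -EndDate $end)

'By Network Message ID {0}: {1} record(s)' -f $netId, $byNet.Count
'By Message-ID {0}: {1} record(s)' -f $msgId, $byMsg.Count

# If the Message-ID search finds more MessageTraceId values than the one we started from,
# the same message was submitted more than once (each submission gets its own Network
# Message ID) and the user may be looking at a different copy than the one being traced.
$byMsg | Group-Object MessageTraceId | ForEach-Object {
    '  MessageTraceId {0}: {1} recipient record(s)' -f $_.Name, $_.Count
}
```

Both lookups are run so that a mismatch is visible: one Message-ID mapping to several MessageTraceId values is normal for resubmitted mail and is the usual reason a "wrong" trace is returned.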

Direction

You can leave the default value All selected, or you can select Inbound (messages sent
to recipients in your organization) or Outbound (messages sent from users in your
organization) to filter the results.

Original client IP address

You can filter the results by using the "client IP address" criteria to investigate hacked
computers that are sending large amounts of spam or malware. Although the messages
might appear to come from multiple senders, it's likely that the same computer is
generating all of the messages.

Note

The client IP address information is only available for 10 days and in the Enhanced
summary or Extended reports (downloadable CSV files).

Choose report type


The available report types are:

Summary: Available if the time range is less than 10 days, and requires no other
filtering options. The results are available almost immediately after you click
Search. The report returns up to 20,000 results.

Enhanced summary or Extended: These reports are only available as
downloadable CSV files, and require one or more of the following filtering options
regardless of the time range:
    Senders
    Recipients
    Message ID

You can use wildcards for the senders or the recipients (for example,
*@contoso.com). The Enhanced summary report returns up to 100,000 results. The
Extended report returns up to 1,000 results.

Note

Enhanced summary and Extended reports are prepared using archived
message trace data, and it can take up to several hours before your report is
available to download. Depending on how many other administrators have
also submitted report requests around the same time, you might also notice a
delay before your queued request starts to be processed.

While you can select an Enhanced summary or Extended report for any
date/time range, commonly the last 24 hours of archived data will not yet be
available for these two types of reports.

The maximum size for a downloadable report is 800 MB. If a downloadable
report exceeds 800 MB, you can't open the report in Excel or Notepad.

When you click Next, you're presented with a summary page that lists the filtering
options that you selected, a unique (editable) title for the report, and the email address
that receives the notification when the message trace completes (also editable, and
must be in one of the accepted domains of your organization). Click Prepare report to
submit the message trace. On the main Message trace page, you can see the status of
the report in the Downloadable reports section.

For more information about the data that's returned in the different report types, see
Message trace results.

Message trace results


The different report types return different levels of information. The information that's
available in the different reports is described in the following sections:

Summary report output
Enhanced summary reports
Extended reports

Summary report output


After the message trace is executed, the results will be listed, sorted by descending
date/time (most recent displayed first).

The summary report contains the following information:

Date: The date and time at which the message was received by the service, using
the configured UTC time zone.

Sender: The email address of the sender (alias@domain).

Recipient: The email address of the recipient(s). For a message sent to multiple
recipients, there's one line per recipient. If the recipient is a distribution group,
dynamic distribution group, or mail-enabled security group, the group is the first
recipient, and then each member of the group is on a separate line.

Subject: The first 256 characters of the message's Subject: field.

Status: These values are described in the Delivery status section.

By default, the first 250 results are loaded and readily available. When you scroll down,
there's a slight pause as the next batch of results are loaded, up to a maximum of
10,000.

You can click on the column headers to sort the results by the values in that column in
ascending or descending order.

You can click Search to filter the results.

You can export the results after you've selected one or more rows by clicking Export
results.

Find related records for this message


Related message records are records that share the same Message ID. Remember, even
a single message sent between two people can generate multiple records. The number
of records increases when the message is affected by distribution group expansion,
forwarding, mail flow rules (also known as transport rules), and so on.

After you select a row's check box, the Find related button appears. You can click this
button to find the related records for the message.

For more information about the Message ID, see Message ID.

Message trace details

In the summary report output, you can view details about a message by selecting the
row (click anywhere in the row but don't check the check box).
The message trace details contain the following additional information that's not
present in the summary report:

Message events: After you expand this section, you can see classifications that
help categorize the actions that the service takes on messages. Some of the more
interesting events that you might encounter are:
Receive: The message was received by the service.
Send: The message was sent by the service.
Fail: The message failed to be delivered.
Deliver: The message was delivered to a mailbox.
Expand: The message was sent to a distribution group that was expanded.
Transfer: Recipients were moved to a bifurcated message because of content
conversion, message recipient limits, or agents.
Defer: The message delivery was postponed and might be reattempted later.
Resolved: The message was redirected to a new recipient address based on an
Active Directory look up. When this event happens, the original recipient
address is listed in a separate row in the message trace along with the final
delivery status for the message.
DLP rule: The message had a DLP rule match.
Sensitivity label: A server-side labeling event occurred. For example, a label was
automatically added to a message that includes an action to encrypt or was
added via the web or mobile client. This action is completed by the Exchange
server and is logged. A label added via Outlook won't be included in the event
field.

Notes:

An uneventful message that's successfully delivered will generate multiple Event
entries in the message trace.

This list isn't meant to be exhaustive. For descriptions of more events, see Event
types in the message tracking log. This link is an Exchange Server (on-premises
Exchange) topic.

More information: After you expand this section, you can view the following
details:

    Message ID: This value is described in Message ID. An example of a Message ID
    value is <d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com> .

    Message size: The size of the sent message, including
    attachments/pictures/text.

    From IP: The IP address of the computer that sent the message. For outbound
    messages sent from Exchange Online, this value is blank.

    To IP: The IP address(es) to which the service attempted to deliver the message.
    If the message has multiple recipients, these addresses are displayed. For
    inbound messages sent to Exchange Online, this value is blank.

Enhanced summary reports

A generated report of the type Enhanced summary is available in Downloadable
reports at the beginning of message trace.

Note

The term "generated" means a report that is ready to be downloaded. A generated
report is marked by the status Completed.

Under the Downloadable reports tab, you can also view details of Enhanced summary
reports which are yet to be generated. These reports are marked with Not started or In
progress status.

The following information is available in a downloadable Enhanced summary report:

origin_timestamp*: The date and time when the message was initially received by
the service, using the configured UTC time zone.

sender_address: The sender's email address (alias@domain).

recipient_status: The status of the delivery of the message to the recipient. If the
message was sent to multiple recipients, it shows all the recipients and the
corresponding status for each, in the format: <email address>##<status>.
Examples of the recipient statuses are:

    ##Receive, Send means the message was received by the service and was sent
    to the intended destination.

    ##Receive, Fail means the message was received by the service but delivery to
    the intended destination failed.

    ##Receive, Deliver means the message was received by the service and was
    delivered to the recipient's mailbox.

message_subject: The first 256 characters of the message's Subject field.

total_bytes: The size of the message in bytes, including attachments.

message_id: This value is described in Message ID. An example of a message_id
value is <d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com> .

network_message_id: A unique message ID value that persists across all copies of
the message that might be created due to bifurcation or distribution group
expansion. An example of a network_message_id value is
1341ac7b13fb42ab4d4408cf7f55890f .

original_client_ip: The IP address of the sender's SMTP server.

directionality: Indicates whether the message was sent inbound (to your
organization) or outbound (from your organization).

connector_id: The name of the source or destination connector. For more
information about connectors in Exchange Online, see Configure mail flow using
connectors in Office 365.

delivery_priority*: Whether the message was sent with High, Low, or Normal
priority.

* These properties are only available in Enhanced summary reports.
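The Original client IP filter described earlier and the original_client_ip, sender_address and directionality columns listed here are what you use to confirm the "one hacked computer, many senders" pattern: once an Enhanced summary CSV is downloaded, group outbound rows by submitting IP and count distinct senders per IP. The script below is an added example, not code from the original article or from Microsoft. The CSV rows are constructed sample data using the column names above (not a real tenant's export); the use of ";" to separate multiple recipient_status entries and the threshold of three distinct senders are assumptions you would adjust to what your own export shows.

```powershell
# Added example (not from the original article). Constructed sample CSV in the Enhanced
# summary layout; ';' between recipient entries and the sender threshold are assumptions.
$csvText = @'
origin_timestamp,sender_address,recipient_status,message_subject,total_bytes,message_id,network_message_id,original_client_ip,directionality,connector_id,delivery_priority
2023-03-01T08:00:12.000Z,alice@contoso.com,"partner@fabrikam.com##Receive, Send",Q1 report,23412,<a1@contoso.com>,11111111-1111-1111-1111-111111111111,203.0.113.10,Outbound,,Normal
2023-03-01T08:00:40.000Z,bob@contoso.com,"x1@example.net##Receive, Send;x2@example.org##Receive, Fail",Invoice attached,51200,<b1@contoso.com>,22222222-2222-2222-2222-222222222222,203.0.113.10,Outbound,,Normal
2023-03-01T08:01:05.000Z,carol@contoso.com,"x3@example.com##Receive, Send",Invoice attached,51180,<c1@contoso.com>,33333333-3333-3333-3333-333333333333,203.0.113.10,Outbound,,Normal
2023-03-01T08:02:30.000Z,dave@contoso.com,"ap@fabrikam.com##Receive, Send",Lunch?,1900,<d1@contoso.com>,44444444-4444-4444-4444-444444444444,198.51.100.7,Outbound,,Normal
2023-03-01T08:03:00.000Z,billing@fabrikam.com,"ap@contoso.com##Receive, Deliver",Statement,8000,<e1@fabrikam.com>,55555555-5555-5555-5555-555555555555,192.0.2.5,Inbound,Inbound from Fabrikam,Normal
'@

# For a real export replace the line below with: $rows = Import-Csv .\EnhancedSummary.csv
$rows = $csvText | ConvertFrom-Csv

# Explode recipient_status ("addr##Status;addr##Status") into one object per recipient so
# that per-recipient failures can be counted.
$perRecipient = foreach ($r in $rows) {
    foreach ($entry in ($r.recipient_status -split ';')) {
        $addr, $status = $entry.Trim() -split '##', 2
        [pscustomobject]@{
            Time      = [datetime]::Parse($r.origin_timestamp, [cultureinfo]::InvariantCulture,
                                          [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            Sender    = $r.sender_address
            Recipient = $addr
            Status    = $status
            Subject   = $r.message_subject
            ClientIP  = $r.original_client_ip
            Direction = $r.directionality
            NetId     = $r.network_message_id
        }
    }
}

# Outbound traffic grouped by the submitting IP. Many distinct senders behind one IP is
# the signature of a compromised host or an abused connector, even when every message
# looks legitimate on its own.
$suspicious = $perRecipient |
    Where-Object Direction -eq 'Outbound' |
    Group-Object ClientIP |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP        = $_.Name
            Messages        = @($_.Group.NetId  | Sort-Object -Unique).Count
            DistinctSenders = @($_.Group.Sender | Sort-Object -Unique).Count
            Failed          = @($_.Group | Where-Object Status -like '*Fail*').Count
            Subjects        = (@($_.Group.Subject | Sort-Object -Unique) -join ' | ')
        }
    } |
    Where-Object { $_.DistinctSenders -ge 3 } |    # assumed threshold; tune per tenant
    Sort-Object DistinctSenders -Descending

$suspicious | Format-Table ClientIP, Messages, DistinctSenders, Failed, Subjects -AutoSize

# Name the accounts behind each flagged IP: these are the ones to check for compromise
# (sign-in logs, Inbox rules, forwarding) rather than the IP alone.
foreach ($s in $suspicious) {
    $senders = $perRecipient | Where-Object ClientIP -eq $s.ClientIP |
               Select-Object -ExpandProperty Sender -Unique
    "  {0}: {1}" -f $s.ClientIP, ($senders -join ', ')
}
```

With the sample rows, 203.0.113.10 is reported with three messages from three distinct senders (one recipient failure, two sharing the subject "Invoice attached") while 198.51.100.7 and the inbound row are not flagged; the same grouping over a real export of the last 10 days is how the single abusing host is found behind what looks like several unrelated senders.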

Extended reports

A generated report of the type Extended is available in Downloadable reports at the
beginning of message trace.

Note

The term "generated" means a report that is ready to be downloaded. A generated
report is marked by the status Completed.

Under the Downloadable reports tab, you can also view details of Extended reports
which are yet to be generated. These reports are marked with Not started or In
progress status.

The following information is available in a downloadable Extended report:

client_ip: The IP address of the email server or messaging client that submitted the
message.
client_hostname: The host name or FQDN of the email server or messaging client
that submitted the message.

server_ip: The IP address of the source or destination server.

server_hostname: The host name or FQDN of the destination server.

source_context: Extra information associated with the source field. For example:
    Protocol Filter Agent
    3489061114359050000

source: The Exchange Online component that's responsible for the event. For
example:
    AGENT
    MAILBOXRULE
    SMTP

event_id: This value corresponds to the Message event values that are explained in
Message trace details.

internal_message_id: A message identifier that's assigned by the Exchange Online
server that's currently processing the message.

recipient_address: The email addresses of the message's recipients. Multiple email
addresses are separated by the semicolon character (;).

recipient_count: The total number of recipients in the message.

related_recipient_address: Used with EXPAND , REDIRECT , and RESOLVE events to
display other recipients' email addresses that are associated with the message.

reference: This field contains additional information for specific types of events.
For example:

DSN: Contains the report link, which is the message_id value of the associated
delivery status notification (also known as a DSN, nondelivery report, NDR, or
bounce message) if a DSN is generated subsequent to this event. If this
message is a DSN message, this field contains the message_id value of the
original message that the DSN was generated for.

EXPAND: Contains the related_recipient_address value of the related messages.

RECEIVE: Might contain the message_id value of the related message if the
message was generated by other processes (for example, Inbox rules).
SEND: Contains the internal_message_id value of any DSN message.

TRANSFER: Contains the internal_message_id value of the message that's being
forked (for example, by content conversion, message recipient limits, or agents).

MAILBOXRULE: Contains the internal_message_id value of the inbound
message that caused the Inbox rule to generate the outbound message.

For other types of events, the reference field is blank.

return_path: The return email address specified by the MAIL FROM command that
sent the message. Although this field is never empty, it can have the null sender
address value represented as <>.

message_info: Additional information about the message. For example:

The message origination date-time in UTC for DELIVER and SEND events. The
origination date-time is the time when the message first entered the Exchange
Online organization. The UTC date-time is represented in the ISO 8601 date-time
format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day,
T indicates the beginning of the time component, hh = hour, mm = minute,
ss = second, fff = fractions of a second, and Z signifies Zulu, which is
another way to denote UTC.

Authentication errors. For example, you might see the value 11a and the type of
authentication that was used when the authentication error occurred.

tenant_id: A GUID value that represents the Exchange Online organization (for
example, 39238e87-b5ab-4ef6-a559-af54c6b07b42).

original_server_ip: The IP address of the original server.

custom_data: Contains data related to specific event types. For more information,
see the following sections:
custom_data values
Spam filter agent
Malware filter agent
Transport Rule agent

custom_data values
The custom_data field for an AGENTINFO event is used by various Exchange Online
agents to log message-processing details. Some of the more interesting agents are
described in the following sections.
Spam filter agent
Malware filter agent
Transport Rule agent

Spam filter agent

A custom_data value that starts with S:SFA is from the spam filter agent. For more
information, see X-Forefront-Antispam-Report message header fields.

An example of a custom_data value for a message that's filtered for spam looks like this:

S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;

Malware filter agent

A custom_data value that starts with S:AMA is from the malware filter agent. The key
details are described in the following table:

Value Description

AMA=SUM|v=1| or AMA=EV|v=1 The message was determined to contain malware. SUM indicates the malware could have been detected by any number of engines. EV indicates the malware was detected by a specific engine. When malware is detected by an engine, this detection triggers the subsequent actions.

Action=r The message was replaced.

Action=p The message was bypassed.

Action=d The message was deferred.

Action=s The message was deleted.

Action=st The message was bypassed.

Action=sy The message was bypassed.

Action=ni The message was rejected.

Action=ne The message was rejected.

Action=b The message was blocked.

Name=<malware> The name of the malware that was detected.

File=<filename> The name of the file that contained the malware.

An example of a custom_data value for a message that contains malware looks like this:

S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201707282038|name=Test_File|file=filename

Transport Rule agent

A custom_data value that starts with S:TRA is from the Transport Rule agent for mail flow
rules (also known as transport rules). The key details are described in the following table:

Value Description

ETR|ruleId=<guid> The rule ID that was matched.

St=<datetime> The date and time in UTC when the rule match occurred.

Action=<ActionDefinition> The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online.

Mode=<Mode> The mode of the rule. Valid values are:

Enforce: All actions on the rule will be enforced.
Test with Policy Tips: Any Policy Tip actions are sent, but other
enforcement actions won't be acted on.
Test without Policy Tips: Actions are listed in a log file, but senders
won't be notified in any way, and enforcement actions won't be acted
on.

An example of a custom_data value for a message that matches the conditions of a mail
flow rule looks like this:

S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce

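As an added example (not from this article or from Microsoft), the following Python parser splits the custom_data values described in the spam filter, malware filter, and Transport Rule agent sections above into per-agent records and turns them into one triage line each. The three sample strings are the article's own examples; the field names it reads (SFV, SCL, CIP, action, atch, engine, name, file, ruleId, mode) are taken from those samples, and the action-code meanings come from the malware filter table.

```python
"""Parse the custom_data field of an Exchange Online extended message trace
report (AGENTINFO events). Added example; not Microsoft code. The three
sample values below are the ones shown in the article."""
from collections import defaultdict

# The article's own example values for the three agents.
SFA_SAMPLE = (
    "S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1"
    "|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501"
    "|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;"
)
AMA_SAMPLE = (
    "S:AMA=SUM|v=1|action=b|error=|atch=1;"
    "S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;"
    "S:AMA=EV|engine=A|v=1|sig=201707282038|name=Test_File|file=filename"
)
TRA_SAMPLE = (
    "S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d"
    "|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce"
)

# Malware filter agent action codes, taken from the table in the article.
AMA_ACTIONS = {
    "r": "replaced", "p": "bypassed", "d": "deferred", "s": "deleted",
    "st": "bypassed", "sy": "bypassed", "ni": "rejected", "ne": "rejected",
    "b": "blocked",
}


def parse_custom_data(value):
    """Split a custom_data string into a list of agent records.

    Records are separated by ';' and each starts with 'S:<agent>=<kind>'
    (for example S:SFA=SUM, S:AMA=EV, S:TRA=ETR). The remaining
    '|'-separated items are key=value pairs. Keys that occur more than
    once (SFS and LAT in spam filter data) are kept as lists. Keys are
    lower-cased because the samples use both 'Action=' and 'action='.
    """
    records = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # a trailing ';' leaves an empty record
        if not chunk.startswith("S:"):
            raise ValueError(f"unexpected custom_data record: {chunk!r}")
        items = chunk[2:].split("|")
        agent, _, kind = items[0].partition("=")
        fields = defaultdict(list)
        for item in items[1:]:
            key, sep, val = item.partition("=")
            if not sep:
                continue  # tolerate a stray fragment with no '='
            fields[key.lower()].append(val)
        records.append({
            "agent": agent,
            "kind": kind,
            "fields": {k: v[0] if len(v) == 1 else v for k, v in fields.items()},
        })
    return records


def summarize(value):
    """Return one human-readable line per agent record, for triage."""
    lines = []
    for rec in parse_custom_data(value):
        f = rec["fields"]
        if rec["agent"] == "SFA":
            lines.append(f"spam filter: verdict={f.get('sfv')} SCL={f.get('scl')} "
                         f"client IP={f.get('cip')}")
        elif rec["agent"] == "AMA" and rec["kind"] == "SUM":
            action = AMA_ACTIONS.get(f.get("action", ""), "unknown")
            lines.append(f"malware filter: message {action} "
                         f"({f.get('atch')} attachment(s))")
        elif rec["agent"] == "AMA" and rec["kind"] == "EV":
            lines.append(f"malware engine {f.get('engine')} detected "
                         f"{f.get('name')} in {f.get('file')}")
        elif rec["agent"] == "TRA":
            lines.append(f"mail flow rule {f.get('ruleid')} mode={f.get('mode')} "
                         f"action={f.get('action')}")
        else:
            # Agents not covered by the article are reported generically.
            lines.append(f"{rec['agent']}={rec['kind']}: {len(f)} field(s)")
    return lines


if __name__ == "__main__":
    for sample in (SFA_SAMPLE, AMA_SAMPLE, TRA_SAMPLE):
        for line in summarize(sample):
            print(line)
```
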
Mail flow reports in the new Exchange
admin center in Exchange Online
Article • 04/04/2023

Administrators can use mail flow reports in the new Exchange admin center (new EAC)
to establish baselines and discover trends to fix issues related to mail flow in their
organization.

Note

Mail flow reports are currently not available in the GCC High or DoD environments.

The following mail flow reports are available:

Auto forwarded messages report
Email issues for priority accounts report
Exchange transport rule report
Inbound messages report
Non-accepted domain report
Non-delivery details report
Outbound messages report
Queued messages report
SMTP AUTH clients report
Top domain mail flow status report
Mailboxes exceeding receiving limits report
Dynamic Distribution Groups report
Reply-all storm protection report
Outbound messages in Transit Security report

Permissions required to view mail flow reports

To view and use mail flow reports, you need to be a member of one of the following role
groups in Exchange Online:

Compliance Administrator
Exchange Administrator
Organization Management
Security Administrator*
Security Reader*
View-Only Recipients

For more information, see Permissions in Exchange Online and Manage role groups in
Exchange Online.

* You manage these role groups in the Azure Active Directory admin center
(https://aad.portal.azure.com).

Where to find mail flow reports

Open the new EAC at https://admin.exchange.microsoft.com, expand Reports, and
then select Mail flow.

To go directly to the mail flow reports, open
https://admin.exchange.microsoft.com/#/reports/mailflowreportsmain.

Auto forwarded messages report in the
new EAC in Exchange Online
Article • 06/15/2023

The Auto-forwarded messages report in the new Exchange admin center (new EAC)
displays information on messages that are automatically forwarded from your
organization to recipients in external domains. You can use this report to look for
potential data leaks.

Note

By default, the report shows data for the last 7 days. If the report is empty, try
changing the date range.

The summary page allows you to query up to the last 90 days of data. The new
activity page shows the activity of the last 7 days. The request report feature has a
limit of the last 30 days.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

The overview section contains the following charts:

Forwarding type: Typical values are:
Mail flow rules
Inbox rules
SMTP forwarding: This is automatic forwarding that admins can configure on a
mailbox as described in Configure email forwarding for a mailbox.
Recipient domain
Forwarding users

If you hover over a specific color in the chart, you'll see the associated numbers for that
specific forwarding type, recipient domain, or forwarding user.

The Auto forwarded message details section shows the following information about
each specific forwarder (the user account that's doing the forwarding):

Forwarders
Forwarding type
Recipient name
Recipient domain
Details: If the message was auto-forwarded by a Transport rule, the ID of the rule is
shown. Otherwise, this value is blank. In Exchange Online PowerShell, you can use
the Get-TransportRule cmdlet to identify the rule by running the following
command: Get-TransportRule -Identity <RuleIDParameter>. For example,
Get-TransportRule -Identity 8754395095991580000.

Forward count
First forward date

Click Export to export the displayed results to a .csv file.

Insights
Two insights are generated based on the report data: New domains being forwarded
email and New users forwarding email. Each insight provides a summary of the number
of new forwarders or domains with a link back to this report.

See also
For more information about other mail flow reports, see Mail flow reports in the modern
EAC.
Email issues for priority accounts report
in the new EAC in Exchange Online
Article • 01/27/2023

Note

The priority accounts report that's described in this topic is available only to
organizations that meet both of the following requirements:

At least 5,000 licenses for one or more of the following products: Office 365
E3, Microsoft 365 E3, Office 365 E5, or Microsoft 365 E5. For example, 3,000
Office 365 E3 licenses and 2,500 Microsoft 365 E5 licenses.
Your organization needs to have at least 50 monthly active users for one or
more core workloads: Teams, OneDrive for Business, SharePoint Online,
Exchange Online, and Office apps.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

The Email issues for priority accounts report in the new Exchange admin center (new
EAC) allows Exchange Admins and Global admins to view failed events from the last 15
minutes and delayed email messages from the last 6 hours that were sent to or from
priority accounts. If no issues are found, the report is empty. Users can configure email
notifications for failed and delayed messages; each notification provides the information
that was available at the time the alert fired.

Priority users are people in your Microsoft 365 organization who have a high business
impact, like your CEO, executives, or other users who have access to sensitive or high
priority information. For more information about priority accounts, see Manage and
monitor priority account. For more reporting for priority accounts, see Exchange Online
monitoring for Microsoft 365.

The Unhealthy email status section shows the following information about messages
where a priority user is a sender or a recipient:

Date
Sender
Recipient
Subject
Status: The value is Failed or Delayed.

To quickly filter the results by recipient, click Search and start typing the recipient's
email address.

For more advanced filters that you can also save and use later, click Filter and select
New filter. In the Custom filter flyout that appears, enter the following information:

Name your filter: Enter a unique name.

Click Add new clause. A clause contains the following elements that you need to
enter:
Field: Select Date, Sender, Recipient, Subject or Status.
Operator: Select starts with or is.
Value: Enter the value you want to search for.

You can click Add new clause as many times as you need. Multiple clauses use
AND logic (<Clause1> AND <Clause2>...).

To remove a clause, click Remove

When you're finished, click Save. The new filter is automatically loaded, and the
results are changed based on the filter. This is the same result as clicking Filter and
selecting the custom filter from the list.

To unload an existing filter (return to the default list), click Filter and select Clear
all filters.

Select an entry in the list to be taken to the message trace search results for the
message. Select the message trace entry to view details about the message and what
happened to it.
Note

For the following procedures, you need to be a Security Reader to see the alerts,
and a Security Administrator to edit the policy.

Click Export to export the displayed results to a .csv file.

Click Manage priority accounts to add or remove users from the priority accounts list.

Click Edit policy to configure email notifications related to priority accounts:

Send email notification: Select or clear this checkbox.
Send email notifications to these users or groups: Click in the box to find or enter
a user or group to receive email notifications.
Daily notification limit: Select from the following values: No limit, 1 (default), 5, 10,
25, 50, 150, or 200.
Threshold: An email notification is sent when the number of failed or delayed
email messages for priority accounts exceeds the specified value. The default value
is 100.

You can see alerts for delayed and failed messages under View Alerts. Selecting an alert
shows details about the messages that were delayed or failed at the time the alert
fired.

When you're finished, click Save.


Exchange transport rule report in the
new Exchange admin center in Exchange
Online
Article • 01/27/2023

The Exchange transport rule report in the new Exchange admin center (new EAC)
displays information on messages that were affected by mail flow rules (also known as
transport rules).

Note

By default, the report shows data for the last 7 days. If the report is empty, try
changing the date range. It could take up to 24 hours to reflect the Transport Rule
data in the Transport Rule report. For permissions that are required to use this
report, see Permissions required to view mail flow reports.

To view the report in the new EAC at https://admin.exchange.microsoft.com, go to
Reports > Mail flow and then select Exchange transport rule report on the Mail flow
reports page. To go directly to the report, open
https://admin.exchange.microsoft.com/#/reports/transportruledetails.

By default, Chart breakdown by Severity is selected, and the following charts are shown:

A line graph that shows the number of inbound and outbound messages per day
that were affected by mail flow rules.*
Message volume by direction: A doughnut graph that shows the total number of
messages and portion of Outbound and Inbound messages that were affected by
mail flow rules.**
Message volume by severity: A doughnut graph that shows the total number of
messages and portion of messages that were affected by High severity, Medium
severity, and Low severity mail flow rules.**

* If you hover over the line on the chart for a specific day, you'll see the number of
messages for that day.

** If you hover over a specific color in the chart, you'll see the total number of messages
in the category for the entire time period.

If you change the chart view to Chart breakdown by severity, the line graph changes to
show the number of messages that were affected by High severity, Medium severity,
and Low severity mail flow rules.

By default, Show data for all transport rules is selected, but if you click on that value,
you can select a specific mail flow rule to show data for.

The following information is shown in the details table below the graph:

Date
Transport rule
Subject
Sender address
Recipient address
Severity
Direction

You can sort the information in the details table by clicking on a column header.

To quickly filter the results by Transport rule or Subject, click Search and start typing
a value.

To filter the results, use the boxes. The following filters are available:

Date: 7 days is selected by default, but you can select 30 days, 90 days or a
Custom start date that's less than 90 days.
Direction: Outbound, Inbound is selected by default, but you can select either
value by itself.
Severity: High severity, Medium severity, Low severity are selected by default, but
you can select one or more severity values.

Click Export to export the displayed results to a .csv file.

See also
For more information about other mail flow reports, see Mail flow reports in the new
EAC.
Inbound messages and Outbound
messages reports in the new EAC in
Exchange Online
Article • 01/27/2023

The Inbound messages report and the Outbound messages report in the new
Exchange admin center (new EAC) display information about email entering and leaving
your organization. Specifically, the Inbound messages report shows information about
email coming into your organization from the internet and over connectors. The
Outbound messages report displays information about email leaving your organization
to the internet and over connectors. Both reports also show the TLS encryption level
that's being used.

Note

By default, the report shows data for the last 7 days. If the report is empty, try
changing the date range.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

The overview section contains the following charts:

Message volume: Shows the number of inbound or outbound messages to or
from the internet and over connectors.

Messages by TLS used: Shows the TLS encryption level. If you hover over a specific
color in the chart, you'll see the number of messages for that specific version of
TLS.

The Connector report details section shows the following information about each
specific connector or email from the internet:

Date
Connector direction and name
Connector type
Forced TLS?
No TLS
TLS 1.0
TLS 1.1
TLS 1.2
Volume

To quickly filter the results, click Search and start typing a value.

To filter the results by date range or connector name, use the boxes. You can specify a
date range up to 90 days.

For more advanced filters that you can also save and use later, click Filter and select
New filter. In the Custom filter flyout that appears, enter the following information:

Name your filter: Enter a unique name.

Click Add new clause. A clause contains the following elements that you need to
enter:

Field: Select Date, Connector direction, Connector type, Forced TLS, No TLS,
TLS 1.0, TLS 1.1, TLS 1.2, or Volume.

Operator: Select starts with or is.

Value: Enter the value you want to search for.

You can click Add new clause as many times as you need. Multiple clauses use
AND logic (<Clause1> AND <Clause2>...).

To remove a clause, click Remove

When you're finished, click Save. The new filter is automatically loaded, and the
results are changed based on the filter. This is the same result as clicking Filter and
selecting the custom filter from the list.

To unload an existing filter (return to the default list), click Filter and select
Clear all filters.

Click Export to export the displayed results to a .csv file.


Exceptions where messages will not be
included in these reports
Cross-tenant scenarios where messages are sent from one Microsoft 365 tenant
(including consumer organizations) directly to another Microsoft 365 tenant will not be
included in the report.

See also
For more information about other mail flow reports, see Mail flow reports in the new
EAC.
Non-accepted domain report in the new
Exchange admin center in Exchange
Online
Article • 07/31/2023

The Non-accepted domain report in the new Exchange admin center (new EAC) displays
information about messages from your on-premises email organization where the
sender's domain isn't configured as an accepted domain in your Microsoft 365
organization.

Microsoft 365 might throttle these messages if we have data to prove that the intent of
these messages is malicious. Therefore, it's important for you to understand what's
happening and to fix the issue.

Note

By default, the report shows data for the last 7 days. If the report is empty, try
changing the date range.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

In the new EAC at https://admin.exchange.microsoft.com, select Reports > Mail flow
> Non-accepted domain report. Or, to go directly to the Non-accepted domain report
page, use https://admin.exchange.microsoft.com/#/reports/nonaccepteddomain.

On Non-accepted domain report page, the overview section contains a chart that
shows the number of messages sent per connector:

The Non-Accepted domain details section contains the following information:

Date
Inbound connector name
Sender domain
Count
Sample messages: This field contains the internet message IDs (also known as the
Client IDs) of a sample of the original messages. This value is stored in the
Message-ID header field in the message header and is constant for the lifetime of
the message.

Click on the column headers to sort by those categories.

To change the list from normal to compact spacing, select Change view, and then
select Compact list.

Use the Search box to filter the results by connector name.

Use the 7 days box to filter the results by date. The following values are available in the
dropdown list:

7 days
30 days
90 days
Custom start date. You can specify a start date up to 90 days old.

For more advanced filters that you can also save and use later, select Filter, and then
select New filter. In the Custom filter flyout that opens, enter the following
information:

Name your filter: Enter a unique name.

Add a filter clause by entering the following information:
Field: Select from the following values:
Date
Inbound connector
Sender domain
Count
Sample messages.
Operator: Select starts with or is.
Value: Enter the value you want to search for.

You can select Add new clause and repeat the previous step as many times as
needed. Multiple clauses use AND logic (<Clause1> AND <Clause2>...).

To remove a filter clause, select Remove clause next to the entry.
When you're finished in the Custom filter flyout, select Save. The new filter is
automatically loaded, and the filtered results are shown on the Non-accepted
domain report page. This result is the same as selecting Filter and then
selecting the existing filter from the list.

To unload an existing filter and return to the default information that's shown on
the Non-accepted domain report page, select Filter > Clear all filters.

Use Export to export the displayed results to a .csv file.

Use Request report to generate a non-accepted domain report with up to one
million rows of data.

See also
For more information about other mail flow reports, see Mail flow reports in the new
EAC.
Non-delivery details report in the new
Exchange admin center in Exchange
Online
Article • 01/27/2023

The Non-delivery details report in the new Exchange admin center (new EAC) shows
the most-encountered error codes in non-delivery reports (also known as NDRs or
bounce messages) for users in your organization. This report shows the details of NDRs
so you can troubleshoot email delivery problems.

Note

By default, the report shows data for the last 7 days. If the report is empty, try
changing the date range.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

The chart in the overview section contains the most-encountered NDR error codes for a
given day. If you hover over a specific color in the chart, you'll see the number of
messages for that specific error code.

The Non-delivery details section shows the following information for each date-error
code combination:

Date
Count
Error code
Sample messages: This field contains the internet message IDs (also known as the
Client IDs) of a sample of the original messages. This value is stored in the
Message-ID header field in the message header and is constant for the lifetime of
the message.

To quickly filter the results, click Search and start typing a value.

To filter the results by date range or error code, use the boxes. You can specify a date
range up to 90 days.

For more advanced filters that you can also save and use later, click Filter and select
New filter. In the Custom filter flyout that appears, enter the following information:

Name your filter: Enter a unique name.

Click Add new clause. A clause contains the following elements that you need to
enter:

Field: Select Date, Count, Error code or Sample messages.

Operator: Select starts with or is.

Value: Enter the value you want to search for.

You can click Add new clause as many times as you need. Multiple clauses use
AND logic (<Clause1> AND <Clause2>...).

To remove a clause, click Remove

When you're finished, click Save. The new filter is automatically loaded, and the
results are changed based on the filter. This is the same result as clicking Filter and
selecting the custom filter from the list.

To unload an existing filter (return to the default list), click Filter and select Clear
all filters.

Click Export to export the displayed results to a .csv file.

See also
For more information about other mail flow reports, see Mail flow reports in the new
EAC.
Outbound messages in Transit Security
report in the Exchange Admin Center
for Exchange Online
Article • 03/21/2023

The Outbound messages in Transit Security report in the Exchange Admin Center (EAC)
displays information about outbound SMTP DNS-based Authentication of Named
Entities (DANE), MTA-Strict Transport Security (STS), and Opportunistic TLS usage data
when sending from Exchange Online.

Note

SMTP DANE with DNSSEC and MTA-STS are both turned on by default on the
outbound path when sending from Exchange Online.

The report consists of the following two sections:

1. Messages Blocked: Provides aggregated information for tenant admins about
SMTP DANE with DNSSEC or MTA-STS errors experienced when trying to send to
destination domains that are configured for either of the security protocols. If no
errors were detected, the section consists of an empty table.
2. Messages Secured: Provides time-series data for emails secured by SMTP DANE
with DNSSEC, MTA-STS, or Opportunistic TLS.

Messages Blocked
The Messages Blocked section will be displayed by default and shows a table with the
following four columns of information:

Recipient Domain: The domain that is experiencing the error.
Security Type: The security protocol attempted.
Count of Messages Blocked: The summarized count of messages that were
affected by an error over the selected time period. The table is sorted by this
column in descending order by default.
Distinct Error Generated for Domain: The distinct error type that affected all the
emails in the row.

The table aggregation works over a configurable time-period. Filters can be created
using Starts With or Is operators on the columns:

Recipient Domain
Security Type
Distinct Error Generated for Domain

To search for a specific piece of information, click Search and start typing a value.

To export the report data to a .csv file, you'll have the following three options to choose
from:

Export all results: Exports all messages that were affected by all SMTP DANE with
DNSSEC or MTA-STS errors over the selected time period.
Export loaded results: Exports the rows of aggregated data that are currently
loaded into view.
Export selected: Exports all messages of the selected rows that were affected by all
SMTP DANE with DNSSEC or MTA-STS errors over the selected time period.

To drill into the non-aggregated data live, without waiting for an export, click the
domain (for example, contoso.com) in a row of the Messages Blocked table. A pop-up
appears immediately with a new table that contains one row for each message that was
affected by the selected row's error. The pop-up table includes the following columns:

Time: Time of the failure event in UTC.
Security type: The allowed values are SMTP DANE with DNSSEC or MTA-STS.
Error Details: Contains the error code and statement.
Sender: Sender's email address.
Recipient: Recipient's email address.
Recipient Domain: The destination domain experiencing the error.
Message ID: ID of the message affected by the error.

You can use the Request report to receive the data and can filter based on Security Type
and Error. The Request report will generate a .csv file including the same fields.

Messages Secured
The Messages Secured section can be accessed by clicking Messages Secured. It shows
time series data for messages successfully sent using one of four methods: SMTP DANE
with DNSSEC, MTA-STS, both SMTP DANE with DNSSEC and MTA-STS, or
Opportunistic TLS.

The data will be automatically visualized through a time series chart showing volume of
emails secured by each of the four methods over a configurable time-period. '7 days' is
selected by default, but you can select 14 days, 31 days, 6 months, or custom time spans
with options to filter by security type. The bar chart from the report will show the
summary of the volume of emails secured over the selected time period for an
aggregated view.

Requesting a report will generate a .csv file containing a table with the following fields:

Date: Date of the Send event in UTC.
Security type: Allowed values are SMTP DANE with DNSSEC, MTA-STS, SMTP DANE with
DNSSEC and MTA-STS, or Opportunistic TLS.
Count Of Secured Messages: Number of emails secured by security type, over a
selected time duration.

Tip

There are options to filter on the security type before exporting the rows or to
customize the date.

Queued messages report in the new Exchange admin center in Exchange Online
Article • 01/27/2023

When messages can't be sent from your organization to your on-premises or partner
email servers using connectors, the messages are queued in Microsoft 365. Common
examples that cause this condition are:

The connector is incorrectly configured.
There have been networking or firewall changes in your on-premises environment.

Microsoft 365 will continue to retry delivery for 24 hours. After 24 hours, the
messages will expire and will be returned to the senders in non-delivery reports (also
known as NDRs or bounce messages).

If the queued email volume exceeds the pre-defined threshold (the default value is 200
messages), the information is available in the following locations:

The Queued messages report in the new Exchange admin center (new EAC). For more
information, see the Queues section in this topic.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

An alert is displayed on the Alerts page in the Microsoft 365 Defender portal
(https://security.microsoft.com > Incidents & alerts > Alerts or
https://security.microsoft.com/alerts).

Admins will receive an email notification based on the configuration of the default
alert policy named Messages have been delayed. To configure the notification
settings for this alert, see the next section.

For more information about alert policies, see Alert policies in the Microsoft
Purview compliance portal.

Customize queue alerts

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), go to
Incidents & alerts > Alerts > Alert policy or go directly to
https://security.microsoft.com/alertpolicies.
2. On the Alert policies page, find and select the policy named Messages have been
delayed by clicking on the name. You can sort the policies by name or use the
Search box.

3. In the Messages have been delayed flyout that appears, you can turn the alert on
or off and configure the notification settings.

Status: You can toggle the alert on or off.
Email recipients and Daily notification limit: Click the Edit link or the Edit
policy button to configure the settings as described in the next step.

4. In the Edit policy flyout that appears, configure the following settings:

Send email notifications: The default value is On (selected).
Email recipients: The default value is TenantAdmins.
Daily notification limit: The default value is No limit.
Threshold: The default value is 2000.

5. When you're finished, click Save and Close.

Queues
Even if the queued message volume hasn't exceeded the threshold and generated an
alert, you can still use the Queued messages report in the new EAC to see messages
that have been queued for more than one hour, and take action before the number of
queued messages becomes too large.

The same information and fix option is displayed after you click View queue in the
details of a Messages have been delayed alert.

See also
For more information about other mail flow reports, see Mail flow reports in the new
EAC.

SMTP AUTH Clients report in the new Exchange admin center in Exchange Online
Article • 01/27/2023

The SMTP AUTH Clients report in the new Exchange admin center (new EAC) highlights
the use of the SMTP AUTH client submission protocol by users or system accounts in
your organization. By default, this legacy protocol (which uses the endpoint
smtp.office365.com) supports Basic authentication, and is susceptible to being used to
send email from compromised accounts. This report allows you to check for unusual
activity. It also shows the TLS usage data for clients or devices using SMTP AUTH.

Note

By default, the report shows data for the last 7 days. If the report is empty, try
changing the date range.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

The overview section contains the following charts:

The volume of messages per day for each sending domain.
Message volume by sender*
Message sent by domain*
Senders by TLS protocol*

* If you hover over a specific color in the chart, you'll see the number of messages.

The Messages sent using SMTP Auth section shows the following information:

Sender address
Domain
TLS 1.0 (percentage)
TLS 1.1 (percentage)
TLS 1.2 (percentage)
Messages sent

To quickly filter the results, click Search and start typing a value.

To filter the results by a date range, use the box. You can specify a date range up to 90
days.

For more advanced filters that you can also save and use later, click Filter and select
New filter. In the Custom filter flyout that appears, enter the following information:

Name your filter: Enter a unique name.

Click Add new clause. A clause contains the following elements that you need to
enter:
Field: Select Sender address, Domain, TLS 1.0, TLS 1.1, TLS 1.2, or Messages
sent.
Operator: Select starts with or is.
Value: Enter the value you want to search for.

You can click Add new clause as many times as you need. Multiple clauses use
AND logic (<Clause1> AND <Clause2>...).

To remove a clause, click Remove.

When you're finished, click Save. The new filter is automatically loaded, and the
results are changed based on the filter. This is the same result as clicking Filter and
selecting the custom filter from the list.

To unload an existing filter (return to the default list), click Filter and select
Clear all filters.

Click Export to export the displayed results to a .csv file.

If you select a row, a details pane for the sender appears that contains the same
information from the main report.
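
The report's columns lend themselves to scripted triage of an exported .csv. The following Python is an added example (not part of this documentation or of Exchange Online) that flags senders whose traffic still used TLS 1.0 or TLS 1.1 and senders whose volume exceeds a baseline you choose; the header spelling of the export and the 5000-message baseline are assumptions, and the sample rows are constructed.

```python
"""Triage an exported SMTP AUTH Clients report (.csv) for senders worth a look.

Added example, not part of the Microsoft documentation or the EAC itself.
The column names follow the fields the report displays (Sender address,
Domain, TLS 1.0/1.1/1.2 percentages, Messages sent); the exact header
spelling of a real export is an assumption, so adjust the COL_* names if
your file differs. The sample rows are constructed.
"""
import csv
import io
from dataclasses import dataclass, field

# Header names as assumed for the export.
COL_SENDER = "Sender address"
COL_TLS10 = "TLS 1.0 (percentage)"
COL_TLS11 = "TLS 1.1 (percentage)"
COL_SENT = "Messages sent"

# Constructed sample export.
SAMPLE_EXPORT = """\
Sender address,Domain,TLS 1.0 (percentage),TLS 1.1 (percentage),TLS 1.2 (percentage),Messages sent
scanner@contoso.com,contoso.com,100,0,0,42
app-relay@contoso.com,contoso.com,0,0,100,1250
hr-notify@contoso.com,contoso.com,0,35,65,80
jdoe@contoso.com,contoso.com,0,0,100,9800
"""


@dataclass
class Finding:
    sender: str
    messages_sent: int
    reasons: list = field(default_factory=list)


def _pct(cell: str) -> float:
    """Parse a percentage cell written as '35', '35%' or '35.0'."""
    cell = cell.strip().rstrip("%")
    return float(cell) if cell else 0.0


def triage_smtp_auth_export(csv_text: str, volume_threshold: int = 5000) -> list:
    """Return a Finding for each sender that merits review, busiest first.

    A sender is flagged when any share of its messages used TLS 1.0 or
    TLS 1.1 (clients that should be upgraded or retired), or when its
    volume exceeds volume_threshold. The threshold is a per-tenant
    baseline you pick after looking at normal traffic; 5000 here is a
    constructed value, not a Microsoft default. SMTP AUTH accepts Basic
    authentication, so a user account suddenly sending far above its norm
    is one of the signals the report exists to surface.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        tls10, tls11 = _pct(row[COL_TLS10]), _pct(row[COL_TLS11])
        sent = int(row[COL_SENT])
        if tls10 > 0:
            reasons.append(f"{tls10:g}% of messages used TLS 1.0")
        if tls11 > 0:
            reasons.append(f"{tls11:g}% of messages used TLS 1.1")
        if sent > volume_threshold:
            reasons.append(f"{sent} messages exceeds baseline of {volume_threshold}")
        if reasons:
            findings.append(Finding(row[COL_SENDER], sent, reasons))
    # Highest volume first, so the sender with the most impact is reviewed first.
    findings.sort(key=lambda f: f.messages_sent, reverse=True)
    return findings


if __name__ == "__main__":
    for finding in triage_smtp_auth_export(SAMPLE_EXPORT):
        print(f"{finding.sender}: {'; '.join(finding.reasons)}")
```
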

Top domain mailflow status report in the new Exchange admin center in Exchange Online
Article • 03/01/2023

The Top domain mailflow status report in the new Exchange Admin Center (EAC)
contains two tabs providing insight into your inbound and outbound mail flow status for
your organization. You can find this report at Reports > Mail Flow in the new EAC.

On the Inbound page, you can find information on whether your email domains
are receiving external messages or not. Typically, these types of issues are related
to MX record problems or an expired domain.

On the Outbound page, the report gives you insights into your outbound mail
flow, for example, which outbound pools are used to send mail out of your
organization.

Note

The Outbound page-based report provides information about only specific
domains that fulfill certain criteria to use outbound pools to send emails. For more
information on such domains, see Outbound page.

Note

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

Inbound page

Note

By default, the report shows data for the last 7 days.

This page shows the following information for each domain:

Domain
Domain status: The value is Healthy or Error
Previous MX record
Current MX record
Email received (past 6 hours)

To quickly filter the results, click Search and start typing a value.

For more advanced filters that you can also save and use later, click Filter and select
New filter. In the Custom filter flyout that appears, enter the following information:

Name your filter: Enter a unique name.

Click Add new clause. A clause contains the following elements that you need to
enter information for:
Field: Select Domain, Domain status, Previous MX record, Current MX record,
or Email received (past 6 hours).
Operator: Select starts with or is.
Value: Enter the value you want to search for.

You can click Add new clause as many times as you need. Multiple clauses use
AND logic (<Clause1> AND <Clause2>...).

To remove a clause, click Remove.

When you're finished, click Save. The new filter is automatically loaded, and the
results are changed based on the filter. This is the same result as clicking Filter and
selecting the custom filter from the list.

To clear an existing filter (to return to the default list), click Filter and select
Clear all filters.

Click Export to export the displayed results to a .csv file.

If you select a row, a details pane for the domain appears based on the value of Domain
status:

Healthy: An explanation about MX records and the same information from the
main report is displayed.
Error: Additional information about the cause of the error and how to fix it is
available in the Reason and How to fix sections.

Outbound page
The report on the Outbound page shows details of only domains that have sent any
messages using high risk or relay pools or have sent over 20 messages.

Note

Domains that either don't use the high risk or relay pools or have sent under 20
messages will be summarized together under "All other domains". For more
information on the summarized domains, use the request report feature.

Note

By default, the report shows data for the last 7 days.

To quickly filter the results, click Search and start typing a value.

This page shows the following information for each domain:

Domain

Mail sent from each domain for the outbound pools:
Normal
High Risk
Normal Relay
High Risk Relay
Bulk Risk
Low Risk

Pie charts:
Total outbound messages sent per domain
Total outbound messages by outbound pool

Click Export to export the displayed results to a .csv file.

For more information on the outbound pools, see Outbound delivery pools.

Mailboxes exceeding receiving limits report in the new EAC in Exchange Online
Article • 01/27/2023

In the new Exchange admin center (EAC), the Mailboxes exceeding receiving limits report
displays information on mailboxes that are receiving large volumes of messages in a
short amount of time.

This report shows details on three categories of the Exchange Online receiving limit (see
Exchange Online limits):

1. Hot limit: The general receiving limit. When a mailbox exceeds the overall
receiving limit, they won't receive any mail from the Internet or on-premises
senders until the limit resets.

2. Sender-recipient pair limit: The receiving limit per sender-recipient pair. When a
mailbox exceeds the SRP limit, they won't receive any mail from that sender, if the
sender is from the Internet or on-premises.

3. Warm limit: The logging-only limit that indicates when messages are 'At risk' of
being blocked, set to 1000 messages per rolling hour. When a mailbox exceeds the
warm limit, they aren't yet impacted but will be displayed in reporting for admin
awareness.

Note

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

There are two sections to this report:

1. A heatmap that indicates:

a. When a mailbox exceeded their receiving limit and can no longer receive mail
until the limit is reset, which occurs 1 hour after the threshold is exceeded.

Hot limit: Mailboxes won't receive any mail from the Internet or on-premises
senders if the overall receiving limit is exceeded.

b. When a mailbox is at risk, which means they've exceeded one or both of the
below limits. This mailbox hasn't exceeded the receiving (Hot) limit yet but is
receiving large volumes of messages regularly.

Sender-recipient pair (SRP) limit: Mailboxes won't receive any mail from a
specific sender if the mailbox has received too many messages from the
sender. High volumes from specific senders should be paid attention to, as
they can put the mailbox at risk of exceeding the receiving (Hot) limit.

Warm limit: When a mailbox hasn't exceeded their limit yet but is
receiving large volumes of messages regularly.

2. A table that shows, in the selected time window:

The date

The impacted mailbox

The limit type (Hot, SRP, or Warm) based on the user's filter selection

The number of hours a mailbox has exceeded the limit

The number of hours a mailbox is at risk

The limit value, based on limit type

The maximum number of messages they received per hour

The top sender

The report includes a filter on Limit type, allowing the user to display mailboxes that hit
the Hot, SRP, or Warm limit separately.

Note

The default view is for the last 24 hours for all types. If no data is showing, that
means you had no mailboxes exceeding the limit (or at risk) in the last 24 hours.

The chart is limited to showing the top 10 mailboxes. If you'd like to see more
mailboxes, you'll have to filter/search differently.

1. Use the Limit type filter to display mailboxes affected by the Hot, SRP, or Warm
limit.

2. Click Export to download the data as a csv.

3. Select a mailbox address to view in detail the mailbox owner's contact information.
Contact the mailbox owner to understand why they're receiving so much email, so
they can reduce their mail volume and have a better experience.
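
To make the three limit categories concrete, here is an added Python example (not Microsoft code) that classifies mailboxes as Hot, SRP or Warm from a constructed stream of delivery events using a rolling one-hour window, the way the report's "maximum number of messages per hour" and "top sender" columns are derived. The Warm value of 1000 per rolling hour comes from the text above; the Hot and SRP values passed in are illustrative parameters, not the published limits.

```python
"""Classify mailboxes against Exchange Online style receiving limits.

Added example, not Microsoft code. It reproduces the three categories the
report describes (Hot, sender-recipient pair, Warm) over a constructed
stream of delivery events, using a rolling one-hour window. The Warm value
of 1000 per rolling hour is taken from the article; the Hot and SRP values
are parameters, and the numbers used below are illustrative only (look up
the current values in Exchange Online limits).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WARM_LIMIT = 1000            # logging-only limit from the article
WINDOW = timedelta(hours=1)  # limits are evaluated per rolling hour


@dataclass
class MailboxStatus:
    mailbox: str
    peak_per_hour: int       # max messages received in any rolling hour
    peak_pair_per_hour: int  # same, for the busiest single sender
    top_sender: str
    status: list             # e.g. ["Hot"], ["SRP"], ["Warm"], ["Hot", "SRP"] or ["OK"]


def max_in_rolling_window(times, window=WINDOW):
    """Largest number of events in any window of the given length.

    times must be sorted ascending. Two pointers walk the list once, so
    this is O(n) regardless of how bursty the traffic is.
    """
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_mailboxes(events, hot_limit, srp_limit, warm_limit=WARM_LIMIT):
    """events: iterable of (datetime, sender, recipient) for accepted messages.

    Returns {recipient: MailboxStatus}. "Exceeds" means strictly greater
    than the limit, matching the report's wording.
    """
    by_rcpt = defaultdict(list)
    by_pair = defaultdict(list)
    senders = defaultdict(Counter)
    for when, sender, rcpt in sorted(events):
        by_rcpt[rcpt].append(when)
        by_pair[(sender, rcpt)].append(when)
        senders[rcpt][sender] += 1

    results = {}
    for rcpt, times in by_rcpt.items():
        peak = max_in_rolling_window(times)
        pair_peak = max(max_in_rolling_window(by_pair[(s, rcpt)]) for s in senders[rcpt])
        top_sender = senders[rcpt].most_common(1)[0][0]
        status = []
        if peak > hot_limit:
            status.append("Hot")    # no Internet/on-premises mail until the limit resets
        if pair_peak > srp_limit:
            status.append("SRP")    # no further mail from that one sender
        if peak > warm_limit and "Hot" not in status:
            status.append("Warm")   # at risk: logged for admin awareness only
        results[rcpt] = MailboxStatus(rcpt, peak, pair_peak, top_sender, status or ["OK"])
    return results


def build_sample_events(base=datetime(2023, 1, 27, 9, 0)):
    """Constructed traffic: three mailboxes, each tripping a different limit."""
    events = []
    # finance: 1200 messages in 40 minutes from 12 senders -> Warm only
    for i in range(1200):
        events.append((base + timedelta(seconds=2 * i),
                       f"vendor{i % 12}@fabrikam.com", "finance@contoso.com"))
    # alerts: 700 messages in ~12 minutes, all from one monitoring sender -> SRP only
    for i in range(700):
        events.append((base + timedelta(seconds=i),
                       "monitor@fabrikam.com", "alerts@contoso.com"))
    # helpdesk: 3100 messages in ~52 minutes from 31 senders -> Hot
    for i in range(3100):
        events.append((base + timedelta(seconds=i),
                       f"user{i % 31}@contoso.com", "helpdesk@contoso.com"))
    return events


if __name__ == "__main__":
    # Illustrative limit values for the demo, not Microsoft's published ones.
    for st in classify_mailboxes(build_sample_events(), hot_limit=3000, srp_limit=500).values():
        print(f"{st.mailbox}: {st.status} peak={st.peak_per_hour}/h top sender={st.top_sender}")
```
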

Reply-all storm protection report in the new Exchange admin center in Exchange Online
Article • 01/27/2023

The Reply-all storm protection report in the new Exchange admin center (new EAC),
Reports > Mail flow section displays information about detected reply-all storms in
your organization and the reply-all messages that were blocked.

Note

For more information on permissions that are required to use this report, see
Permissions required to view mail flow reports.

The top of the report shows the current settings used by Reply-all Storm Protection for
detecting and blocking reply-all messages during a reply-all storm.

Status
Minimum recipients
Minimum reply-alls
Block duration hours

To view the current feature settings here on the report, you must have read access to
Transport configuration information (Get-TransportConfig) via the View-Only
Configuration or Organization Transport Settings roles. Both the Organization
Management and View-Only Organization Management role groups include both of
these roles. For more information, see View-only Organization Management.

Note that the current settings shown might not be the same as the settings that were
used for past reply-all storms if they were previously changed. Changing the settings
while a storm is happening might not apply those settings in time to affect the current
storm, but it will apply to future storms.

Beneath the current settings is the time/date range drop-down from which you can
select to view from 3 hours to 30 days of data (with the last 3 hours as the default). All
times shown are based on your local time.

The overview section shows these two charts:

Detected reply-all storm messages
Messages blocked

The Detected reply-all storm messages chart shows the number of reply-all messages
that were sent during the preceding time-interval for detected reply-all storms. For
example, in the chart above the five reply-all messages for the "Happy Thanksgiving"
storm shown at 3pm were detected between 2:45 and 3pm. While reply-all messages
sent before a reply-all storm is detected won't get blocked, they're included in the
Detected reply-all storm messages chart values, as are the messages that were blocked.

Note

This chart displays data only for declared reply-all storms where at least one reply-
all message has been blocked. It can't be used to track potential storms before
they're declared a reply-all storm.

The Messages blocked chart includes a subset of the messages shown in the Detected
reply-all storm messages chart. It shows the number of reply-all messages blocked
during the Blocked duration hours time frame.

Selecting any one of the reply-all storm names in either chart will pop up a side panel
showing specific details about the selected reply-all storm, as shown below.
The reply-all storm details panel includes the following information about the storm:

Subject: The message subject of the initial message.

Original Sender: The sender of the first message in the conversation thread.

Start Date/Time: When the first reply-all message was sent.

Total Messages: The total number of messages in the conversation thread (includes the
first message).

Blocked Messages: The total number of reply-all storm messages blocked by the feature.
This is always lower than the total number of messages in the thread. In some cases it
might be lower than you'd expect based on the feature's Minimum reply-alls setting. It
can take up to a few minutes to synchronize the block enforcement notification to all
relevant servers in the service. During that time, a few reply-alls could still get through
before blocking kicks in.

Block Start Time: Time when message blocking started.

Message ID: The Message ID of the first message in the conversation thread. Clicking on
this link will open Message Trace in a new tab and run a query for this message.

Reply-all senders: Users who sent (or tried to send) a reply-all to the thread. Includes
whether or not the message they sent was allowed through or blocked.

The final section of the main report page, Reply-all storm details, shows a table of all
the reply-all storms shown in the charts for the selected time range. It also includes the
key details about each of the following:

Start Date/Time
End Date/Time
Subject
Original Sender
Total Messages
Blocked Messages
Message ID

Click Export to export the displayed results to a .csv file.
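
As an added example (not Microsoft's implementation), the following Python replays a constructed thread against the three settings shown at the top of the report and produces the Total Messages, Blocked Messages and Block Start Time figures the details panel describes, including the reply-alls that get through before detection. The rolling detection window and the rule that the threshold-reaching reply-all is delivered while later ones are blocked are assumptions of this simulation, as are all setting values and message data.

```python
"""Replay a mail thread against Reply-all Storm Protection settings.

Added example, not Microsoft's implementation. Settings mirror the three
values the report displays (Minimum recipients, Minimum reply-alls, Block
duration hours). Assumptions: reply-alls are counted inside a rolling
detection window (the article states no window), and the reply-all that
reaches the threshold is delivered while subsequent ones are blocked.
Setting values and messages below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class StormSettings:
    minimum_recipients: int     # threads below this recipient count are never storms
    minimum_reply_alls: int     # reply-alls inside detection_window that declare a storm
    block_duration_hours: int   # how long further reply-alls are blocked
    detection_window: timedelta = timedelta(hours=1)   # assumption for this simulation


@dataclass
class Message:
    sent: datetime
    thread_id: str
    sender: str
    recipient_count: int
    is_reply_all: bool


@dataclass
class ThreadResult:
    thread_id: str
    total_messages: int = 0                 # "Total Messages" in the details panel
    reply_alls: int = 0                     # all reply-alls, allowed or blocked
    blocked_messages: int = 0               # "Blocked Messages"
    block_start: Optional[datetime] = None  # "Block Start Time"
    senders: list = field(default_factory=list)  # "Reply-all senders": (sender, verdict)


def simulate_storms(messages, settings):
    """Replay messages in time order; return {thread_id: ThreadResult}."""
    results = {}
    recent = {}        # thread_id -> timestamps of allowed reply-alls still in the window
    block_until = {}   # thread_id -> when the current block lapses
    for msg in sorted(messages, key=lambda m: m.sent):
        res = results.setdefault(msg.thread_id, ThreadResult(msg.thread_id))
        res.total_messages += 1
        if not msg.is_reply_all or msg.recipient_count < settings.minimum_recipients:
            continue                        # ordinary mail or a small thread: not examined
        res.reply_alls += 1
        until = block_until.get(msg.thread_id)
        if until is not None and msg.sent < until:
            res.blocked_messages += 1       # storm declared and block still in force
            res.senders.append((msg.sender, "blocked"))
            continue
        window = recent.setdefault(msg.thread_id, [])
        window.append(msg.sent)
        window[:] = [t for t in window if msg.sent - t < settings.detection_window]
        res.senders.append((msg.sender, "allowed"))
        if len(window) >= settings.minimum_reply_alls:
            # Threshold reached: declare the storm and start the block clock.
            if res.block_start is None:
                res.block_start = msg.sent
            block_until[msg.thread_id] = msg.sent + timedelta(hours=settings.block_duration_hours)
            window.clear()
    return results


def build_sample_messages():
    """Constructed traffic: one storm-sized thread and one small team thread."""
    t0 = datetime(2023, 11, 23, 14, 55)
    msgs = [Message(t0, "thanksgiving", "ceo@contoso.com", 1200, False)]
    for i in range(14):   # 14 reply-alls, one per minute from 15:00
        msgs.append(Message(t0 + timedelta(minutes=5 + i), "thanksgiving",
                            f"user{i}@contoso.com", 1200, True))
    # One straggler after the block has lapsed: delivered, and counting starts again.
    msgs.append(Message(t0 + timedelta(hours=2, minutes=35), "thanksgiving",
                        "late@contoso.com", 1200, True))
    for i in range(8):    # busy but tiny thread: below Minimum recipients, never blocked
        msgs.append(Message(t0 + timedelta(minutes=i), "team-standup",
                            f"dev{i}@contoso.com", 30, True))
    return msgs


if __name__ == "__main__":
    demo = StormSettings(minimum_recipients=1000, minimum_reply_alls=5, block_duration_hours=2)
    for r in simulate_storms(build_sample_messages(), demo).values():
        print(f"{r.thread_id}: total={r.total_messages} reply-alls={r.reply_alls} "
              f"blocked={r.blocked_messages} block start={r.block_start}")
```
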

See also
For more information about other mail flow reports, see Mail flow reports in the modern
EAC.

Dynamic Distribution Groups report in the new Exchange admin center in Exchange Online
Article • 03/13/2023

The Dynamic Distribution Groups report in the new Exchange admin center provides
insight into the usage of dynamic distribution groups for your organization. You can find
this report at Reports > Mail Flow in the new EAC.

Note

By default, the report shows data for the last 30 days. If the report is empty, try
changing the date range.

For permissions that are required to use this report, see Permissions required to
view mail flow reports.

By default, the report shows data for "Used" Dynamic Distribution Groups. If the
report is empty, try changing the filter to show "All" or "Unused" Dynamic
Distribution Groups.

The table lists the dynamic distribution groups and the number of times it was used
based on the date filter and the filter that allows you to select All, Used, or Unused. If
you select All, it lists all dynamic distribution groups whether it was used or unused
based on the date filter. If you select Used, it lists only the dynamic distribution groups
that were used based on the date filter. If you select Unused, it lists only the dynamic
distribution groups that were unused based on the date filter.

The dynamic distribution group report details section shows the following information
about each dynamic distribution group:

Group Name
Group Email
Last used on (date)
Number of times used

To quickly filter the results, click Search and start typing a value.

To filter the results by date range, use the date filter. You can specify a date range up to
90 days.

For more advanced filters that you can save and use later, click Filter and select New
filter. In the Custom filter flyout that appears, enter the following information:

Name your filter: Enter a unique name.

Click Add new clause. A clause contains the following elements that you need to
enter:
Field: Select Group Name, Group Email, Last Used on, or Number of Times
Used.
Operator: Select starts with or is.
Value: Enter the value you want to search for.

You can click Add new clause as many times as you need. Multiple clauses use AND
logic (<Clause1> AND <Clause2>...).

To remove a clause, click Remove.

When you're finished, click Save. The new filter is automatically loaded and the results
are changed based on the filter. This gives the same result as clicking Filter and
selecting the custom filter from the list.

To unload an existing filter (return to the default list), click Filter and select Clear all
filters.

Click Export to export the displayed results to a .csv file.


Mail flow insights in the new Exchange admin center in Exchange Online
Article • 01/27/2023

Admins can use the insights dashboard in the new Exchange admin center (new EAC) to
discover issues with mail flow and take corrective action. If an item appears in the mail
flow insights dashboard, you need to investigate and likely fix the issue.

The following mail flow insights are available:

Fix possible mail loop insight
Fix slow mail flow rules insight
New domains being forwarded email insight
New users forwarding email insight
Domain expiring soon insight
Mailboxes exceeding receiving limits insight

Permissions required to view and use mail flow insights

To use the mail flow insights to take corrective action, you need to be a member of one
of the following role groups:

Organization Management
Security Administrator*

For read only access to the mail flow insights, you need to be a member of one of the
following role groups:

Security Reader*
View-only Organization Management
View-Only Recipients

For more information, see Permissions in Exchange Online and Manage role groups in
Exchange Online.

* You manage these role groups in the Azure Active Directory admin center.

Where to find mail flow insights

To see the mail flow insights, open the new EAC at
https://admin.exchange.microsoft.com and select Insights.

To go directly to the mail flow insights dashboard, open
https://admin.exchange.microsoft.com/#/insights.

Alert policies in Exchange Online
Article • 07/27/2023

Alert policies in the new Exchange admin center (EAC) allow you to track events related
to mail flow. They can be created when your organization has fulfilled the Licensing
requirements.

Additionally, certain permissions are required for creating, viewing and managing alert
policies. For more information, see:

Permissions associated with alert policies
RBAC permissions required to view alerts section in Alert policies in Microsoft 365

Licensing requirements
The alert policies in the new EAC support aggregated alert configurations only. To
configure aggregate alert policies based on a threshold, you must have one of the
following license configurations:

E5/G5 subscription

E1/F1/G1 or E3/G3 subscription that includes one of the following features:

i. Office 365 Advanced Threat Protection Plan 2

ii. Microsoft 365 E5 Compliance

iii. Microsoft 365 eDiscovery and Audit add-on license

Types of alert policies

There are two types of alert policies on the Alert policies page, namely System and
Custom.

System policy
A system policy is created by the system by default; hence, it is also referred to as the
"default alert policy".

Characteristics of a system policy

A system alert policy is one that is:

Marked in bold
Labeled as System under Policy type
Available for viewing by an admin

User tasks on system policies

The user can perform the following tasks on a system policy:

Turn it off (by default, it is turned on)
Choose a list of recipients and group them as the recipients entitled to receive
email notifications of an alert
Set the daily notification limit for the list of recipients

Custom policy
Custom policy is the policy that can be created by the admin.

Permissions associated with alert policies

To create alert policies, you have to be assigned the Manage Alerts or Organization
Configuration role in the Microsoft Purview portal or Defender portal. You can assign the
View-Only Manage Alerts role for viewing alert policies.

The following management role groups are associated with alert policies:

Security administrator: This management role group allows admins to create and
manage alert policies.

Note

Managing alert policies involves a list of tasks. For more information, see User tasks
on alert policies.

Security reader: This management role group allows admins to only read/view an
alert policy.

User tasks on custom policies

A user with security administrator privileges can perform the following tasks on an alert
policy:

Creation: A user with security administrator privileges can create an alert policy,
which is a custom alert policy. For information on how to create an alert policy, see
Create custom policy.
Disable: A user can disable both the system and custom policies. For more
information, see Disable alert policy.
Disable email notifications of alert policies: A user can disable the email
notifications pertaining to both system and custom policies. For more information,
see Disable email notifications.
View: A user can view alert policies (system or custom) on the Alerts screen. For
more information, see View/read alert policy.

Create custom policy

To create an alert policy, perform the following steps:

1. Open the Exchange Admin Center.

2. In the left pane, select Mail flow > Alert policies, and click New alert policy.

3. Provide a name for your policy in the Name box and click Next.

Note

Entering a description for the policy in the Description box is optional.

4. From the Severity drop-down list, select the severity level.

Note

The Category drop-down list is disabled because Mail flow is the only
category supported in the new EAC.

5. From the Trigger an alert when the following insight is generated drop-down list,
select one from the following types of insights:

Mail loop
Slow transport rule
New users forwarding
New domains being forwarded
Cert expiry

6. Click Next.

7. Provide the name or email address of the alert notification recipients in the Email
recipients box.

8. From the Daily notification limit drop-down list, select daily notification count.

Note

Choosing the daily-notification count value is optional.

9. Click Next.

10. Review the alert-policy settings and click Create. The alert policy is created.

Disable alert policy

To disable an alert policy, perform the following steps:

1. In the left navigation pane of the new EAC, select Mail flow > Alert policies. The
Alert policies screen appears.

2. Select the alert policy you want to disable and click on it.

The alert policy details screen appears.

3. Uncheck the Enable this policy check box.

4. Click Save. The alert policy is disabled. The user will no longer receive any email
notifications pertaining to this alert policy.

Disable email notifications

A user has the option of disabling just the email notifications pertaining to an alert
policy. This disabling results in non-receipt of email notifications of the alert policy.
However, the details of the alert policy can continue to be viewed on the Alerts screen.

To disable the email notifications of an alert policy, perform the following steps:

1. In the left navigation pane of the new EAC, select Mail flow > Alert policies. The
Alert policies screen appears.

2. Select the alert policy for which you want to disable email notifications.

The alert policy details screen appears.

3. Click the Settings tab.

4. Uncheck the Send email notifications check box.

The email notifications for the alert policy are disabled, and the user will no longer
receive email notifications pertaining to the alert policy.

View/read alert policy

To view alerts generated by alert policies, perform the below steps:

1. Open the Exchange Admin Center.

2. In the left pane, select Mail flow > Alerts. The Alerts screen appears, displaying
alerts generated by the alert policies created.

3. Under the Alert name column, click the alert for which you want to view the
details. Details will be displayed on the screen.

Fix possible mail loop insight in the new EAC in Exchange Online
Article • 01/27/2023

A mail loop is bad because it wastes system resources, consumes your organization's
mail volume quota, and sends confusing non-delivery reports (also known as NDRs or
bounce messages) to the original senders.

The Fix possible mail loop insight in the Insights dashboard in the new Exchange admin
center (new EAC) reports when a mail loop is detected in your organization, the email
domains that are involved in the loop, and the number of messages from the previous
day that were in the loop.

You can click View details to see the details in a flyout where we identify the most
common mail loop scenarios and provide the recommended actions (if available) to fix
the loop.

Related topics
For more information about other mail flow insights in the mail flow dashboard, see
Mail flow insights in the new Exchange admin center.

Fix slow mail flow rules insight in the new EAC in Exchange Online
Article • 01/27/2023

Inefficient mail flow rules (also known as transport rules) can lead to mail flow delays for
your organization. This insight reports mail flow rules that have an impact on your
organization's mail flow. Examples of these types of rules are:

Conditions that use Is member of for large groups.
Conditions that use complex regular expression (regex) pattern matching.
Conditions that use content checking in attachments.

The Fix slow mail flow rules insight in the Insights dashboard in the new Exchange
admin center (new EAC) will notify you when a mail flow rule is taking too long to
complete. You can use this notification to help you to identify and fine-tune mail flow
rules to help reduce mail flow delays.

When you click View details, a flyout appears where you can review the rule by clicking
View rules. You can also click View sample messages to see what kind of messages are
impacted by the rule.

For more information about conditions and exceptions in mail flow rules in Exchange
Online, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.

Related topics
For more information about other mail flow insights in the mail flow dashboard, see
Mail flow insights in the new Exchange admin center.

New domains being forwarded email insight in the new EAC in Exchange Online
Article • 01/27/2023

Although you might have valid business reasons to forward email messages to external
recipients in specific domains, it's suspicious when users in your organization suddenly
start forwarding messages to external domains, and no one in the organization has ever
forwarded messages to those domains (new domains).

The New domains being forwarded email insight in the Insights dashboard in the new
Exchange admin center (new EAC) notifies you when users in your organization are
forwarding messages to new domains.

When you click View details, a flyout appears where you can find more details about the
forwarded messages, including a link to the Auto forwarded messages report for more
information.

To prevent automatic message forwarding to external domains, configure a remote
domain for some or all external domains. For more information, see Manage remote
domains in Exchange Online.

If you suspect the accounts have been compromised, see Responding to a compromised
email account.

Related topics
For more information about other mail flow insights in the mail flow dashboard, see
Mail flow insights in the new Exchange admin center.

New users forwarding email insight in the new EAC in Exchange Online
Article • 01/27/2023

It's suspicious when new user accounts in your organization suddenly start forwarding
email messages to external domains.

The New users forwarding email insight in the Insights dashboard in the new Exchange
admin center (new EAC) notifies you when new user accounts in your organization are
forwarding messages to external domains.

When you click View details, a flyout appears where you can find more details about the
forwarded messages, including a link to the Auto forwarded messages report for more
information.

If you suspect the accounts have been compromised, see Responding to a compromised
email account.

Related topics
For more information about other mail flow insights in the mail flow dashboard, see
Mail flow insights in the new Exchange admin center.
Domain expiring soon insight in the
new Exchange admin center in Exchange
Online
Article • 01/27/2023

When you add your domain to Microsoft 365 or Office 365, it's called an accepted
domain. Users in this accepted domain can send and receive mail. To keep mail flow
healthy, the domains you own must remain registered and active. Once a domain's
registration expires, users configured under that domain will no longer receive email.

The Domain expiring soon insight in the Insights dashboard in the new Exchange
admin center (new EAC) reports the domains that are about to expire and require
action.

Click View details to see the identified domains that are about to expire.

If a domain is expiring within 90 days, 60 days, or 30 days or less, it triggers an alert. A
single alert can cover multiple domains; for example, one domain that is expiring in 90
days and another that is expiring in 60 days. These alerts are sent as email notifications
to your registered email addresses.

These notifications list the domains that are expiring and require action to avoid
disruption in your mail flow. You can ignore the notifications if you've already renewed
or deleted the domain.

You can also view these alerts in the new EAC: navigate to Mail flow > View alerts.

Related article
Mail flow insights in the modern Exchange admin center
Mailboxes exceeding receiving limits
insight in the new EAC in Exchange
Online
Article • 01/27/2023

Mailboxes that receive large volumes of messages in a short amount of time can lead to
mail flow delays for those mailboxes, and other mailboxes in your organization. The
mailboxes exceeding receiving limits insight in the Insights dashboard in the new
Exchange admin center (new EAC) highlights:

1. Mailboxes that have exceeded their receiving limit (For more information, see
Exchange Online limits), which means they can no longer receive mail until the
limit is reset (which is 1 hour after the threshold is exceeded).

Mailboxes won't receive any mail at all if the overall receiving limit is
exceeded.
Mailboxes won't receive any mail from a specific sender, if the mailbox has
received too many messages from the sender.

2. Mailboxes that are at risk. They haven't exceeded their limit but are receiving large
volumes of messages regularly.

The insight will only appear if:

1. Mailboxes have exceeded their receiving limit in the past 24 hours.
2. A mailbox has become newly warm (receiving a large volume of mail without yet
exceeding the limit) in the past 24 hours.
3. A mailbox has been warm for >12 hours of the past 24 hours.

The insight will appear in the dashboard:

When you click on View details, the following flyout will appear:
1. Select Learn more about receiving limits to view documentation about Exchange's
limits.

2. Select receiving limits report to view a detailed report that shows up to seven
days of data. Each section shows at least 20 mailboxes – if there are more, you may
view them in the report.

3. Mailboxes that appear in the Mailboxes exceeded the receiving limit section are
mailboxes that have exceeded their receiving limit in the past 24 hours (includes
overall receiving limit, and single sender sending too much email).

4. Mailboxes that appear in the Mailboxes at risk now section are mailboxes that
have newly started receiving large volumes of mail.

5. Mailboxes that appear in the Mailboxes repeatedly at risk section are mailboxes
that have received large volumes of mail for > 12 hours of the past 24 hours.

6. Select the email address of the mailbox to view the contact information of the
owner of the mailbox. Contact the mailbox owner to understand why they're
receiving so much email, so they can reduce their mail volume and have a better
experience.
Address books in Exchange Online
Article • 02/22/2023

Exchange Online uses address books to organize and store email address information
for recipients in the organization. The topics that will help you learn about and configure
email addresses and address books in Exchange Online are described in the following
table.

Key terminology: Address book policies
Description: The global address list (GAL) is the master list of all recipients in your
Exchange Online organization. Address book policies (ABPs) provide a simpler mechanism
for GAL segmentation in organizations that require multiple GALs. An ABP defines a GAL,
an offline address book (OAB), a room list, and one or more address lists. You can then
assign the ABP to users.
Topic: Address book policies in Exchange Online

Key terminology: Address lists
Description: An address list is a subset of a GAL. Each address list is a dynamic
collection of one or more types of recipients. You can use address lists to help users
find the recipients and resources that they need.
Topic: Address lists

Key terminology: Hierarchical address books
Description: The hierarchical address book (HAB) presents recipients in the GAL by
using your organization's unique business structure (for example, seniority or
management hierarchy), which provides an efficient method for locating internal
recipients.
Topic: Hierarchical address books

Key terminology: Offline address books
Description: An offline address book (OAB) is a collection of address lists that can be
downloaded and used in Outlook by users that are disconnected from the Exchange Online
organization.
Topic: Offline address books in Exchange Online

Note: Email address policies are available in Exchange Online, but only for Microsoft 365
groups. For more information, see Choose the domain to use when creating Microsoft
365 Groups.

For help with everyday email tasks, such as organizing your contacts in Outlook, see
Microsoft 365 training. You can find help including:

Add an email contact

Import your contacts

Create a contact group

Send an email message to a contact group
Address book policies in Exchange
Online
Article • 02/22/2023

Address book policies (ABPs) let admins segment users into specific groups to provide
customized views of the organization's global address list (GAL). The goal of an ABP is to
provide a simpler mechanism for GAL segmentation (also known as GAL segregation) in
organizations that require multiple GALs.

An ABP contains these elements:

One GAL. For more information about GALs, see Default address lists in Exchange
Online.

One offline address book (OAB). For more information about OABs, see Offline
address books in Exchange Online.

One room list. Note that this room list is a custom address list that specifies rooms
(contains the filter RecipientDisplayType -eq 'ConferenceRoomMailbox' ). It's not a
room finder that you create with the RoomList switch on the New-
DistributionGroup or Set-DistributionGroup cmdlet. For more information, see
Managing resource mailboxes.

One or more address lists. For more information about address lists, see Custom
Address Lists in Exchange Online.

For procedures involving ABPs, see Address book policy procedures in Exchange Online.

Note

ABPs create only a virtual separation of users from a directory perspective, not
a legal separation.

Implementing an ABP is a multi-step process that requires planning. For more
information, see Address book policy procedures in Exchange Online.

How ABPs Work

The following diagram shows how ABPs work. The user is assigned Address Book Policy
A that contains a subset of address lists that are available in the organization. When the
ABP is created and assigned to the user, the ABP becomes the scope of the address lists
that the user is able to view.

To turn on ABP email routing in your Exchange Online organization, see Turn on address
book policy routing in Exchange Online.

To assign ABPs to users, see Assign an address book policy to users in Exchange Online.

ABPs take effect when a user connects to their Exchange Online Mailbox. If you change
an ABP, the updated ABP takes effect when a user restarts or reconnects their email
client app.

ABP example

In the following diagram, Fabrikam and Tailspin Toys share the same Exchange Online
organization and the same CEO. The CEO is the only employee common to both
companies.

The suggested configuration includes three ABPs:

One ABP is assigned to Fabrikam employees. The GAL and address lists in the ABP
include Fabrikam employees and the CEO.

One ABP is assigned to Tailspin Toys employees. The GAL and address lists in the
ABP include Tailspin Toys employees and the CEO.

One ABP is assigned to only the CEO. The (default) GAL and address lists in the
ABP include all employees (Fabrikam, Tailspin Toys, and the CEO).

Based on this configuration, the ABPs help to enforce these requirements:

The users in Tailspin Toys can only see Tailspin Toys employees and the CEO when
they browse the GAL.

The users in Fabrikam can only see Fabrikam employees and the CEO when they
browse the GAL.

The CEO can see all Fabrikam and Tailspin Toys employees when she browses the
GAL.

Users who view the CEO's group membership can see only groups that belong to
their company. They can't see groups that belong to the other company.
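The three-ABP configuration described above, built end to end in Exchange Online PowerShell. This is an added example and not a script from the Microsoft article. It assumes a session whose role group includes the Address Lists role, that CustomAttribute15 already holds FAB, TAIL or CEO on every mailbox, contact and group (following the attribute recommendation given later on this page), and that the built-in Default Global Address List, Default Offline Address Book, All Users, All Contacts, All Distribution Lists and All Rooms objects are present. Every other object name is the example's own.

```powershell
# Added example; not part of the Microsoft article. Assumes an Exchange Online PowerShell
# session with the Address Lists role and that CustomAttribute15 is FAB, TAIL or CEO on
# every recipient. All names below except the built-in defaults are assumptions.

# 1. Per-company address lists, GAL, room list, OAB and ABP. The CEO (CustomAttribute15 = CEO)
#    is included in both companies' GALs so everyone can see her.
foreach ($co in @(
    @{ Name = 'Fabrikam';      Tag = 'FAB'  },
    @{ Name = 'Tailspin Toys'; Tag = 'TAIL' }
)) {
    $n = $co.Name; $t = $co.Tag
    $members = "((CustomAttribute15 -eq '$t') -or (CustomAttribute15 -eq 'CEO'))"

    New-GlobalAddressList -Name "$n GAL"      -RecipientFilter $members
    New-AddressList       -Name "$n Users"    -RecipientFilter "$members -and (RecipientType -eq 'UserMailbox')"
    New-AddressList       -Name "$n Contacts" -RecipientFilter "$members -and (RecipientType -eq 'MailContact')"
    New-AddressList       -Name "$n DLs"      -RecipientFilter "$members -and (RecipientType -eq 'MailUniversalDistributionGroup')"
    # The room list an ABP needs is an address list filtered to room mailboxes, not a
    # distribution group created with the RoomList switch.
    New-AddressList       -Name "$n Rooms"    -RecipientFilter "(CustomAttribute15 -eq '$t') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"
    # Each GAL needs an OAB that includes it.
    New-OfflineAddressBook -Name "$n OAB" -AddressLists "$n GAL"

    New-AddressBookPolicy -Name "$n ABP" `
        -GlobalAddressList "$n GAL" -OfflineAddressBook "$n OAB" -RoomList "$n Rooms" `
        -AddressLists "$n Users", "$n Contacts", "$n DLs"
}

# 2. The CEO's policy reuses the built-in, organization-wide objects, so she sees everyone.
New-AddressBookPolicy -Name 'CEO ABP' `
    -GlobalAddressList 'Default Global Address List' -OfflineAddressBook 'Default Offline Address Book' `
    -RoomList 'All Rooms' -AddressLists 'All Users', 'All Contacts', 'All Distribution Lists'

# 3. Assign each policy by the same attribute, then turn on ABP routing so that users in
#    different GALs are treated as external to each other.
$assignments = @{ FAB = 'Fabrikam ABP'; TAIL = 'Tailspin Toys ABP'; CEO = 'CEO ABP' }
foreach ($tag in $assignments.Keys) {
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$tag'" |
        ForEach-Object { Set-Mailbox -Identity $_.Identity -AddressBookPolicy $assignments[$tag] }
}
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

# 4. Verify. Any user mailbox without a policy still sees the whole organization's GAL,
#    so this list should be empty.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AddressBookPolicy } |
    Format-Table Name, PrimarySmtpAddress, CustomAttribute15 -AutoSize
```

Two points to check in your own tenant: the policy takes effect only when a user reconnects their client, as the page notes above, and recipients that already existed when the new address lists were created may not appear in them until a property on each recipient is next changed (an assumption to verify against the address list procedures for Exchange Online, not something this page states).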
Address book policy procedures in
Exchange Online
Article • 02/22/2023

Turn on address book policy routing in Exchange Online

Create an address book policy in Exchange Online

Assign an address book policy to users in Exchange Online

Change the settings of an address book policy in Exchange Online

Remove an address book policy in Exchange Online


Turn on address book policy routing in
Exchange Online
Article • 02/22/2023

Address book policies (ABPs) allow you to segment users into specific groups to give
them customized global address lists (GALs) in Outlook and Outlook on the web
(formerly known as Outlook Web App). For more information about ABPs, see Address
book policies in Exchange Online.

ABP routing creates the virtual organizations within a single Exchange Online
organization. Your virtual organization is determined by the global address list (GAL) you
reside in. When ABP routing is turned on, users that are assigned to different GALs
appear as external recipients and won't be able to view each other's contact cards.

In Exchange Online, you can only turn on ABP routing in Exchange Online PowerShell.

Looking for the Exchange Server version of this topic? See Use the Exchange
Management Shell to install and configure the Address Book Policy Routing Agent.

What do you need to know before you begin?

You need to be a member of the Organization Management role group in
Exchange Online (or a global administrator) before you can perform the procedure
in this topic.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to turn on ABP routing

To enable ABP routing in the Exchange Online organization, run the following command:

PowerShell

Set-TransportConfig -AddressBookPolicyRoutingEnabled $true


For detailed syntax and parameter information, see Set-TransportConfig.

How do you know this worked?

To verify that you've successfully turned on ABP routing, use any of the following steps:

In Exchange Online PowerShell, run the following command to verify that ABP
routing is enabled for the organization:

PowerShell

Get-TransportConfig | Format-List AddressBookPolicyRoutingEnabled

Have a user that's assigned an ABP send an email message to a user that's
assigned a different ABP, and verify that the sender's email address doesn't resolve
to their display name.
Create an address book policy in
Exchange Online
Article • 02/22/2023

Address book policies (ABPs) allow you to segment users into specific groups to give
them customized global address lists (GALs) in Outlook and Outlook on the web
(formerly known as Outlook Web App). For more information about ABPs, see Address
book policies in Exchange Online.

In Exchange Online, you can only create ABPs in Exchange Online PowerShell.

An ABP requires one global address list (GAL), one offline address book (OAB), one
room list, and one or more address lists. To view the available objects, use the Get-
GlobalAddressList, Get-OfflineAddressBook, and Get-AddressList cmdlets.

Note

In Exchange Online, these cmdlets are available only in the Address Lists role,
and by default, the role isn't assigned to any role groups. To use these cmdlets,
add the Address Lists role to a role group (for example, to the Organization
Management role group). For more information, see Modify role groups in
Exchange Online.

The room list that's required for an ABP is an address list that specifies rooms
(contains the filter RecipientDisplayType -eq 'ConferenceRoomMailbox' ). It's
not a room finder distribution group that you create with the RoomList switch
on the New-DistributionGroup or Set-DistributionGroup cmdlets.

What do you need to know before you begin?

Estimated time to complete: Less than 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets or features that require the Address List role, you need
to add the role to a role group. For more information, see Modify role groups.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Creating an ABP for an organization is a multi-step process that requires planning.
For more information, see Address book policy procedures in Exchange Online.

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to create an ABP

To create an ABP, use this syntax:

PowerShell

New-AddressBookPolicy -Name "<Unique Name>" -GlobalAddressList "<GAL>" -OfflineAddressBook "<OAB>" -RoomList "<RoomList>" -AddressLists "<AddressList1>","<AddressList2>"...

This example creates an ABP with the following settings:

Name: All Fabrikam ABP

GAL: All Fabrikam

OAB: Fabrikam-All-OAB

Room list: All Fabrikam Rooms

Address lists: All Fabrikam, All Fabrikam Mailboxes, All Fabrikam DLs, and All
Fabrikam Contacts

PowerShell

New-AddressBookPolicy -Name "All Fabrikam ABP" -AddressLists "\All Fabrikam","\All Fabrikam Mailboxes","\All Fabrikam DLs","\All Fabrikam Contacts" -OfflineAddressBook \Fabrikam-All-OAB -GlobalAddressList "\All Fabrikam" -RoomList "\All Fabrikam Rooms"

For detailed syntax and parameter information, see New-AddressBookPolicy.

How do you know this worked?

To verify that you've successfully created an ABP, use either of these procedures in
Exchange Online PowerShell:

Run the following command to verify that the ABP is listed:

PowerShell

Get-AddressBookPolicy

Replace <ABPName> with the name of the ABP, and run the following command
to verify the property values:

PowerShell

Get-AddressBookPolicy -Identity "<ABPName>" | Format-List

For more information


After you create an ABP, you need to assign the ABP to users. For instructions, see
Assign an address book policy to users in Exchange Online.
Assign an address book policy to users
in Exchange Online
Article • 02/22/2023

Address book policies (ABPs) allow you to segment users into specific groups to give
them customized global address lists (GALs) in Outlook and Outlook on the web
(formerly known as Outlook Web App). For more information about ABPs, see Address
book policies in Exchange Online.

Users aren't automatically assigned an ABP when you create mailboxes. If you don't
assign an ABP to a mailbox, the GAL for your entire organization is visible to the user in
Outlook and Outlook on the web. Furthermore, a user that's assigned an ABP needs to
exist in the GAL that's specified for the ABP. For more information, see Considerations
and best practices for address book policies.

To identify your virtual organizations for ABPs, we recommend that you use the
CustomAttribute1 to CustomAttribute15 attributes on mailboxes, contacts, and groups,
because these attributes are the most widely available and manageable for all recipient
types.

To assign ABPs to mailboxes, you select the ABP in Exchange admin center (EAC), or
specify the ABP in Exchange Online PowerShell.

What do you need to know before you begin?

Estimated time to complete: Less than 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets or features that require the Address List role, you need
to add the role to a role group. For more information, see Modify role groups.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to assign an ABP to a mailbox

1. In the EAC, go to Recipients > Mailboxes.

2. In the list of mailboxes, find the mailbox that you want to modify. You can:

Scroll through the list of mailboxes.

Click Search and enter part of the user's name, email address, or alias.

Click More options > Advanced search to find the mailbox.

Once you've found the mailbox that you want to modify, select it, and then click
Edit .

3. On the mailbox properties page that opens, click Mailbox features.

4. Click the drop-down arrow in Address book policy, and select the ABP that you
want to apply.

When you're finished, click Save.


Use the EAC to assign an ABP to multiple
mailboxes
1. In the EAC, go to Recipients > Mailboxes.

2. In the list of mailboxes, find the mailboxes that you want to modify. For example:

a. Click More options > Advanced search.

b. In the Advanced search window that opens, select Recipient types and verify
the default value User mailbox.

c. Click More options, and then click Add a condition.

d. In the Select one drop-down box that appears, select the Custom attribute 1 to
Custom attribute 15 value that defines your virtual organizations.

e. In the Specify words or phrases dialog that appears, enter the value that you
want to search for, and then click OK.

f. Back on the Advanced search window, click OK.

3. In the list of mailboxes, select multiple mailboxes of the same type (for example,
User) from the list. For example:

Select a mailbox, hold down the Shift key, and select another mailbox that's
farther down in the list.

Hold down the CTRL key as you select each mailbox.

After you select multiple mailboxes of the same type, the title of the details pane
changes to Bulk Edit.

4. In the details pane, scroll down and click More options, scroll down to Address
Book Policy, and then click Update.

5. In the Bulk assign address book policy window that opens, select the ABP by
clicking the drop-down arrow in Select Address Book Policy, and then click Save.

Use Exchange Online PowerShell to assign an ABP to mailbox users

There are three basic methods you can use to apply an ABP to mailboxes:

Individual mailboxes: Use the following syntax:

PowerShell

Set-Mailbox -Identity <MailboxIdentity> -AddressBookPolicy <ABPIdentity>

This example assigns the ABP named All Fabrikam to the mailbox
joe@fabrikam.com.

PowerShell

Set-Mailbox -Identity joe@fabrikam.com -AddressBookPolicy "All Fabrikam"

Filter mailboxes by attributes: This method uses the unique filterable attribute that
defines the virtual organization (for example, the CustomAttribute1 through
CustomAttribute15 attribute value).

The syntax uses the following two commands (one to identify the mailboxes, and
the other to apply the ABP to the mailboxes):

PowerShell

$<VariableName> = Get-Mailbox -ResultSize unlimited -Filter <Filter>

PowerShell

$<VariableName> | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy <ABPIdentity>}

This example assigns the ABP named All Fabrikam to all mailbox users whose
CustomAttribute15 value is FAB .

PowerShell

$Fabrikam = Get-Mailbox -ResultSize unlimited -Filter "CustomAttribute15 -eq 'FAB'"

PowerShell

$Fabrikam | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy "All Fabrikam"}

Use a list of specific mailboxes: This method requires a text file to identify the
mailboxes. Values that don't contain spaces (for example, the user account) work
best. The text file must contain one user account on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts,
and the other to apply the policy to those users):

PowerShell

$<VariableName> = Get-Content "<text file>"

PowerShell

$<VariableName> | foreach {Set-Mailbox -Identity $_ -AddressBookPolicy <ABPIdentity>}

Each line read by Get-Content is a plain string (the user account itself), so it's passed
directly as the Identity value; the MicrosoftOnlineServicesID property used in the
previous method exists only on mailbox objects returned by Get-Mailbox.

This example assigns the ABP named All Fabrikam to the mailboxes specified
in the file C:\My Documents\Fabrikam.txt.

PowerShell

$Fab = Get-Content "C:\My Documents\Fabrikam.txt"

PowerShell

$Fab | foreach {Set-Mailbox -Identity $_ -AddressBookPolicy "All Fabrikam"}

For detailed syntax and parameter information, see Set-Mailbox and Get-Mailbox.

How do you know this worked?

To verify that you've successfully applied an ABP to a mailbox, use any of the following
steps:

In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit. In
the properties of the mailbox window that opens, click Mailbox features, and verify
the ABP in the Address book policy field.

In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias,
email address, or account name of the mailbox, and run the following command to
verify the value of the AddressBookPolicy property:

PowerShell

Get-Mailbox -Identity "<MailboxIdentity>" | Format-List AddressBookPolicy

In Exchange Online PowerShell, run the following command to verify the value of
the AddressBookPolicy property:

PowerShell

Get-Mailbox -ResultSize unlimited | Format-Table Name,AddressBookPolicy -Auto

More information
To remove the ABP assignment from a mailbox, you select the value [No Policy] in the
EAC, or use the value $null for the AddressBookPolicy parameter in Exchange Online
PowerShell.
Change the settings of an address book
policy in Exchange Online
Article • 02/22/2023

Address book policies (ABPs) allow you to segment users into specific groups to give
them customized global address lists (GALs) in Outlook and Outlook on the web
(formerly known as Outlook Web App). For more information about ABPs, see Address
book policies in Exchange Online.

After you create an ABP, you can view or modify the name and the assigned address
lists: the global address list (GAL), offline address book (OAB), room list, and other
address lists.

In Exchange Online, you can only modify ABPs in Exchange Online PowerShell.

For additional management tasks related to ABPs, see Address book policy procedures
in Exchange Online.

What do you need to know before you begin?

Estimated time to complete: Less than 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets or features that require the Address List role, you need
to add the role to a role group. For more information, see Modify role groups.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to modify address book policies

To modify an ABP, use this syntax:

PowerShell

Set-AddressBookPolicy -Identity "<ABPName>" [-Name "<Unique Name>"] [-GlobalAddressList "<GAL>"] [-OfflineAddressBook "<OAB>"] [-RoomList "<RoomList>"] [-AddressLists <AddressLists>]

The Name, GlobalAddressList, OfflineAddressBook, and RoomList parameters all take
single values, so the value you specify replaces the existing value.

This example modifies the ABP named "All Fabrikam ABP" by replacing the OAB
with the specified OAB.

PowerShell

Set-AddressBookPolicy -Identity "All Fabrikam ABP" -OfflineAddressBook \Fabrikam-OAB-2

The AddressLists parameter takes multiple values, so you need to decide whether
you want to replace the existing address lists in the ABP, or add and remove
address lists without affecting the other address lists in the ABP.

This example replaces the existing address lists in the ABP named Government
Agency A with the specified address lists.

PowerShell

Set-AddressBookPolicy -Identity "Government Agency A" -AddressLists "GovernmentAgencyA-Atlanta","GovernmentAgencyA-Moscow"

To add address lists to an ABP, you need to specify the new address lists and any
existing address lists that you want to keep.

This example adds the address list named Contoso-Chicago to the ABP named ABP
Contoso, which is already configured to use the address list named Contoso-
Seattle.

PowerShell

Set-AddressBookPolicy -Identity "ABP Contoso" -AddressLists "Contoso-Chicago","Contoso-Seattle"

To remove address lists from an ABP, you need to specify the existing address lists
that you want to keep, and omit the address lists that you want to remove.

For example, the ABP named ABP Fabrikam uses the address lists named Fabrikam-
HR and Fabrikam-Finance. To remove the Fabrikam-HR address list, specify only
the Fabrikam-Finance address list.

PowerShell

Set-AddressBookPolicy -Identity "ABP Fabrikam" -AddressLists Fabrikam-Finance

For detailed syntax and parameter information, see Set-AddressBookPolicy.
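Because the AddressLists parameter replaces the whole collection, retyping every list you want to keep is error-prone: one omitted name silently drops a list from the policy. The following function is an added example, not code from the Microsoft article, that reads the ABP's current address lists, applies the additions and removals you ask for, refuses to leave the policy with no address list at all, and writes back the computed set. It assumes an Exchange Online PowerShell session with the Address Lists role; the function name and the ABP and list names are assumptions.

```powershell
# Added example; not part of the Microsoft article. Assumes an Exchange Online PowerShell
# session with the Address Lists role. Set-AbpAddressLists and the names passed to it are
# this example's own.

function Set-AbpAddressLists {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [string[]] $Add    = @(),
        [string[]] $Remove = @()
    )
    $abp = Get-AddressBookPolicy -Identity $Identity

    # AddressLists holds directory object references; compare by Name so callers can pass
    # plain list names (without the leading backslash).
    $current = @($abp.AddressLists | ForEach-Object { $_.Name })
    $kept    = @($current | Where-Object { $_ -notin $Remove })
    $added   = @($Add     | Where-Object { $_ -notin $current })
    $wanted  = $kept + $added

    if ($wanted.Count -eq 0) {
        throw "An ABP needs at least one address list; refusing to empty '$Identity'."
    }
    foreach ($name in $Remove | Where-Object { $_ -notin $current }) {
        Write-Warning "'$name' is not assigned to '$Identity'; nothing to remove."
    }

    # Set-AddressBookPolicy replaces the whole collection, so write the full computed set.
    Set-AddressBookPolicy -Identity $Identity -AddressLists $wanted
    Get-AddressBookPolicy -Identity $Identity | Select-Object Name, AddressLists
}

# Add Contoso-Chicago and drop Contoso-Seattle from "ABP Contoso" in a single pass,
# leaving every other list on the policy untouched.
Set-AbpAddressLists -Identity 'ABP Contoso' -Add 'Contoso-Chicago' -Remove 'Contoso-Seattle'
```

The names you pass to -Add must already exist as address lists (the cmdlet rejects unknown names), and the comparison is case-insensitive, as PowerShell's -notin is by default.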

How do you know this worked?

To verify that you've successfully modified an ABP, replace <ABPName> with the name of
the ABP, and run the following command in Exchange Online PowerShell to verify the
property values:

PowerShell

Get-AddressBookPolicy -Identity "<ABPName>" | Format-List


Remove an address book policy in
Exchange Online
Article • 02/22/2023

Address book policies (ABPs) allow you to segment users into specific groups to give
them customized global address lists (GALs) in Outlook and Outlook on the web
(formerly known as Outlook Web App). For more information about ABPs, see Address
book policies in Exchange Online.

You can only remove ABPs from your Exchange Online organization using Exchange
Online PowerShell, and only if the ABP isn't assigned to a mailbox (active mailboxes or
soft-deleted mailboxes that are still recoverable).

What do you need to know before you begin?

Estimated time to complete: Less than 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets or features that require the Address List role, you need
to add the role to a role group. For more information, see Modify role groups.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to remove an ABP

Step 1: Verify the ABP isn't assigned to a mailbox

1. Replace <ABPName> with the name of the ABP, and run the following command
to get the DistinguishedName (DN) value of the ABP that you want to remove:

PowerShell

Get-AddressBookPolicy -Identity "<ABPName>" | Format-List DistinguishedName

2. To see if the ABP is assigned to an active mailbox, replace
<ABPDistinguishedName> with the DN of the ABP and run the following
command:

PowerShell

Get-Mailbox -ResultSize unlimited -Filter "AddressBookPolicy -eq '<ABPDistinguishedName>'"

To remove the ABP assignment from any active mailboxes that you find, replace
<ABPDistinguishedName> with the DN of the ABP and run the following
commands:

PowerShell

$a = Get-Mailbox -ResultSize unlimited -Filter "AddressBookPolicy -eq '<ABPDistinguishedName>'"

PowerShell

$a | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy $null}

3. To see if the ABP is assigned to a soft-deleted (recoverable) mailbox, replace
<ABPDistinguishedName> with the DN of the ABP and run the following
command:

PowerShell

Get-Mailbox -SoftDeletedMailbox -ResultSize unlimited -Filter "AddressBookPolicy -eq '<ABPDistinguishedName>'"

To remove the ABP assignment from any soft-deleted mailboxes that you find,
replace <ABPDistinguishedName> with the DN of the ABP and run the following
commands:

PowerShell

$s = Get-Mailbox -SoftDeletedMailbox -ResultSize unlimited -Filter "AddressBookPolicy -eq '<ABPDistinguishedName>'"

PowerShell

$s | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy $null}

Note: If you don't assign an ABP to a mailbox, the GAL for your entire organization will
be visible to the user in Outlook and Outlook on the web. Instead of using the value
$null, you can specify the name of a different ABP (enclosed in quotation marks if the
name contains spaces).

Step 2: Remove the ABP


To remove an ABP, use this syntax:

PowerShell

Remove-AddressBookPolicy -Identity <ABPIdentity>

This example removes the ABP named ABP TailspinToys.

PowerShell

Remove-AddressBookPolicy -Identity "ABP TailspinToys"

For detailed syntax and parameter information, see Remove-AddressBookPolicy.

How do you know this worked?

To verify that you've successfully removed an ABP, use either of these procedures in
Exchange Online PowerShell:

Run the following command to verify that the ABP isn't listed:

PowerShell

Get-AddressBookPolicy

Replace <ABPName> with the name of the ABP, and run the following command
to confirm that an error is returned:

PowerShell

Get-AddressBookPolicy -Identity "<ABPName>"
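Step 1 and Step 2 above combined into one function, as an added example that is not code from the Microsoft article. It finds every active and soft-deleted mailbox still referencing the ABP, moves them to a replacement policy (or clears the assignment, which, as noted above, exposes the full GAL to those users), re-checks before removing so that a concurrent assignment can't leave a dangling reference, and supports a dry run. It assumes an Exchange Online PowerShell session with the Address Lists role; the function name and the policy names are assumptions.

```powershell
# Added example; not part of the Microsoft article. Assumes an Exchange Online PowerShell
# session with the Address Lists role. Remove-AbpSafely and the policy names used with it
# are this example's own.

function Remove-AbpSafely {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $ReplacementAbp,   # omit to clear the assignment ([No Policy] in the EAC)
        [switch] $DryRun
    )
    $abp = Get-AddressBookPolicy -Identity $Identity
    # Single quotes inside a DN would break the OPATH filter, so double them.
    $dn  = $abp.DistinguishedName -replace "'", "''"

    function Get-Assigned {
        @(Get-Mailbox -ResultSize Unlimited -Filter "AddressBookPolicy -eq '$dn'") +
        @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited -Filter "AddressBookPolicy -eq '$dn'")
    }

    $assigned = Get-Assigned
    Write-Host "$($assigned.Count) mailbox(es), active or soft-deleted, still use '$($abp.Name)'."

    $target = if ($ReplacementAbp) { $ReplacementAbp } else { $null }
    $label  = if ($ReplacementAbp) { $ReplacementAbp } else { '[No Policy]' }
    foreach ($m in $assigned) {
        if ($DryRun) { Write-Host "Would set $($m.PrimarySmtpAddress) -> $label"; continue }
        # Same identity property the page's own commands use.
        Set-Mailbox -Identity $m.MicrosoftOnlineServicesID -AddressBookPolicy $target
    }
    if ($DryRun) { Write-Host "Dry run: '$($abp.Name)' not removed."; return }

    # Re-check rather than trust the earlier list: an assignment made in the meantime
    # would make Remove-AddressBookPolicy fail, or worse, be reassigned by mistake later.
    $remaining = Get-Assigned
    if ($remaining.Count -gt 0) {
        throw "'$($abp.Name)' is still assigned to $($remaining.Count) mailbox(es); not removing."
    }
    Remove-AddressBookPolicy -Identity $Identity -Confirm:$false
    Write-Host "Removed '$($abp.Name)'."
}

# Preview first, then move everyone to the Fabrikam policy and remove the Tailspin one.
Remove-AbpSafely -Identity 'ABP TailspinToys' -ReplacementAbp 'All Fabrikam ABP' -DryRun
Remove-AbpSafely -Identity 'ABP TailspinToys' -ReplacementAbp 'All Fabrikam ABP'
```

Run it without -ReplacementAbp only when you intend the affected users to see the organization-wide GAL; in a segmented tenant that is usually a data-exposure problem, not a convenience.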


Address lists in Exchange Online
Article • 02/22/2023

An address list is a collection of mail-enabled recipient objects in Exchange Online.

Address lists are based on recipient filters. You can filter by recipient type (for example,
mailboxes and mail contacts), recipient properties (for example, Company or State or
Province), or both. Address lists aren't static; they're updated dynamically. When you
create or modify recipients in your organization, they're automatically added to the
appropriate address lists. These are the different types of address lists that are available:

Global address lists (GALs): The built-in GAL that's automatically created by
Exchange Online includes every mail-enabled object in the organization. You can
create additional GALs to separate users by organization or location, but a user can
only see and use one GAL.

Address lists: Address lists are subsets of recipients that are grouped together in
one list, which makes them easier to find by users. Exchange Online comes with
several built-in address lists, and you can create more based on your organization's
needs.

Offline address books (OABs): OABs contain address lists and GALs. OABs are used
by Outlook clients in cached Exchange mode to provide local access to address
lists and GALs for recipient look-ups. For more information, see Offline address
books in Exchange Online.

Users in your organization use address lists and the GAL to find recipients for email
messages. Here's an example of what address lists look like in Outlook 2016:
For procedures related to address lists, see Address list procedures in Exchange Online.

Notes:

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets or features that require the Address List role, you need
to add the role to a role group. For more information, see Modify role groups.

Precanned recipient filters or custom recipient filters identify the recipients that are
included in address lists and GALs. For more information, see Recipient filters for
address lists in Exchange Online PowerShell.

You can hide recipients from all address lists and GALs. For more information, see
Hide recipients from address lists.

Global address lists


By default, a new Exchange Online organization has a GAL named Default Global
Address List that's the primary repository of all recipients in the organization. Typically,
most organizations have only one GAL, because users can only see and use one GAL in
Outlook and Outlook on the web (formerly known as Outlook Web App). You might
need to create multiple GALs if you want to prevent groups of recipients from seeing
each other (for example, your organization contains two separate companies). If you
plan on creating additional GALs, consider the following issues:

You can only use Exchange Online PowerShell to create, modify, remove, and
update GALs.

If a user belongs to multiple GALs, they'll still see only one GAL based on the
following conditions:

    The user needs permissions to view the GAL. You assign user permissions to
    GALs by using address book policies (ABPs). For more information, see Address
    book policies in Exchange Online.

    If a user is still eligible to see multiple GALs, only the largest GAL is used (the
    GAL that contains the most recipients).

Each GAL needs a corresponding offline address book (OAB) that includes the
GAL. To create OABs, see Create an offline address book in Exchange Online.

The built-in GAL is named Default Global Address List, and any additional GALs
that you create require unique names. Depending on the email client, users might
not see the actual name of the GAL that they're using:

    In Outlook on the web, users see the actual name of the GAL that they're using
    (for example, Default Global Address List).

    In Outlook, the GAL always appears as Global Address List, which likely doesn't
    match the actual name.

Default address lists


By default, Exchange Online comes with five built-in address lists and one GAL. These
address lists are described in the following table. Note that by default, system-related
mailboxes like arbitration mailboxes and public folder mailboxes are hidden from
address lists.

Name: All Contacts
Type: Address list
Description: Includes all mail contacts in the organization. To learn more about mail
contacts, see Recipients in Exchange Online.
Recipient filter used: "Alias -ne $null -and (ObjectCategory -like 'person' -and ObjectClass -eq 'contact')"

Name: All Distribution Lists
Type: Address list
Description: Includes all distribution groups and mail-enabled security groups in the
organization. To learn more about mail-enabled groups, see Recipients in Exchange
Online.
Recipient filter used: "Alias -ne $null -and ObjectCategory -like 'group'"

Name: All Rooms
Type: Address list
Description: Includes all room mailboxes. Equipment mailboxes aren't included. To learn
more about room and equipment (resource) mailboxes, see Recipients in Exchange Online.
Recipient filter used: "Alias -ne $null -and (RecipientDisplayType -eq 'ConferenceRoomMailbox' -or RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')"

Name: All Users
Type: Address list
Description: Includes all user mailboxes, linked mailboxes, remote mailboxes (Microsoft
365 or Office 365 mailboxes), shared mailboxes, room mailboxes, equipment mailboxes,
and mail users in the organization. To learn more about these recipient types, see
Recipients in Exchange Online.
Recipient filter used: "((Alias -ne $null) -and (((((((ObjectCategory -like 'person') -and (ObjectClass -eq 'user') -and (-not(Database -ne $null)) -and (-not(ServerLegacyDN -ne $null)))) -or (((ObjectCategory -like 'person') -and (ObjectClass -eq 'user') -and (((Database -ne $null) -or (ServerLegacyDN -ne $null))))))) -and (-not(RecipientTypeDetailsValue -eq 'GroupMailbox')))))"

Name: Default Global Address List
Type: GAL
Description: Includes all mail-enabled recipient objects in the organization (users,
contacts, groups, dynamic distribution groups, and public folders).
Recipient filter used: "((Alias -ne $null) -and (((ObjectClass -eq 'user') -or (ObjectClass -eq 'contact') -or (ObjectClass -eq 'msExchSystemMailbox') -or (ObjectClass -eq 'msExchDynamicDistributionList') -or (ObjectClass -eq 'group') -or (ObjectClass -eq 'publicFolder'))))"

Name: Public Folders
Type: Address list
Description: Includes all mail-enabled public folders in your organization. Access
permissions determine who can view and use public folders. For more information about
public folders, see Public folders in Microsoft 365 or Office 365 and Exchange Online.
Recipient filter used: "Alias -ne $null -and ObjectCategory -like 'publicFolder'"

Custom Address Lists


An Exchange Online organization might contain thousands of recipients, so the built-in
address lists could become quite large. To prevent this, you can create custom address
lists to help users find what they're looking for.
For example, consider a company that has two large divisions in one Exchange Online
organization:

Fourth Coffee, which imports and sells coffee beans.

Contoso, Ltd, which underwrites insurance policies.

For most day-to-day activities, employees at Fourth Coffee don't communicate with
employees at Contoso, Ltd. Therefore, to make it easier for employees to find recipients
who exist only in their division, you can create two new custom address lists: one for
Fourth Coffee and one for Contoso, Ltd. However, if an employee is unsure about where a
recipient exists, they can search in the GAL, which contains all recipients from both
divisions.

In Exchange Online, you can only use PowerShell to create custom address lists.

Best Practices for Creating Address Lists


Although address lists are useful tools for users, poorly planned address lists can cause
frustration. To make sure that your address lists are practical for users, consider the
following best practices:

Address lists should make it easier for users to find recipients.

Avoid creating so many address lists that users can't tell which list to use.

Use a naming convention and location hierarchy for your address lists so users can
immediately tell what the list is for (which recipients are included in the list). If you
have difficulty naming your address lists, create fewer lists and remind users that
they can find anyone in your organization by using the GAL.

For detailed instructions about creating address lists in Exchange Online, see Address list
procedures in Exchange Online.

Address list procedures in Exchange Online
Article • 02/22/2023

Manage address lists in Exchange Online

Create an address list in Exchange Online by using recipient filters

Remove a global address list in Exchange Online

Configure global address list properties in Exchange Online

Create a global address list in Exchange Online


Manage address lists in Exchange Online
Article • 02/22/2023

An address list is a collection of mail-enabled recipient objects in Exchange Online.
Address lists are based on recipient filters. For more information about address lists, see
Address lists in Exchange Online.

For additional management tasks related to managing address lists, see Address list
procedures in Exchange Online.

Looking for the Exchange Server version of this topic? See Create address lists.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You need Exchange Online PowerShell for virtually all of the procedures in this topic
(everything except hiding recipients from address lists). To connect to Exchange Online
PowerShell, see Connect to Exchange Online PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to create address lists

You can create address lists with or without recipient filters. For details about recipient
filters, see Recipient filters for address lists in Exchange Online PowerShell.

To create an address list, use the following syntax:


PowerShell

New-AddressList -Name "<Address List Name>" [-Container <ExistingAddressListPath>] [<Precanned recipient filter | Custom recipient filter>] [-RecipientContainer <OrganizationalUnit>]

This example creates an address list with a precanned recipient filter:

Name: Southeast Offices

Location: Under the root ("\", also known as All Address Lists) because we didn't
use the Container parameter, and the default value is "\".

Precanned recipient filter: All users with mailboxes where the State or province
value is GA, AL, or LA (Georgia, Alabama, or Louisiana).

PowerShell

New-AddressList -Name "Southeast Offices" -IncludedRecipients MailboxUsers -ConditionalStateorProvince "GA","AL","LA"

This example creates an address list with a custom recipient filter:

Name: Northwest Executives

Location: Under the existing address list named North America.

Custom recipient filter: All users with mailboxes where the Title value contains
Director or Manager, and the State or province value is WA, OR, or ID
(Washington, Oregon, or Idaho).

PowerShell

New-AddressList -Name "Northwest Executives" -Container "\North America" -RecipientFilter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Director*' -or Title -like '*Manager*') -and (StateOrProvince -eq 'WA' -or StateOrProvince -eq 'OR' -or StateOrProvince -eq 'ID')"

For detailed syntax and parameter information, see New-AddressList.

This example creates the address list named Oregon and Washington Users by using the
RecipientFilter parameter and includes recipients that are mailbox users and have
StateOrProvince set to Washington or Oregon.

PowerShell

New-AddressList -Name "Oregon and Washington" -RecipientFilter "((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'Washington') -or (StateOrProvince -eq 'Oregon')))"

This example creates the child address list Building 34 Meeting Rooms in the All Rooms
parent container, using built-in conditions.

PowerShell

New-AddressList -Name "Building 34 Meeting Rooms" -Container "\All Rooms" -IncludedRecipients Resources -ConditionalCustomAttribute1 "Building 34"

For detailed syntax and parameter information, see New-AddressList.

How do you know this worked?


To verify that you've successfully created an address list, replace <AddressListIdentity>
with the path\name of the address list, and run the following command in Exchange
Online PowerShell to verify the property values:

PowerShell

Get-AddressList -Identity "<AddressListIdentity>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Use Exchange Online PowerShell to view members of address lists

Technically, this procedure returns all recipients (including hidden recipients) that match
the recipient filters for the address list. The recipients that are actually visible in the
address list have the HiddenFromAddressListsEnabled property value False.

To view the members of an address list, use the following syntax:

PowerShell

$<VariableName> = Get-AddressList -Identity <AddressListIdentity>; Get-Recipient -ResultSize unlimited -RecipientPreviewFilter $<VariableName>.RecipientFilter | select Name,PrimarySmtpAddress,HiddenFromAddressListsEnabled

This example returns the members of the address list named Southeast Offices.

PowerShell

$AL = Get-AddressList -Identity "Southeast Offices"; Get-Recipient -ResultSize unlimited -RecipientPreviewFilter $AL.RecipientFilter | select Name,PrimarySmtpAddress,HiddenFromAddressListsEnabled

This example exports the results to the file C:\My Documents\Southeast Offices
Export.csv.

PowerShell

$AL = Get-AddressList -Identity "Southeast Offices"; Get-Recipient -ResultSize unlimited -RecipientPreviewFilter $AL.RecipientFilter | select Name,PrimarySmtpAddress,HiddenFromAddressListsEnabled | Export-Csv -NoTypeInformation -Path "C:\My Documents\Southeast Offices Export.csv"

Use Exchange Online PowerShell to update address lists

The Update-AddressList cmdlet (or Update-GlobalAddressList) isn't available in
Exchange Online PowerShell. If recipients that should appear in an address list don't, you
need to change the required property value for those users to a temporary value, and
then back to the value that's required by the address list. You can update the user
property values in the Exchange admin center (EAC) or Exchange Online PowerShell, but
it's quicker to do bulk operations in PowerShell.

For example, suppose the address list named Oregon and Washington Users uses the
filter "((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'Washington') -or (StateOrProvince -eq 'Oregon')))",
but the address list doesn't include everyone whose StateOrProvince property values are
set correctly. To update the address list, perform the following steps:

1. Use the query from the address list to find all users that should be in the address
list. For example:

PowerShell

$Before = Get-User -Filter "((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'Oregon') -or (StateOrProvince -eq 'Washington')))" -ResultSize Unlimited

2. Change the required property to a temporary value. For example, change the
StateOrProvince values from Oregon to OR , and Washington to WA :

PowerShell

$Before | where {$_.StateOrProvince -eq 'Oregon'} | foreach {Set-User $_.Identity -StateOrProvince OR}

PowerShell

$Before | where {$_.StateOrProvince -eq 'Washington'} | foreach {Set-User $_.Identity -StateOrProvince WA}

3. Find those same users again by using the temporary property values. For example:

PowerShell

$After = Get-User -Filter "((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'OR') -or (StateOrProvince -eq 'WA')))" -ResultSize Unlimited

4. Change the temporary value back to the required value. For example, change the
StateOrProvince values from OR to Oregon , and WA to Washington :

PowerShell

$After | where {$_.StateOrProvince -eq 'OR'} | foreach {Set-User $_.Identity -StateOrProvince Oregon}

PowerShell

$After | where {$_.StateOrProvince -eq 'WA'} | foreach {Set-User $_.Identity -StateOrProvince Washington}

Notes:

Title, department and address properties require the Get-User and Set-User
cmdlets. CustomAttribute1 through CustomAttribute15 properties require the Get-
Mailbox and Set-Mailbox cmdlets. For more information about what properties
are available on which cmdlet, see the following topics:

Set-User

Set-Mailbox

If only a small number of users don't appear in the address list, you can modify the
required property value for each user. For example:

1. Set a temporary property value for the user:

PowerShell

Set-User -Identity <UserIdentity> -StateOrProvince WA

2. Change the temporary value back to the required value:

PowerShell

Set-User -Identity <UserIdentity> -StateOrProvince Washington
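The bulk toggle procedure described above, wrapped in one function as an added example (not code from the original article). It assumes an existing Exchange Online PowerShell session, that the address list's RecipientFilter uses only properties the Get-User or Get-Mailbox -Filter parameter accepts, and a caller-supplied map from each required value to a temporary value that the list's filter does not match.

```powershell
# Added example: force Exchange Online to re-evaluate address list membership by
# toggling the filtered property to a temporary value and back, because
# Update-AddressList isn't available. Assumes Connect-ExchangeOnline has been run.
function Update-AddressListMembershipByToggle {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path\name of the address list, for example "\Oregon and Washington".
        [Parameter(Mandatory)] [string] $AddressList,

        # The property the address list filters on (StateOrProvince, Department,
        # CustomAttribute1, ...).
        [Parameter(Mandatory)] [string] $Property,

        # Required value -> temporary value. The temporary value must NOT match the
        # list's recipient filter, or the toggle has no effect. Constructed example:
        # @{ 'Oregon' = 'OR'; 'Washington' = 'WA' }
        [Parameter(Mandatory)] [hashtable] $TemporaryValueMap
    )

    # CustomAttribute1..15 are mailbox properties; title, department and address
    # properties are user properties (see the Notes in the text).
    if ($Property -match '^CustomAttribute(1[0-5]|[1-9])$') {
        $getCmdlet = 'Get-Mailbox'; $setCmdlet = 'Set-Mailbox'
    } else {
        $getCmdlet = 'Get-User';    $setCmdlet = 'Set-User'
    }

    $list = Get-AddressList -Identity $AddressList
    # Step 1: every recipient the list's own filter says should be included.
    $targets = & $getCmdlet -Filter $list.RecipientFilter -ResultSize Unlimited

    foreach ($recipient in $targets) {
        $required = [string]$recipient.$Property
        if (-not $TemporaryValueMap.ContainsKey($required)) {
            Write-Verbose "Skipping $($recipient.Identity): no temporary value for '$required'"
            continue
        }
        $temporary = $TemporaryValueMap[$required]
        if (-not $PSCmdlet.ShouldProcess($recipient.Identity,
                "Toggle $Property '$required' -> '$temporary' -> '$required'")) {
            continue
        }

        # Steps 2 to 4 per recipient. The restore sits in a finally block so an
        # interrupted run never leaves an object stranded on the temporary value.
        $toTemporary = @{ $Property = $temporary }
        $toRequired  = @{ $Property = $required }
        try {
            & $setCmdlet -Identity $recipient.Identity @toTemporary
        } finally {
            & $setCmdlet -Identity $recipient.Identity @toRequired
        }

        [pscustomobject]@{
            Identity  = $recipient.Identity
            Property  = $Property
            Value     = $required
            Refreshed = $true
        }
    }
}

# Usage matching the Oregon and Washington example in the text; drop -WhatIf to apply.
# Update-AddressListMembershipByToggle -AddressList "\Oregon and Washington" `
#     -Property StateOrProvince `
#     -TemporaryValueMap @{ 'Oregon' = 'OR'; 'Washington' = 'WA' } -WhatIf
```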

How do you know this worked?


To verify that you've successfully updated an address list, replace <AddressListIdentity>
with the name of the address list, and run the following command in Exchange Online
PowerShell to verify the RecipientFilterApplied property value:

PowerShell

Get-AddressList -Identity <AddressListIdentity> | Format-Table Name,RecipientFilterApplied -Auto

Use Exchange Online PowerShell to modify address lists

The same basic settings are available as when you created the address list. For more
information, see the Use Exchange Online PowerShell to create address lists section in
this topic.

To modify an existing address list, use the following syntax:

PowerShell

Set-AddressList -Identity <AddressListIdentity> [-Name <Name>] [<Precanned recipient filter | Custom recipient filter>] [-RecipientContainer <OrganizationalUnit>]

When you modify the Conditional parameter values, you can use the following syntax to
add or remove values without affecting other existing values:
@{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}.

This example modifies the existing address list named Southeast Offices by adding the
State or province value TX (Texas) to the precanned recipient filter.

PowerShell

Set-AddressList -Identity "Southeast Offices" -ConditionalStateOrProvince @{Add="TX"}

For detailed syntax and parameter information, see Set-AddressList.

How do you know this worked?


To verify that you've successfully modified an address list, replace <AddressListIdentity>
with the path\name of the address list, and run the following command in Exchange
Online PowerShell to verify the property values:

PowerShell

Get-AddressList -Identity "<AddressListIdentity>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Use Exchange Online PowerShell to delete address lists

To remove an address list, use the following syntax:

PowerShell

Remove-AddressList -Identity "<AddressListName>"

This example removes the address list Sales Department, which doesn't contain child
address lists.

PowerShell

Remove-AddressList -Identity "Sales Department"

For detailed syntax and parameter information, see Remove-AddressList.


How do you know this worked?

To verify that you've successfully removed an address list, run the following command in
Exchange Online PowerShell to verify that the address list isn't listed:

PowerShell

Get-AddressList

Hide recipients from address lists


Hiding a recipient from address lists doesn't prevent the recipient from receiving email
messages; it prevents users from finding the recipient in address lists. The recipient is
hidden from all address lists and GALs (effectively, they're exceptions to the recipient
filters in all address lists). If you want to selectively include the recipient in some address
lists but not others, you need to adjust the recipient filters in the address lists to include
or exclude the recipient.

Use the new EAC to hide recipients from address lists


To open the new EAC, see Exchange admin center in Exchange Online.

You can't use the new EAC to hide Microsoft 365 groups from address lists.

1. In the new EAC, go to one of the following locations based on the recipient type:

Recipients > Mailboxes: User mailboxes.

Recipients > Groups: Distribution groups, mail-enabled security groups, and
dynamic distribution groups.

Recipients > Resources: Room and equipment mailboxes.

Recipients > Contacts: Mail users and mail contacts.

Public folders > Public folders: Mail-enabled public folders.

2. Select the recipient that you want to hide from address lists.

3. The recipient properties window opens. What you do next depends on the
recipient type:

Mailboxes: On the Account tab, select Manage contact information. Then
select Hide from global address list.

Groups: On the Settings tab, select Hide this group from the global address
list.

Resources: Click the pencil and select Hide from address lists (GAL).

Contacts: Select Hide this from the global address list.

Public folders: On the General mail properties tab, select Hide from
Exchange address list.

4. When you're finished, click Save.

Use Exchange Online PowerShell to hide recipients from address lists

To hide a recipient from address lists, use the following syntax:

PowerShell

Set-<RecipientType> -Identity <RecipientIdentity> -HiddenFromAddressListsEnabled $true

<RecipientType> is one of these values:

DistributionGroup

DynamicDistributionGroup

Mailbox

MailContact

MailPublicFolder

MailUser

UnifiedGroup

This example hides the distribution group named Internal Affairs from address lists.

PowerShell

Set-DistributionGroup -Identity "Internal Affairs" -HiddenFromAddressListsEnabled $true

This example hides the mailbox michelle@contoso.com from address lists.

PowerShell

Set-Mailbox -Identity michelle@contoso.com -HiddenFromAddressListsEnabled $true

Note: To make the recipient visible in address lists again, use the value $false for the
HiddenFromAddressListsEnabled parameter.
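Hiding several recipients of mixed types in one pass, as an added example that is not from the original article: it resolves each recipient with Get-Recipient, picks the Set-<RecipientType> cmdlet from the list above, and re-reads the object to confirm the change. It assumes an existing Exchange Online PowerShell session; the identities in the usage line are the page's own examples.

```powershell
# Added example: hide (or unhide) recipients from address lists, choosing the
# Set-<RecipientType> cmdlet from the recipient's type instead of guessing it.
# Assumes Connect-ExchangeOnline has been run.
function Set-RecipientAddressListVisibility {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Any identity Get-Recipient accepts (name, alias, SMTP address).
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Identity,

        # $true hides the recipient; $false makes it visible again.
        [bool] $Hidden = $true
    )

    process {
        foreach ($id in $Identity) {
            $recipient = Get-Recipient -Identity $id -ErrorAction Stop

            # Microsoft 365 groups report RecipientTypeDetails GroupMailbox and need
            # Set-UnifiedGroup; every other type is mapped from RecipientType.
            $setCmdlet = if ($recipient.RecipientTypeDetails -eq 'GroupMailbox') {
                'Set-UnifiedGroup'
            } else {
                switch ($recipient.RecipientType) {
                    'UserMailbox'                    { 'Set-Mailbox' }
                    'MailUser'                       { 'Set-MailUser' }
                    'MailContact'                    { 'Set-MailContact' }
                    'MailUniversalDistributionGroup' { 'Set-DistributionGroup' }
                    'MailUniversalSecurityGroup'     { 'Set-DistributionGroup' }
                    'MailNonUniversalGroup'          { 'Set-DistributionGroup' }
                    'DynamicDistributionGroup'       { 'Set-DynamicDistributionGroup' }
                    'PublicFolder'                   { 'Set-MailPublicFolder' }
                    default                          { $null }
                }
            }

            if (-not $setCmdlet) {
                Write-Warning "$id has RecipientType '$($recipient.RecipientType)', which has no Set- cmdlet here; skipped."
                continue
            }

            $action = if ($Hidden) { 'Hide from address lists' } else { 'Show in address lists' }
            if (-not $PSCmdlet.ShouldProcess($recipient.PrimarySmtpAddress, "$action via $setCmdlet")) {
                continue
            }

            & $setCmdlet -Identity $recipient.Identity -HiddenFromAddressListsEnabled $Hidden

            # Verify against the directory instead of trusting that the call succeeded.
            $after = Get-Recipient -Identity $recipient.Identity
            [pscustomobject]@{
                Identity                      = $recipient.Identity
                RecipientType                 = $recipient.RecipientType
                Cmdlet                        = $setCmdlet
                HiddenFromAddressListsEnabled = $after.HiddenFromAddressListsEnabled
                Verified                      = ($after.HiddenFromAddressListsEnabled -eq $Hidden)
            }
        }
    }
}

# Usage with the two recipients from the examples above:
# 'Internal Affairs', 'michelle@contoso.com' | Set-RecipientAddressListVisibility -Hidden $true
```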

How do you know this worked?


You can verify that you've successfully hidden a recipient from address lists by using any
of the following procedures:

In the EAC, select the recipient, click Edit, and verify the hide from address lists
setting is selected.

In Exchange Online PowerShell, run the following command and verify the
recipient is listed:

PowerShell

Get-Recipient -ResultSize unlimited -Filter 'HiddenFromAddressListsEnabled -eq $true'

Open the GAL in Outlook or Outlook on the web (formerly known as Outlook Web
App), and verify the recipient isn't visible.

Recipient filters for address lists in Exchange Online
Article • 02/22/2023

Recipient filters identify the recipients that are included in address lists and GALs. There
are two basic options: precanned recipient filters and custom recipient filters. These
are basically the same recipient filtering options that are used by dynamic distribution
groups and email address policies.

Precanned recipient filters: Uses the required IncludedRecipients parameter with the
AllRecipients value or one or more of the following values: MailboxUsers, MailContacts,
MailGroups, MailUsers, or Resources. You can specify multiple values separated by
commas.

You can also use any of the optional Conditional filter parameters:
ConditionalCompany, ConditionalCustomAttribute[1to15],
ConditionalDepartment, and ConditionalStateOrProvince.

You specify multiple values for a Conditional parameter by using the syntax
"<Value1>","<Value2>".... Multiple values of the same property imply the or
operator. For example, "Department equals Sales or Marketing or Finance".

Custom recipient filters: Uses the required RecipientFilter parameter with an
OPATH filter.

The basic OPATH filter syntax is "<Property1> -<Operator> '<Value1>'
<Property2> -<Operator> '<Value2>'...".

Double quotation marks " " are required around the whole OPATH filter.
Although the filter is a string (not a script block), you can also use braces { },
but only if the filter doesn't contain variables that require expansion.

Hyphens (-) are required before all operators. Here are some of the most
frequently used operators:

and, or, and not.

eq and ne (equals and does not equal; not case-sensitive).

lt and gt (less than and greater than).

like and notlike (string contains and does not contain; requires at least one
wildcard in the string. For example, "Department -like 'Sales*'").

Use parentheses to group <Property> -<Operator> '<Value>' statements
together in complex filters. For example, "(Department -like 'Sales*' -or
Department -like 'Marketing*') -and (Company -eq 'Contoso' -or Company -eq
'Fabrikam')". Exchange stores the filter in the RecipientFilter property with
each individual statement enclosed in parentheses, but you don't need to enter
them that way.

For more information, see Additional OPATH syntax information.

For more information about address lists, see Address lists in Exchange Online.

For address list procedures that use recipient filters, see Address list procedures in
Exchange Online.
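An added example (not from the original article) that builds an OPATH filter from grouped conditions using the rules above and previews the result with Get-Recipient -RecipientPreviewFilter before any list is created. The function itself runs offline; the preview and New-AddressList lines assume an Exchange Online PowerShell session, and the department and company values are the ones used in the example above.

```powershell
# Added example: assemble a custom recipient filter from grouped conditions
# (values inside a group joined with -or, groups joined with -and, each group in
# parentheses, hyphenated operators, single-quoted values) and preview it first.
function New-OpathRecipientFilter {
    param(
        # Each group is a hashtable with keys Property, Operator and Items.
        [Parameter(Mandatory)] [hashtable[]] $Groups
    )

    # Only the operators documented above are allowed, so a caller can't smuggle
    # in an unexpected operator through the hashtable.
    $allowedOperators = 'eq', 'ne', 'like', 'notlike', 'lt', 'gt'

    $clauses = foreach ($g in $Groups) {
        if ($allowedOperators -notcontains $g['Operator']) {
            throw "Unsupported OPATH operator '$($g['Operator'])' for $($g['Property'])"
        }
        $terms = foreach ($item in @($g['Items'])) {
            # OPATH string literals use single quotes; a literal quote inside the
            # value is doubled, so a value like "x' -or Alias -ne '" stays a value
            # instead of rewriting the filter.
            $escaped = ([string]$item).Replace("'", "''")
            "$($g['Property']) -$($g['Operator']) '$escaped'"
        }
        '(' + ($terms -join ' -or ') + ')'
    }
    $clauses -join ' -and '
}

# Constructed input taken from the example in the text: Sales* or Marketing*
# departments, at Contoso or Fabrikam.
$filter = New-OpathRecipientFilter -Groups @(
    @{ Property = 'Department'; Operator = 'like'; Items = 'Sales*', 'Marketing*' },
    @{ Property = 'Company';    Operator = 'eq';   Items = 'Contoso', 'Fabrikam' }
)
# $filter now holds:
# (Department -like 'Sales*' -or Department -like 'Marketing*') -and (Company -eq 'Contoso' -or Company -eq 'Fabrikam')

# Preview who the filter would include (hidden recipients are returned too, so the
# flag is shown), and only then create the list. Requires Connect-ExchangeOnline.
# Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $filter |
#     Select-Object Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled
# New-AddressList -Name "Sales and Marketing" -RecipientFilter $filter
```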

Remove a global address list in Exchange Online
Article • 02/22/2023

The built-in global address list (GAL) that's automatically created by Exchange Online
includes every mail-enabled object in the organization. You can create additional GALs
to separate users by organization or location, but a user can only see and use one GAL.
For more information about address lists, see Address lists in Exchange Online.

You can use the procedures in this topic to remove any custom GALs that you've
created. You can't remove:

The GAL named Default Offline Address Book, which is the built-in GAL that's
available in Exchange Online, and the only GAL that has the
IsDefaultGlobalAddressList property value True .

A GAL that's defined in an offline address book (OAB). For OAB procedures, see
Offline address book procedures.

For additional GAL management tasks, see Address list procedures in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to remove a GAL

To remove a GAL, use the following syntax:

PowerShell

Remove-GlobalAddressList -Identity <GALIdentity>

This example removes the address list named Agency A GAL.

PowerShell

Remove-GlobalAddressList -Identity "Agency A GAL"

For detailed syntax and parameter information, see Remove-GlobalAddressList.

How do you know this worked?


To verify that you've successfully removed a GAL, run the following command in
Exchange Online PowerShell to verify that the GAL isn't listed:

PowerShell

Get-GlobalAddressList

Configure global address list properties in Exchange Online
Article • 02/22/2023

The built-in global address list (GAL) that's automatically created by Exchange Online
includes every mail-enabled object in the organization. You can create additional GALs
to separate users by organization or location, but a user can only see and use one GAL.
For more information about address lists, see Address lists in Exchange Online.

The same settings to configure a GAL are available as when you created the GAL. For
more information, see Create a global address list in Exchange Online. For additional
GAL management tasks, see Address list procedures in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You can't modify the GAL named Default Global Address List, the built-in GAL
that's available in Exchange Online, and the only GAL that has the
IsDefaultGlobalAddressList property value True .

You can't replace a custom recipient filter with a precanned recipient filter or vice-
versa in an existing GAL.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

For details about recipient filters in the Exchange Online PowerShell, see Recipient
filters for address lists in Exchange Online PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the Exchange Online PowerShell to modify global address lists

To modify a GAL, use the following syntax:

PowerShell

Set-GlobalAddressList -Identity <GALIdentity> [-Name <Name>] [<Precanned recipient filter | Custom recipient filter>]

When you modify the precanned Conditional parameter values, you can use the
following syntax to add or remove values without affecting other existing values:
@{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}.

This example modifies the existing GAL named Contoso GAL by adding the Company
value Fabrikam to the precanned recipient filter.

PowerShell

Set-GlobalAddressList -Identity "Contoso GAL" -ConditionalCompany @{Add="Fabrikam"}

For detailed syntax and parameter information, see Set-GlobalAddressList.

How do you know this worked?

To verify that you've successfully modified a GAL, replace <GAL Name> with the name
of the GAL and run the following command in Exchange Online PowerShell to verify the
property values:

PowerShell

Get-GlobalAddressList -Identity "<GAL Name>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Create a global address list in Exchange Online
Article • 02/22/2023

The built-in global address list (GAL) that's automatically created by Exchange Online
includes every mail-enabled object in the organization. You can create additional GALs
to separate users by organization or location, but a user can only see and use one GAL.
For more information about address lists, see Address lists in Exchange Online.

If your organization uses address book policies (ABPs), you'll need to create additional
GALs. To learn more, see Address book policies in Exchange Online.

For additional GAL management tasks, see Address list procedures in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

For details about recipient filters in the Exchange Online PowerShell, see Recipient
filters for address lists in Exchange Online PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to create global address lists

To create a GAL, use the following syntax:

PowerShell

New-GlobalAddressList -Name "<GAL Name>" [<Precanned recipient filter | Custom recipient filter>]

This example creates a GAL with a precanned recipient filter:

Name: Contoso GAL

Precanned recipient filter: All recipient types where the Company value is
Contoso.

PowerShell

New-GlobalAddressList -Name "Contoso GAL" -IncludedRecipients AllRecipients -ConditionalCompany Contoso

This example creates a GAL with a custom recipient filter:

Name: Agency A GAL

Custom recipient filter: All recipient types where the CustomAttribute15 property
contains the value AgencyA.

PowerShell

New-GlobalAddressList -Name "Agency A GAL" -RecipientFilter "CustomAttribute15 -like '*AgencyA*'"

For detailed syntax and parameter information, see New-GlobalAddressList.

How do you know this worked?


To verify that you've successfully created a GAL, replace <GAL Name> with the name of
the GAL and run the following command in Exchange Online PowerShell to verify the
property values:

PowerShell

Get-GlobalAddressList -Identity "<GAL Name>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Hierarchical address books in Exchange Online
Article • 02/22/2023

The hierarchical address book (HAB) allows users to look for recipients in their address
book using an organizational hierarchy. Normally, users are limited to the default global
address list (GAL) and its recipient properties and the structure of the GAL often doesn't
reflect the management or seniority relationships of recipients in your organization.
Being able to customize an HAB that maps to your organization's unique business
structure provides your users with an efficient method for locating internal recipients.

Using hierarchical address books


In an HAB, your root organization (for example, Contoso, Ltd) is used as the top-level
tier. Under this top-level tier, you can add several child tiers to create a customized HAB
that's segmented by division, department, or any other organizational tier you want to
specify. The following figure illustrates an HAB for Contoso, Ltd with the following
structure:

The top-level tier represents the root organization Contoso, Ltd.

The second-level child tiers represent the business divisions within Contoso, Ltd:
Corporate Office, Product Support Organization, and Sales & Marketing
Organization.

The third-level child tiers represent departments within the Corporate Office
division: Human Resources, Accounting Group, and Administration Group.

You can provide an additional level of hierarchical structure by using the SeniorityIndex
parameter. When creating an HAB, use the SeniorityIndex parameter to rank individual
recipients or organizational groups by seniority within these organizational tiers. This
ranking specifies the order in which the recipients or groups are displayed in the HAB.
For example, in the preceding example, the SeniorityIndex parameter for the recipients
in the Corporate Office division is set to the following:

100 for David Hamilton

50 for Rajesh M. Patel

25 for Amy Alberts

Note

If the SeniorityIndex parameter isn't set or is equal for two or more users, the HAB
sorting order uses the PhoneticDisplayName parameter value to list the users in
ascending alphabetical order. If the PhoneticDisplayName parameter value isn't set,
the HAB defaults to the DisplayName parameter value and lists the users in
ascending alphabetical order.

Configuring hierarchical address books

Detailed instructions for creating HABs are included in the topic Enable or disable
hierarchical address books. The general steps are as follows:

1. Create a distribution group that will be used for the root organization (top-level
tier).

2. Create distribution groups for the child tiers and designate them as members of
the HAB. Modify the SeniorityIndex parameter of these groups so they're listed in
the proper hierarchical order within the root organization.

3. Add organization members. Modify the SeniorityIndex parameter of the members
so they're listed in the proper hierarchical order within the child tiers.

4. For accessibility purposes, you can use the PhoneticDisplayName parameter, which
specifies a phonetic pronunciation of the DisplayName parameter, and is also used
for the sort order if the SeniorityIndex parameter value isn't set.

Enable or disable hierarchical address books in Exchange Online
Article • 02/22/2023

The hierarchical address book (HAB) allows users to look for recipients in their address
book using an organizational hierarchy. For more information, see Hierarchical address
books.

The cmdlets and parameters that you use to configure a HAB are described in the
following table:

Cmdlet: Set-OrganizationConfig
Parameter: HierarchicalAddressBookRoot
Description: Enables or disables the HAB in the organization. A valid value is a
distribution group or mail-enabled security group. You can't use a dynamic distribution
group or an Office 365 group.

Cmdlet: Set-Group
Parameter: IsHierarchicalGroup
Description: Specifies whether the distribution group or mail-enabled security group is
used in the hierarchy of the HAB. Valid values are $true or $false (the default value is
$false).

Cmdlet: Set-Contact, Set-Group, Set-User
Parameter: SeniorityIndex, PhoneticDisplayName
Description:
SeniorityIndex: A numerical value that sorts users, contacts, or groups in descending
order in the HAB (higher values are shown before lower values).
PhoneticDisplayName: When multiple users, contacts, or groups have the same
SeniorityIndex value or the value isn't set, the users, contacts, or groups are listed in
ascending alphabetical order. If PhoneticDisplayName isn't configured, the users,
contacts, or groups are listed in ascending alphabetical order based on the DisplayName
parameter value (which is also the default sort order without the HAB).

What do you need to know before you begin?

Estimated time to complete: 30 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Distribution groups" entry
in the Feature permissions in Exchange Online topic.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

This topic uses Exchange Online PowerShell examples to create distribution
groups, but you can also use the Exchange admin center (EAC) to create and add
members to distribution groups. For details, see Create and manage distribution
groups.

After you create the HAB, you can use the EAC to manage the membership of the
groups in the organizational hierarchy. However, you can only use Exchange
Online PowerShell to configure the SeniorityIndex parameter for any new groups or
users that you create.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Enable and configure a hierarchical address book

Step 1: Create the distribution groups for the HAB structure

This example uses the following hierarchy:

The distribution group named "Contoso,Ltd" is the top-level organization in the
hierarchy (the root organization).

Distribution groups named Corporate Office, Product Support Organization, and
Sales & Marketing Organization are child organizations under Contoso,Ltd
(members of the Contoso,Ltd group).

The distribution groups named Human Resources, Accounting Group, and
Administration Group are child organizations under Corporate Office (members of
the Corporate Office group).

PowerShell

New-DistributionGroup -Name "Contoso,Ltd" -Alias "ContosoRoot"

PowerShell

New-DistributionGroup -Name "Corporate Office"

PowerShell

New-DistributionGroup -Name "Product Support Organization" -Alias ProductSupport

PowerShell

New-DistributionGroup -Name "Sales & Marketing Organization" -Alias "Sales&Marketing"

PowerShell

New-DistributionGroup -Name "Human Resources"

PowerShell

New-DistributionGroup -Name "Accounting Group" -Alias Accounting

PowerShell

New-DistributionGroup -Name "Administration Group" -Alias Administration

Note: If you don't use the Alias parameter when you create a distribution group, the
value of the Name parameter is used with spaces removed.

For detailed syntax and parameter information, see New-DistributionGroup.

Step 2: Use Exchange Online PowerShell to specify the root organization for the HAB

This example specifies the distribution group named "Contoso,Ltd" from the previous
step as the root organization for the HAB.

PowerShell

Set-OrganizationConfig -HierarchicalAddressBookRoot "Contoso,Ltd"

Step 3: Use Exchange Online PowerShell to designate distribution groups as hierarchical groups

The following examples designate the groups that we previously created as hierarchical
groups:

PowerShell

Set-Group -Identity "Contoso,Ltd" -IsHierarchicalGroup $true

PowerShell

Set-Group -Identity "Corporate Office" -IsHierarchicalGroup $true

PowerShell

Set-Group -Identity "Product Support Organization" -IsHierarchicalGroup $true

PowerShell

Set-Group -Identity "Sales & Marketing Organization" -IsHierarchicalGroup $true

PowerShell

Set-Group -Identity "Human Resources" -IsHierarchicalGroup $true

PowerShell

Set-Group -Identity "Accounting Group" -IsHierarchicalGroup $true

PowerShell

Set-Group -Identity "Administration Group" -IsHierarchicalGroup $true

For detailed syntax and parameter information, see Set-Group.


Step 4: Add the child groups as members of the appropriate groups in the hierarchy

This example adds the groups named Corporate Office, Product Support Organization,
and Sales & Marketing Organization as members of Contoso,Ltd (the root organization).

PowerShell

Update-DistributionGroupMember -Identity "Contoso,Ltd" -Members "Corporate Office","Product Support Organization","Sales & Marketing Organization"

This example adds the groups named Human Resources, Accounting Group, and
Administration Group as members of Corporate Office.

PowerShell

Update-DistributionGroupMember -Identity "Corporate Office" -Members "Human Resources","Accounting Group","Administration Group"

For detailed syntax and parameter information, see Update-DistributionGroupMember.

Step 5: Add users to the appropriate groups in the HAB

This example adds the users Amy Alberts, David Hamilton, and Rajesh M. Patel to the
group named Corporate Office without affecting other existing members.

PowerShell

$members = @('aalberts@contoso.com','dhamilton@contoso.com','rmpatel@contoso.com')
foreach ($member in $members) {
    Add-DistributionGroupMember -Identity "Corporate Office" -Member $member
}

For detailed syntax and parameter information, see Update-DistributionGroupMember.

Step 6: Use Exchange Online PowerShell to configure the sort order for groups in the HAB

The SeniorityIndex parameter value for a group affects how the groups are sorted in the
HAB (higher values are displayed first).

The following examples configure the child groups of the Corporate Office group to
display in the following order:

Human Resources

Accounting Group

Administration Group

PowerShell

Set-Group -Identity "Human Resources" -SeniorityIndex 100

PowerShell

Set-Group -Identity "Accounting Group" -SeniorityIndex 50

PowerShell

Set-Group -Identity "Administration Group" -SeniorityIndex 25

For detailed syntax and parameter information, see Set-Group.

Step 7: Use Exchange Online PowerShell to configure the sort order for users in the HAB

The SeniorityIndex parameter value for a user affects how the users are sorted in groups
in the HAB (higher values are displayed first).

The following examples configure the members of the Corporate Office group to display
in the following order:

David Hamilton

Rajesh M. Patel

Amy Alberts

PowerShell

Set-User -Identity DHamilton -SeniorityIndex 100

PowerShell

Set-User -Identity RMPatel -SeniorityIndex 50

PowerShell

Set-User -Identity AAlberts -SeniorityIndex 25

For detailed syntax and parameter information, see Set-User.
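Steps 1 through 7 as one re-runnable script, added here as an example and not part of the original article. It assumes a connected Exchange Online PowerShell session, uses the group names, aliases, user identities and SeniorityIndex values from the steps, nests the groups with Add-DistributionGroupMember (so re-runs leave existing members intact) rather than Update-DistributionGroupMember, and the helper name New-HabGroupIfMissing is hypothetical.

```powershell
# Added example (not from the article): Steps 1-7 of the HAB procedure as one
# re-runnable script. Assumes Connect-ExchangeOnline has already been run.
# Group names, aliases, user identities and SeniorityIndex values are the
# article's; the helper name New-HabGroupIfMissing is hypothetical.

$hab = @{
    Root     = @{ Name = 'Contoso,Ltd'; Alias = 'ContosoRoot' }
    Children = @(
        @{ Name = 'Corporate Office';             Alias = 'CorporateOffice'; Parent = 'Contoso,Ltd' }
        @{ Name = 'Product Support Organization'; Alias = 'ProductSupport';  Parent = 'Contoso,Ltd' }
        @{ Name = 'Sales & Marketing Organization'; Alias = 'Sales&Marketing'; Parent = 'Contoso,Ltd' }
        @{ Name = 'Human Resources';      Alias = 'HumanResources'; Parent = 'Corporate Office'; SeniorityIndex = 100 }
        @{ Name = 'Accounting Group';     Alias = 'Accounting';     Parent = 'Corporate Office'; SeniorityIndex = 50 }
        @{ Name = 'Administration Group'; Alias = 'Administration'; Parent = 'Corporate Office'; SeniorityIndex = 25 }
    )
    Users = @(
        @{ Identity = 'DHamilton'; Group = 'Corporate Office'; SeniorityIndex = 100 }
        @{ Identity = 'RMPatel';   Group = 'Corporate Office'; SeniorityIndex = 50 }
        @{ Identity = 'AAlberts';  Group = 'Corporate Office'; SeniorityIndex = 25 }
    )
}

# Step 1: create each group only if it doesn't exist yet, so the script can be re-run.
function New-HabGroupIfMissing {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Alias)
    if (-not (Get-DistributionGroup -Identity $Name -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $Name -Alias $Alias | Out-Null
    }
}
New-HabGroupIfMissing -Name $hab.Root.Name -Alias $hab.Root.Alias
foreach ($g in $hab.Children) { New-HabGroupIfMissing -Name $g.Name -Alias $g.Alias }

# Step 2: make the root group the top of the hierarchy.
Set-OrganizationConfig -HierarchicalAddressBookRoot $hab.Root.Name

# Step 3: flag the root and every child group as hierarchical.
$allGroups = @($hab.Root.Name) + @($hab.Children | ForEach-Object { $_.Name })
foreach ($name in $allGroups) { Set-Group -Identity $name -IsHierarchicalGroup $true }

# Steps 4 and 5: nest child groups under their parent and add the users.
# Add-DistributionGroupMember leaves existing members untouched (the article's
# Update-DistributionGroupMember replaces the whole member list instead);
# "already a member" errors on re-runs are ignored on purpose.
foreach ($g in $hab.Children) {
    Add-DistributionGroupMember -Identity $g.Parent -Member $g.Name -ErrorAction SilentlyContinue
}
foreach ($u in $hab.Users) {
    Add-DistributionGroupMember -Identity $u.Group -Member $u.Identity -ErrorAction SilentlyContinue
}

# Steps 6 and 7: sort order. Higher SeniorityIndex is shown first; anything left
# unset falls back to PhoneticDisplayName/DisplayName alphabetical order.
foreach ($g in $hab.Children | Where-Object { $_.ContainsKey('SeniorityIndex') }) {
    Set-Group -Identity $g.Name -SeniorityIndex $g.SeniorityIndex
}
foreach ($u in $hab.Users) {
    Set-User -Identity $u.Identity -SeniorityIndex $u.SeniorityIndex
}

# Verification, as in "How do you know this worked?": the root must be set, and
# any hierarchical group without a SeniorityIndex is reported because it will
# sort by name rather than by rank (the root group itself is expected here).
$root = (Get-OrganizationConfig).HierarchicalAddressBookRoot
if (-not $root) { throw 'HierarchicalAddressBookRoot is not set; the HAB is disabled.' }
$habGroups = Get-Group -ResultSize Unlimited | Where-Object { $_.IsHierarchicalGroup }
$habGroups | Sort-Object SeniorityIndex -Descending |
    Format-Table DisplayName, SeniorityIndex, PhoneticDisplayName -AutoSize
$unranked = $habGroups | Where-Object { -not $_.SeniorityIndex }
if ($unranked) { Write-Warning "Groups without SeniorityIndex: $($unranked.DisplayName -join ', ')" }
```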

How do you know this worked?

To verify that you've successfully enabled and configured a hierarchical address book,
use any of the following steps:

Open Outlook in a profile that's connected to a mailbox in your Exchange Online
organization, and click Address Book or press Ctrl+Shift+B. The HAB is displayed
on the Organization tab, similar to the following figure.

In Exchange Online PowerShell, run the following commands to verify the property
values:

PowerShell

Get-OrganizationConfig | Format-List HierarchicalAddressBookRoot

PowerShell

Get-Group -ResultSize unlimited | where {$_.IsHierarchicalGroup -match 'True'} | Format-Table SeniorityIndex,PhoneticDisplayName,DisplayName -Auto

PowerShell

Get-Group -ResultSize unlimited | Format-Table SeniorityIndex,PhoneticDisplayName,DisplayName -Auto

Use Exchange Online PowerShell to disable a hierarchical address book

To disable a HAB, you don't need to delete the groups that are associated with the HAB
structure or reset the SeniorityIndex values for groups or users. Disabling the HAB only
prevents the HAB from being displayed in Outlook. To re-enable the HAB with the same
configuration settings, you only need to specify the root organization for the HAB.

This example disables the hierarchical address book.

PowerShell

Set-OrganizationConfig -HierarchicalAddressBookRoot $null

How do you know this worked?

To verify that you've successfully disabled the hierarchical address book, use any of the
following steps:

Open Outlook in a profile that's connected to a mailbox in your Exchange Online
organization, and click Address Book or press Ctrl+Shift+B. Verify that the entries
in the address book are displayed in alphabetical order.

In Exchange Online PowerShell, run the following command to verify that the
HierarchicalAddressBookRoot property value is blank:

PowerShell

Get-OrganizationConfig | Format-List HierarchicalAddressBookRoot


Offline address books in Exchange Online
Article • 02/22/2023

An offline address book (OAB) is a downloadable address list collection that Outlook
users can access while disconnected from Exchange Online. Admins can decide which
address lists are made available to users who work offline.

Offline address books are generated every 8 hours.

For more information about address lists in Exchange Online, see Address lists.

For OAB procedures, see Offline address book procedures.

How users download offline address books

1. In Outlook, click File > Account Settings > Download Address Book.

2. On the Offline address book dialog box that's displayed, make the following
selections:

Download changes since last Send/Receive: By default, this check box is
selected. Unchecking this box causes a full download of the OAB.

Choose address book: This drop-down list will display the offline address
books that are available to you. Depending on what an admin has configured,
you might see only one value here (for example, the global address list).

3. Click OK. The OAB is downloaded and saved on your computer.

Conditions that cause a full download of the OAB

There are situations where Outlook will always perform a full OAB download. For
example:

There's no OAB on the client computer (for example, this is the first time you've
connected to your Exchange Online mailbox in Outlook on this computer).

The version of the OAB on the server and the client don't match (a more recent
version of the OAB is present on the server).

One or more OAB files are missing from the client computer.

A previous full download failed, and Outlook has to start over.

When a user has multiple MAPI profiles on the same Outlook client computer and
they switch between the two profiles that both use Cached Exchange Mode,
multiple full OAB downloads of the same OAB files will occur.

Offline address book procedures in Exchange Online
Article • 02/22/2023

Create an offline address book

Add an address list to or remove an address list from an offline address book

Change the default offline address book

Provision recipients for offline address book downloads

Remove an offline address book


Create an offline address book in Exchange Online
Article • 02/22/2023

An offline address book (OAB) is a downloadable address list collection that Outlook
users can access while disconnected from Exchange Online. An OAB allows Outlook
users to access the information within the specified address lists while disconnected
from Exchange Online. Admins can decide which address lists are made available to
users who work offline.

For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?

Estimated time to complete: 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use Exchange Online PowerShell to create an OAB with web-based distribution

This example creates an OAB named OAB_Contoso that contains the default global
address list.

PowerShell

New-OfflineAddressBook -Name "OAB_Contoso" -AddressLists "\Default Global Address List"

For detailed syntax and parameter information, see New-OfflineAddressBook.

Add an address list to or remove an address list from an offline address book in Exchange Online
Article • 02/22/2023

You can use Exchange Online PowerShell to add or remove an address list from an
offline address book (OAB). By default, there is an OAB named the Default Offline
Address Book that contains the global address list (GAL). OABs are generated based on
the address lists that they contain. To create custom OABs that users can download, you
can add or remove address lists from OABs.

For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?

Estimated time to complete each procedure: 5 minutes

Changes to the address list aren't available for client download until after the OAB
in which the address list resides has been generated.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use Exchange Online PowerShell to add and remove address lists from offline address books

When you modify the address lists that are configured in an OAB, the values that you
specify will replace any address lists in the OAB. To add address lists to the OAB, specify
the current address lists plus the ones you want to add. To remove address lists from the
OAB, specify the current address lists minus the ones you want to remove.

In this example, the OAB named Marketing OAB is already configured with Address List
1 and Address List 2. To keep those address lists and add Address List 3, run the
following command:

PowerShell

Set-OfflineAddressBook -Identity "Marketing OAB" -AddressLists "Address List 1","Address List 2","Address List 3"

Similarly, to keep the OAB configured with Address List 1 and Address List 2, but remove
Address List 3, run the following command:

PowerShell

Set-OfflineAddressBook -Identity "Marketing OAB" -AddressLists "Address List 1","Address List 2"

For detailed syntax and parameter information, see Set-OfflineAddressBook.
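Because -AddressLists replaces the whole set, a safer way to add or remove one list is to read the current set first and write back the computed result. The following is an added example, not code from the article; it assumes a connected Exchange Online PowerShell session, the function names Get-OabAddressListNames and Set-OabAddressListMembership are hypothetical, and the OAB and address list names are the article's.

```powershell
# Added example (not from the article): add or remove address lists on an OAB
# without losing the ones already configured. Assumes Connect-ExchangeOnline has
# been run; the function names are hypothetical, the OAB and list names are the article's.

function Get-OabAddressListNames {
    param([Parameter(Mandatory)][string]$Identity)
    $oab = Get-OfflineAddressBook -Identity $Identity -ErrorAction Stop
    # AddressLists holds address list identities; use the bare name if one is exposed,
    # otherwise the string form, which Set-OfflineAddressBook also accepts.
    foreach ($al in @($oab.AddressLists)) {
        if ($al.PSObject.Properties['Name']) { $al.Name } else { [string]$al }
    }
}

function Set-OabAddressListMembership {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$Add = @(),
        [string[]]$Remove = @()
    )
    $current = @(Get-OabAddressListNames -Identity $Identity)
    # -AddressLists replaces the whole set, so build the complete desired set first:
    # current lists, plus the additions, minus the removals, without duplicates.
    $desired = @($current + $Add | Where-Object { $_ -notin $Remove } | Select-Object -Unique)
    if ($desired.Count -eq 0) {
        throw "Refusing to leave '$Identity' with no address lists; remove the OAB instead."
    }
    Set-OfflineAddressBook -Identity $Identity -AddressLists $desired
    # Return the resulting set so the caller can check it (the article's
    # "How do you know this worked?" step). Clients only see the change after
    # the OAB is next generated.
    Get-OabAddressListNames -Identity $Identity
}

# Marketing OAB starts with Address List 1 and Address List 2, as in the article.
# First call adds Address List 3 while keeping the other two; second call removes it again.
Set-OabAddressListMembership -Identity 'Marketing OAB' -Add 'Address List 3'
Set-OabAddressListMembership -Identity 'Marketing OAB' -Remove 'Address List 3'
```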

How do you know this worked?

To verify that you've successfully added or removed address lists from an OAB, run the
following command to verify the AddressLists property values:

PowerShell

Get-OfflineAddressBook | Format-List Name,AddressLists


Change the default offline address book in Exchange Online
Article • 02/22/2023

By default, the automatically-created OAB named Default Offline Address Book is the
default OAB. You can set any OAB in your Exchange Online organization as the default
OAB. The default OAB is used by:

Mailboxes without an address book policy (ABP) assigned, or where the assigned
ABP policy has no OAB defined (by default, there are no ABPs).

Mailboxes without an OAB assigned (by default, all mailboxes).

If you delete the default OAB, Exchange Online doesn't automatically assign another
OAB as the default. You need to manually designate another OAB as the default.

For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?

Estimated time to complete this procedure: 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use Exchange Online PowerShell to change the default OAB

This example sets the OAB named My OAB as the default OAB.

PowerShell

Set-OfflineAddressBook -Identity "My OAB" -IsDefault $true

For detailed syntax and parameter information, see Set-OfflineAddressBook.

How do you know this worked?

To verify that you've successfully changed the default OAB, run the following command
to verify the IsDefault property value:

PowerShell

Get-OfflineAddressBook | Format-List Name,IsDefault


Provision recipients for offline address book downloads in Exchange Online
Article • 02/22/2023

If you use multiple offline address books (OABs) in your organization, you have only one
option for assigning the OAB to users:

Per address book policy: You can assign an address book policy (ABP) to a user,
and the ABP specifies the OAB. If you assign an ABP to a user that already has an
OAB assigned to their mailbox, the OAB that's assigned to the mailbox will take
precedence. For more information, see Assign an address book policy to mail
users.

For additional management tasks related to OABs, see Offline address book procedures.

Remove an offline address book in Exchange Online
Article • 02/22/2023

This topic explains how to remove an offline address book (OAB) from Exchange Online.
If you remove the default OAB, you must assign a different OAB as the default OAB. For
instructions about how to change the default OAB, see Change the default offline
address book.

For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?

Estimated time to complete each procedure: 5 minutes.

By default, the Address List role isn't assigned to any role groups in Exchange
Online. To use any cmdlets that require the Address List role, you need to add the
role to a role group. For more information, see Modify role groups.

You can only use Exchange Online PowerShell to perform the procedures in this
topic. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use Exchange Online PowerShell to remove an OAB

This example removes an OAB named My OAB.

PowerShell

Remove-OfflineAddressBook -Identity "My OAB"

For detailed syntax and parameter information, see Remove-OfflineAddressBook.


How do you know this worked?

To verify that you've successfully removed the OAB, run the following command to verify
that the OAB is gone.

PowerShell

Get-OfflineAddressBook

Voice mail in Exchange Online: Unified Messaging
Article • 02/22/2023

Unified Messaging (UM) in Exchange Online has been retired. Cloud Voicemail replaces
Exchange UM for providing voice messaging functionality for Teams and Exchange
Online users. For more information, see Set up Cloud Voicemail.

Cloud Voicemail is also the solution for Skype for Business Server 2019 voice users who
have mailboxes on Exchange Server 2019 or Exchange Online. For more information on
setting up Cloud Voicemail for Skype for Business Server 2019, see Plan Cloud Voicemail
service.

Clients and mobile in Exchange Online
Article • 02/22/2023

Many different clients can be used to access information in an Exchange Online mailbox.
These clients include desktop programs such as Microsoft Outlook, Outlook on the web
(formerly known as Outlook Web App), and mobile clients such as phones, tablets, and
other mobile devices. Each of these clients offers a variety of features.

The following table contains links to topics that will help you learn about and manage
some of the clients and client access methods that can be used to access an Office 365
or Microsoft 365 mailbox.

Topic: Outlook for iOS and Android in Exchange Online

Topic: Exchange ActiveSync in Exchange Online
Description: Learn about Exchange ActiveSync, the protocol that provides connectivity to
a wide variety of mobile phones and tablets. Using Exchange ActiveSync, users can access
email, calendar, contact, and task information.

Topic: Mobile device mailbox policies in Exchange Online

Topic: POP3 and IMAP4
Description: Learn about how you can use the POP3 and IMAP4 protocols to provide users
access to a number of the features in their Office 365 or Microsoft 365 mailbox. These
client protocols can be used on desktop email applications and on many mobile phones
and devices.

Topic: Outlook on the web in Exchange Online
Description: Learn about Outlook on the web, which provides users access to their
Exchange Online mailbox through a web browser.

Topic: MailTips in Exchange Online
Description: Learn about MailTips, the informative messages displayed to users while
they're composing a message.

Topic: Add-ins for Outlook in Exchange Online

Topic: Remote Connectivity Analyzer tests for Exchange Online

Topic: Client Access Rules in Exchange Online
Description: Learn how to use Client Access Rules to control connections to Exchange
Online.

Topic: Disable Basic authentication in Exchange Online
Description: Learn how to disable Basic auth connections to your Exchange Online
mailboxes.

Topic: Enable or disable modern authentication for Outlook in Exchange Online
Description: Learn how to require Modern auth connections to your Exchange Online
mailboxes.

Deprecation of Basic authentication in Exchange Online
Article • 02/22/2023

Important

If Basic authentication was disabled in your tenant and users and apps were unable
to connect, you had until Dec 31 2022, to re-enable the affected protocols. Now that
the date has passed, you (or support) can't re-enable Basic authentication in your
tenant.

Basic authentication is now being disabled in all new tenants, or wherever it is still
enabled.

Read the rest of this article to fully understand the changes we're making and how
these changes might affect you.

For many years, applications have used Basic authentication to connect to servers,
services, and API endpoints. Basic authentication simply means the application sends a
username and password with every request, and those credentials are also often stored
or saved on the device. Traditionally, Basic authentication is enabled by default on most
servers or services, and is simple to set up.

Simplicity isn't at all bad, but Basic authentication makes it easier for attackers to capture
user credentials (particularly if the credentials are not protected by TLS), which increases
the risk of those stolen credentials being reused against other endpoints or services.
Furthermore, the enforcement of multifactor authentication (MFA) is not simple or in
some cases, possible when Basic authentication remains enabled.

Basic authentication is an outdated industry standard. Threats posed by it have only
increased since we originally announced that we were going to turn it off (see Improving
Security - Together). There are better and more effective user authentication
alternatives.

We actively recommend that customers adopt security strategies such as Zero Trust
(Never Trust, Always Verify), or apply real-time assessment policies when users and
devices access corporate information. These alternatives allow for intelligent decisions
about who is trying to access what from where on which device rather than simply
trusting an authentication credential that could be a bad actor impersonating a user.
With these threats and risks in mind, we're taking steps to improve data security in
Exchange Online.

Note

The deprecation of basic authentication will also prevent the use of app passwords
with apps that don't support two-step verification.

What we are changing

We're removing the ability to use Basic authentication in Exchange Online for Exchange
ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline
Address Book (OAB), Autodiscover, Outlook for Windows, and Outlook for Mac.

We're also disabling SMTP AUTH in all tenants in which it's not being used.

This decision requires customers to move from apps that use basic authentication to
apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based
authorization) has many benefits and improvements that help mitigate the issues in basic
authentication. For example, OAuth access tokens have a limited usable lifetime, and are
specific to the applications and resources for which they are issued, so they cannot be
reused. Enabling and enforcing multifactor authentication (MFA) is also simple with
Modern authentication.

When will this change take place?

We've already started making this change. We now create new Microsoft 365 tenants
with Basic authentication in Exchange Online turned off, because Security defaults is
enabled for them.

Beginning in early 2021, we started to disable Basic authentication for existing tenants
with no reported usage.

Beginning in early 2023, we disabled Basic authentication for any tenants who requested
an extension. You can read more about the timing here.

Note

In Office 365 Operated by 21Vianet, we'll begin disabling Basic authentication on
March 31, 2023. All other cloud environments are subject to the October 1, 2022
date.

Impact to messaging protocols and existing applications

This change affects the applications and scripts you might use in different ways.

POP, IMAP, and SMTP AUTH

In 2020, we released OAuth 2.0 support for POP, IMAP, and SMTP AUTH. Some client apps
have been updated to support these authentication types (Thunderbird, for example,
though not yet for customers using Office 365 Operated by 21Vianet), so users with
up-to-date versions can change their configuration to use OAuth. There is no plan for
Outlook clients to support OAuth for POP and IMAP, but Outlook can connect using
MAPI/HTTP (Windows clients) and EWS (Outlook for Mac).

Application developers who have built apps that send, read, or otherwise process email
using these protocols will be able to keep the same protocol, but need to implement
secure, Modern authentication experiences for their users. This functionality is built on
top of Microsoft Identity platform v2.0 and supports access to Microsoft 365 email
accounts.

If your in-house application needs to access IMAP, POP and SMTP AUTH protocols in
Exchange Online, follow these step-by-step instructions to implement OAuth 2.0
authentication: Authenticate an IMAP, POP, or SMTP connection using OAuth.
Additionally, use the PowerShell script Get-IMAPAccesstoken.ps1 to test IMAP access
after your OAuth enablement in a simple way, including the shared mailbox use case. If
this is successful, the confident next step is to talk to your application owner, vendor,
or internal business partner.

Work with your vendor to update any apps or clients that you use that could be
impacted.

SMTP AUTH will still be available when Basic authentication is permanently disabled on
October 1, 2022. The reason SMTP will still be available is that many multi-function
devices such as printers and scanners can't be updated to use modern authentication.
However, we strongly encourage customers to move away from using Basic
authentication with SMTP AUTH when possible. Other options for sending authenticated
mail include using alternative protocols, such as the Microsoft Graph API.

Exchange ActiveSync (EAS)

Many users have mobile devices that are set up to use EAS. If they're using Basic
authentication, they will be impacted by this change.

We recommend using Outlook for iOS and Android when connecting to Exchange
Online. Outlook for iOS and Android fully integrates Microsoft Enterprise Mobility +
Security (EMS), which enables conditional access and app protection (MAM) capabilities.
Outlook for iOS and Android helps you secure your users and your corporate data, and it
natively supports Modern authentication.

There are other mobile device email apps that support Modern authentication. The built-
in email apps for all popular platforms typically support Modern authentication, so
sometimes the solution is to verify that your device is running the latest version of the
app. If the email app is current, but is still using Basic authentication, you might need to
remove the account from the device and then add it back.

If you're using Microsoft Intune, you might be able to change the authentication type
using the email profile you push or deploy to your devices. If you are using iOS devices
(iPhones and iPads), you should take a look at Add e-mail settings for iOS and iPadOS
devices in Microsoft Intune.

Any iOS device that's managed with Basic Mobility and Security won't be able to access
email if the following conditions are true:

You've configured a device security policy to require a managed email profile for
access.

You haven't modified the policy since November 9, 2021 (which means the policy is
still using Basic authentication).

Policies created or modified after this date have already been updated to use modern
authentication.

To update policies that haven't been modified since November 9, 2021 to use modern
authentication, make a temporary change to the policy's access requirements. We
recommend changing and saving the Require Encrypted backups cloud setting, which
will upgrade the policy to use modern authentication. Once the altered policy has the
status value Turned on, the email profile has been upgraded. You may then revert the
temporary change to the policy.

Note

During the upgrade process, the email profile will be updated on the iOS device and
the user will be prompted to enter their username and password.

If your devices are using certificate-based authentication, they will be unaffected
when Basic authentication is turned off in Exchange Online later this year. Only
devices authenticating directly using Basic authentication will be affected.
Certificate-based authentication is still legacy authentication and as such will be
blocked by Azure AD conditional access policies that block legacy authentication.
For more information see Block legacy authentication - Azure Active Directory.

Exchange Online PowerShell


Since the release of the Exchange Online PowerShell module, it's been easy to manage
your Exchange Online settings and protection settings from the command line using
Modern authentication. The module uses Modern authentication and works with multi-
factor authentication (MFA) for connecting to all Exchange-related PowerShell
environments in Microsoft 365: Exchange Online PowerShell, Security & Compliance
PowerShell, and standalone Exchange Online Protection (EOP) PowerShell.

The Exchange Online PowerShell module can also be used non-interactively, which
enables running unattended scripts. Certificate-based authentication provides admins
the ability to run scripts without the need to create service-accounts or store credentials
locally. To learn more, see: App-only authentication for unattended scripts in the
Exchange Online PowerShell module.
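
The following is an added example, not code from the original article: the skeleton of an unattended job that connects with app-only (certificate-based) authentication instead of a stored service-account password. The app ID, certificate thumbprint and tenant name are placeholders for your own app registration, and the certificate must already be in the local certificate store.

```powershell
# Added example, not code from the original article: an unattended job that
# authenticates to Exchange Online with a certificate rather than a password.
# AppId, thumbprint and organization below are placeholders for your own values.
function Invoke-UnattendedExoJob {
    param(
        [Parameter(Mandatory)] [string] $AppId,                  # Azure AD app registration (client) ID
        [Parameter(Mandatory)] [string] $CertificateThumbprint,  # cert in CurrentUser\My or LocalMachine\My
        [Parameter(Mandatory)] [string] $Organization,           # e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)] [scriptblock] $Work                # what the job does once connected
    )
    Import-Module ExchangeOnlineManagement -ErrorAction Stop

    # App-only (certificate-based) authentication: no username or password is
    # involved, so turning off Basic authentication cannot break this session.
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertificateThumbprint `
                           -Organization $Organization -ShowBanner:$false -ErrorAction Stop
    try {
        & $Work
    }
    finally {
        # Always tear the session down, even if the work throws.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage with placeholder values: report the authentication policies that exist
# and whether each still allows Basic authentication for POP or IMAP.
Invoke-UnattendedExoJob -AppId '00000000-0000-0000-0000-000000000000' `
    -CertificateThumbprint 'THUMBPRINT' -Organization 'contoso.onmicrosoft.com' `
    -Work { Get-AuthenticationPolicy | Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap }
```

The scriptblock parameter keeps the connect/disconnect handling in one place so every scheduled task in the tenant reuses it; the app registration needs only the Exchange.ManageAsApp permission and an Exchange role assignment, never a mailbox password.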

Administrators who still use the old remote PowerShell connection method or the older
Exchange Online Remote PowerShell Module (V1), are encouraged to begin using the
Exchange Online PowerShell module as soon as possible. These older connection
methods will eventually be retired, either through Basic authentication disablement or
the end of support.

Important

Don't be confused by the fact that PowerShell requires Basic authentication to be
enabled for WinRM on the local machine where the session runs. The username
and password aren't sent to the service using Basic authentication; the Basic Auth
header is only the carrier for the session's OAuth token, because the WinRM client
doesn't support OAuth. We are working on this problem and will have more to
announce in the future. Enabling Basic on WinRM is not the same as using Basic
authentication to the service. For more information, see Exchange Online
PowerShell: Turn on Basic authentication in WinRM.

Read more about this situation here: Understanding the Different Versions of
Exchange Online PowerShell Modules and Basic Auth.

For details on moving from the V1 version of the module to the current version, see
this blog post.

Version 3.0.0 of the Exchange Online PowerShell V3 module (Preview versions 2.0.6-
PreviewX) contains REST API backed versions of all Exchange Online cmdlets that
don't require Basic authentication in WinRM. For more information, see Updates for
version 3.0.0.

Exchange Web Services (EWS)


Many applications have been created using EWS for access to mailbox and calendar data.

In 2018, we announced that Exchange Web Services would no longer receive feature
updates and we recommended that application developers switch to using Microsoft
Graph. See Upcoming changes to Exchange Web Services (EWS) API for Office 365 .

Many applications have successfully moved to Graph, but for those applications that
haven't, it's noteworthy that EWS already fully supports Modern authentication. So if you
can't migrate to Graph yet, you can switch to using Modern authentication with EWS,
knowing that EWS will eventually be deprecated.

To learn more, see:

Upcoming API Deprecations in Exchange Web Services for Exchange Online - Microsoft Tech Community
Authenticate an EWS application by using OAuth
What to do with EWS Managed API PowerShell scripts that use Basic Authentication

Outlook, MAPI, RPC, and Offline Address Book (OAB)


All versions of Outlook for Windows since 2016 have Modern authentication enabled by
default, so it's likely that you're already using Modern authentication. Outlook Anywhere
(formerly known as RPC over HTTP) has been deprecated in Exchange Online in favor of
MAPI over HTTP. Outlook for Windows uses MAPI over HTTP, EWS, and OAB to access
mail, set free/busy and out of office, and download the Offline Address Book. All of these
protocols support Modern authentication.

Outlook 2007 and Outlook 2010 can't use Modern authentication and will eventually be
unable to connect. Outlook 2013 requires a setting to enable Modern authentication, but
once you configure the setting, Outlook 2013 can use Modern authentication with no
issues. As announced earlier, Outlook 2013 also requires a minimum update level to
connect to Exchange Online. See: New minimum Outlook for Windows version
requirements for Microsoft 365.

Outlook for Mac supports Modern authentication.

For more information about Modern authentication support in Office, see How modern
authentication works for Office client apps.

If you need to migrate Public Folders to Exchange online, see Public Folder Migration
Scripts with Modern Authentication Support .

Autodiscover
In November 2022 we announced we would disable basic authentication for the
Autodiscover protocol once EAS and EWS are disabled in a tenant.

How do you know if your users will be impacted?
There are several ways to determine if you're using Basic authentication or Modern
authentication. If you're using Basic authentication, you can determine where it's coming
from and what to do about it.

Authentication dialog
A simple way to tell if a client app (for example, Outlook) is using Basic authentication or
Modern authentication is to observe the dialog that's presented when the user logs in.

Modern authentication displays a web-based login page.

Basic authentication presents a credential dialog box.

On a mobile device, you'll see a similar web-based page when you authenticate if the
device is trying to connect using Modern authentication.

You can also check the connection status dialog box, by CTRL + right-clicking the
Outlook icon in the system tray, and choosing Connection Status.

When using Basic authentication, the Authn column in the Outlook Connection Status
dialog shows the value of Clear.
Once you switch to Modern authentication, the Authn column in the Outlook Connection
Status dialog shows the value of Bearer.

Check the Message Center


From the end of 2021, we started sending Message Center posts to tenants
summarizing their usage of Basic authentication. If you don't use Basic authentication,
you'll probably have had Basic authentication turned off already (and received a Message
Center post saying so), so unless you start using it, you won't be impacted.

If you did get a summary of usage, you'll know how many unique users we saw using
Basic authentication in the previous month, and which protocols they used. These
numbers are indicative only, and do not necessarily reflect successful access to mailboxes
or data. For example, a user may authenticate using IMAP, but be denied access to the
mailbox due to configuration or policy. But the usage summary does indicate that
something or someone is successfully authenticating to your tenant using Basic
authentication. To investigate this usage further, we recommend that you use the Azure
Active Directory Sign-in events report – a report that can provide detailed user, IP, and
client details for these authentication attempts (more details below).

Check the Azure Active Directory Sign-in report


The best place to get the most up-to-date picture of Basic authentication usage in your
tenant is the Azure AD Sign-In report. To learn more, see: New tools to block
legacy authentication in your organization - Microsoft Tech Community.

Exporting logs for analysis requires a premium license for your Azure AD tenant. If you
have a premium license, you can use the following methods to export logs:

Azure Event Hubs, Azure Storage, or Azure Monitor (best methods): All of these
export pathways are capable of handling the load from even large customers with
hundreds of thousands of users. For more information, see Stream Azure Active
Directory logs to Azure Monitor logs.
Graph APIs: We recommend that you use MS Graph paging logic to ensure you can
pull in all of the logs. For more information, see Access Azure AD logs with the
Microsoft Graph API.
Direct download from web browser: For large customers, the amount of data can
cause browser timeouts.
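
As an added example that is not part of the original article, the following PowerShell takes an exported sign-in log and reports who is still authenticating with Basic authentication, by protocol, separating successful logons from failed attempts (a password spray shows up as many failures against one account). The JSON is a constructed sample in the shape of the Microsoft Graph signIn resource; the legacy-protocol strings in $LegacyClientApps are assumed to match the client app names the sign-in report uses, so verify them against your own export.

```powershell
# Added example, not code from the original article. Summarizes Basic
# authentication usage from an Azure AD sign-in log export. The JSON below is a
# constructed sample; replace it with your own export, for example
# Get-Content .\signins.json | ConvertFrom-Json, or with Graph API paging output.

# Assumed clientAppUsed values that indicate a legacy (Basic-capable) protocol.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'Exchange Web Services', 'IMAP4', 'POP3',
    'Authenticated SMTP', 'Exchange Online PowerShell', 'Autodiscover',
    'Outlook Anywhere (RPC over HTTP)', 'MAPI over HTTP',
    'Offline Address Book', 'Other clients'
)

# Constructed sample: errorCode 0 is success; 50126 is Azure AD's code for an
# invalid username or password, i.e. a failed guess.
$SampleSignIns = @'
[
 {"userPrincipalName":"laura@contoso.com","clientAppUsed":"IMAP4","ipAddress":"203.0.113.10","status":{"errorCode":0},"createdDateTime":"2023-02-20T08:01:12Z"},
 {"userPrincipalName":"laura@contoso.com","clientAppUsed":"Browser","ipAddress":"203.0.113.10","status":{"errorCode":0},"createdDateTime":"2023-02-20T08:05:40Z"},
 {"userPrincipalName":"akol@contoso.com","clientAppUsed":"Exchange ActiveSync","ipAddress":"198.51.100.7","status":{"errorCode":0},"createdDateTime":"2023-02-20T09:10:00Z"},
 {"userPrincipalName":"svc-scan@contoso.com","clientAppUsed":"Authenticated SMTP","ipAddress":"192.0.2.44","status":{"errorCode":50126},"createdDateTime":"2023-02-20T09:11:30Z"},
 {"userPrincipalName":"svc-scan@contoso.com","clientAppUsed":"Authenticated SMTP","ipAddress":"192.0.2.45","status":{"errorCode":50126},"createdDateTime":"2023-02-20T09:11:31Z"},
 {"userPrincipalName":"tjohnston@contoso.com","clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"198.51.100.9","status":{"errorCode":0},"createdDateTime":"2023-02-20T10:00:00Z"}
]
'@

function Get-BasicAuthUsage {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $LegacyApps = $LegacyClientApps
    )
    # Keep only legacy-protocol sign-ins, then one row per user and protocol.
    $SignIns |
        Where-Object { $LegacyApps -contains $_.clientAppUsed } |
        Group-Object userPrincipalName, clientAppUsed |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User        = $first.userPrincipalName
                Protocol    = $first.clientAppUsed
                Attempts    = $_.Count
                Successes   = @($_.Group | Where-Object { $_.status.errorCode -eq 0 }).Count
                SourceIPs   = ($_.Group.ipAddress | Sort-Object -Unique) -join ', '
                LastSeenUtc = ($_.Group.createdDateTime | Sort-Object | Select-Object -Last 1)
            }
        } | Sort-Object Attempts -Descending
}

$signIns = $SampleSignIns | ConvertFrom-Json
Get-BasicAuthUsage -SignIns $signIns | Format-Table -AutoSize
```

On the sample this yields three rows: laura (IMAP4, 1 success), akol (Exchange ActiveSync, 1 success) and svc-scan (Authenticated SMTP, 2 attempts, 0 successes from two addresses); the Browser and Mobile Apps rows are modern authentication and are dropped. Rows with successes are the clients you have to migrate; rows with only failures are the accounts being guessed against, which is exactly what blocking Basic authentication pre-auth stops from ever reaching the IdP.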

Client options
Some of the options available for each of the impacted protocols are listed below.

Protocol recommendation
For Exchange Web Services (EWS), Remote PowerShell (RPS), POP and IMAP, and
Exchange ActiveSync (EAS):

If you have written your own code using these protocols, update your code to use
OAuth 2.0 instead of Basic Authentication, or migrate to a newer protocol (Graph
API).
If you or your users are using a 3rd party application which uses these protocols,
reach out to the 3rd party app developer who supplied this application to update it
to support OAuth 2.0 authentication or assist your users to switch to an application
that's built using OAuth 2.0.

The following table lists, for each key protocol, the impacted clients, the client-specific
recommendation, any special recommendation for Office 365 operated by 21Vianet
(Gallatin), and other protocol info or notes.

Key Protocol: Outlook
Impacted Clients: All versions of Outlook for Windows and Mac
Client Specific Recommendation: Upgrade to Outlook 2013 or later for Windows and Outlook 2016 or later for Mac. If you are using Outlook 2013 for Windows, turn on modern auth through the registry key.
Other Protocol Info / Notes: Enabling Modern Auth for Outlook – How Hard Can It Be?

Key Protocol: Exchange Web Services (EWS)
Impacted Clients: Third-party applications not supporting OAuth. Popular Apps:
- Microsoft Teams Rooms: Enable modern authentication by following the steps in Authentication in Microsoft Teams Rooms
- Dynamics 365 / PowerApps: Use of Basic authentication with Exchange Online
- Cisco Unity: Cisco Unity Connection Service Bulletin for Unified Messaging with Microsoft Office 365 Product Bulletin
Client Specific Recommendation: Modify app to use modern auth. Migrate app to use Graph API and modern auth.
Special Recommendation for Office 365 Operated by 21Vianet (Gallatin): Follow this article to migrate your customized application to use EWS with OAuth. Microsoft Teams and Cisco Unity are not currently available in Gallatin.
Other Protocol Info / Notes: What to do with EWS Managed API PowerShell scripts that use Basic Authentication. No EWS feature updates starting July 2018.

Key Protocol: Remote PowerShell (RPS)
Impacted Clients: Exchange administrators; Delegated Admin Privileges; Automated management tools
Client Specific Recommendation: Use either the Exchange Online PowerShell module or PowerShell within Azure Cloud Shell.
Special Recommendation for Office 365 Operated by 21Vianet (Gallatin): Azure Cloud Shell is not available in Gallatin.
Other Protocol Info / Notes: Learn more about Automation and certificate-based authentication support for the Exchange Online PowerShell module and Understanding the Different Versions of Exchange Online PowerShell Modules and Basic Auth.

Key Protocol: POP and IMAP
Impacted Clients: Third party mobile clients such as Thunderbird; first party clients configured to use POP or IMAP
Client Specific Recommendation: Move away from these protocols as they don't enable full features. Move to OAuth 2.0 for POP/IMAP when your client app supports it. See Authenticate an IMAP, POP, or SMTP connection using OAuth.
Special Recommendation for Office 365 Operated by 21Vianet (Gallatin): Follow this article to configure POP and IMAP with OAuth in Gallatin, with sample code.
Other Protocol Info / Notes: IMAP is popular for Linux and education customers. OAuth 2.0 support started rolling out in April 2020.

Key Protocol: Exchange ActiveSync (EAS)
Impacted Clients: Mobile email clients from Apple, Samsung etc. Popular Apps:
- Apple iPhone/iPad/macOS: All up to date iOS/macOS devices are capable of using modern authentication, just remove and add back the account.
- Microsoft Windows 10 Mail client: Remove and add back the account, choosing Office 365 as the account type.
Client Specific Recommendation: Move to Outlook for iOS and Android or another mobile email app that supports Modern Auth. Update the app settings if it can do OAuth but the device is still using Basic. Switch to Outlook on the web or another mobile browser app that supports modern auth.
Special Recommendation for Office 365 Operated by 21Vianet (Gallatin): Apple's native mail app on iOS does not currently work in Gallatin; we recommend you use Outlook mobile. The Windows 10/11 Mail app is not supported with Gallatin. Follow this article to configure EAS with OAuth, with sample code.
Other Protocol Info / Notes: Mobile devices that use a native app to connect to Exchange Online generally use this protocol.

Key Protocol: Autodiscover
Impacted Clients: EWS and EAS apps using Autodiscover to find service endpoints
Client Specific Recommendation: Upgrade code/app to one supporting OAuth
Other Protocol Info / Notes: Autodiscover web service reference for Exchange

What if I want to block Basic authentication now?
Here's a table summarizing the options for proactively disabling Basic authentication:

Method: Security Defaults
Pros:
- Blocks all legacy authentication at the tenant level for all protocols
- No additional licensing required
Cons:
- Cannot be used together with Azure AD Conditional Access policies
- Potential other impact such as requiring all users to register for and require MFA

Method: Exchange Online Authentication Policies
Pros:
- Allows for a phased approach with disablement options per protocol
- No additional licensing required
- Blocks basic authentication pre-auth
Cons:
- Admin UI available to disable basic authentication at org-level, but exceptions require PowerShell

Method: Azure AD Conditional Access
Pros:
- Can be used to block all basic authentication for all protocols
- Can be scoped to users, groups, apps, etc.
- Can be configured to run in report-only mode for additional reporting
Cons:
- Requires additional licensing (Azure AD P1)
- Blocks basic authentication post-auth

Resources
To learn more on how to block Basic authentication, check out the following articles:

Security Defaults:

What are Security Defaults?
Enabling Security Defaults

Exchange Online Authentication Policies:

Manage Basic Authentication in the Microsoft 365 Admin Center (Simple)
Authentication Policy Procedures in Exchange Online (Advanced)

Azure AD Conditional Access:

Conditional Access: Block Legacy Authentication (Simple)
How to: Block Legacy Authentication to Azure AD with Conditional Access (Detailed)

Summary and next steps


The changes described in this article can affect your ability to connect to Exchange
Online, and so you should take steps to understand if you are impacted and determine
the steps you need to take to ensure you can continue to connect once they roll out.

It's recommended that you first investigate the impact on your tenant and users. Look
out for Message Center posts that either summarize your usage or report you don't have
any.

If you have usage, or are unsure, take a look at the Azure AD Sign-In report. More
information can be found here: New tools to block legacy authentication in your
organization - Microsoft Tech Community . The report can help you track down and
identify clients and devices using Basic authentication.

Once you have an idea of the users and clients you know are using Basic authentication,
come up with a remediation plan. That might mean upgrading client software,
reconfiguring apps, updating scripts, or reaching out to third-party app developers to get
updated code or apps.
Disable Basic authentication in
Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center , if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Note

If you've enabled security defaults in your organization, Basic authentication is
already disabled in Exchange Online. For more information, see What are security
defaults?.

If you've reached this page because Basic authentication isn't working in your
tenant, and you haven't set up security defaults or authentication policies, then we
might have disabled Basic authentication in your tenant as part of our wider
program to improve security across Exchange Online. Check your Message Center
for any posts referring to Basic authentication, and read Basic Authentication and
Exchange Online for the latest announcements concerning Basic authentication.

Basic authentication in Exchange Online uses a username and a password for client
access requests. Blocking Basic authentication can help protect your Exchange Online
organization from brute force or password spray attacks. When you disable Basic
authentication for users in Exchange Online, their email clients and apps must support
modern authentication. Those clients are:

Outlook 2013 or later (Outlook 2013 requires a registry key change. For more
information, see Enable Modern Authentication for Office 2013 on Windows
devices.)
Outlook 2016 for Mac or later
Outlook for iOS and Android
Mail for iOS 11.3.1 or later

If your organization has no legacy email clients, you can use authentication policies in
Exchange Online to disable Basic authentication requests. Disabling Basic authentication
forces all client access requests to use modern authentication. For more information
about modern authentication, see Using modern authentication with Office clients.

This topic explains how Basic authentication is used and blocked in Exchange Online,
and the corresponding procedures for authentication policies.

How Basic authentication works in Exchange Online
Basic authentication is also known as proxy authentication because the email client
transmits the username and password to Exchange Online, and Exchange Online
forwards or proxies the credentials to an authoritative identity provider (IdP) on behalf of
the email client or app. The IdP depends on your organization's authentication model:

Cloud authentication: The IdP is Azure Active Directory.
Federated authentication: The IdP is an on-premises solution like Active Directory
Federation Services (AD FS).

These authentication models are described in the following sections. For more
information, see Choose the right authentication method for your Azure Active Directory
hybrid identity solution.

Cloud authentication
The steps in cloud authentication are described in the following diagram:
1. The email client sends the username and password to Exchange Online.

Note: When Basic authentication is blocked, it's blocked at this step.

2. Exchange Online sends the username and password to Azure Active Directory.

3. Azure Active Directory returns a user ticket to Exchange Online and the user is
authenticated.

Federated authentication
The steps in federated authentication are described in the following diagram:

1. The email client sends the username and password to Exchange Online.

Note: When Basic authentication is blocked, it's blocked at this step.

2. Exchange Online sends the username and password to the on-premises IdP.

3. Exchange Online receives a Security Assertion Markup Language (SAML) token
from the on-premises IdP.

4. Exchange Online sends the SAML token to Azure Active Directory.

5. Azure Active Directory returns a user ticket to Exchange Online and the user is
authenticated.

How Basic authentication is blocked in Exchange Online
You block Basic authentication in Exchange Online by creating and assigning
authentication policies to individual users. The policies define the client protocols where
Basic authentication is blocked, and assigning the policy to one or more users blocks
their Basic authentication requests for the specified protocols.

When it's blocked, Basic authentication in Exchange Online is blocked at the first pre-
authentication step (Step 1 in the previous diagrams) before the request reaches Azure
Active Directory or the on-premises IdP. The benefit of this approach is brute force or
password spray attacks won't reach the IdP (which might trigger account lock-outs due
to incorrect login attempts).

Because authentication policies operate at the user level, Exchange Online can only
block Basic authentication requests for users that exist in the cloud organization. For
federated authentication, if a user doesn't exist in Exchange Online, the username and
password are forwarded to the on-premises IdP. For example, consider the following
scenario:

1. An organization has the federated domain contoso.com and uses on-premises AD
FS for authentication.

2. The user ian@contoso.com exists in the on-premises organization, but not in
Office 365 or Microsoft 365 (there's no user account in Azure Active Directory and
no recipient object in the Exchange Online global address list).

3. An email client sends a login request to Exchange Online with the username
ian@contoso.com. An authentication policy can't be applied to the user, and the
authentication request for ian@contoso.com is sent to the on-premises AD FS.

4. The on-premises AD FS can either accept or reject the authentication request for
ian@contoso.com. If the request is accepted, a SAML token is returned to
Exchange Online. As long as the SAML token's ImmutableId value matches a user
in Azure Active Directory, Azure AD will issue a user ticket to Exchange Online (the
ImmutableId value is set during Azure Active Directory Connect setup).

In this scenario, if contoso.com uses an on-premises AD FS server for authentication, the
on-premises AD FS server will still receive authentication requests for non-existent
usernames from Exchange Online during a password spray attack.

In an Exchange hybrid deployment, authentication for your on-premises mailboxes will
be handled by your on-premises Exchange servers, and authentication policies won't
apply. For mailboxes moved to Exchange Online, the Autodiscover service will redirect
them to Exchange Online, and then some of the previous scenarios will apply.

Authentication policy procedures in Exchange Online
You manage all aspects of authentication policies in Exchange Online PowerShell. The
protocols and services in Exchange Online that you can block Basic authentication for
are described in the following table.

Protocol or service, description, and the corresponding parameter name:

Exchange ActiveSync (EAS)
  Description: Used by some email clients on mobile devices.
  Parameter name: AllowBasicAuthActiveSync

Autodiscover
  Description: Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
  Parameter name: AllowBasicAuthAutodiscover

IMAP4
  Description: Used by IMAP email clients.
  Parameter name: AllowBasicAuthImap

MAPI over HTTP (MAPI/HTTP)
  Description: Used by Outlook 2010 and later.
  Parameter name: AllowBasicAuthMapi

Offline Address Book (OAB)
  Description: A copy of address list collections that are downloaded and used by Outlook.
  Parameter name: AllowBasicAuthOfflineAddressBook

Outlook Service
  Description: Used by the Mail and Calendar app for Windows 10.
  Parameter name: AllowBasicAuthOutlookService

POP3
  Description: Used by POP email clients.
  Parameter name: AllowBasicAuthPop

Reporting Web Services
  Description: Used to retrieve report data in Exchange Online.
  Parameter name: AllowBasicAuthReportingWebServices

Outlook Anywhere (RPC over HTTP)
  Description: Used by Outlook 2016 and earlier.
  Parameter name: AllowBasicAuthRpc

Authenticated SMTP
  Description: Used by POP and IMAP clients to send email messages.
  Parameter name: AllowBasicAuthSmtp

Exchange Web Services (EWS)
  Description: A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
  Parameter name: AllowBasicAuthWebServices

PowerShell
  Description: Used to connect to Exchange Online with remote PowerShell. For instructions, see Connect to Exchange Online PowerShell.
  Parameter name: AllowBasicAuthPowerShell

Typically, when you block Basic authentication for a user, we recommend that you block
Basic authentication for all protocols. However, you can use the AllowBasicAuth*
parameters (switches) on the New-AuthenticationPolicy and Set-AuthenticationPolicy
cmdlets to selectively allow or block Basic authentication for specific protocols.

For email clients and apps that don't support modern authentication, you need to allow
Basic authentication for the protocols and services that they require. These protocols
and services are described in the following table:

Client and the protocols and services it requires:

Older EWS clients: Autodiscover, EWS
Older ActiveSync clients: Autodiscover, ActiveSync
POP clients: POP3, Authenticated SMTP
IMAP clients: IMAP4, Authenticated SMTP
Outlook 2010: Autodiscover, MAPI over HTTP, Offline Address Book, Outlook Anywhere (RPC over HTTP), Exchange Web Services (EWS)

Note

Blocking Basic authentication will block app passwords in Exchange Online. For
more information about app passwords, see Create an app password.

What do you need to know before you begin?
Verify that modern authentication is enabled in your Exchange Online organization
(it's enabled by default). For more information, see Enable or disable modern
authentication for Outlook in Exchange Online.

Verify your email clients and apps support modern authentication (see the list at
the beginning of the topic). Also, verify that your Outlook desktop clients are
running the minimum required cumulative updates. For more information, see
Outlook Updates.

To learn how to connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

Create and apply authentication policies


The steps to create and apply authentication policies to block Basic authentication in
Exchange Online are:

1. Create the authentication policy.

2. Assign the authentication policy to users.

3. Wait 24 hours for the policy to be applied to users, or force the policy to be
immediately applied.

These steps are described in the following sections.

Step 1: Create the authentication policy

To create a policy that blocks Basic authentication for all available client protocols in
Exchange Online (the recommended configuration), use the following syntax:

PowerShell

New-AuthenticationPolicy -Name "<Descriptive Name>"

This example creates an authentication policy named Block Basic Auth.

PowerShell

New-AuthenticationPolicy -Name "Block Basic Auth"


For detailed syntax and parameter information, see New-AuthenticationPolicy.

Notes:

You can't change the name of the policy after you create it (the Name parameter
isn't available on the Set-AuthenticationPolicy cmdlet).

To enable Basic authentication for specific protocols in the policy, see the Modify
authentication policies section later in this topic. The same protocol settings are
available on the New-AuthenticationPolicy and Set-AuthenticationPolicy cmdlets,
and the steps to enable Basic authentication for specific protocols are the same for
both cmdlets.

Step 2: Assign the authentication policy to users

The methods that you can use to assign authentication policies to users are described in
this section:

Individual user accounts: Use the following syntax:

PowerShell

Set-User -Identity <UserIdentity> -AuthenticationPolicy <PolicyIdentity>

This example assigns the policy named Block Basic Auth to the user account
laura@contoso.com.

PowerShell

Set-User -Identity laura@contoso.com -AuthenticationPolicy "Block Basic Auth"

Filter user accounts by attributes: This method requires that the user accounts all
share a unique filterable attribute (for example, Title or Department) that you can
use to identify the users. The syntax uses the following commands (two to identify
the user accounts, and the other to apply the policy to those users):

PowerShell

$<VariableName1> = Get-User -ResultSize unlimited -Filter <Filter>
$<VariableName2> = $<VariableName1>.MicrosoftOnlineServicesID
$<VariableName2> | foreach {Set-User -Identity $_ -AuthenticationPolicy <PolicyIdentity>}

This example assigns the policy named Block Basic Auth to all user accounts whose
Title attribute contains the value "Sales Associate".

PowerShell

$SalesUsers = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')"
$Sales = $SalesUsers.MicrosoftOnlineServicesID
$Sales | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

Use a list of specific user accounts: This method requires a text file to identify the
user accounts. Values that don't contain spaces (for example, the Office 365 or
Microsoft 365 work or school account) work best. The text file must contain one
user account on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts,
and the other to apply the policy to those users):

PowerShell

$<VariableName> = Get-Content "<text file>"
$<VariableName> | foreach {Set-User -Identity $_ -AuthenticationPolicy <PolicyIdentity>}

This example assigns the policy named Block Basic Auth to the user accounts
specified in the file C:\My Documents\BlockBasicAuth.txt.

PowerShell

$BBA = Get-Content "C:\My Documents\BlockBasicAuth.txt"
$BBA | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

Filter on-premises Active Directory user accounts that are synchronized to
Exchange Online: For details, see the Filter on-premises Active Directory user
accounts that are synchronized to Exchange Online section in this topic.

Note

To remove the policy assignment from users, use the value $null for the
AuthenticationPolicy parameter on the Set-User cmdlet.

Step 3: (Optional) Immediately apply the authentication policy to users
By default, when you create or change the authentication policy assignment on users or
update the policy, the changes take effect within 24 hours. If you want the policy to take
effect within 30 minutes, use the following syntax:

PowerShell

Set-User -Identity <UserIdentity> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

This example immediately applies the authentication policy to the user
laura@contoso.com.

PowerShell

Set-User -Identity laura@contoso.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

This example immediately applies the authentication policy to multiple users that were
previously identified by filterable attributes or a text file. This example works if you're
still in the same PowerShell session and you haven't changed the variables you used to
identify the users (you didn't use the same variable name afterwards for some other
purpose). For example:

PowerShell

$Sales | foreach {Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)}

or

PowerShell

$BBA | foreach {Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)}

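
The three steps above as one script, as an added example that is not code from the original article. It assumes an existing Connect-ExchangeOnline session; the policy name, the Title filter and the list of accounts are placeholders to replace with your own values (the list is constructed inline here in place of the text file).

```powershell
# Added example, not code from the original article: create the policy, assign
# it to a merged set of users, force it to apply, and verify the result.
$PolicyName = 'Block Basic Auth'

# Step 1: create the policy once. With no AllowBasicAuth* switch specified,
# Basic authentication is blocked for every protocol.
$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $PolicyName
}

# Step 2: identify the users from two sources and de-duplicate: a filterable
# attribute (mailbox users whose Title contains "Sales Associate") and an
# explicit list of work or school accounts (constructed here; in practice
# Get-Content 'C:\My Documents\BlockBasicAuth.txt').
$filter     = "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')"
$fromFilter = (Get-User -ResultSize Unlimited -Filter $filter).MicrosoftOnlineServicesID
$fromList   = @('akol@contoso.com', 'tjohnston@contoso.com', 'kakers@contoso.com')
$targets    = (@($fromFilter) + $fromList) | Where-Object { $_ } | Sort-Object -Unique

# Steps 2 and 3 in a single Set-User call per user: assign the policy and move
# STSRefreshTokensValidFrom to now, so existing refresh tokens stop working and
# the policy takes effect within about 30 minutes instead of up to 24 hours.
$now = [System.DateTime]::UtcNow
foreach ($upn in $targets) {
    try {
        Set-User -Identity $upn -AuthenticationPolicy $PolicyName `
                 -STSRefreshTokensValidFrom $now -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not update ${upn}: $($_.Exception.Message)"
    }
}

# Verification: list any targeted user that doesn't report the policy.
# Get-User may return the policy as a name or a full identity, so match on the name.
$missing = foreach ($upn in $targets) {
    $u = Get-User -Identity $upn -ErrorAction SilentlyContinue
    if (-not $u -or "$($u.AuthenticationPolicy)" -notlike "*$PolicyName*") { $upn }
}
if ($missing) {
    Write-Warning ("Policy not applied to: " + ($missing -join ', '))
} else {
    Write-Host "Policy '$PolicyName' assigned to $(@($targets).Count) user(s)."
}
```

Resetting STSRefreshTokensValidFrom in the same call as the assignment is what turns a 24-hour window into a 30-minute one; without it a client that already holds a refresh token keeps working until that token expires, which is the gap an attacker with a stolen password would use.
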
View authentication policies
To view a summary list of the names of all existing authentication policies, run the
following command:

PowerShell

Get-AuthenticationPolicy | Format-Table Name -Auto

To view detailed information about a specific authentication policy, use this syntax:

PowerShell

Get-AuthenticationPolicy -Identity <PolicyIdentity>

This example returns detailed information about the policy named Block Basic Auth.

PowerShell

Get-AuthenticationPolicy -Identity "Block Basic Auth"

For detailed syntax and parameter information, see Get-AuthenticationPolicy.

Modify authentication policies


By default, when you create a new authentication policy without specifying any
protocols, Basic authentication is blocked for all client protocols in Exchange Online. In
other words, the default value of the AllowBasicAuth* parameters (switches) is False for
all protocols.

To enable Basic authentication for a specific protocol that's disabled, specify the
switch without a value.

To disable Basic authentication for a specific protocol that's enabled, you can only
use the value :$false.

You can use the Get-AuthenticationPolicy cmdlet to see the current status of the
AllowBasicAuth* switches in the policy.

This example enables basic authentication for the POP3 protocol and disables basic
authentication for the IMAP4 protocol in the existing authentication policy named Block
Basic Auth.

PowerShell

Set-AuthenticationPolicy -Identity "Block Basic Auth" -AllowBasicAuthPop -AllowBasicAuthImap:$false

For detailed syntax and parameter information, see Set-AuthenticationPolicy.

Configure the default authentication policy


The default authentication policy is assigned to all users who don't already have a
specific policy assigned to them. Note that the authentication policies assigned to users
take precedence over the default policy. To configure the default authentication policy
for the organization, use this syntax:

PowerShell

Set-OrganizationConfig -DefaultAuthenticationPolicy <PolicyIdentity>

This example configures the authentication policy named Block Basic Auth as the default
policy.

PowerShell

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

Note

To remove the default authentication policy designation, use the value $null for
the DefaultAuthenticationPolicy parameter.

Use the following example to verify that a default authentication policy is configured.

PowerShell

Get-OrganizationConfig | Format-Table DefaultAuthenticationPolicy

Remove authentication policies


To remove an existing authentication policy, use this syntax:

PowerShell

Remove-AuthenticationPolicy -Identity <PolicyIdentity>

This example removes the policy named Test Auth Policy.

PowerShell

Remove-AuthenticationPolicy -Identity "Test Auth Policy"

For detailed syntax and parameter information, see Remove-AuthenticationPolicy.

How do you know that you've successfully disabled Basic authentication in Exchange Online?

To confirm that an authentication policy was directly applied to users:

Note

Take into account that a default authentication policy could be already configured.
See Configure the default authentication policy for details.

1. Run the following command to find the distinguished name (DN) value of the
authentication policy:

PowerShell

Get-AuthenticationPolicy | Format-List Name,DistinguishedName

2. Use the DN value of the authentication policy in the following command:

PowerShell

Get-User -Filter "AuthenticationPolicy -eq '<AuthPolicyDN>'"

For example:

PowerShell

Get-User -Filter "AuthenticationPolicy -eq 'CN=Block Basic Auth,CN=Auth Policies,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR11B009,DC=PROD,DC=OUTLOOK,DC=COM'"

When an authentication policy blocks Basic authentication requests from a specific user
for a specific protocol in Exchange Online, the response is 401 Unauthorized. No
additional information is returned to the client, so that nothing about the blocked
user is leaked. An example of the response looks like this:

Output

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
request-id: 413ee498-f337-4b0d-8ad5-50d900eb1f72
X-CalculatedBETarget: DM5PR2101MB0886.namprd21.prod.outlook.com
X-BackEndHttpStatus: 401
Set-Cookie: MapiRouting=#################################################; path=/mapi/; secure; HttpOnly
X-ServerApplication: Exchange/15.20.0485.000
X-RequestId: {3146D993-9082-4D57-99ED-9E7D5EA4FA56}:8
X-ClientInfo: {B0DD130A-CDBF-4CFA-8041-3D73B4318010}:59
X-RequestType: Bind
X-DiagInfo: DM5PR2101MB0886
X-BEServer: DM5PR2101MB0886
X-Powered-By: ASP.NET
X-FEServer: MA1PR0101CA0031
WWW-Authenticate: Basic Realm="",Basic Realm=""
Date: Wed, 31 Jan 2018 05:15:08 GMT
Content-Length: 0
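
The checks in this section, combined into one audit, as an added example that is not part of the Microsoft article. It assumes an existing Exchange Online PowerShell session, and the function names are my own. It reports, per policy, which AllowBasicAuth* switches are still on, whether the policy is the organization default, and how many users are directly assigned to it; it also resolves the effective policy for a single user, so you can confirm that a specific account is actually blocked rather than relying only on the 401 response above.

```powershell
# Added example, not code from the Microsoft article. Assumes Connect-ExchangeOnline
# has already been run in this session.

# Names of the protocols for which a policy still allows Basic authentication.
function Get-AllowedBasicAuthProtocol {
    param([Parameter(Mandatory)]$Policy)
    $Policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
}

# One row per policy: protocols still open, whether it is the org default
# (Set-OrganizationConfig -DefaultAuthenticationPolicy), and how many users are
# directly assigned to it (the DN-based -Filter the article uses).
function Get-BasicAuthPolicyReport {
    $defaultPolicy = "$((Get-OrganizationConfig).DefaultAuthenticationPolicy)"
    foreach ($policy in Get-AuthenticationPolicy) {
        $open = @(Get-AllowedBasicAuthProtocol -Policy $policy)
        $openLabel = if ($open.Count) { $open -join ',' } else { '(none)' }
        $dn = $policy.DistinguishedName
        $assigned = @(Get-User -ResultSize Unlimited -Filter "AuthenticationPolicy -eq '$dn'")
        [pscustomobject]@{
            Name             = $policy.Name
            IsOrgDefault     = ($policy.Name -eq $defaultPolicy)
            BasicAuthAllowed = $openLabel
            DirectlyAssigned = $assigned.Count
        }
    }
}

# Effective policy for one user: an explicit assignment wins, then the org default;
# with neither, no policy blocks Basic authentication for that user.
function Get-EffectiveBasicAuthState {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-User -Identity $Identity
    $source = 'user assignment'
    $policyId = "$($user.AuthenticationPolicy)"
    if (-not $policyId) {
        $policyId = "$((Get-OrganizationConfig).DefaultAuthenticationPolicy)"
        $source = 'org default'
    }
    if (-not $policyId) {
        return [pscustomobject]@{
            User = $user.UserPrincipalName; Policy = $null; Source = 'none'
            BasicAuthAllowed = 'all protocols (no policy applies)'
        }
    }
    $policy = Get-AuthenticationPolicy -Identity $policyId
    $open = @(Get-AllowedBasicAuthProtocol -Policy $policy)
    $openLabel = if ($open.Count) { $open -join ',' } else { '(none)' }
    [pscustomobject]@{
        User             = $user.UserPrincipalName
        Policy           = $policy.Name
        Source           = $source
        BasicAuthAllowed = $openLabel
    }
}

# Usage (laura@contoso.com is the article's sample user):
# Get-BasicAuthPolicyReport | Format-Table -AutoSize
# Get-EffectiveBasicAuthState -Identity laura@contoso.com
```

A user whose row shows Source = none is not covered by any policy, so Basic authentication for that user is governed only by whatever the tenant's Basic authentication switches allow; the report makes those accounts visible before you test a client.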

Manage Basic authentication in the Microsoft 365 admin center

In the Microsoft 365 admin center at https://admin.microsoft.com, go to Settings > Org
Settings > Modern Authentication. In the Modern authentication flyout that appears,
you can identify the protocols that no longer require Basic authentication.

Behind the scenes, these settings use authentication policies. If authentication policies
were created in the past, modifying any of these selections will automatically create the
first new authentication policy. This policy is visible only through PowerShell. For
advanced customers who may already be using authentication policies, changes in the
Microsoft 365 admin center will modify their existing default policy. Look through Azure
AD sign-in logs to see which protocols clients are using before making any changes.

Turning off Basic authentication in the Microsoft 365 admin center does not turn off the
following legacy services:

AllowBasicAuthOutlookService
AllowBasicAuthReportingWebServices

You can only turn off these settings in Exchange Online PowerShell.

1. Run the following command to find the name of the existing authentication policy:

PowerShell

Get-AuthenticationPolicy

2. Replace <AuthenticationPolicyName> with the value from the previous step, and
then run the following command:

PowerShell

Set-AuthenticationPolicy -Identity "<AuthenticationPolicyName>" -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthOutlookService:$false

3. The previous command affects any new mailboxes that you'll create, but not
existing mailboxes. To apply the policy to existing mailboxes, use the
<AuthenticationPolicyName> value in the following command:

PowerShell

$mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited
$mbx | foreach {Set-User -Identity $_.ExchangeObjectID.tostring() -AuthenticationPolicy "<AuthenticationPolicyName>"}
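
The three steps above as one script, added here and not part of the Microsoft article. Rather than picking a policy name from the Get-AuthenticationPolicy output, it resolves the policy the admin center modifies from Get-OrganizationConfig (this assumes the organization default is the policy you want, as the text above describes), creates one if none exists, and supports -WhatIf so you can preview which mailboxes will be changed. Function and parameter names are my own.

```powershell
# Added example, not code from the Microsoft article. Assumes an Exchange Online
# PowerShell session. Turns off the two legacy services the admin center cannot
# reach and stamps the policy on existing user mailboxes, with -WhatIf support.
function Disable-LegacyBasicAuthServices {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Name used only if the tenant has no default policy yet (assumed name).
        [string]$NewPolicyName = 'Block Basic Auth'
    )

    # The admin center edits the org default policy, so start from that.
    $policyName = "$((Get-OrganizationConfig).DefaultAuthenticationPolicy)"
    if (-not $policyName) {
        # A policy created without AllowBasicAuth* switches blocks Basic auth everywhere.
        if ($PSCmdlet.ShouldProcess($NewPolicyName, 'Create authentication policy and set as org default')) {
            New-AuthenticationPolicy -Name $NewPolicyName | Out-Null
            Set-OrganizationConfig -DefaultAuthenticationPolicy $NewPolicyName
        }
        $policyName = $NewPolicyName
    }

    # Step 2 above: the two services the admin center leaves enabled.
    if ($PSCmdlet.ShouldProcess($policyName, 'Disable AllowBasicAuthReportingWebServices and AllowBasicAuthOutlookService')) {
        Set-AuthenticationPolicy -Identity $policyName `
            -AllowBasicAuthReportingWebServices:$false `
            -AllowBasicAuthOutlookService:$false
    }

    # Step 3 above: assign the policy explicitly to existing user mailboxes.
    $mailboxes = @(Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited)
    $updated = 0
    foreach ($mbx in $mailboxes) {
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, "Assign authentication policy '$policyName'")) {
            Set-User -Identity $mbx.ExchangeObjectId.ToString() -AuthenticationPolicy $policyName
            $updated++
        }
    }
    [pscustomobject]@{ Policy = $policyName; Mailboxes = $mailboxes.Count; Updated = $updated }
}

# Preview first, then run for real:
# Disable-LegacyBasicAuthServices -WhatIf
# Disable-LegacyBasicAuthServices
```

With -WhatIf the Updated count stays at 0 and each intended Set-User call is printed instead, which is the cheapest way to check the mailbox scope before touching a large tenant.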

Filter on-premises Active Directory user accounts that are synchronized to Exchange Online

This method uses one specific attribute as a filter for on-premises Active Directory
group members that will be synchronized with Exchange Online. This method allows you
to disable legacy protocols for specific groups without affecting the entire organization.

Throughout this example, we'll use the Department attribute, because it's a common
attribute that identifies users based on their department and role. To see all Active
Directory user extended properties, go to Active Directory: Get-ADUser Default and
Extended Properties.

Step 1: Find the Active Directory users and set the Active Directory user attributes

Get the members of an Active Directory group

These steps require the Active Directory module for Windows PowerShell. To install this
module on your PC, you need to download and install the Remote Server Administration
Tools (RSAT).

Run the following command in Active Directory PowerShell to return all groups in Active
Directory:

PowerShell

Get-ADGroup -Filter * | select -Property Name

After you get the list of groups, you can query which users belong to those groups and
create a list based on any of their attributes. We recommend using the objectGuid
attribute because the value is unique for each user.

PowerShell

Get-ADGroupMember -Identity "<GroupName>" | select -Property objectGuid

This example returns the objectGuid attribute value for the members of the group
named Developers.

PowerShell

Get-ADGroupMember -Identity "Developers" | select -Property objectGuid

Set the filterable user attribute

After you identify the Active Directory group that contains the users, you need to set the
attribute value that will be synchronized with Exchange Online to filter users (and
ultimately disable Basic authentication for them).

Use the following syntax in Active Directory PowerShell to configure the attribute value
for the members of the group that you identified in the previous step. The first
command identifies the group members based on their objectGuid attribute value. The
second command assigns the Department attribute value to the group members.
PowerShell

$variable1 = Get-ADGroupMember -Identity "<GroupName>" | select -ExpandProperty "objectGUID"
Foreach ($user in $variable1) {Set-ADUser -Identity $user.ToString() -Add @{Department="<DepartmentName>"}}

This example sets the Department attribute to the value "Developer" for users that
belong to the group named "Developers".

PowerShell

$variable1 = Get-ADGroupMember -Identity "Developers" | select -ExpandProperty "objectGUID"
Foreach ($user in $variable1) {Set-ADUser -Identity $user.ToString() -Add @{Department="Developer"}}

Use the following syntax in Active Directory PowerShell to verify the attribute was
applied to the user accounts (now or in the past):

PowerShell

Get-ADUser -Filter "Department -eq '<DepartmentName>'" -Properties Department

This example returns all user accounts with the value "Developer" for the Department
attribute.

PowerShell

Get-ADUser -Filter "Department -eq 'Developer'" -Properties Department

Step 2: Disable legacy authentication in Exchange Online

Note

The attribute values for on-premises users are synchronized to Exchange Online
only for users that have a valid Exchange Online license. For more information, see
Add users individually or in bulk.

The Exchange Online PowerShell syntax uses the following commands (two to identify
the user accounts, and the other to apply the policy to those users):

PowerShell

$<VariableName1> = Get-User -ResultSize unlimited -Filter <Filter>
$<VariableName2> = $<VariableName1>.MicrosoftOnlineServicesID
$<VariableName2> | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

This example assigns the policy named Block Basic Auth to all synchronized user
accounts whose Department attribute contains the value "Developer".

PowerShell

$developerUsers = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (department -like '*developer*')"
$developers = $developerUsers.MicrosoftOnlineServicesID
$developers | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

If you connect to Exchange Online PowerShell in an Active Directory PowerShell session,
you can use the following syntax to apply the policy to all members of an Active
Directory group.

This example creates a new authentication policy named Marketing Policy that disables
Basic authentication for members of the Active Directory group named Marketing
Department for ActiveSync, POP3, authenticated SMTP, and IMAP4 clients.

Note

A known limitation in Active Directory PowerShell prevents the Get-ADGroupMember
cmdlet from returning more than 5000 results. Therefore, the following example only
works for Active Directory groups that have fewer than 5000 members.

PowerShell

New-AuthenticationPolicy -Name "Marketing Policy" -AllowBasicAuthActiveSync:$false -AllowBasicAuthPop:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthImap:$false
$users = Get-ADGroupMember "Marketing Department"
foreach ($user in $users) {Set-User -Identity $user.SamAccountName -AuthenticationPolicy "Marketing Policy"}

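Steps 1 and 2 carried through end to end as an added example (not the Microsoft article's own code). The first function runs in the Active Directory module and the second in Exchange Online PowerShell; group, department and policy names are placeholders, and the function names are mine. The AD function queries members with an LDAP filter on memberOf, which is not subject to the 5000-result limit noted above, and the Exchange Online function optionally uses -STSRefreshTokensValidFrom so the policy takes effect within about 30 minutes rather than 24 hours.

```powershell
# Added example, not code from the Microsoft article.

# Active Directory module: stamp the Department attribute on a group's members.
function Set-DepartmentForGroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Department,
        [switch]$IncludeNested
    )
    $group = Get-ADGroup -Identity $GroupName
    # Query from the user side with an LDAP filter on memberOf; unlike Get-ADGroupMember
    # this is not capped at 5000 results. The matching-rule OID (LDAP_MATCHING_RULE_IN_CHAIN)
    # walks nested group membership when -IncludeNested is given.
    $ldap = if ($IncludeNested) {
        "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    } else {
        "(memberOf=$($group.DistinguishedName))"
    }
    $members = @(Get-ADUser -LDAPFilter $ldap -Properties Department)
    $updated = 0
    foreach ($user in $members) {
        if ($user.Department -eq $Department) { continue }   # already stamped
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set Department to '$Department'")) {
            # -Department replaces any existing value; the -Add form shown above
            # only succeeds while the attribute is still empty.
            Set-ADUser -Identity $user -Department $Department
            $updated++
        }
    }
    [pscustomobject]@{ Group = $group.Name; Members = $members.Count; Updated = $updated }
}

# Exchange Online PowerShell: assign the blocking policy to the synchronized users.
function Set-BasicAuthBlockByDepartment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Department,
        [string]$PolicyName = 'Block Basic Auth',
        [switch]$ApplyNow
    )
    # A policy created without AllowBasicAuth* switches blocks Basic auth for every protocol.
    if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($PolicyName, 'Create authentication policy')) {
            New-AuthenticationPolicy -Name $PolicyName | Out-Null
        }
    }
    # Only licensed, synchronized users carry the on-premises attribute value (see the note above).
    $users = @(Get-User -ResultSize Unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Department -eq '$Department')")
    foreach ($user in $users) {
        $id = $user.MicrosoftOnlineServicesID
        if ($PSCmdlet.ShouldProcess($id, "Assign '$PolicyName'")) {
            Set-User -Identity $id -AuthenticationPolicy $PolicyName
            if ($ApplyNow) {
                # Invalidates existing refresh tokens so the policy applies within about 30 minutes.
                Set-User -Identity $id -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
            }
        }
    }
    # Verify with the same DN-based filter the article uses.
    $dn = (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue).DistinguishedName
    $assigned = if ($dn) { @(Get-User -ResultSize Unlimited -Filter "AuthenticationPolicy -eq '$dn'") } else { @() }
    [pscustomobject]@{ Policy = $PolicyName; Matched = $users.Count; NowAssigned = $assigned.Count }
}

# Active Directory module (placeholders from the article's example):
# Set-DepartmentForGroupMembers -GroupName 'Developers' -Department 'Developer' -WhatIf
# Exchange Online PowerShell, after directory synchronization has run:
# Set-BasicAuthBlockByDepartment -Department 'Developer' -ApplyNow -WhatIf
```

The Matched and NowAssigned counts should agree once synchronization has carried the attribute to Exchange Online; a gap between them is the first thing to check (missing license, sync not yet run) before assuming the policy is in force.
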
Enable or disable employee access to
the new Outlook for Windows
Article • 06/12/2023

The new Outlook for Windows is enabled by default for all users with an Azure Active
Directory account and Exchange Online account. Following are the two controls in this
article that can be configured to enable or disable employee access to the new Outlook
for Windows.

1. Outlook Desktop registry key to enable or hide the New Outlook toggle.

2. Exchange Online PowerShell to prevent or allow access to mailboxes by the new
Outlook for Windows. This setting has no effect on the new Outlook toggle in
Outlook Desktop; it controls whether users can add their mailbox to the new Outlook
for Windows.

What do you need to know before you begin?


Estimated time to complete this procedure: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Outlook on the web
mailbox policies" entry in the Feature permissions in Exchange Online article.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Tip

Having problems? Ask for help in the Exchange Online forum.

Enable or disable the new Outlook for Windows for an individual mailbox

In Exchange Online PowerShell, use the following syntax:

PowerShell

Set-CASMailbox -Identity <MailboxIdentity> -OneWinNativeOutlookEnabled <$true | $false>

<MailboxIdentity> is any value that uniquely identifies the mailbox. For example:

Name
Alias
Email address
User ID

This example disables the new Outlook for Windows for the specified user.

PowerShell

Set-CASMailbox -Identity colin@contoso.onmicrosoft.com -OneWinNativeOutlookEnabled $false

For more information, see Set-CASMailbox.

To enable the new Outlook for Windows for the mailbox, use the value $true for the
OneWinNativeOutlookEnabled parameter.

Enable or disable the new Outlook for Windows for multiple mailboxes

You can use the Get-Mailbox, Get-User or Get-Content cmdlets to identify the
mailboxes that you want to modify. For example:

Filter mailboxes by attributes: This method requires that the mailboxes all share a
unique filterable attribute. For example:
Title, Department, or address information for user accounts as seen by the Get-User cmdlet.

CustomAttribute1 through CustomAttribute15 for mailboxes as seen by the Get-Mailbox cmdlet.

For more information, see Filterable Properties for the -Filter Parameter and Get-Mailbox.

The syntax uses the following two commands: one command to identify the
mailboxes, and the other to enable or disable the new Outlook for Windows for
the mailbox:

PowerShell

$<VariableName> = <Get-User | Get-Mailbox> -ResultSize unlimited -Filter <Filter>
$<VariableName> | foreach {Set-CASMailbox -Identity $_.MicrosoftOnlineServicesID -OneWinNativeOutlookEnabled <$true | $false>}

This example disables the new Outlook for Windows for all mailboxes whose Title
attribute contains "Vendor" or "Contractor".

PowerShell

$Mgmt = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Vendor*' -or Title -like '*Contractor*')"
$Mgmt | foreach {Set-CASMailbox -Identity $_.MicrosoftOnlineServicesID -OneWinNativeOutlookEnabled $false}

Use a list of specific mailboxes: This method requires a text file to identify the
mailboxes. The text file must contain one mailbox on each line like this:

akol@contoso.com
ljohnston@contoso.com
kakers@contoso.com

The syntax uses the following two commands: one command to identify the
mailboxes, and the other to enable or disable the new Outlook for Windows for
the mailbox:

PowerShell

$<VariableName> = Get-Content "<text file>"
$<VariableName> | foreach {Set-CASMailbox -Identity $_ -OneWinNativeOutlookEnabled <$true | $false>}

This example disables the new Outlook for Windows for the mailboxes specified in
the file C:\My Documents\Management.txt.

PowerShell

$Mgrs = Get-Content "C:\My Documents\Management.txt"
$Mgrs | foreach {Set-CASMailbox -Identity $_ -OneWinNativeOutlookEnabled $false}

Verify access to mailboxes by the new Outlook for Windows

To verify the new Outlook for Windows is enabled or disabled for a specific mailbox,
replace <MailboxIdentity> with the name, alias, email address or user ID of the mailbox,
and run the following command:

PowerShell

Get-CASMailbox -Identity <MailboxIdentity> | Format-List OneWinNativeOutlookEnabled

The value False for the OneWinNativeOutlookEnabled property means the new Outlook
for Windows is disabled for the mailbox. True or absence of value means it's enabled.

To verify if the new Outlook for Windows is enabled or disabled for all mailboxes, run
the following command to verify the value of the OneWinNativeOutlookEnabled property:

PowerShell

Get-CASMailbox -ResultSize unlimited -Filter "RecipientTypeDetailsValue -eq 'UserMailbox'" | Format-Table Name,OneWinNativeOutlookEnabled

Use an OwaMailboxPolicy to enable or disable the new Outlook for Windows for multiple mailboxes

You can enable or disable users' access to the new Outlook for Windows by modifying
the flag on the OwaMailboxPolicy assigned to those users, or by modifying the
organization's default OwaMailboxPolicy when no policy is explicitly assigned to users.

To set the correct flag on the OwaMailboxPolicy:

PowerShell

$<VariableName1> = Get-OwaMailboxPolicy -Organization <Organization name>
$<VariableName1> | Set-OwaMailboxPolicy -OneWinNativeOutlookEnabled $false

This example disables the new Outlook for Windows for all mailboxes within that
organization by setting the OneWinNativeOutlookEnabled flag to false on all
OwaMailboxPolicies in the organization.
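
Added example (not from the Microsoft article) covering the bulk per-mailbox procedure, the verification step and the policy-level setting in one place. It assumes an Exchange Online PowerShell session; function names are mine. The per-mailbox function re-reads each mailbox after the change and treats an absent value as enabled, as the verification section states, so its report lists only the mailboxes whose effective state differs from what was requested.

```powershell
# Added example, not code from the Microsoft article. Assumes Connect-ExchangeOnline
# has been run. Both functions support -WhatIf.

# Enable or disable the new Outlook for mailboxes matched by an OPATH filter,
# then verify each one by reading the value back.
function Set-NewOutlookAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # OPATH expression on Get-User properties, e.g. "Title -like '*Contractor*'"
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $users = @(Get-User -ResultSize Unlimited -Filter "(RecipientType -eq 'UserMailbox') -and ($Filter)")
    $changed = @()
    foreach ($u in $users) {
        $id = $u.MicrosoftOnlineServicesID
        if ($PSCmdlet.ShouldProcess($id, "OneWinNativeOutlookEnabled = $Enabled")) {
            Set-CASMailbox -Identity $id -OneWinNativeOutlookEnabled $Enabled
            $changed += $id
        }
    }
    # Verification: an absent (null) value means enabled, so the effective state is
    # "not $false" rather than "-eq $true".
    $mismatched = foreach ($id in $changed) {
        $actual = (Get-CASMailbox -Identity $id).OneWinNativeOutlookEnabled
        if (($actual -ne $false) -ne $Enabled) { $id }
    }
    [pscustomobject]@{ Matched = $users.Count; Changed = $changed.Count; Mismatched = @($mismatched) }
}

# Apply the setting at policy level to every OwaMailboxPolicy, which also covers
# mailboxes that have no per-mailbox value, then list what each mailbox now carries.
function Set-NewOutlookAccessByPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)
    foreach ($policy in Get-OwaMailboxPolicy) {
        if ($PSCmdlet.ShouldProcess($policy.Name, "OneWinNativeOutlookEnabled = $Enabled")) {
            Set-OwaMailboxPolicy -Identity $policy.Identity -OneWinNativeOutlookEnabled $Enabled
        }
    }
    Get-CASMailbox -ResultSize Unlimited -Filter "RecipientTypeDetailsValue -eq 'UserMailbox'" |
        Select-Object Name, OwaMailboxPolicy, OneWinNativeOutlookEnabled
}

# Usage (filter taken from the article's example):
# Set-NewOutlookAccess -Filter "Title -like '*Vendor*' -or Title -like '*Contractor*'" -Enabled $false -WhatIf
# Set-NewOutlookAccessByPolicy -Enabled $false -WhatIf
```

A non-empty Mismatched list after a real run usually means the change has not propagated yet; re-run the verification a few minutes later before assuming the cmdlet failed.
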

Enable or disable the Outlook Desktop New Outlook toggle

Use a registry key to hide or enable the "Try the new Outlook" toggle:

Registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\General
Value: REG_DWORD "HideNewOutlookToggle"

0 (default) - "Try the new Outlook" toggle, if available in the selected update channel, is
displayed to users.

1 - "Try the new Outlook" toggle is hidden.

The "Try the new Outlook" toggle is now in Current Channel and Monthly Enterprise
Channel (MEC). We'll update this article as the toggle becomes available in other
channels. The current estimate is SAEC-P in Fall 2023 and SAC January 2024. You can
also hide the toggle by setting the registry key to 1 prior to its availability.
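
An added example (not from the Microsoft article) that sets and reads the registry value above from PowerShell. It must run in the context of the user whose HKEY_CURRENT_USER hive is being changed. Function names are mine; the key path and value name are the ones documented above.

```powershell
# Added example, not code from the Microsoft article. Key path and value name are
# from the article; the functions are my own.
$ToggleKey   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\General'
$ToggleValue = 'HideNewOutlookToggle'

# Hide (1) or show (0) the "Try the new Outlook" toggle in classic Outlook.
function Set-NewOutlookToggleVisibility {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Show', 'Hide')][string]$State)
    $data = if ($State -eq 'Hide') { 1 } else { 0 }
    # The Options\General key does not exist until Outlook has written to it.
    if (-not (Test-Path -Path $ToggleKey)) {
        New-Item -Path $ToggleKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$ToggleKey\$ToggleValue", "Set REG_DWORD to $data")) {
        # -Force overwrites an existing value; PropertyType DWord matches the documented REG_DWORD.
        New-ItemProperty -Path $ToggleKey -Name $ToggleValue -PropertyType DWord -Value $data -Force | Out-Null
    }
}

# Report the current state; a missing value is the documented default (0, shown).
function Get-NewOutlookToggleVisibility {
    $item = Get-ItemProperty -Path $ToggleKey -Name $ToggleValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Show (value absent, default)' }
    if ($item.($ToggleValue) -eq 1) { 'Hide' } else { 'Show' }
}

# Remove the value to return to the default behaviour.
function Reset-NewOutlookToggleVisibility {
    Remove-ItemProperty -Path $ToggleKey -Name $ToggleValue -ErrorAction SilentlyContinue
}

# Usage:
# Set-NewOutlookToggleVisibility -State Hide
# Get-NewOutlookToggleVisibility
```

As the FAQ below notes, classic Outlook evaluates this value at start, so a change is only observed on the next launch of classic Outlook.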

The Outlook Team is implementing the setting as group policy (GPO) to be managed via
Cloud Policy. The policy functionality is expected to go into Current Channel in Version
2306 in the late June 2023 release and then into Monthly Enterprise Channel in the July
2023 timeframe.

FAQ

1. If a user has already manually toggled to enable the new Outlook, and then the
PowerShell cmdlet Set-CASMailbox -Identity <MailboxIdentity> -OneWinNativeOutlookEnabled $true
is run, how long does the user have to wait to be disabled? Do they have to restart
Outlook? Does this have any impact on the toggle?

The IT Admin would need to set OneWinNativeOutlookEnabled to $false to disable
mailbox access. If an end user is already trying out the new Outlook with their work or
school account, then access becomes disabled by their IT Admin, their account is
disabled in the new Outlook and they'll no longer be able to use the app with that
account.

The user can choose to delete the account and use the new Outlook with another
account. The OneWinNativeOutlookEnabled parameter doesn't impact the "Try the new
Outlook" toggle in classic Outlook for Windows. IT Admins can manage the toggle
separately.

For example, they may want to allow users to try the new Outlook, but not have the
toggle visible in the classic Outlook.

Note

If the admin sets OneWinNativeOutlookEnabled to $false and the user toggles "Try
the new Outlook" to enable the new Outlook, they will see an error similar to the
following: We ran into an error – Microsoft.Exchange.Data.Storage.AccountDisabledException.

2. If a user has already manually toggled to enable the new Outlook, and then the
HideNewOutlookToggle regkey is set, what does the user observe in Outlook?

This depends on how the user is launching the new Outlook. If they're launching the
new Outlook via selecting the classic Outlook app icon, then they would be toggled out
of the new Outlook on next classic Outlook launch, so classic Outlook would start to
launch again.
If they're launching the new Outlook directly via the new Outlook executable (selecting
the new Outlook app icon), then they would continue to launch into the new Outlook
and it would appear that the new Outlook toggle was enabled. This is because we only
run the 'toggle out' logic when the classic Outlook sees the HideNewOutlookToggle
regkey is enabled on boot (the new Outlook is unaware of its existence).

So, it really depends on whether the user is launching classic Outlook as they normally
would or have pinned the new Outlook app icon and launch it from there.

3. If a user toggles to enable, then at any point after, toggles to disable, what action
is required (Outlook restart, wait x number of minutes, other)?

Once the user decides to switch back, the new Outlook closes and the classic Outlook
launches. This happens immediately. These are two separate apps that are installed and
they both remain regardless of what you set the toggle to.

The toggle is used to switch quickly between the two apps and provide the Outlook
Team an opportunity to ask users for their feedback when they're switching back to
classic Outlook.

4. If the HideNewOutlookToggle regkey is set first, does it remove/grey out/disable the
toggle if the -OneWinNativeOutlookEnabled policy is set after?

The reg key is separate from the OwaMailboxPolicy . The reg key is for the appearance of
the "Try the new Outlook" toggle in the classic Outlook, and the OwaMailboxPolicy
parameter OneWinNativeOutlookEnabled is for whether the work or school mailbox is
allowed to use the new Outlook client.

The classic Outlook doesn't have the ability to check the mailbox policy and thus these
are separate. Also, as mentioned above, there may be cases where IT Admins choose to
allow users to try the new Outlook, but don't want the "Try the new Outlook" toggle
itself appearing in the classic Outlook.

Remember there's also a similar toggle in the Windows Mail app (Universal) and soon
users are able to search for the new Outlook in the Microsoft/Windows Store and
download/install the app there.

So, in that sense, the reg key is targeted to classic Outlook, where the mailbox policy is
more focused to capture users who install the new Outlook from any location on any
device (whether personal or work).

Related articles:

Toggling out of the new Outlook for Windows preview

Release notes for Current Channel

Release notes for Monthly Enterprise Channel

Outlook on the web in Exchange Online
Article • 02/22/2023

By default, Outlook on the web (formerly known as Outlook Web App) is enabled in
Exchange Online, and lets users access their mailbox from almost any web browser.

For information about client access mailbox methods in Exchange Online, see Clients
and mobile in Exchange Online.

Overview of Outlook on the web


Fully supported web browsers give users access to features such as conversation view,
Inbox rules, the reading pane, and the Scheduling Assistant. Browsers that aren't fully
supported can still be used, but users will see the light version of Outlook on the web,
which has fewer features.

Managing Outlook on the web


In Exchange Online, the most common Outlook on the web management tasks can be
accomplished in the Exchange admin center (EAC). All these tasks, and many others, can
be accomplished by using Exchange Online PowerShell.
Outlook on the web mailbox policies in
Exchange Online
Article • 02/22/2023

In Exchange Online, Outlook on the web mailbox policies control the availability of
settings and features in Outlook on the web (formerly known as Outlook Web App). A
mailbox can only have one Outlook on the web mailbox policy applied to it. You can
create different policies for different types of users in your Exchange Online
organization.

Every Exchange Online organization has a default Outlook on the web mailbox policy
named OwaMailboxPolicy-Default that's applied to all user mailboxes. You can use this
policy or create additional policies as necessary to meet the needs of your organization.

For the procedures that you can do on Outlook on the web mailbox policies, see
Outlook on the web mailbox policy procedures in Exchange Online.

Note

All mailbox policies set for Outlook on the web will also affect new Outlook for
Windows.
Mailbox policy procedures in Exchange
Online for Outlook on the web and the
new Outlook for Windows
Article • 02/22/2023

Create a mailbox policy in Exchange Online for Outlook on the web and the new
Outlook for Windows

Apply or remove a mailbox policy on a mailbox in Exchange Online for Outlook on the
web and the new Outlook for Windows

Remove a mailbox policy from Exchange Online for Outlook on the web and the new
Outlook for Windows

View or configure mailbox policy properties for Outlook on the web and the new
Outlook for Windows
Create a mailbox policy in Exchange
Online for Outlook on the web and the
new Outlook for Windows
Article • 02/22/2023

You can create mailbox policies to apply settings to users in Outlook on the web
(formerly known as Outlook Web App) and the new Outlook for Windows. Outlook on
the web mailbox policies are useful for applying and standardizing settings, for example,
attachment settings, for specific groups of users.

For more information about Outlook on the web mailbox policies, see Outlook on the
web mailbox policies.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Outlook on the web
mailbox policies" entry in the Feature permissions in Exchange Online article.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to create a mailbox policy for Outlook on the web and the new Outlook for Windows

1. In the EAC, go to Permissions > Outlook Web App policies, and click New.

2. In the new policy window that opens, configure the following settings:

Policy name: Enter a unique name for your policy.

Use the check boxes to enable or disable features. By default, the most
common features are displayed. To see all features that can be enabled or
disabled, click More options.

Note: You can configure settings for individual users by using the Set-CASMailbox
cmdlet in Exchange Online PowerShell.

3. Click Save to save the policy.

The following list contains the features you can configure when you create a mailbox
policy using the EAC for Outlook on the web and the new Outlook for Windows:

Communication management:
Instant messaging: if enabled, users have access to instant messaging
functionality such as the ability to send and receive instant messages, view
presence information for other users, and change their own presence
information.
Text messaging: when enabled, users can send and receive text messages and
create text message notification rules using Outlook on the web and the new
Outlook for Windows.
Exchange ActiveSync: if enabled, users can manage their linked mobile devices
using Options in Outlook on the web.
Contacts: if enabled, users can use Contacts in Outlook on the web and the new
Outlook for Windows.
LinkedIn contact sync: if enabled, users will be able to add their LinkedIn
connections to their mailbox as contacts. When a user's connection updates
their information in LinkedIn, the contact will be automatically updated.
Mobile device contact sync: if enabled, users have access to personal contacts on
their devices outside of Outlook on the web.
All address lists: if enabled, users can view all address lists. If it's set to Disabled,
the user can only view the default global address list.

Information management:
Journaling: if enabled, the Journal folder will be visible in Outlook on the web
and the new Outlook for Windows.
Notes: if enabled, the Notes folder will be visible in Outlook on the web and the
new Outlook for Windows.
Inbox Rules: if enabled, a user can create and edit custom rules in Outlook on
the web and the new Outlook for Windows.
Recover deleted items: if enabled, users can view items that have been deleted
from the Deleted Items folder and choose whether to recover them to the
Deleted Items folder or to delete them permanently using Outlook on the web
and the new Outlook for Windows.

Security:
Change password: if enabled, people can change their passwords by going to
Options in Outlook on the web and the new Outlook for Windows.

User experience:
Themes: if enabled, users can change the color scheme in Outlook on the web
and the new Outlook for Windows.
Premium client: if enabled, users can use the standard version of Outlook on the
web. If you clear the check box, users will be switched to the light version of
Outlook on the web and get a simplified experience.
Email signature: if enabled, users can create a custom signature and choose
whether to automatically include it in messages they send.
Weather: if enabled, users can see weather information on their calendar.
Places: if enabled, users can see location suggestions for meetings.
Local events: if enabled, users can see the events happening in their area.
Interesting calendars: if enabled, users can browse and add interesting
calendars.

Time management:
Calendar: if enabled, users can use the Calendar in Outlook on the web and the
new Outlook for Windows.
Tasks: if enabled, users can use Tasks in Outlook on the web and the new
Outlook for Windows.
Reminders and notifications: if enabled, users will receive new email notifications
and task and calendar reminders.

Select how users can view and access attachments from public or private
computers:
Public or shared computer - Direct file access: if enabled, users will be able to
open attachments by selecting them and then selecting Open.
Private computer or OWA for Devices - Direct file access: if enabled, users will be
able to open attachments by selecting them and then selecting Open.

Use Exchange Online PowerShell to create a mailbox policy for Outlook on the web and the new Outlook for Windows

In Exchange Online PowerShell, creating a mailbox policy for Outlook on the web and
the new Outlook for Windows is a two-step process:

1. Create the policy by using the following syntax:

PowerShell

New-OwaMailboxPolicy -Name "<Unique Name>"

This example creates a mailbox policy for Outlook on the web and the new
Outlook for Windows named Executives.

PowerShell

New-OwaMailboxPolicy -Name "Executives"

For detailed syntax and parameter information, see New-OwaMailboxPolicy.

2. Modify the default settings of the policy.

For more information, see Use Exchange Online PowerShell to modify mailbox
policies for Outlook on the web and the new Outlook for Windows in View or
configure mailbox policy properties for Outlook on the web and the new Outlook for
Windows.
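
The two-step procedure carried through as an added example that is not the Microsoft article's own code. It assumes an Exchange Online PowerShell session. Step 2 is illustrated with the two attachment settings from the EAC list above; their Set-OwaMailboxPolicy parameter names (DirectFileAccessOnPublicComputersEnabled and DirectFileAccessOnPrivateComputersEnabled) are not given in this article, and the optional assignment uses Set-CASMailbox -OwaMailboxPolicy, which this article does not show either. The policy name and file path are placeholders.

```powershell
# Added example, not code from the Microsoft article. Creates an Outlook on the web
# mailbox policy, restricts direct attachment access, optionally assigns it, and
# reads the policy back to verify. Assumes Connect-ExchangeOnline has been run.
function New-RestrictedOwaPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        # Mailbox identities (name, alias, e-mail address or user ID) to assign the policy to.
        [string[]]$MailboxIdentities = @()
    )
    if (Get-OwaMailboxPolicy -Identity $Name -ErrorAction SilentlyContinue) {
        throw "OwaMailboxPolicy '$Name' already exists; choose a unique name."
    }
    if ($PSCmdlet.ShouldProcess($Name, 'Create OwaMailboxPolicy')) {
        # Step 1: create the policy with default settings.
        New-OwaMailboxPolicy -Name $Name | Out-Null
        # Step 2: tighten the defaults. These two parameters are the PowerShell
        # counterparts of the EAC "Direct file access" check boxes for public and
        # private computers (parameter names assumed from Set-OwaMailboxPolicy).
        Set-OwaMailboxPolicy -Identity $Name `
            -DirectFileAccessOnPublicComputersEnabled $false `
            -DirectFileAccessOnPrivateComputersEnabled $false
    }
    foreach ($mbx in $MailboxIdentities) {
        if ($PSCmdlet.ShouldProcess($mbx, "Assign OwaMailboxPolicy '$Name'")) {
            # A mailbox can carry only one Outlook on the web mailbox policy, so this replaces any existing one.
            Set-CASMailbox -Identity $mbx -OwaMailboxPolicy $Name
        }
    }
    # Verification: read the policy back with the settings that were changed.
    Get-OwaMailboxPolicy -Identity $Name -ErrorAction SilentlyContinue |
        Select-Object Name, DirectFileAccessOnPublicComputersEnabled, DirectFileAccessOnPrivateComputersEnabled
}

# Usage (policy name from the article's example; the file path is a placeholder):
# New-RestrictedOwaPolicy -Name "Executives" -WhatIf
# New-RestrictedOwaPolicy -Name "Executives" -MailboxIdentities (Get-Content "C:\My Documents\Executives.txt")
```

Under -WhatIf the policy is not created, so the final Get-OwaMailboxPolicy returns nothing; that is expected and is why the verification call suppresses the not-found error.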

How do you know this worked?


To verify that you've successfully created a mailbox policy for Outlook on the web and
the new Outlook for Windows, do either of the following steps:

In the EAC, click Permissions > Outlook Web App Policies, and verify the policy is
listed. You can select the policy and click Edit to verify the properties of the
policy.

In Exchange Online PowerShell, run the following command to verify the policy is
listed:

PowerShell

Get-OwaMailboxPolicy | Format-Table Name

In Exchange Online PowerShell, replace <Policy Name> with the name of the
policy, and run the following command to verify the settings:

PowerShell

Get-OwaMailboxPolicy -Identity "<Policy Name>"

Next steps
To modify an existing Outlook on the web mailbox policy, see View or configure Outlook
on the web mailbox policy properties in Exchange Online.
Apply or remove mailbox policy on a
mailbox in Exchange Online for Outlook
on the web and the new Outlook for
Windows
Article • 02/22/2023

Assigning an Outlook on the web mailbox policy to a mailbox controls the Outlook on
the web (formerly known as Outlook Web App) and new Outlook for Windows
experience for the user. You can apply Outlook on the web mailbox policies to one or
more mailboxes or remove the policy assignments in the Exchange admin center (EAC)
or Exchange Online PowerShell.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Outlook on the web
mailbox policies" entry in the Feature permissions in Exchange Online article.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Apply mailbox policies to Outlook on the web and the new Outlook for Windows mailboxes

Use the EAC to apply an Outlook on the web mailbox policy to a mailbox
1. In the EAC, go to Recipients > Mailboxes.

2. Do one of the following steps:

Select a mailbox and then click Edit .

a. In the properties of the mailbox window that opens, click Mailbox
features.

b. In the Email connectivity section under Outlook on the web: Enabled,
click View details.

c. In the Outlook Web App mailbox policy policy window that opens, click
Browse to find and select the policy to apply, and then click OK when
you're finished. By default, the default policy named OwaMailboxPolicy-
Default is applied.

d. When you're finished, click Save multiple times.

Select multiple mailboxes.

a. In the Details pane, find Outlook on the web and click Assign a policy.

b. In the bulk assign window that opens, click Browse to find and select the
policy to apply, and then click OK when you're finished.

c. When you're finished, click Save.

Use Exchange Online PowerShell to apply a mailbox policy to Outlook on the web or the new Outlook for Windows mailboxes
There are three basic methods you can use to apply a mailbox policy to Outlook on the
web and the new Outlook for Windows mailboxes:

Individual mailboxes: Use the following syntax:

PowerShell

Set-CasMailbox -Identity <MailboxIdentity> -OwaMailboxPolicy "<Policy Name>"

This example applies the mailbox policy named Sales Associates to
tony@contoso.com for Outlook on the web and the new Outlook for Windows.

PowerShell

Set-CASMailbox -Identity tony@contoso.com -OwaMailboxPolicy "Sales Associates"

Filter mailboxes by attributes: This method requires that the mailboxes all share a
unique filterable attribute. For example:

Title, Department, or address information for user accounts as seen by the Get-
User cmdlet.

CustomAttribute1 through CustomAttribute15 for mailboxes as seen by the
Get-Mailbox cmdlet.

The syntax uses the following two commands (one to identify the mailboxes, and
the other to apply the policy to the mailboxes):

PowerShell

$<VariableName> = <Get-User | Get-Mailbox> -ResultSize unlimited -Filter <Filter>

PowerShell

$<VariableName> | foreach {Set-CasMailbox -Identity $_.MicrosoftOnlineServicesID -OwaMailboxPolicy "<Policy Name>"}

This example assigns the policy named Managers and Executives to all mailboxes
whose Title attribute contains "Manager" or "Executive".

PowerShell

$Mgmt = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Manager*' -or Title -like '*Executive*')"

PowerShell

$Mgmt | foreach {Set-CasMailbox -Identity $_.MicrosoftOnlineServicesID -OwaMailboxPolicy "Managers and Executives"}

Use a list of specific mailboxes: This method requires a text file to identify the
mailboxes. Values that don't contain spaces (for example, the user account) work
best. The text file must contain one user account on each line like this:

akol@contoso.com
ljohnston@contoso.com
kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts,
and the other to apply the policy to those users):

PowerShell

$<VariableName> = Get-Content "<text file>"

PowerShell

$<VariableName> | foreach {Set-CasMailbox -Identity $_ -OwaMailboxPolicy "<Policy Name>"}

This example assigns the policy named Managers and Executives to the mailboxes
specified in the file C:\My Documents\Management.txt.

PowerShell

$Mgrs = Get-Content "C:\My Documents\Management.txt"

PowerShell

$Mgrs | foreach {Set-CasMailbox -Identity $_ -OwaMailboxPolicy "Managers and Executives"}

For detailed syntax and parameter information, see Set-CASMailbox.
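
The three methods above share the same weak spot: Set-CASMailbox is called once per mailbox with no check that the policy name is valid and no confirmation that the assignment took. The following function is an added example, not code from the Exchange Online documentation, that wraps the list-file method with an up-front policy lookup, a -WhatIf dry run, and a read-back of the OwaMailboxPolicy value for each mailbox. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline from the ExchangeOnlineManagement module); the function name is this example's own, and the policy name and file path are the article's placeholders.

```powershell
# Added example, not code from the Exchange Online documentation. Assumes an
# Exchange Online PowerShell session is already open (Connect-ExchangeOnline);
# the policy name and file path used below are placeholders for your own values.
function Set-OwaPolicyFromList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $PolicyName,
        [Parameter(Mandatory = $true)] [string] $ListPath
    )

    # Resolve the policy once, up front. A mistyped policy name otherwise fails
    # once per mailbox instead of once per run.
    $policy = Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction Stop

    # One user account per line; tolerate blank lines and stray whitespace.
    $users = Get-Content -Path $ListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' }

    foreach ($user in $users) {
        # -WhatIf and -Confirm flow through ShouldProcess, so a dry run lists
        # every mailbox that would be touched without changing anything.
        if (-not $PSCmdlet.ShouldProcess($user, "Assign Outlook on the web mailbox policy '$($policy.Name)'")) {
            continue
        }
        try {
            Set-CASMailbox -Identity $user -OwaMailboxPolicy $policy.Name -ErrorAction Stop
            # Read the value back rather than trusting that the set call succeeded.
            $applied = [string](Get-CASMailbox -Identity $user -ErrorAction Stop).OwaMailboxPolicy
            [pscustomobject]@{
                Mailbox          = $user
                OwaMailboxPolicy = $applied
                Status           = $(if ($applied -eq $policy.Name) { 'Applied' } else { 'Mismatch' })
            }
        }
        catch {
            [pscustomobject]@{
                Mailbox          = $user
                OwaMailboxPolicy = $null
                Status           = "Error: $($_.Exception.Message)"
            }
        }
    }
}

# Dry run first, then apply and review the result table.
Set-OwaPolicyFromList -PolicyName "Managers and Executives" -ListPath "C:\My Documents\Management.txt" -WhatIf
Set-OwaPolicyFromList -PolicyName "Managers and Executives" -ListPath "C:\My Documents\Management.txt" |
    Format-Table -AutoSize
```

A row with Status "Mismatch" or "Error" is the signal to investigate before moving on; the Get-CasMailbox verification commands in the next section then only need to be run for those mailboxes.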

How do you know this worked?


To verify that you've applied a mailbox policy to a mailbox for Outlook on the web and
the new Outlook for Windows, use any of the following steps:

In the EAC, go to Recipients > Mailboxes and select the mailbox. In the Details
pane, go to Email Connectivity, click View details, and verify the name of the
policy in the Outlook Web App mailbox policy window that appears.
In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit . In
the properties of the mailbox window that opens, click Mailbox features. In the
Email connectivity section under Outlook on the web: Enabled, click View details,
and verify the name of the policy in the Outlook Web App mailbox policy window
that appears.

In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias,
email address, or account name of the mailbox, and run the following command to
verify the value of the OwaMailboxPolicy property:

PowerShell

Get-CasMailbox -Identity "<MailboxIdentity>" | Format-List OwaMailboxPolicy

In Exchange Online PowerShell, run the following command to verify the value of
the OwaMailboxPolicy property for all mailboxes:

PowerShell

Get-CasMailbox -ResultSize unlimited | Format-Table Name,OwaMailboxPolicy -Auto

Remove mailbox policy assignments from mailboxes for Outlook on the web or the new Outlook for Windows

Use the EAC to remove a mailbox policy assignment from a mailbox for Outlook on the web or the new Outlook for Windows
1. In the EAC, go to Recipients > Mailboxes, and select the mailbox that you want to
modify.

2. Scroll down in the details pane to Email Connectivity and click View details.

If a mailbox policy has been assigned, click Clear X to remove the policy
assignment from the mailbox.

3. When you're finished, click Save to save.


Use Exchange Online PowerShell to remove a mailbox
policy assignment from a mailbox for Outlook on the web
and the new Outlook for Windows
To remove the policy assignment from the mailbox, use the following syntax:

PowerShell

Set-CasMailbox -Identity "<MailboxIdentity>" -OwaMailboxPolicy $null

This example removes the mailbox policy from mailbox of the user tony@contoso.com
for Outlook on the web and the new Outlook for Windows.

PowerShell

Set-CASMailbox -Identity tony@contoso.com -OwaMailboxPolicy $null

For detailed syntax and parameter information, see Set-CASMailbox.

How do you know this worked?


To verify that you've removed an Outlook on the web mailbox policy assignment from a
mailbox, use any of the following steps:

In the EAC, go to Recipients > Mailboxes and select the mailbox. In the Details
pane, go to Email Connectivity, click View details, and verify the policy is blank in
the Outlook Web App mailbox policy window that appears.

In the EAC, go to Recipients > Mailboxes. In the properties of the mailbox window
that opens, click Mailbox features. In the Email connectivity section under
Outlook on the web: Enabled, click View details, and verify the policy is blank in
the Outlook Web App mailbox policy window that appears.

In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias,
email address, or account name of the mailbox, and run the following command to
verify the value of the OwaMailboxPolicy property:

PowerShell

Get-CasMailbox -Identity "<MailboxIdentity>" | Format-List OwaMailboxPolicy

In Exchange Online PowerShell, run the following command to verify the value of
the OwaMailboxPolicy property:

PowerShell

Get-CasMailbox -ResultSize unlimited | Format-Table Name,OwaMailboxPolicy -Auto

Remove a mailbox policy from Exchange Online for Outlook on the web and the new Outlook for Windows
Article • 02/22/2023

You can remove a mailbox policy from Outlook on the web (formerly known as an
Outlook Web App mailbox policy) and the new Outlook for Windows using either the
Exchange admin center (EAC) or Exchange Online PowerShell.

Note: Don't remove the built-in mailbox policy named OwaMailboxPolicy-Default.

For additional management tasks related to Outlook on the web mailbox policies, see
Outlook on the web mailbox policies.

What do you need to know before you begin?


Estimated time to complete each procedure: 3 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Outlook on the web
mailbox policies" entry in the Feature permissions in Exchange Online article.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the EAC to remove a mailbox policy for Outlook on the web and the new Outlook for Windows
1. In the EAC, go to Permissions > Outlook Web App policies, select the policy that
you want to remove, and then click Delete .

2. In the confirmation window that appears, click Yes to remove the mailbox policy, or
click No to cancel.

Use Exchange Online PowerShell to remove a mailbox policy for Outlook on the web and the new Outlook for Windows
To remove a mailbox policy for Outlook on the web and the new Outlook for Windows,
use the following syntax:

PowerShell

Remove-OwaMailboxPolicy -Identity "<Policy Name>"

This example removes the mailbox policy named Sales Associates from Outlook on the
web and the new Outlook for Windows.

PowerShell

Remove-OwaMailboxPolicy -Identity "Sales Associates"

For detailed syntax and parameter information, see Remove-OwaMailboxPolicy.

How do you know this worked?


To verify that you've successfully removed an Outlook on the web mailbox policy, do any
of the following steps:

In the EAC, go to Permissions > Outlook Web App policies and verify the policy is
no longer listed.

In Exchange Online PowerShell, run the following command to verify the policy is
no longer listed:

PowerShell

Get-OwaMailboxPolicy

View or configure mailbox policy properties in Exchange Online for Outlook on the web and the new Outlook for Windows
Article • 02/22/2023

After you create a mailbox policy for Outlook on the web and the new Outlook for
Windows, you can configure a variety of options to control the features available to
users in Outlook on the web (formerly known as Outlook Web App) and the new
Outlook for Windows. For example, you can enable or disable Inbox rules or create a list
of allowed file types for attachments.

For more information about mailbox policies for Outlook on the web and the new
Outlook for Windows, see Outlook on the web mailbox policies.

What do you need to know before you begin?


Estimated time to complete each procedure: 3 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Outlook on the web
mailbox policies" entry in the Feature permissions in Exchange Online article.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the EAC to view or configure mailbox policies for Outlook on the web and the new Outlook for Windows
1. In the EAC, go to Permissions > Outlook Web App policies and select the policy
that you want to view or configure.

2. The Details pane shows the enabled features in the policy. To see more
information, click Edit . In the properties window that opens you can view and
configure the following settings:

On the General tab, you can view and edit the name of the policy.

On the Features tab, use the check boxes to enable or disable features. By
default, the most common features are displayed. To see all features that can
be enabled or disabled, click More options.

Note

You can configure settings for individual users by using the Set-
CASMailbox cmdlet in Exchange Online PowerShell.

On the File Access tab, use the Direct file access check boxes to configure
the file access and viewing options for users. File access lets a user open or
view the contents of files attached to an email message.

File access can be controlled based on whether a user has signed in on a public or
private computer. The option for users to select private computer access or public
computer access is available only when you're using forms-based authentication.
All other forms of authentication default to private computer access.

On the Offline access tab, use the option buttons to configure offline access
availability.

3. When you're finished, click Save to update the policy.

Use Exchange Online PowerShell to modify mailbox policies for Outlook on the web and the new Outlook for Windows
To modify a mailbox policy for Outlook on the web and the new Outlook for Windows,
use the following syntax:
PowerShell

Set-OwaMailboxPolicy -Identity "<Policy Name>" [Settings]

This example enables calendar access in the default mailbox policy.

PowerShell

Set-OwaMailboxPolicy -Identity Default -CalendarEnabled $true

For detailed syntax and parameter information, see Set-OwaMailboxPolicy.

Use Exchange Online PowerShell to view mailbox policies for Outlook on the web and the new Outlook for Windows
To view a mailbox policy for Outlook on the web and the new Outlook for Windows, use
the following syntax:

PowerShell

Get-OwaMailboxPolicy [-Identity "<Policy Name>"]

This example returns a summary list of all policies in the organization

PowerShell

Get-OwaMailboxPolicy | Format-Table Name

This example retrieves detailed information for the policy named Executives.

PowerShell

Get-OwaMailboxPolicy -Identity Executives

For detailed syntax and parameter information, see Get-OwaMailboxPolicy.

How do you know this worked?


To verify that you've successfully modified an Outlook on the web mailbox policy, do
either of the following steps:

In the EAC, click Permissions > Outlook Web App Policies, select the policy, click
Edit , and verify the properties of the policy.

In Exchange Online PowerShell, replace <Policy Name> with the name of the
policy, and run the following command to verify the settings:

PowerShell

Get-OwaMailboxPolicy -Identity "<Policy Name>"


Outlook for iOS and Android in Exchange Online
Article • 02/22/2023

The Outlook app for iOS and Android is designed to bring together email, calendar,
contacts, and other files, enabling users in your organization to do more from their
mobile devices. This article provides an overview of the architecture, so that
administrators can deploy and maintain Outlook for iOS and Android in their
organizations.

Note

The Outlook for iOS and Android Help Center is available for users, including
help for using the app on specific devices and troubleshooting information.

Outlook for iOS and Android architecture


The Outlook for iOS and Android app is fully powered by the Microsoft Cloud. All Office
365 Enterprise, Government, Business, and Education accounts are supported natively,
which means there is no mailbox data cached outside of Microsoft 365 or Office 365.
Data simply stays in its current Exchange Online mailbox, and it's secured with TLS
version 1.2 over HTTPS connections end-to-end, between Microsoft 365 or Office 365
and the app. Outlook for iOS and Android is fully delivered through Microsoft services
that provide a strong commitment to security, privacy, and compliance.

The Microsoft 365- or Office 365-based architecture provides the following benefits:

1. Data locality: User mailbox data stays in place, and therefore continues to respect
the data locality and regionality promises of Microsoft 365 or Office 365 for data at
rest. In other words, the user's mailbox data is stored within the region in which
the tenant (or mailbox in the case of a Multi-Geo tenant) is located.

2. Device ID: Each Outlook for iOS and Android connection registers in the Microsoft
365 or Office 365 Admin console and is able to be managed as a unique
connection.

3. Modern Authentication (OAuth): Outlook for iOS and Android leverages Modern
Authentication (OAuth) to protect user's credentials. Modern authentication
provides Outlook for iOS and Android with a secure mechanism to access
Microsoft 365 or Office 365 data without ever touching a user's credentials. At sign
in, the user authenticates directly against an identity platform (either Azure AD or
an on-premises identity provider like ADFS) and receives an access token in return,
which grants Outlook for iOS and Android access to the user's mailbox or files. At
no time does the service have access to the user's password in any form.

4. Enterprise Mobility + Security support: Customers can take advantage of
Microsoft Enterprise Mobility + Security (EMS) including Microsoft Intune and
Azure Active Directory Premium, to enable conditional access and Intune app
protection policies, which control and secure corporate messaging data on the
mobile device.

Within the Microsoft 365- or Office 365-based architecture, Outlook for iOS and
Android uses the native Microsoft sync technology as the protocol for data
synchronization.

The native Microsoft sync technology offers several benefits:

1. Eliminates middle tier services: Data synchronization with the native Microsoft
sync technology occurs between the app and Microsoft 365 or Office 365,
eliminating the need for any middle tier services.

2. Latency reduction: By replacing the proprietary Outlook device API and Stateless
Protocol Translator, there is a reduction in end-to-end latency between the app
and Microsoft 365 or Office 365.

3. Additional instance support: Removing the intermediary Stateless Protocol
Translator for data connections enables Microsoft to support other unique
Microsoft 365 or Office 365 instances, like Office 365 Government Community
Cloud High and Office 365 Department of Defense, that were previously blocked
from using Outlook for iOS and Android.

4. Protocol consolidation: Today, each Outlook client platform utilizes a different
data sync protocol, which hinders the ability to innovate and deploy new features
quickly across all Outlook clients. The native Microsoft sync technology that
Outlook for iOS and Android is adopting has been in use by the native Windows
10 mail client for a number of years, and in the future, will be used by Outlook for
Mac.

5. Unlocking new features: The native Microsoft sync technology will enable Outlook
for iOS and Android to take advantage of native Microsoft 365 or Office 365
features it does not support today, such as S/MIME, sensitivity labels, and shared
mailboxes. These and more Microsoft 365 or Office 365 features will roll out soon
after the architecture update.

How to use Outlook on the web (formerly known as Outlook Web App) and the new Outlook for Windows to remotely wipe an ActiveSync device in Microsoft 365
Article • 02/22/2023

Introduction
This article describes how to use Outlook on the web (formerly known as Outlook Web
App, or OWA) and the new Outlook for Windows to remotely wipe a mobile device in
Microsoft 365.

To remotely wipe a mobile device in Outlook on the web or the new Outlook for
Windows, the mobile device must be connected to Exchange Online by using Microsoft
Exchange ActiveSync. If you lose the mobile device, you can use the remote wiping
feature to prevent someone from obtaining your personal information from the device.

Procedure
To remotely wipe a device by using Outlook Web App or Outlook on the web, follow
these steps:

1. Sign in to the Microsoft 365 portal.
2. Click Mail.
3. Click Settings, and then click Options.
4. In the left navigation pane, click Phone.
5. Select the device that you want to wipe.
6. Click Wipe Device, and then click Yes when you're prompted.
7. When the wipe operation is completed, you should remove the device completely.
To do this, click Delete, and then click Yes when you're prompted.

More information
Still need help? Go to Microsoft Community .

Public attachment handling in Exchange Online
Article • 02/22/2023

As an admin, you can set up both private and public attachment handling in Outlook on
the web (formerly known as Outlook Web App) depending on how you configure your
Outlook on the web mailbox policies. The settings for private (internal) and public
(external) networks define how users can open, view, send, or receive attachments
depending on whether a user is signed in to Outlook on the web on a computer that is
part of a private or of a public network.

How can I control public attachment handling?


Although there are both private (internal network) and public (external network) settings
to control attachments using Outlook on the web mailbox policies, admins require more
consistent and reliable attachment handling when a user signs in to Outlook on the web
from a computer on a public network such as at a coffee shop or library. To set up the
ability to enforce attachment handling from external networks for an entire organization
in Exchange Online, first use the Set-OrganizationConfig cmdlet to set the
PublicComputersDetectionEnabled parameter to $true, then configure the correct Outlook on
the web mailbox policy either by using the Exchange admin center (EAC) or the Set-
OwaMailboxPolicy cmdlet, and create claim rules in AD FS. Enabling this setting on the
Set-OrganizationConfig cmdlet and creating the claim rules enables Exchange Online to
tell whether a user is signing in to Outlook on the web from a private or a public
network or computer.

The Outlook on the web mailbox policy parameters in the following table should be set
to $true to enable an admin to control attachment handling for public computers and
networks.

Parameter* Description

DirectFileAccessOnPublicComputersEnabled: Specifies left-click and other options
available for attachments when the user has signed in to Outlook on the web from a
computer outside of a private or corporate network. If this parameter is set to $true,
Open and other options are available. If it's set to $false, the Open option is
disabled.

ForceWacViewingFirstOnPublicComputers: Specifies whether a user who signed in to
Outlook on the web from a computer outside of a private or corporate network can open
an Office file directly without first viewing it as a webpage.

WacViewingOnPublicComputersEnabled: Specifies whether a user who has signed into
Outlook on the web from a computer outside of the corporate network can view supported
Office files using Outlook on the web.

What do you need to know before you begin?


Procedures in this topic require specific permissions. See each procedure for its
permissions information.

Create one or more mailboxes for users.

Enable Outlook on the web on a user's mailbox if it has been disabled.

Verify that cookies have been enabled in the Web browser for all of the users in
your organization.

Set up and configure single sign on using AD FS:

Checklist: Use AD FS to implement and manage single sign-on

Set up ADFS for Single Sign-On

Configure single sign on

To learn how to use Windows PowerShell to connect to Exchange Online, see
Connect to Exchange Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Task 1 - Enable public attachment handling for your organization
Run the following command:

PowerShell

Set-OrganizationConfig -PublicComputersDetectionEnabled $true

Note: Setting this parameter to $true won't affect the settings for the following
parameters:

ForceWacViewingFirstOnPublicComputers
WSSAccessOnPublicComputersEnabled
UNCAccessOnPublicComputersEnabled

Task 2 - Add and create claim rules in AD FS 2.0

You must create a custom claim rule because an AD FS server relies on the presence of
the x-ms-proxy claim to detect whether a user is coming from an internal or external
network. When an AD FS proxy is deployed for external or public access, and the user
is coming from outside a private network, an x-ms-proxy claim is sent from the
AD FS proxy to the AD FS server. To learn more about claim rules in AD FS, see Create a
Rule to Send Claims Using a Custom Rule.

1. On the Start Screen, type AD FS Management, and then press Enter.

2. In the AD FS console tree, go to AD FS\Trust Relationships > Relying Party Trusts,
and select O365 Identity Platform.

3. In O365 Identity Platform, click Edit Claim Rules > Add Rule > Issuance
Transform Rules.

4. On the Select Rule Template page, under Claim rule template, select Send Claims
Using a Custom Rule from the list, and then click Next.

5. On the Configure Rule page under Claim rule name type the display name for this
rule.

6. Under Custom rule, input the following text:

text

exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "false");

7. Next, input the following text:

text

NOT exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "true");

8. Click Finish.

9. In the Edit Claim Rules dialog box, click OK to save the rule.

Task 3 - Enable public attachment handling on an Outlook on the web mailbox policy

Use EAC to enable public attachment handling settings

1. In the EAC, click Permissions > Outlook Web App policies.

2. In the result pane, click the mailbox policy you want to view or configure, and click
Edit.

3. On File Access, use the check boxes to configure the file access and viewing
options for users. File access lets a user open or view the contents of files attached
to an email message.

File access can be controlled based on whether a user has logged on to a public or
private computer. The option for users to select private computer access or public
computer access is available only when you're using forms-based authentication.
All other forms of authentication default to private computer access.

Direct file access: Select this check box if you want to enable direct file access.
Direct file access lets users open files attached to email messages.

4. Click Save to update the policy.


Use Exchange Online PowerShell to enable public
attachment handling settings
Run the following command:

PowerShell

Set-OwaMailboxPolicy -Identity MyOWAPublicPolicy -DirectFileAccessOnPublicComputersEnabled $true -ForceWacViewingFirstOnPublicComputers $true -WacViewingOnPublicComputersEnabled $true
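
Tasks 1 through 3 only work together: the policy parameters in the table above govern public sign-ins, but Exchange Online can only tell a public sign-in from a private one once PublicComputersDetectionEnabled is $true and the AD FS claim rules are in place. The following function is an added example, not code from the Exchange Online documentation, that reports the organization-wide switch next to the three public-computer parameters of every Outlook on the web mailbox policy and flags the combinations this article calls out. It assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline); the function name and the wording of the Note column are this example's own.

```powershell
# Added example, not code from the Exchange Online documentation. Assumes an open
# Exchange Online PowerShell session (Connect-ExchangeOnline). The function name
# and the Note wording are this example's own.
function Get-OwaPublicAttachmentPosture {
    [CmdletBinding()]
    param()

    # Task 1 is an organization-wide switch. Without it, the *OnPublicComputers
    # settings in each policy can't be distinguished from private sign-ins.
    $detection = [bool](Get-OrganizationConfig).PublicComputersDetectionEnabled

    Get-OwaMailboxPolicy | ForEach-Object {
        $notes = @()
        if (-not $detection) {
            $notes += 'Org-level public computer detection is off (Task 1); AD FS claim rules are also required (Task 2)'
        }
        # Per the parameter table: with direct access on and forced web viewing off,
        # a public sign-in can open an Office attachment without the webpage preview.
        if ($_.DirectFileAccessOnPublicComputersEnabled -and -not $_.ForceWacViewingFirstOnPublicComputers) {
            $notes += 'Public sign-ins can open Office attachments directly without first viewing them as a webpage'
        }
        [pscustomobject]@{
            Policy                                   = $_.Name
            PublicComputersDetectionEnabled          = $detection
            DirectFileAccessOnPublicComputersEnabled = $_.DirectFileAccessOnPublicComputersEnabled
            ForceWacViewingFirstOnPublicComputers    = $_.ForceWacViewingFirstOnPublicComputers
            WacViewingOnPublicComputersEnabled       = $_.WacViewingOnPublicComputersEnabled
            Note                                     = ($notes -join '; ')
        }
    }
}

# One record per policy; an empty Note column means nothing was flagged.
Get-OwaPublicAttachmentPosture | Format-List
```

Run it before and after Task 3 to confirm that the policy you edited (MyOWAPublicPolicy in the example above) is the one whose values changed, and that OwaMailboxPolicy-Default and any other policies still reflect what you expect.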

What do you need to know about attachments?


An attachment can be a file that's created in any program, for example, a Word
document, an Excel spreadsheet, a .wav file, or a bitmap file. Users can attach or include
one or more files on any item that they create in their mailbox, for example, an email
message, calendar item, or contact. Outlook on the web allows you to send and receive
many common file types.

Some attachments might be removed or blocked by antivirus software used by your
organization, by the organization of the recipients of your email, or you might be
required to save them on your computer before you can open them. By default, Outlook
on the web allows you to open attached Word, Excel, PowerPoint, text files and many
media files directly. The files you can open from Outlook on the web vary depending on
your account settings. The following list describes the default file name extensions that
you can open in Outlook on the web.

File name extensions allowed by default:

.avi
.bmp
.doc
.docm
.docx
.gif
.jpeg
.mp3
.one
.pdf
.png
.ppsm
.ppsx
.ppt
.pptm
.pptx
.pub
.rpmsg
.rtf
.tif
.txt
.vsd
.wav
.wma
.wmv
.xls
.xlsb
.xlsm
.xlsx

Modify the space used by Inbox rules in Exchange Online
Article • 02/22/2023

Inbox rules in Outlook on the web (formerly known as Outlook Web App) and the
Outlook desktop apps are limited to 256 KB total for all rules. Each rule you create will
take up space in your mailbox. The actual amount of space a rule uses depends on
several factors, such as how long the name is and how many conditions you've applied.
When you reach the 256 KB limit, you'll be warned that you can't create any more rules
or that you can't update a rule. You can't increase the amount of space that's allocated
to store Inbox rules in Exchange Online, but you can decrease it to suit your business
needs.

Notes:

The valid range for the Inbox rules quota is 32 KB to 256 KB.

There isn't a maximum number of rules that users can create.

The quota for Inbox rules applies only to enabled rules. There's no restriction on
the number of disabled rules that a mailbox can have. However, the total size of
rules that are enabled or active in the mailbox can't exceed the quota value.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes or less.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mailbox settings" entry in
the Feature permissions in Exchange Online article.

You can only use Exchange Online PowerShell to perform the procedure in this
article. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use Exchange Online PowerShell to increase the limit for Inbox rules
There are three basic methods you can use to modify the rules quota for a mailbox:

Individual mailboxes: Use the following syntax:

PowerShell

Set-Mailbox -Identity <MailboxIdentity> -RulesQuota "<32 KB to 256 KB>"

This example decreases the rules quota to 200 KB for the user
douglas@contoso.com.

PowerShell

Set-Mailbox -Identity douglas@contoso.com -RulesQuota "200 KB"

Filter mailboxes by attributes: This method requires that the mailboxes all share a
unique filterable attribute. For example:

Title, Department, or address information for user accounts as seen by the Get-
User cmdlet.

CustomAttribute1 through CustomAttribute15 for mailboxes as seen by the
Get-Mailbox cmdlet.

The syntax uses the following two commands (one to identify the mailboxes, and
the other to apply the rules quota to the mailboxes):

PowerShell

$<VariableName> = <Get-User | Get-Mailbox> -ResultSize unlimited -Filter <Filter>

PowerShell

$<VariableName> | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -RulesQuota "<32 KB to 256 KB>"}

This example decreases the rules quota to 32 KB for all mailboxes whose Title
attribute contains "Vendor" or "Contractor".

PowerShell

$V = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Vendor*' -or Title -like '*Contractor*')"

PowerShell

$V | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -RulesQuota "32 KB"}

Use a list of specific mailboxes: This method requires a text file to identify the
mailboxes. Values that don't contain spaces (for example, the user account) work
best. The text file must contain one user account on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts,
and the other to apply the rules quota to those users):

PowerShell

$<VariableName> = Get-Content "<text file>"

PowerShell

$<VariableName> | foreach {Set-Mailbox -Identity $_ -RulesQuota "<32 KB to 256 KB>"}

This example increases the rules quota to 150 KB for the mailboxes specified in the
file C:\My Documents\Junior Managers.txt.

PowerShell

$Jr = Get-Content "C:\My Documents\Junior Managers.txt"

PowerShell

$Jr | foreach {Set-Mailbox -Identity $_ -RulesQuota "150 KB"}


How do you know this worked?
To verify that you've modified the Inbox rules quota on a mailbox, use any of the
following steps in Exchange Online PowerShell:

Replace <MailboxIdentity> with the name, alias, email address, or account name of
the mailbox, and run the following command to verify the value of the RulesQuota
property:

PowerShell

Get-Mailbox -Identity "<MailboxIdentity>" | Format-List RulesQuota

Run the following command to verify the value of the RulesQuota property for all
mailboxes:

PowerShell

Get-Mailbox -ResultSize unlimited | Format-Table Name,RulesQuota -Auto
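The three methods above share one shape: identify the mailboxes, apply Set-Mailbox -RulesQuota, then read the value back with Get-Mailbox. The following script is an added example, not code from the original article; it wraps the text-file method with the checks an administrator wants before touching production mailboxes: it rejects a quota outside the 32 KB to 256 KB range, ignores blank lines and comments in the file, confirms that each entry resolves to exactly one mailbox, supports -WhatIf, and reports the before and after RulesQuota values. The function name and the '#' comment convention for the file are this example's own assumptions; the cmdlets and the RulesQuota parameter are the ones the article uses.

```powershell
# Added example: bulk-set the Inbox rules quota from a text file, with validation.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
# The function name and the '#' comment lines in the file are this example's own conventions.
function Set-InboxRulesQuotaFromFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,                     # one mailbox identity per line

        [Parameter(Mandatory = $true)]
        [ValidateRange(32, 256)]
        [int]$QuotaKB                      # Exchange Online accepts 32 KB through 256 KB
    )

    $quota   = "$QuotaKB KB"
    $results = @()

    # Ignore blank lines and '#' comments so the file can carry notes; de-duplicate entries.
    $identities = Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Select-Object -Unique

    foreach ($id in $identities) {
        # Resolve first: a typo in the file should be reported, not silently skipped.
        # Both "not found" and "matches multiple entries" return no object here.
        $mbx = @(Get-Mailbox -Identity $id -ErrorAction SilentlyContinue)
        if ($mbx.Count -ne 1) {
            $results += [pscustomobject]@{ Identity = $id; Before = $null; After = $null; Status = 'NotResolved' }
            continue
        }

        $target = $mbx[0].PrimarySmtpAddress
        $before = $mbx[0].RulesQuota

        if ($PSCmdlet.ShouldProcess($target, "Set RulesQuota to $quota")) {
            Set-Mailbox -Identity $target -RulesQuota $quota
            # Read back rather than trusting that the call succeeded.
            # RulesQuota displays as e.g. "150 KB (153,600 bytes)", hence the prefix match.
            $after  = (Get-Mailbox -Identity $target).RulesQuota
            $status = if ("$after" -like "$quota*") { 'Changed' } else { 'Unverified' }
        } else {
            $after  = $before
            $status = 'WhatIf'
        }

        $results += [pscustomobject]@{ Identity = $target; Before = $before; After = $after; Status = $status }
    }

    return $results
}

# Usage: preview first, then apply and review the before/after table.
# Set-InboxRulesQuotaFromFile -Path 'C:\My Documents\Junior Managers.txt' -QuotaKB 150 -WhatIf
# Set-InboxRulesQuotaFromFile -Path 'C:\My Documents\Junior Managers.txt' -QuotaKB 150 |
#     Format-Table Identity, Before, After, Status -AutoSize
```

Any row whose Status is NotResolved or Unverified is the one to look at: the former is a bad entry in the file, the latter means Set-Mailbox returned but the mailbox does not report the requested value.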

What else do I need to know?


Inbox rules are run from top to bottom in the order in which they appear in the
Rules window. To change the order of rules, click the rule you want to move, and
then click the up or down arrow to move the rule to the position you want in the
list.

When you create a forwarding rule, you can add more than one address to forward
to. The number of addresses you can forward may be limited, depending on the
settings for your account. If you add more addresses than are allowed, your
forwarding rule won't work. If you create a forwarding rule with more than one
address, test it to be sure it works.
Outlook for iOS and Android in
Exchange Online
Article • 02/22/2023

The Outlook app for iOS and Android is designed to bring together email, calendar,
contacts, and other files, enabling users in your organization to do more from their
mobile devices. This article provides an overview of the architecture, so that
administrators can deploy and maintain Outlook for iOS and Android in their
organizations.

Note

The Outlook for iOS and Android Help Center is available for users, including
help for using the app on specific devices and troubleshooting information.

Outlook for iOS and Android architecture


The Outlook for iOS and Android app is fully powered by the Microsoft Cloud. All Office
365 Enterprise, Government, Business, and Education accounts are supported natively,
which means there is no mailbox data cached outside of Microsoft 365 or Office 365.
Data simply stays in its current Exchange Online mailbox, and it's secured with TLS
version 1.2 over HTTPS connections end-to-end, between Microsoft 365 or Office 365
and the app. Outlook for iOS and Android is fully delivered through Microsoft services
that provide a strong commitment to security, privacy, and compliance.

The Microsoft 365- or Office 365-based architecture provides the following benefits:

1. Data locality: User mailbox data stays in place, and therefore continues to respect
the data locality and regionality promises of Microsoft 365 or Office 365 for data at
rest. In other words, the user's mailbox data is stored within the region in which
the tenant (or mailbox in the case of a Multi-Geo tenant) is located.

2. Device ID: Each Outlook for iOS and Android connection registers in the Microsoft
365 or Office 365 Admin console and is able to be managed as a unique
connection.

3. Modern Authentication (OAuth): Outlook for iOS and Android leverages Modern
Authentication (OAuth) to protect user's credentials. Modern authentication
provides Outlook for iOS and Android with a secure mechanism to access
Microsoft 365 or Office 365 data without ever touching a user's credentials. At sign
in, the user authenticates directly against an identity platform (either Azure AD or
an on-premises identity provider like ADFS) and receives an access token in return,
which grants Outlook for iOS and Android access to the user's mailbox or files. At
no time does the service have access to the user's password in any form.

4. Enterprise Mobility + Security support: Customers can take advantage of
Microsoft Enterprise Mobility + Security (EMS) including Microsoft Intune and
Azure Active Directory Premium, to enable conditional access and Intune app
protection policies, which control and secure corporate messaging data on the
mobile device.

Within the Microsoft 365- or Office 365-based architecture, Outlook for iOS and
Android uses the native Microsoft sync technology as the protocol for data
synchronization.

The native Microsoft sync technology offers several benefits:

1. Eliminates middle tier services: Data synchronization with the native Microsoft
sync technology occurs between the app and Microsoft 365 or Office 365,
eliminating the need for any middle tier services.

2. Latency reduction: By replacing the proprietary Outlook device API and Stateless
Protocol Translator, there is a reduction in end-to-end latency between the app
and Microsoft 365 or Office 365.

3. Additional instance support: Removing the intermediary Stateless Protocol
Translator for data connections enables Microsoft to support other unique
Microsoft 365 or Office 365 instances, like Office 365 Government Community
Cloud High and Office 365 Department of Defense, that were previously blocked
from using Outlook for iOS and Android.

4. Protocol consolidation: Today, each Outlook client platform utilizes a different
data sync protocol, which hinders the ability to innovate and deploy new features
quickly across all Outlook clients. The native Microsoft sync technology that
Outlook for iOS and Android is adopting has been in use by the native Windows
10 mail client for a number of years, and in the future, will be used by Outlook for
Mac.

5. Unlocking new features: The native Microsoft sync technology will enable Outlook
for iOS and Android to take advantage of native Microsoft 365 or Office 365
features it does not support today, such as S/MIME, sensitivity labels, and shared
mailboxes. These and more Microsoft 365 or Office 365 features will roll out soon
after the architecture update.
Outlook for iOS and Android in
Exchange Online: FAQ
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center , if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Summary: This article covers the most common questions asked by customers and
administrators about using Outlook for iOS and Android with Exchange Online and
Microsoft 365 or Office 365.

The Outlook for iOS and Android app is designed to enable users in your organization
to do more from their mobile devices, by bringing together email, calendar, contacts,
and other files. The following sections highlight the most common questions we receive,
across three key areas:

Outlook for iOS and Android architecture and security

Managing and maintaining Outlook for iOS and Android in your Exchange
organization after it has been deployed

Common questions from end users who access information in your Exchange
organization with the Outlook for iOS and Android app on their mobile devices

Architecture and security


The following questions are about the overall architecture of Outlook for iOS and
Android in Exchange Online, as well as user authentication and other security concerns.

Q: What cloud architecture is utilized by Outlook for iOS and Android for Microsoft 365 or Office 365 accounts?
For more information on the architecture, see Outlook for iOS and Android in Exchange
Online.

Q: Can I add two different Microsoft 365 or Office 365 accounts from different regions to Outlook for iOS and Android?
Yes, provided both accounts do not have Intune App Protection Policies assigned.
However, for Government Community Cloud customers, users may only add their own
account and OneDrive for Business storage account to the app; adding personal or
other commercial accounts is prevented to meet FedRAMP requirements. For more
information on Government Community Cloud restrictions with Outlook for iOS and
Android, see Using Outlook for iOS and Android in the Government Community Cloud.

Q: What authentication mechanism is used for Outlook for iOS and Android? Are credentials stored in Microsoft 365 or Office 365?
See Account setup with modern authentication in Exchange Online.

Q: Do Outlook for iOS and Android and other Microsoft Office mobile apps support single sign-on?
See Account setup with modern authentication in Exchange Online.

Q: What is the lifetime of the tokens generated and used by the Active Directory Authentication Library (ADAL) in Outlook for iOS and Android?
See Account setup with modern authentication in Exchange Online.

Q: What happens to the access token when a user's password is changed?
See Account setup with modern authentication in Exchange Online.

Q: Does Outlook for iOS and Android support certificate-based authentication?
Yes, Outlook for iOS and Android supports certificate-based authentication for modern
authentication-enabled accounts (Microsoft 365 or Office 365 accounts or on-premises
accounts using hybrid modern authentication). For more information, see:

Configuring Active Directory Federation Services (ADFS)

Certificate-based authentication on iOS

Certificate-based authentication on Android

Q: What does background synchronization enable? I notice that when I launch the app with it enabled, I still have to wait for messages to download, even after I've received new mail notifications for them; and sometimes, I get reminders for appointments that had been canceled.
Background synchronization enables new message notifications, calendar reminders,
badge count updates, and background synchronization of mailbox and calendar
information for Outlook for iOS and Android.

If background synchronization is disabled by the user in the mobile operating system's
settings, then the user must launch the app and keep it in the foreground in order to
synchronize messages and have an up-to-date calendar.

Background synchronization in Outlook for iOS and Android can also be temporarily
disabled by the following actions:

Force quitting Outlook for iOS.

Restarting the iOS device.

Outlook for iOS crashes and is not restarted by the user.

Not opening the app for a given period of time. iOS will automatically freeze third-
party apps, like Outlook, based on usage patterns. Android doze mode and app
standby features can also prevent background updates to the app while those
features are active.

On some Android devices, you can also restrict background processing or network
access per-app. In these cases, Outlook for Android will not be able to process
updates in the background. Android device manufacturers can modify the way you
can interact with settings, therefore it is not possible to document every device
scenario, but in general, the following steps can be followed to remove battery
optimization:

1. Open Settings.

2. Tap Battery.

3. Tap the ellipse and tap Battery optimization.

4. Tap the down arrow and tap All apps.

5. For the Microsoft Authenticator, Intune Company Portal and Outlook apps,
tap Not optimized to turn off battery optimization.

If the mobile operating system prevents background synchronization, users will
experience the following results:

New mail notifications will continue to be delivered, however, upon launching the
app, the new messages will have to be downloaded.

Calendar reminders will fire for appointments that have been canceled because the
app was unable to download and process the meeting cancellation.

Note

Apple allows its native Mail and Calendar apps to do background refreshes without
any restrictions. Therefore, users may notice a difference in the background
synchronization experience between the apps. However, this also results in
improved battery life and less data consumption with Outlook for iOS.

Q: Does each user's instance of Outlook for iOS and Android have a unique device ID in the Microsoft 365- or Office 365-based architecture? How is the device ID generated and is this same device ID used in Intune?
Upon initial account login, Outlook for iOS and Android establishes a connection to the
Microsoft 365- or Office 365-based architecture. A unique device ID is generated, and
this device ID is what appears in Active Directory device records (which can be retrieved
with cmdlets such as Get-MobileDevice in Exchange Online PowerShell) and which
appears in HTTP request headers.

Intune uses a different device ID. The basic workflow for how Intune assigns a device ID
is described in App-based conditional access with Intune. In Intune, the device ID is
assigned when the device workplace joins for all device-conditional access scenarios.
This ID is an AAD-generated unique ID for the device. Intune uses that unique ID when
sending compliance information, and ADAL uses that unique ID when authenticating to
services.

Q: Does Outlook for iOS and Android support RMS?

Yes. Outlook for iOS and Android supports reading protected messages. Outlook for iOS
and Android works differently than desktop versions of Outlook when it comes to RMS.
For desktop versions of Outlook, once a protected message is received and access is
attempted, and Outlook verifies that the user can read RM messages, Outlook connects
to Exchange to request an encryption key. The Outlook desktop client uses that
encryption key to decrypt the message in front of the user (client-side). Mobile clients
operate differently. When Outlook for iOS and Android sets up its initial relationship
with Exchange, it notifies Exchange that it supports RMS. Exchange decrypts any
protected messages before passing them to the client. In other words, decryption is
performed server-side. Outlook for iOS and Android doesn't perform any decryption
itself.

In cases where Outlook for iOS and Android receives protected messages and prompts
end users to use an RM client to open the file, it means that Exchange hasn't decrypted
the message, which is due to an issue on the Exchange side.

Note

Outlook for iOS uses iOS's native preview technology to quickly expose
attachments to end users. iOS's preview technology does not support rights
management and will report error "The operation couldn't be completed.
(OfficeImportErrorDomain error 912)" when a user attempts to open a rights-
protected attachment. Users will need to tap the respective Word, Excel, or
PowerPoint app icon to open the rights-protected attachment in the native app.

Q: Does Outlook for iOS and Android support Teams meetings?
Yes, Outlook for iOS and Android supports both Skype for Business and Teams
meetings. The Teams coexistence mode at the Microsoft 365 or Office 365 organization
level and the user level (the user setting takes precedence over the tenant setting)
determines the meeting creation experience in Outlook for iOS and Android:
Coexistence Mode                                            Outlook for iOS and Android experience
Islands                                                     Skype for Business
Skype for Business Only                                     Skype for Business
Skype for Business with Teams Collaboration                 Skype for Business
Teams Only                                                  Teams
Skype for Business with Teams Collaboration and Meetings    Teams

In addition, for users using the native Microsoft sync technology, a Teams Join button is
available in calendar events. This provision makes it easy to Join a Teams meeting and
will be available for all coexistence modes. Users who are not using the native Microsoft
sync technology will be able to join Teams Meetings using the weblink in the meeting
description.

For more information on the Teams coexistence modes, see Choose your upgrade
journey from Skype from Business to Teams.

Q: What ports and end points does Outlook for iOS and
Android use?
Outlook for iOS and Android communicates via TCP port 443. The app accesses various
end points, depending on the activities of the user. Complete information is available in
URLs and IP address ranges.

Q: Does Outlook for iOS and Android support proxy configurations?
Yes, Outlook for iOS and Android supports proxy configurations when the proxy
infrastructure meets the following requirements:

Supports HTTP protocol without TLS decryption and inspection.

Does not perform authentication.

Outlook for iOS and Android will consume the proxy configuration as defined by the
platform operating system. Typically, this configuration information is deployed via a
PAC file. The PAC file must be configured to use hostnames instead of protocol; no extra
custom settings are supported. For a list of hostnames that Outlook for iOS and Android
accesses, see URLs and IP address ranges.

For tenants that have not been migrated to the native Microsoft sync technology, the
following extra requirement applies:

Supports and has SOCKS proxy capability enabled. The Outlook for iOS and
Android client utilizes TCP connections to our Microsoft 365- or Office 365-based
architecture. The IP ranges for the SOCKS connections are not restricted to a
subset of Azure IP ranges, which means that customers cannot define an allowlist
range. The PAC must be configured to use hostnames instead of protocol and
return the SOCKS proxy information given the host URL; no extra custom settings
are supported.

Q: Does Outlook for iOS and Android support shared mailboxes?
Yes, Outlook for iOS and Android supports shared mailboxes when the user mailbox and
shared mailbox are located in Exchange Online and using the native Microsoft sync
technology.

A shared mailbox is a special mailbox type that is created using the -Shared parameter.
Access to the shared mailbox by a user is obtained via permissions and not by using
alternate credentials. For more information, see Shared mailboxes in Exchange Online.

Q: Does Outlook for iOS and Android support delegate mailboxes?
Yes, Outlook for iOS and Android has extended the shared mailbox capability to now
allow users to add another person's mailbox when the user has been granted FullAccess
permissions to the other person's mailbox. Granting SendAs or Send on Behalf of
permissions also allows the user to send messages as the other person's mailbox. For
more information on permission assignment, see Manage permissions for recipients in
Exchange Online.

Q: How many accounts does Outlook for iOS and Android support?
Outlook for iOS and Android supports a maximum of 25 accounts.

Q: Does Outlook for iOS and Android support contact
management functionality? What about integration with
the operating system features?
Yes, Outlook for iOS and Android supports contact management. Within the app, users
can initiate phone calls, text messages, video chat (for example, FaceTime), etc.
Integration with the operating system, and contact management functionality, depend
on the client platform, where the mailbox resides, and the authentication type used:

Functionality                                    Office 365 mailbox   On-premises mailbox using      On-premises mailbox using
                                                                      Hybrid Modern Authentication   Basic Authentication
Export Outlook contacts to native Contacts app   iOS, Android         iOS                            iOS
Bi-directional sync of Outlook contacts with     Android              Android                        Not supported
  native Contacts app
Add a new contact from Outlook                   iOS, Android         iOS, Android                   Not supported
Edit an existing contact from Outlook            iOS, Android         iOS, Android                   Not supported
Delete an existing contact from Outlook          iOS, Android         Not supported                  Not supported
Sync profile picture between Outlook contacts    Android              Android                        Not supported
  and the native Contacts app

For information on consumer accounts, see Outlook's in-app support FAQ on People.

By enabling contact synchronization between Outlook and the native contacts app,
users receive the rich experience that the native operating system provides (for example,
inbound and outbound caller-ID, text messaging name resolution, and so on). Only
Outlook for iOS should be used for managing contact data and not the native iOS
Contacts app. With Outlook for Android, users can utilize either the native Contacts app
or Outlook for managing contact data, as contact changes are synchronized bi-
directionally.

Note
In order to manage contacts (add/edit/delete) in Outlook for Android, contact sync
must be enabled. This is because Outlook for Android delegates CRUD operations
to the native Contacts app.

Administrators have extra capabilities with respect to contact synchronization between
Outlook and the native Contacts app:

Administrators can disable contact synchronization via an Intune App Protection
Policy. For more information, see iOS app protection policy settings and Android
app protection policy settings in Microsoft Intune.

Administrators can enable contact synchronization by default on enrolled devices.
For more information, see Deploying Outlook for iOS and Android app
configuration settings.

Administrators can reduce the amount of data that is exported to the native
Contacts app via an Intune App Protection Policy with contact field export controls.
For more information, see Deploying Outlook for iOS and Android app
configuration settings.

Q: Is Outlook for iOS and Android available in China?

Yes, Outlook for iOS is available in Apple's App Store in China.

The Google Play Store is not available in China. However, Microsoft has distributed the
Outlook for Android app in the following third-party app stores that are available in
China:

Baidu
Xiaomi
Tencent (QQ)
Huawei
Lenovo
Wandoujia

As Google's notification service, Firebase Cloud Messaging, is not available in China,
new mail push notifications do not function. Instead, Outlook for Android relies on
polling notifications. For the native Microsoft sync technology, background polling
occurs every 15 minutes while the app is in the background (assuming background
synchronization is not disabled).

Native Microsoft sync technology migration


The following questions are about the migration from the REST API data sync protocol
to the native Microsoft sync technology used by Outlook for iOS and Android for
accessing mailbox data.

Q: Is there a minimum version of Outlook for iOS and Android required to use the native Microsoft sync technology?
For Outlook for iOS, users should install 3.10.1 or later. For Outlook for Android, users
should install 3.0.14 or later. As always, we recommend users keep the Outlook app up
to date.

Q: What will my users experience when our tenant is migrated to the native Microsoft sync technology?
Assuming the user is running a supported version of Outlook for iOS and Android, after
your tenant is migrated, your users may see a brief notice indicating that we are
updating their email and calendar data. Otherwise the user experience to migrate to the
updated architecture will be seamless.

Q: As a tenant administrator, can I control which of my users will be migrated to the native Microsoft sync technology?
No, the migration to the native Microsoft sync technology will be on a tenant-by-tenant
basis and not a per-user basis. While the tenant selection order for migration is random,
we are being deliberate about migrating Microsoft 365 or Office 365 mailboxes first
before we migrate on-premises mailbox accounts. If you are a customer operating in a
hybrid configuration where a portion of your mailboxes remains on-premises, the on-
premises users using hybrid modern authentication will be migrated to the native
Microsoft sync technology at a later date. This system means that your Microsoft 365
and Office 365 users will migrate to the native Microsoft sync technology, while the on-
premises users continue to use the REST API to connect to Exchange Online.

Once your tenant is migrated, a user will not switch to the native Microsoft sync
technology, until after they launch/resume Outlook for iOS and Android.

Q: If my user doesn't upgrade to a supported build of Outlook for iOS and Android prior to my tenant's migration, does that mean the user will lose access to email and calendar data while mobile?
No, the user will continue to connect using the existing REST-based data sync protocol.

Q: Will my Intune App Protection Policies or Azure AD Conditional Access policies be affected by this migration?
No, both Intune App Protection Policies and Azure AD Conditional Access policies will
continue to be applied to the targeted identity, regardless of the data sync protocol
used by Outlook for iOS and Android.

Q: Will I have to update my Exchange mobile device access policies (allow block quarantine (ABQ) rules)?
No, the user agent string that Outlook for iOS and Android uses does not change. For
more information on what that user agent is, see Securing Outlook for iOS and Android
in Exchange Online.

Q: As an Exchange administrator, is there a way for me to determine which data sync protocol Outlook for iOS and Android clients are utilizing in the Microsoft 365- or Office 365-based architecture?
Yes, execute the following command from Exchange Online PowerShell:

PowerShell

Get-MobileDevice | where {$_.DeviceModel -eq "Outlook for iOS and Android"} | Format-List FriendlyName,DeviceID,DeviceOS,ClientType

The ClientType property indicates which data sync protocol is in use. If the value is
REST, then the client is utilizing the REST API. If the value is Outlook, then the client is
using the native Microsoft sync technology.

Alternatively, a user can log in to Outlook on the web and, from within Options, select
Mobile Devices to view the details of a mobile device. Like the cmdlet, the user can see
the value for the ClientType property.
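The single command above answers the question as a listing. The following script is an added example, not code from the original article; it turns the same query into a report that counts Outlook app connections per ClientType and, on request, lists the devices still using REST so that an administrator can follow up on app versions or on-premises mailboxes after a tenant migration. The function name is this example's own; the cmdlet and the properties it reads (DeviceModel, ClientType, DeviceOS, DeviceId, FriendlyName, UserDisplayName, FirstSyncTime) are standard Get-MobileDevice output.

```powershell
# Added example: report Outlook for iOS and Android connections by data sync protocol.
# Assumes an existing Exchange Online PowerShell session. The function name is this
# example's own; the properties used are standard Get-MobileDevice output.
function Get-OutlookMobileProtocolReport {
    [CmdletBinding()]
    param(
        # Switch from the per-protocol summary to the list of devices still on REST.
        [switch]$ListRestDevices
    )

    # Same selection the article uses, with -ResultSize Unlimited so large tenants
    # are not truncated at the default page size.
    $devices = Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceModel -eq 'Outlook for iOS and Android' }

    if (-not $ListRestDevices) {
        # 'Outlook' = native Microsoft sync technology; 'REST' = not yet migrated.
        return $devices |
            Group-Object -Property ClientType |
            ForEach-Object {
                [pscustomobject]@{
                    ClientType = $_.Name
                    Devices    = $_.Count
                    Users      = @($_.Group | Select-Object -ExpandProperty UserDisplayName -Unique).Count
                }
            }
    }

    # REST clients that remain after the tenant has been migrated usually mean an
    # app build below the minimum (3.10.1 on iOS, 3.0.14 on Android), an app that
    # has not been launched since the migration, or an on-premises hybrid mailbox.
    $devices |
        Where-Object { $_.ClientType -eq 'REST' } |
        Select-Object UserDisplayName, FriendlyName, DeviceId, DeviceOS, FirstSyncTime |
        Sort-Object UserDisplayName
}

# Usage:
# Get-OutlookMobileProtocolReport | Format-Table -AutoSize
# Get-OutlookMobileProtocolReport -ListRestDevices | Export-Csv .\outlook-rest-clients.csv -NoTypeInformation
```

Run the summary before and after the migration window; the REST count should fall to the on-premises hybrid population plus users who have not yet launched a supported build.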
Administering and monitoring Outlook for iOS
and Android in your organization
The following questions are about managing and monitoring the Outlook for iOS and
Android app within your organization after the app has been deployed.

Q: Is it necessary to file an in-app support ticket when I experience an issue with Outlook for iOS and Android?
Yes, if you want to troubleshoot and resolve the issue, or if you want to inform us of a
product defect or limitation, you will need to file an in-app support ticket. Only through
filing an in-app support ticket can the Outlook app's logs get collected and analyzed by
our product engineers.

Customers with a Microsoft Premier agreement can open support cases with Customer
Service & Support (CSS). Instead of having the user initiate an in-app support ticket, the
user can use Collect Diagnostics to upload the logs and share the incident ID with
CSS/Premier. Collect Diagnostics will capture data from Outlook for iOS and Android,
Authenticator, and the Company Portal and upload all the relevant logs to Microsoft.
Microsoft Support Escalation Engineers can use the incident ID to access the diagnostic
logs and troubleshoot the user's issue.

To gather the logs:

1. Within Outlook for iOS and Android's settings, tap Help & Feedback.

2. Tap Collect Diagnostics.

3. Tap Get Started.

4. Tap Upload Outlook Logs (iOS) or Collect Logs (Android).

5. Share the incident ID with CSS.

Q: As an Exchange administrator, I would like to deploy Outlook for iOS and Android, but in my testing I can't log in. What might be the issue?
Assuming authentication is not the issue, there are two areas you can check:

1. Check whether you have an EWS application policy that restricts which client
applications can connect.
2. Check whether you have EWS enabled for the account.

For more information, see Securing Outlook for iOS and Android in Exchange Online. If
one of the above checks doesn't resolve the issue, open an in-app support ticket.
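Both checks above can be scripted. The following function is an added example, not code from the original article; it reads the EWS settings at organization level (Get-OrganizationConfig) and at mailbox level (Get-CASMailbox) and reports which setting would reject the app: EWS disabled at either scope, an EwsApplicationAccessPolicy of EnforceAllowList whose EwsAllowList does not match the app, or EnforceBlockList whose EwsBlockList does. The function name is this example's own. The default user agent string it tests against is an assumption; confirm it against the Securing Outlook for iOS and Android in Exchange Online article and override it with -UserAgent if it differs.

```powershell
# Added example: check the EWS settings that can block Outlook for iOS and Android sign-in.
# Assumes an existing Exchange Online PowerShell session. The function name is this
# example's own; the default user agent is an assumption to verify against the
# "Securing Outlook for iOS and Android in Exchange Online" article.
function Test-OutlookMobileEwsAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,                                  # mailbox to test

        [string]$UserAgent = 'Outlook-iOS-Android/1.0'      # assumed EWS user agent of the app
    )

    $org = Get-OrganizationConfig
    $cas = Get-CASMailbox -Identity $Identity
    $findings = @()

    # 1. EWS switched off, organization-wide or for this mailbox.
    if ($org.EwsEnabled -eq $false) {
        $findings += 'EWS is disabled at the organization level (Get-OrganizationConfig: EwsEnabled = False).'
    }
    if ($cas.EwsEnabled -eq $false) {
        $findings += 'EWS is disabled for this mailbox (Get-CASMailbox: EwsEnabled = False).'
    }

    # 2. EWS application access policy at both scopes. List entries may contain
    #    wildcards, so the user agent is matched against each entry with -like.
    $scopes = @(
        @{ Name = 'organization'; Policy = $org.EwsApplicationAccessPolicy; Allow = $org.EwsAllowList; Block = $org.EwsBlockList },
        @{ Name = 'mailbox';      Policy = $cas.EwsApplicationAccessPolicy; Allow = $cas.EwsAllowList; Block = $cas.EwsBlockList }
    )
    foreach ($scope in $scopes) {
        switch ("$($scope.Policy)") {
            'EnforceAllowList' {
                $allowed = @($scope.Allow) | Where-Object { $UserAgent -like $_ }
                if (-not $allowed) {
                    $findings += "$($scope.Name): EwsApplicationAccessPolicy is EnforceAllowList and '$UserAgent' matches no EwsAllowList entry."
                }
            }
            'EnforceBlockList' {
                $blocked = @($scope.Block) | Where-Object { $UserAgent -like $_ }
                if ($blocked) {
                    $findings += "$($scope.Name): EwsApplicationAccessPolicy is EnforceBlockList and '$UserAgent' matches EwsBlockList entry: $($blocked -join ', ')."
                }
            }
        }
    }

    [pscustomobject]@{
        Mailbox   = $cas.PrimarySmtpAddress
        UserAgent = $UserAgent
        Blocked   = ($findings.Count -gt 0)
        Findings  = $findings
    }
}

# Usage:
# Test-OutlookMobileEwsAccess -Identity douglas@contoso.com | Format-List
```

A result with Blocked = False and no findings means EWS is not what is stopping the sign-in, and the next step is the in-app support ticket the article describes.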

Q: Will Outlook for iOS and Android support third-party unified endpoint management (MDM, EMM, or UEM) solutions?
For more information, see Managing Outlook for iOS and Android in Exchange Online.

Q: Is a license required to use Outlook for iOS and Android?
Outlook for iOS and Android is free for consumer usage from the iOS App store and
from Google Play. However, commercial users require an Office 365 or Microsoft 365
subscription that includes the Office desktop applications: Microsoft 365 Apps for
Business, Microsoft 365 Business Standard, Microsoft 365 Apps for enterprise, Office 365
Enterprise E3, Office 365 Enterprise E5, or the corresponding versions of those plans for
Government or Education. Commercial users with the following subscriptions are
allowed to use the Outlook mobile app on devices with integrated screens 10.1"
diagonally or less: Office 365 Enterprise E1, Office 365 F1, Office 365 A1, Microsoft 365
Business Basic, and if you only have an Exchange Online license (without Office). If you
only have an Exchange on-premises (Exchange Server) license, you are not licensed to
use the app.

Common questions from end users


The following questions concern end users in your organization who are using Outlook
for iOS and Android on their devices to access their Exchange mailboxes.

Q: My users enabled the "Save Contacts" advanced settings option. However, they are complaining that not all contacts have synchronized on their iOS devices. Are there limitations with synchronization?
The initial export of contacts can only begin when Outlook is in the foreground. A user
can switch between apps and the export will continue while Outlook is active in
memory. There are iOS limitations when syncing with iCloud that may result in data
inconsistency, but Outlook will automatically trigger a reconciliation to ensure that the
contacts are always consistently exported (for example, reconciliation will remove
duplicates if Outlook detects exported contacts from a previous export activity). Reasons
for missing/duplicate contacts might include:

Outlook for iOS being suspended during sync.

Enabling "Save Contacts" simultaneously on multiple devices (such as an iPad and
an iPhone).

Accrued sync errors over time.

If you are seeing an inconsistency and it has not been resolved after a short period of
time, wait for 24 hours and then restart the app to trigger the reconciliation process. If
that does not work, perform the following steps:

1. Disable "Save Contacts" for the affected account.

2. Check that all instances of the contacts are removed from the native iOS contacts
app. If duplicates remain, go to Settings > Help & Feedback > Delete All Saved
Contacts in order to remove any lingering duplicates.

3. Re-enable "Save Contacts" for the affected account.

4. Follow the on-screen prompts, which may instruct you to keep the phone open
and plugged in during initial sync.

Q: Why are the Office mobile apps required to be installed on Android in order to render attachments in Outlook, while iOS devices provide a preview of the attachments within Outlook?
This requirement is due to the differences in the base operating systems. iOS provides
native content rendering for known attachment types, which Outlook for iOS uses to
provide basic attachment rendering. Android provides nothing similar. Android users
have to install the Office apps and/or third-party apps in order to render attachment
content.

Q: A new message included an attachment, but while I
was offline I couldn't open the attachment. Why is that?
Outlook (like other mobile clients) does not download attachments automatically. This
behavior is by design, in order to conserve device space. Attachments are only
downloaded at the request of the user.
Q: A week ago I accessed an attachment in a message,
but now that I'm offline I can no longer access that
attachment on my iOS device. However, I can access it on
my Android device. Why is that?
Outlook for iOS stores attachments in our own database. As a result, every attachment
we download to the client takes up a considerable amount of space in our database. To
ensure the client is able to provide fast performance and take a small amount of space,
we purge data rather aggressively based on usage (attachments will be cached up to
seven days).

Unlike iOS, Android uses an accessible file system, so when Outlook for Android
downloads an attachment, it doesn't go into the database, rather it is stored as a
temporary file.

Q: Why does data within Outlook for iOS disappear and
then reappear after I toggle the Focused Inbox or the
Organize by Thread settings?
Whenever those options are changed, Outlook for iOS performs a soft reset. This
operation wipes the existing data that has been downloaded to the app and requires a
resynchronization.

Q: Can I view organization chart information in Outlook
for iOS?
Yes. Outlook for iOS provides your company's organization information as part of a
person's contact card details. Your company's reporting structure and a list of colleagues
is also provided, to help employees connect with the people and teams they need to
work with.

The list of people displayed as part of the Other Colleagues list under Show
Organization is based on common email distribution lists, group memberships, and
degrees of separation in the Organization structure defined in Azure Active Directory.

If you do not have organization chart data exposed in the app, consult with your
directory administrator. There are two main scenarios to consider:

1. Your company has a hybrid topology where an on-premises directory is
synchronized with Azure Active Directory. You will need to update Active Directory
with the organization chart information, either directly in the directory or via your
Human Resources system. Data will be synchronized into AAD automatically and
will be accessible via the Global Address List in Exchange Online.

2. Your company only uses Azure Active Directory for directory management. You will
need to update Azure Active Directory with the organization chart information,
either directly in the directory or via your Human Resources system. This data will
be accessible via the Global Address List in Exchange Online.

Q: How much of my mailbox data is synchronized with
Outlook for iOS and Android?
For initial folder synchronization, Outlook for iOS and Android synchronizes 500 items
per folder, with up to 1000 items per folder if the user taps Load more conversations.
The app periodically trims the items per folder down to the default number, in order to
ensure optimal app performance.

Q: Why are tasks and notes not available with Outlook for
iOS and Android?
Microsoft's strategic direction for task management and note taking on mobile devices
is the To-Do and OneNote apps, respectively. OneNote provides access to notes stored
in an Exchange Online mailbox with Sticky Notes. To-Do provides integration with the
tasks stored in Exchange Online mailboxes; however, Outlook for iOS and Android
provides users the ability to create tasks from messages and exposes top tasks in the
Zero Query search pane.

Q: Does Outlook for iOS and Android support moderator
message approval or rejection scenarios?
No, Outlook for iOS and Android does not support moderated message requests for
approving or rejecting email. Outlook for iOS and Android does not provide an
approve/reject button, so a moderator cannot approve or reject moderated messages
when using Outlook for iOS and Android.
Account setup with modern
authentication in Exchange Online
Article • 02/22/2023

Summary: How users with modern authentication-enabled accounts can quickly set up
their Outlook for iOS and Android accounts in Exchange Online.

Users with modern authentication-enabled accounts (Microsoft 365 or Office 365
accounts or on-premises accounts using hybrid modern authentication) have two ways
to set up their own Outlook for iOS and Android accounts: AutoDetect and single sign-
on. In addition, Outlook for iOS and Android also offers IT administrators the ability to
"push" account configurations to their Microsoft 365 and Office 365 users, and to
control whether Outlook for iOS and Android supports personal accounts.

Modern authentication
Modern authentication is an umbrella term for a combination of authentication and
authorization methods that include:

Authentication methods: Multi-factor Authentication; Client Certificate-based
authentication.

Authorization methods: Microsoft's implementation of Open Authorization
(OAuth).

Modern authentication is enabled by using the Microsoft Authentication Library (MSAL).

MSAL-based authentication is what Outlook for iOS and Android uses to access
Exchange Online mailboxes in Microsoft 365 or Office 365. MSAL authentication, used
by Office apps on both desktop and mobile devices, involves users signing in directly to
Azure Active Directory, which is the identity provider for Microsoft 365 and Office 365,
instead of providing credentials to Outlook.

MSAL-based authentication uses OAuth for modern authentication-enabled accounts
(Microsoft 365 or Office 365 accounts or on-premises accounts using hybrid modern
authentication). It also provides a secure mechanism for Outlook for iOS and Android to
access email, without requiring access to user credentials. At sign-in, the user
authenticates directly with Azure Active Directory and receives an access/refresh token
pair in return. The access token grants Outlook for iOS and Android access to the
appropriate resources in Microsoft 365 or Office 365 (for example, the user's mailbox). A
refresh token is used to obtain a new access or refresh token pair when the current
access token expires. OAuth provides Outlook with a secure mechanism to access
Microsoft 365 or Office 365, without needing or storing a user's credentials. For more
information, see the Office Blog post New access and security controls for Outlook for
iOS and Android.

For information on token lifetimes, see Configurable token lifetimes in Microsoft identity
platform. Token lifetime values can be adjusted; for more information, see Configure
authentication session management with conditional access. If you choose to reduce
token lifetimes, you can also reduce the performance of Outlook for iOS and Android,
because a smaller lifetime increases the number of times the application must acquire a
fresh access token.

A previously granted access token is valid until it expires. The identity model being
utilized for authentication will have an impact on how password expiration is handled.
There are three scenarios:

1. For a federated identity model, the on-premises identity provider needs to send
password expiry claims to Azure Active Directory, otherwise, Azure Active Directory
will not be able to act on the password expiration. For more information, see
Configure AD FS to Send Password Expiry Claims.

2. Password Hash Synchronization does not support password expiration. This
scenario means that the apps that had previously obtained an access and refresh
token pair will continue to function until the lifetime of the token pair is exceeded
or the user changes the password. For more information, see Implement password
synchronization with Azure AD Connect sync.

3. Pass-through Authentication requires that password writeback be enabled in AAD
Connect. For more information, see Azure Active Directory Pass-through
Authentication: Frequently asked questions.

Upon token expiration, the client will attempt to use the refresh token to obtain a new
access token, but because the user's password has changed, the refresh token will be
invalidated (assuming directory synchronization has occurred between on-premises and
Azure Active Directory). The invalidated refresh token will force the user to
reauthenticate in order to obtain a new access token and refresh token pair.
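
The token lifecycle described above (a cached access token that stays valid until it expires, a silent refresh when it does, and a forced reauthentication once a password change has invalidated the refresh token) is easier to reason about in code. The following Python simulation is an added example and is not MSAL or Azure AD code: the lifetimes, the password-version counter, and all class and function names are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenPair:
    """Access/refresh token pair as issued by the identity provider (model only)."""
    access_expires_at: int      # seconds since an arbitrary epoch
    refresh_expires_at: int
    password_version: int       # password generation current when the pair was issued


@dataclass
class IdentityProvider:
    """Stand-in for Azure Active Directory. The lifetimes are assumed values for
    the simulation, not the defaults of the Microsoft identity platform."""
    access_lifetime: int = 60 * 60              # assumed: 1 hour
    refresh_lifetime: int = 90 * 24 * 60 * 60   # assumed: 90 days
    password_version: int = 0
    interactive_signins: int = 0

    def sign_in(self, now: int) -> TokenPair:
        """Interactive authentication: the user presents credentials."""
        self.interactive_signins += 1
        return self._issue(now)

    def refresh(self, pair: TokenPair, now: int) -> Optional[TokenPair]:
        """Silent renewal. Rejected when the refresh token has expired or the
        password changed after it was issued (directory sync assumed complete)."""
        if now >= pair.refresh_expires_at:
            return None
        if pair.password_version != self.password_version:
            return None
        return self._issue(now)

    def change_password(self) -> None:
        self.password_version += 1

    def _issue(self, now: int) -> TokenPair:
        return TokenPair(now + self.access_lifetime,
                         now + self.refresh_lifetime,
                         self.password_version)


@dataclass
class OutlookClient:
    """Client behaviour: use the cached access token while it is valid, then try
    the refresh token, and fall back to interactive sign-in only if that fails."""
    idp: IdentityProvider
    pair: Optional[TokenPair] = None

    def get_access_token(self, now: int) -> str:
        """Returns how the token was obtained: 'cached', 'refreshed' or 'reauthenticated'."""
        if self.pair is None:
            self.pair = self.idp.sign_in(now)
            return "reauthenticated"
        if now < self.pair.access_expires_at:
            return "cached"
        renewed = self.idp.refresh(self.pair, now)
        if renewed is not None:
            self.pair = renewed
            return "refreshed"
        self.pair = self.idp.sign_in(now)
        return "reauthenticated"


def run_scenario():
    """Password change mid-session: the already issued access token keeps working
    until it expires; the next renewal attempt forces reauthentication."""
    idp = IdentityProvider()
    client = OutlookClient(idp)
    hour = idp.access_lifetime
    t = 0
    events = [client.get_access_token(t)]        # first launch: interactive sign-in
    t += 10 * 60
    events.append(client.get_access_token(t))    # token still valid: cached
    t += hour
    events.append(client.get_access_token(t))    # expired: silent refresh succeeds
    idp.change_password()                        # user changes the password
    t += 5 * 60
    events.append(client.get_access_token(t))    # old access token is still valid
    t += hour
    events.append(client.get_access_token(t))    # refresh rejected: sign in again
    return events, idp.interactive_signins


def refreshes_over(period: int, access_lifetime: int, poll: int = 60) -> int:
    """Count silent token acquisitions made over `period` seconds when the client
    needs a token every `poll` seconds; a shorter lifetime means more round trips."""
    idp = IdentityProvider(access_lifetime=access_lifetime)
    client = OutlookClient(idp)
    return sum(client.get_access_token(t) == "refreshed"
               for t in range(0, period, poll))


if __name__ == "__main__":
    print(run_scenario())
    print(refreshes_over(8 * 3600, 3600), refreshes_over(8 * 3600, 600))
```

Running the file prints the event sequence for the scenario; `refreshes_over` illustrates the performance point made above: cutting the assumed access token lifetime from one hour to ten minutes multiplies the number of silent acquisitions the app has to make over a working day.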

AutoDetect
Outlook for iOS and Android offers a solution called AutoDetect that helps end-users
quickly setup their accounts. AutoDetect will first determine which type of account a
user has, based on the SMTP domain. Account types that are covered by this service
include Microsoft 365, Office 365, Outlook.com, Google, Yahoo, and iCloud. Next,
AutoDetect will make the appropriate configurations to the app on the user's device
based on that account type. This solution saves time for users and eliminates the need
for manual input of configuration settings like hostname and port number.

For modern authentication, which is used by all Microsoft 365 or Office 365 accounts
and on-premises accounts using hybrid modern authentication, AutoDetect queries
Exchange Online for a user's account information and then configures Outlook for iOS
and Android on the user's device so that the app can connect to Exchange Online.
During this process, the only information required from the user is their SMTP address
and credentials.

The following images show an example of account configuration via AutoDetect:

If AutoDetect fails for a user, the following images show an alternative account
configuration path using manual configuration:
Single sign-on
All Microsoft apps that use the Microsoft Authentication Library (MSAL) support single
sign-on. In addition, single sign-on is also supported when the apps are used with either
the Microsoft Authenticator or Microsoft Company Portal apps.

Tokens can be shared and reused by other Microsoft apps (such as Word mobile) under
the following scenarios:

1. When the apps are signed by the same signing certificate, and use the same
service endpoint or audience URL (such as the Microsoft 365 or Office 365 URL). In
this case, the token is stored in app shared storage.

2. When the apps use or support single sign-on with a broker app, and the tokens
are stored within the broker app. Microsoft Authenticator is an example of a broker
app. In the broker app scenario, after you attempt to sign in to Outlook for iOS
and Android, MSAL will launch the Microsoft Authenticator app, which will make a
connection to Azure Active Directory to obtain the token. It will then hold on to
the token and reuse it for authentication requests from other apps, for as long as
the configured token lifetime allows.

For more information, see Configure SSO on macOS and iOS.

If a user is already signed in to another Microsoft app on their device, like Word or
Company Portal, Outlook for iOS and Android will detect that token and use it for its
own authentication. When such a token is detected, users adding an account in Outlook
for iOS and Android will see the discovered account available as "Found" under
Accounts on the Settings menu. New users will see their account in the initial account
setup screen.
The following images show an example of account configuration via single sign-on for a
first-time user:

If a user already has Outlook for iOS and Android, such as for a personal account, but a
Microsoft 365 or Office 365 account is detected because they recently enrolled, the
single-sign on path will look as follows:

Account setup configuration via enterprise
mobility management
Outlook for iOS and Android offers IT administrators the ability to "push" account
configurations to Microsoft 365 or Office 365 accounts or on-premises accounts using
hybrid modern authentication. This capability works with any Unified Endpoint
Management (UEM) provider who uses the Managed App Configuration channel for
iOS or the Android in the Enterprise channel for Android.

For users enrolled in Microsoft Intune, you can deploy the account configuration
settings using Intune in the Azure portal.

Once account setup configuration has been set up in the UEM provider and the user
enrolls their device, Outlook for iOS and Android will detect that an account is "Found"
and will then prompt the user to add the account. The only information the user needs
to enter to complete the setup process is their password. Then, the user's mailbox
content will load and the user can begin using the app.

For more information on the account setup configuration keys needed to enable this
functionality, see the Account setup configuration section in Deploying Outlook for iOS
and Android App Configuration Settings.

Organization allowed accounts mode

Respecting the data security and compliance policies of our largest and highly regulated
customers is a key pillar of the Microsoft 365 and Office 365 value. Some companies
have a requirement to capture all communications information within their corporate
environment and to ensure the devices are only used for corporate communications. To
support these requirements, Outlook for iOS and Android on corporate-managed
devices can be configured to only allow a single, corporate account to be provisioned
within Outlook for iOS and Android. As with account setup configuration, this
capability works with any UEM provider who uses the Managed App Configuration
channel for iOS or the Android in the Enterprise channel for Android. This capability is
supported with Microsoft 365 and Office 365 accounts or on-premises accounts using
hybrid modern authentication; however, only a single corporate account can be added
to Outlook for iOS and Android.

For more information on the settings that need to be configured to deploy Organization
Allowed Accounts mode, see the Organization allowed accounts mode section in
Deploying Outlook for iOS and Android App Configuration Settings.

Note

Account setup configuration and Organization allowed accounts mode can be
configured together to simplify account setup.

To ensure these users can only access corporate email on enrolled devices (whether it be
iOS or Android Enterprise) with Intune, you will need to use an Azure Active Directory
conditional access policy with the grant controls Require devices to be marked as
compliant and Require approved client app. Details on creating this type of policy can
be found in Azure Active Directory app-based conditional access.

Important

Require devices to be marked as compliant grant control requires the device to be
managed by Intune.

1. The first policy allows Outlook for iOS and Android, and it blocks OAuth capable
Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 -
Configure an Azure AD conditional access policy for Exchange Online", but for the
fifth step, select "Require device to be marked as compliant", "Require approved
client app", and "Require all the selected controls".

2. The second policy prevents Exchange ActiveSync clients using basic authentication
from connecting to Exchange Online. See "Step 2 - Configure an Azure AD
conditional access policy for Exchange Online with Active Sync (EAS)."
Managing Outlook for iOS and Android
in Exchange Online
Article • 02/22/2023

Summary: This article describes best practices for managing mobile devices with
Outlook for iOS and Android in Exchange Online.

Outlook for iOS and Android provides users the fast, intuitive email and calendar
experience users expect from a modern mobile app, while being the only app to provide
support for the best features of Microsoft 365 and Office 365. In addition, Microsoft
provides a number of utilities for managing and protecting company data on mobile
devices in your Exchange Online organization.

Options for managing devices and applications

Customers looking to manage Outlook for iOS and Android have the following options:

1. Recommended: The Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory conditional access.

2. Basic Mobility and Security for Microsoft 365.

3. Third-party Unified Endpoint Management solutions.

4. Mobile Device Access and Mobile Device Mailbox Policies.

Note

For implementation details on each of these three options, see Securing Outlook
for iOS and Android in Exchange Online.

Microsoft recommends that customers use the features of the Enterprise Mobility +
Security suite to protect corporate data on mobile devices, due to the advanced
capabilities provided by these services.

Important

When the user authenticates in Outlook for iOS and Android, Exchange Online
mobile device access rules (allow, block, or quarantine) are skipped if there are any
Azure Active Directory conditional access policies applied to the user that include:

Cloud app condition: Exchange Online or Office 365
Device platform condition: iOS and/or Android
Client apps condition: Mobile apps and desktop client
One of the following Grant access controls: Require device to be marked as
compliant, Require approved client app or Require app protection policy

Note

When using mobile device cmdlets such as Get-MobileDevice to check the status of
a device, the timestamp for Outlook for iOS and Android synchronization, indicated
by the LastSyncTime property, may be up to 15 minutes behind the actual time of
synchronization. While device synchronization does occur in real time, the returned
time stamp may lag behind.

Using Enterprise Mobility + Security

The richest and broadest protection capabilities for Microsoft 365 and Office 365 data
are available when you subscribe to the Enterprise Mobility + Security suite, which
includes Microsoft Intune, Azure Information Protection, and Azure Active Directory
Premium features, such as conditional access.

Note

While the Enterprise Mobility + Security suite subscription includes licenses for
both Microsoft Intune and Azure Active Directory, customers can purchase
Microsoft Intune licenses and Azure Active Directory Premium licenses separately.
All users must be licensed to leverage the conditional access and Intune app
protection policies discussed in this article.

Intune provides mobile application management (MAM) capabilities, as well as other
conditional access and device management capabilities. With Intune app protection
policies, you can restrict actions such as cut, copy, paste, and "save as" of corporate data
between Intune-managed apps and apps that are not managed by Intune. More
information is available in How to create and assign app protection policies.
Additionally, the Intune-managed Outlook apps include a new multi-identity
management feature that enables users to access both their personal and work email
accounts in the same Outlook app while only applying the Intune app protection
policies to the user's work account. This provides a much more seamless user
experience.

Conditional access is a capability of Azure Active Directory that enables you to enforce
controls on the access to apps in your environment based on specific conditions from a
central location. By using conditional access policies, you can apply the right access
controls under the required conditions. Azure Active Directory conditional access
provides you with added security when such security is needed, and it stays out of your
users' way when it isn't.

Key features of the Enterprise Mobility + Security suite with Outlook for iOS and
Android:

Conditional access. Azure Active Directory ensures that Exchange Online email can
be accessed only when the conditional access requirements are met. For more
information on device enrollment, see Conditional access in Azure Active Directory.

Intune app protection. Outlook for iOS and Android allows you to protect your
corporate data with Intune app protection policies. This is a great option for "bring
your own device" (BYOD) scenarios where you want to keep corporate data safe
without managing a user's devices. For more information on Intune app protection
policies, see Protect app data using mobile app management policies with
Microsoft Intune.

Device enrollment. Intune lets you manage your workforce's devices and apps,
and how they access your company data. In this model, Outlook for iOS and
Android ensures that Exchange Online email can be accessed only on phones and
tablets that are managed by your company and are compliant with your
organization's policy. When users log on to the Outlook app on an unmanaged
mobile device, Outlook prompts users to enroll the device in Intune by leveraging
the Azure conditional access policy, and then validates that the device meets
organizational standards of device compliance.

Device management and reporting. The enrollment process allows organizations
to set and manage security policies that, for example, enforce device-level PIN
lock, require data encryption, and block compromised devices in order to prevent
untrusted devices from accessing corporate email and data. Each enrolled device
appears in the Microsoft 365 admin center, and reporting is available to provide
details on the devices that access your corporate data.

Selective wipe. Microsoft Intune can remove email data from Outlook for iOS and
Android, while leaving any personal email accounts intact (whether the device is
enrolled or not). This is an increasingly important requirement as more businesses
adopt a "bring your own device" approach to phones and tablets.

Using Basic Mobility and Security for Microsoft 365

Basic Mobility and Security for Microsoft 365 provides device management capabilities
at no additional cost. Microsoft Intune powers these basic capabilities, providing a core
set of controls in the Microsoft 365 admin center for organizations that need the basics.

Because this is a device management solution, there is no native capability to control
which apps can be used, even after a device is enrolled. If you want to limit access to
Outlook for iOS and Android, you will need to obtain Azure Active Directory Premium
licenses and leverage conditional access policies.

Outlook for iOS and Android fully supports the capabilities provided by Basic Mobility
and Security for Microsoft 365.

For detailed information, see the following resources:

Overview of Basic Mobility and Security for Microsoft 365.

Manage settings and features on your devices with Microsoft Intune policies

Instructions for your end-users to enroll a device in Basic Mobility and Security:
Enroll your mobile device using Basic Mobility and Security

Using Third-Party Unified Endpoint Management Solutions

Third-party unified endpoint management providers can deploy Outlook for iOS and
Android the same way they would deploy any iOS or Android app, using their existing
tools. They can also apply device management controls like device PIN, device
encryption, device wipe, and more, all of which are important for a secure email
experience, but are also completely independent of Outlook for iOS and Android.

Third-party providers can also deploy certain app configuration settings, like account
setup, organization allowed accounts mode, and general app configuration settings, to
Outlook for iOS and Android; for more information, please see Deploying Outlook for
iOS and Android app configuration settings.

In order to manage and protect corporate data within the app (such as restricting
actions with corporate data like cut, copy, paste, and "save as"), customers will need to
use Microsoft's Enterprise Mobility + Security suite.
Using Mobile Device Access and Mobile Device Mailbox
Policies
Microsoft recommends that customers use either the Enterprise Mobility + Security
suite or the built-in Basic Mobility and Security for Microsoft 365 to manage company
data on mobile devices, due to the advanced capabilities provided by those services.
Outlook for iOS and Android does support mobile device access and mobile device
mailbox policies (formerly known as Exchange Active Sync policies), which are available
through the Exchange admin center.

Outlook for iOS and Android supports the following Exchange mobile device mailbox
policy settings:

Device encryption enabled

Min password length (only on Android)

Password enabled

Allow Bluetooth (used to manage the Outlook for Android wearable app when
Intune App Protection Policies are not in use)

When AllowBluetooth is enabled (default behavior) or configured for
HandsfreeOnly, wearable synchronization between Outlook on the Android
device and Outlook on the wearable is allowed for the work or school account.

When AllowBluetooth is disabled, Outlook for Android will disable
synchronization between Outlook on the Android device and Outlook on the
wearable for the specified work or school account (and delete any data
previously synced for the account). Disabling the synchronization is controlled
entirely within Outlook itself; Bluetooth is not disabled on the device or
wearable nor is any other wearable app affected.

For information on how to create or modify an existing mobile device mailbox policy,
see Mobile device mailbox policies in Exchange Online.

Exchange administrators can also initiate a remote device wipe against Outlook for iOS
and Android using Exchange admin center. Upon receiving the remote wipe request, the
app will remove the Outlook profile and all data associated with it.

Note

Outlook for iOS and Android only supports the Wipe Data remote wipe command
and does not support Account Only Remote Wipe Device as defined in the
Exchange admin center. For more information on how to perform a remote wipe,
see Perform a remote wipe on a mobile phone.

For more about Microsoft Intune see Documentation for Microsoft Intune.
Securing Outlook for iOS and Android in
Exchange Online
Article • 02/22/2023

Outlook for iOS and Android provides users the fast, intuitive email and calendar
experience that users expect from a modern mobile app, while being the only app to
provide support for the best features of Microsoft 365 or Office 365.

Protecting company or organizational data on users' mobile devices is extremely
important. Begin by reviewing Setting up Outlook for iOS and Android, to ensure your
users have all the required apps installed. After that, choose one of the following
options to secure your devices and your organization's data:

1. Recommended: If your organization has an Enterprise Mobility + Security
subscription, or has separately obtained licensing for Microsoft Intune and Azure
Active Directory Premium, follow the steps in Leveraging Enterprise Mobility +
Security suite to protect corporate data with Outlook for iOS and Android to
protect corporate data with Outlook for iOS and Android.

2. If your organization doesn't have an Enterprise Mobility + Security subscription or
licensing for Microsoft Intune and Azure Active Directory Premium, follow the
steps in Leveraging Basic Mobility and Security for Microsoft 365, and use the Basic
Mobility and Security capabilities that are included in your Office 365 or Microsoft
365 subscription.

3. Follow the steps in Leveraging Exchange Online mobile device policies to
implement basic Exchange mobile device mailbox and device access policies.

If, on the other hand, you don't want to use Outlook for iOS and Android in your
organization, see Blocking Outlook for iOS and Android.

Note

See Exchange Web Services (EWS) application policies later in this article if you'd
rather implement an EWS application policy to manage mobile device access in
your organization.

Setting up Outlook for iOS and Android

For devices enrolled in a unified endpoint management (UEM) solution, users will utilize
the UEM solution, like the Intune Company Portal, to install the required apps: Outlook
for iOS and Android and Microsoft Authenticator.

For devices that are not enrolled in an UEM solution, users need to install:

Outlook for iOS and Android via the Apple App Store or Google Play Store

Microsoft Authenticator app via the Apple App Store or Google Play Store

Intune Company Portal app via Apple App Store or Google Play Store

Once the app is installed, users can follow these steps to add their corporate email
account and configure basic app settings:

Set up email account in Outlook for iOS mobile app

Set up email in the Outlook for Android app

Optimizing the Outlook mobile app for your iOS or Android phone

Important

To leverage app-based conditional access policies, the Microsoft Authenticator app
must be installed on iOS devices. For Android devices, the Intune Company Portal
app is required. For more information, see App-based Conditional Access with
Intune.

Leveraging Enterprise Mobility + Security suite
to protect corporate data with Outlook for iOS
and Android

Important

The Allow/Block/Quarantine (ABQ) list provides no security guarantees (if a client
spoofs the DeviceType header, it might be possible to bypass blocking for a
particular device type). To securely restrict access to specific device types, we
recommend that you configure conditional access policies. For more information,
see App-based conditional access with Intune.

The richest and broadest protection capabilities for Microsoft 365 and Office 365 data
are available when you subscribe to the Enterprise Mobility + Security suite, which
includes Microsoft Intune and Azure Active Directory Premium features, such as
conditional access. At a minimum, you will want to deploy a conditional access policy
that only allows connectivity to Outlook for iOS and Android from mobile devices and
an Intune app protection policy that ensures the corporate data is protected.

Note

While the Enterprise Mobility + Security suite subscription includes both Microsoft
Intune and Azure Active Directory Premium, customers can purchase Microsoft
Intune licenses and Azure Active Directory Premium licenses separately. All users
must be licensed in order to leverage the conditional access and Intune app
protection policies that are discussed in this article.

Block all email apps except Outlook for iOS and Android
using conditional access
When an organization decides to standardize how users access Exchange data, using
Outlook for iOS and Android as the only email app for end users, they can configure a
conditional access policy that blocks other mobile access methods. To do this, you will
need several conditional access policies, with each policy targeting all potential users.
These policies are described in Conditional Access: Require approved client apps or app
protection policy.

1. Follow the steps in Require approved client apps or app protection policy with
mobile devices. This policy allows Outlook for iOS and Android, but blocks OAuth
and basic authentication capable Exchange ActiveSync mobile clients from
connecting to Exchange Online.

Note

This policy ensures mobile users can access all Microsoft 365 endpoints using
the applicable apps.

2. Follow the steps in Block Exchange ActiveSync on all devices, which prevents
Exchange ActiveSync clients using basic authentication on non-mobile devices
from connecting to Exchange Online.

The above policies leverage the grant access control Require app protection
policy, which ensures that an Intune App Protection Policy is applied to the
associated account within Outlook for iOS and Android prior to granting access. If
the user isn't assigned to an Intune App Protection Policy, isn't licensed for Intune,
or the app isn't included in the Intune App Protection Policy, then the policy
prevents the user from obtaining an access token and gaining access to messaging
data.

3. Follow the steps in How to: Block legacy authentication to Azure AD with
Conditional Access to block legacy authentication for other Exchange protocols on
iOS and Android devices; this policy should target only Office 365 Exchange Online
cloud app and iOS and Android device platforms. This ensures mobile apps using
Exchange Web Services, IMAP4, or POP3 protocols with basic authentication
cannot connect to Exchange Online.

Note

After the conditional access policies are enabled, it may take up to 6 hours for any
previously connected mobile device to become blocked.
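
The three-policy procedure above, as an added example that is not part of the original article: the step 3 policy (block legacy authentication to Exchange Online from iOS and Android) built with the Microsoft Graph PowerShell SDK instead of the portal. The module, the Graph scopes and the Exchange Online application ID are assumptions to verify in your own tenant, and the emergency-access group ID is a placeholder.

```powershell
# Added example, not from the Microsoft article: builds the step 3 policy
# (block legacy authentication to Exchange Online from iOS and Android) with
# the Microsoft Graph PowerShell SDK rather than the Azure portal.
# Assumptions: the Microsoft.Graph.Identity.SignIns module is installed, the
# signed-in account can manage Conditional Access, and $exchangeOnlineAppId is
# the well-known Office 365 Exchange Online app ID (verify it in your tenant
# with Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'").

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # assumption: confirm in your tenant
$policyName          = "Block legacy auth to Exchange Online on iOS and Android"
$breakGlassGroupId   = $null   # placeholder: object ID of your emergency-access group

# Idempotency guard: do not create a second policy with the same name.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if ($existing) { throw "Policy '$policyName' already exists (id $($existing.Id))" }

$policy = @{
    displayName = $policyName
    # Report-only first: the sign-in logs then show which users and apps would be
    # blocked without cutting anyone off. Change to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        # exchangeActiveSync = EAS clients using basic authentication;
        # other = the remaining legacy protocols (IMAP4, POP3, EWS with basic auth).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
# Always keep the emergency-access accounts out of scope of a block policy.
if ($breakGlassGroupId) {
    $policy.conditions.users.excludeGroups = @($breakGlassGroupId)
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only mode until the sign-in logs confirm that only the expected basic-authentication clients are affected; once you switch the state to "enabled", the propagation delay described in the note above applies.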

When the user authenticates in Outlook for iOS and Android, Exchange Online
mobile device access rules (allow, block, or quarantine) are skipped if there are any
Azure Active Directory conditional access policies applied to the user that include:

Cloud app condition: Exchange Online or Office 365
Device platform condition: iOS and/or Android
Client apps condition: Mobile apps and desktop clients
One of the following Grant access controls: Require device to be marked as
compliant, Require approved client app or Require app protection policy

To leverage app-based conditional access policies, the Microsoft Authenticator app
must be installed on iOS devices. For Android devices, the Intune Company Portal
app is required. For more information, see App-based Conditional Access with
Intune.

Protect corporate data in Outlook for iOS and Android
using Intune app protection policies
App Protection Policies (APP) define which apps are allowed and the actions they can
take with your organization's data. The choices available in APP enable organizations to
tailor the protection to their specific needs. For some, it may not be obvious which
policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its
APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:

Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides data protection controls similar to those in Exchange Online mobile
device mailbox policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.

To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.

Regardless of whether the device is enrolled in a UEM solution, an Intune app
protection policy needs to be created for both iOS and Android apps, using the steps in
How to create and assign app protection policies. These policies, at a minimum, must
meet the following conditions:

1. They include all Microsoft mobile applications, such as Edge, OneDrive, Office, or
Teams, as this will ensure that users can access and manipulate work or school data
within any Microsoft app in a secure fashion.

2. They are assigned to all users. This ensures that all users are protected, regardless
of whether they use Outlook for iOS or Android.

3. Determine which framework level meets your requirements. Most organizations
should implement the settings defined in Enterprise enhanced data protection
(Level 2) as that enables data protection and access requirements controls.

For more information on the available settings, see Android app protection policy
settings in Microsoft Intune and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are
not enrolled in Intune, the user must also install the Intune Company Portal. For
more information, see What to expect when your Android app is managed by app
protection policies.

Leveraging Basic Mobility and Security for
Microsoft 365
If you don't plan to leverage the Enterprise Mobility + Security suite, you can use Basic
Mobility and Security for Microsoft 365. This solution requires that mobile devices be
enrolled. When a user attempts to access Exchange Online with a device that is not
enrolled, the user is blocked from accessing the resource until they enroll the device.

Because this is a device management solution, there is no native capability to control
which apps can be used even after a device is enrolled. If you want to limit access to
Outlook for iOS and Android, you will need to obtain Azure Active Directory Premium
licenses and leverage the conditional access policies discussed in Block all email apps
except Outlook for iOS and Android using conditional access.

A global admin must complete the following steps to activate and set up enrollment.
See Set up Basic Mobility and Security for complete steps. In summary, these steps
include:

1. Activating Basic Mobility and Security by following the steps in the Microsoft 365
Security Center.

2. Setting up unified endpoint management by, for example, creating an APNs
certificate to manage iOS devices.

3. Creating device policies and applying them to groups of users. When you do this,
your users will get an enrollment message on their device. And when they've
completed enrollment, their devices will be restricted by the policies you've set up
for them.

Note

Policies and access rules created in Basic Mobility and Security will override both
Exchange mobile device mailbox policies and device access rules created in the
Exchange admin center. After a device is enrolled in Basic Mobility and Security, any
Exchange mobile device mailbox policy or device access rule that is applied to that
device will be ignored.

Leveraging Exchange Online mobile device
policies
If you don't plan on leveraging either the Enterprise Mobility + Security suite or the
Basic Mobility and Security functionality, you can implement an Exchange mobile device
mailbox policy to secure the device, and device access rules to limit device connectivity.

Mobile device mailbox policy

Outlook for iOS and Android supports the following mobile device mailbox policy
settings in Exchange Online:

Device encryption enabled

Min password length (only on Android)

Password enabled

Allow Bluetooth (used to manage the Outlook for Android wearable app)

When AllowBluetooth is enabled (default behavior) or configured for
HandsfreeOnly, wearable synchronization between Outlook on the Android
device and Outlook on the wearable is allowed for the work or school account.

When AllowBluetooth is disabled, Outlook for Android will disable
synchronization between Outlook on the Android device and Outlook on the
wearable for the specified work or school account (and delete any data
previously synced for the account). Disabling the synchronization is controlled
entirely within Outlook itself; Bluetooth is not disabled on the device or
wearable nor is any other wearable app affected.

For information on how to create or modify an existing mobile device mailbox policy,
see Mobile device mailbox policies in Exchange Online.

In addition, Outlook for iOS and Android supports Exchange Online's device-wipe
capability. With Outlook, a remote wipe only wipes data within the Outlook app itself
and does not trigger a full device wipe. For more information on how to perform a
remote wipe, see Perform a remote wipe on a mobile phone in Exchange Online.

Device access policy

Outlook for iOS and Android should be enabled by default, but in some existing
Exchange Online environments the app may be blocked for a variety of reasons. Once
an organization decides to standardize how users access Exchange data and use
Outlook for iOS and Android as the only email app for end users, you can configure
blocks for other email apps running on users' iOS and Android devices. You have two
options for instituting these blocks within Exchange Online: the first option blocks all
devices and only allows usage of Outlook for iOS and Android; the second option allows
you to block individual devices from using the native Exchange ActiveSync apps.

Note

Because device IDs are not governed by any physical device ID, they can change
without notice. When this happens, it can cause unintended consequences when
device IDs are used for managing user devices, as existing 'allowed' devices may be
unexpectedly blocked or quarantined by Exchange. Therefore, we recommend
administrators only set mobile device access policies that allow/block devices
based on device type or device model.

Option 1: Block all email apps except Outlook for iOS and Android
You can define a default block rule and then configure an allow rule for Outlook for iOS
and Android, and for Windows devices, using the following Exchange Online PowerShell
commands. This configuration will prevent any Exchange ActiveSync native app from
connecting, and will only allow Outlook for iOS and Android.

1. Create the default block rule:

PowerShell

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

2. Create an allow rule for Outlook for iOS and Android

PowerShell

New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow

Option 2: Block native Exchange ActiveSync apps on Android and
iOS devices

Alternatively, you can block native Exchange ActiveSync apps on specific Android and
iOS devices or other types of devices.

1. Confirm that there are no Exchange ActiveSync device access rules in place that
block Outlook for iOS and Android:

PowerShell

Get-ActiveSyncDeviceAccessRule | Where-Object { $_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*" } | Format-Table Name, AccessLevel, QueryString -AutoSize

If any device access rules that block Outlook for iOS and Android are found, type
the following to remove them:

PowerShell

Get-ActiveSyncDeviceAccessRule | Where-Object { $_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*" } | Remove-ActiveSyncDeviceAccessRule

2. You can block most Android and iOS devices with the following commands:

PowerShell

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Android" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPod" -AccessLevel Block

3. Not all Android device manufacturers specify "Android" as the DeviceType.
Manufacturers may specify a unique value with each release. In order to find other
Android devices that are accessing your environment, execute the following
command to generate a report of all devices that have an active Exchange
ActiveSync partnership:

PowerShell

Get-MobileDevice | Select-Object DeviceOS,DeviceModel,DeviceType | Export-CSV c:\temp\easdevices.csv

4. Create additional block rules, depending on your results from Step 3. For example,
if you find your environment has a high usage of HTCOne Android devices, you can
create an Exchange ActiveSync device access rule that blocks that particular device,
forcing the users to use Outlook for iOS and Android. In this example, you would
type:

PowerShell

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "HTCOne" -AccessLevel Block

Note

The -QueryString parameter does not accept wildcards or partial matches.
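
Steps 3 and 4 above, as an added example that is not part of the original article: instead of exporting a CSV and hand-picking values, the script summarises the DeviceType strings with an active partnership, skips the ones you have standardised on, and creates an exact-match block rule for each remaining type. It assumes an existing Connect-ExchangeOnline session; the $allowedDeviceTypes list is an assumption to adjust for your organisation.

```powershell
# Added example, not from the Microsoft article. Assumes an existing
# Connect-ExchangeOnline session with rights to manage device access rules.
# New-ActiveSyncDeviceAccessRule honours -WhatIf, so the script is safe to run
# as-is; remove -WhatIf once the inventory looks right.

$allowedDeviceTypes = @("Outlook")   # assumption: DeviceType values you do NOT want blocked

# Step 3, summarised per DeviceType instead of dumped to CSV.
$inventory = Get-MobileDevice -ResultSize Unlimited |
    Group-Object -Property DeviceType |
    Sort-Object -Property Count -Descending |
    Select-Object @{n = 'DeviceType'; e = { $_.Name }},
                  Count,
                  @{n = 'SampleModels'; e = { ($_.Group.DeviceModel | Select-Object -Unique -First 3) -join ', ' }}
$inventory | Format-Table -AutoSize

# Existing rules keyed by characteristic and query string, so re-running the
# script never creates a duplicate rule.
$existingRules = @{}
Get-ActiveSyncDeviceAccessRule | ForEach-Object {
    $existingRules["$($_.Characteristic):$($_.QueryString)"] = $_
}

# Step 4: one exact-match block rule per non-standard DeviceType.
foreach ($entry in $inventory) {
    $type = $entry.DeviceType
    if ([string]::IsNullOrWhiteSpace($type)) { continue }
    if ($allowedDeviceTypes -contains $type) { continue }

    $key = "DeviceType:$type"
    if ($existingRules.ContainsKey($key)) {
        Write-Host "Rule for DeviceType '$type' already exists ($($existingRules[$key].AccessLevel)); skipping"
        continue
    }
    # -QueryString must be the exact DeviceType string; wildcards are not accepted,
    # which is why the rules are generated from the observed values.
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString $type -AccessLevel Block -WhatIf
}
```

Because the block rules are created from strings observed in your own tenant, a manufacturer that ships a new DeviceType value after the run will not be covered until the script is run again; schedule it, or pair it with the Option 1 default-block approach if you need a closed policy.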

Additional resources:

New-ActiveSyncDeviceAccessRule

Get-MobileDevice

Set-ActiveSyncOrganizationSettings

Blocking Outlook for iOS and Android

If you don't want users in your organization to access Exchange data with Outlook for
iOS and Android, the approach you take depends on whether you are using Azure
Active Directory conditional access policies or Exchange Online's device access policies.

Option 1: Block mobile device access using a conditional
access policy

Azure Active Directory conditional access does not provide a mechanism whereby you
can specifically block Outlook for iOS and Android while allowing other Exchange
ActiveSync clients. With that said, conditional access policies can be used to block
mobile device access in two ways:

Option A: Block mobile device access on both the iOS and Android platforms
Option B: Block mobile device access on a specific mobile device platform

Option A: Block mobile device access on both the iOS and Android
platforms

If you want to prevent mobile device access for all users, or a subset of users, using
conditional access, follow these steps.

Create conditional access policies, with each policy either targeting all users or a subset
of users via a security group. Details are in Azure Active Directory app-based conditional
access.

1. The first policy blocks Outlook for iOS and Android and other OAuth capable
Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 -
Configure an Azure AD conditional access policy for Exchange Online," but for the
fifth step, choose Block access.

2. The second policy prevents Exchange ActiveSync clients leveraging basic
authentication from connecting to Exchange Online. See "Step 2 - Configure an
Azure AD conditional access policy for Exchange Online with ActiveSync (EAS)."

Option B: Block mobile device access on a specific mobile device
platform

If you want to prevent a specific mobile device platform from connecting to Exchange
Online, while allowing Outlook for iOS and Android to connect from the other platform,
create the following conditional access policies, with each policy targeting all users.
Details are in Azure Active Directory app-based conditional access.

1. The first policy allows Outlook for iOS and Android on the specific mobile device
platform and blocks other OAuth capable Exchange ActiveSync clients from
connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional
access policy for Exchange Online," but for step 4a, select only the desired mobile
device platform (such as iOS) to which you want to allow access.

2. The second policy blocks the app on the specific mobile device platform and other
OAuth capable Exchange ActiveSync clients from connecting to Exchange Online.
See "Step 1 - Configure an Azure AD conditional access policy for Exchange
Online," but for step 4a, select only the desired mobile device platform (such as
Android) to which you want to block access, and for step 5, choose Block access.

3. The third policy prevents Exchange ActiveSync clients leveraging basic
authentication from connecting to Exchange Online. See "Step 2 - Configure an
Azure AD conditional access policy for Exchange Online with ActiveSync (EAS)."

Option 2: Block Outlook for iOS and Android using
Exchange mobile device access rules

If you are managing your mobile device access via Exchange Online's device access
rules, you have two options:

Option A: Block Outlook for iOS and Android on both the iOS and Android
platforms

Option B: Block Outlook for iOS and Android on a specific mobile device platform

Every Exchange organization has different policies regarding security and device
management. If an organization decides that Outlook for iOS and Android doesn't meet
their needs or is not the best solution for them, administrators have the ability to block
the app. Once the app is blocked, mobile Exchange users in your organization can
continue accessing their mailboxes by using the built-in mail applications on iOS and
Android.

The New-ActiveSyncDeviceAccessRule cmdlet has a Characteristic parameter, and there
are three Characteristic options that administrators can use to block the Outlook for
iOS and Android app. The options are UserAgent, DeviceModel, and DeviceType. In the
two blocking options described in the following sections, you will use one or more of
these characteristic values to restrict the access that Outlook for iOS and Android has to
the mailboxes in your organization.

The values for each characteristic are displayed in the following table:

Characteristic    String for iOS                 String for Android
DeviceModel       Outlook for iOS and Android    Outlook for iOS and Android
DeviceType        Outlook                        Outlook
UserAgent         Outlook-iOS/2.0                Outlook-Android/2.0

Option A: Block Outlook for iOS and Android on both the iOS and
Android platforms

With the New-ActiveSyncDeviceAccessRule cmdlet, you can define a device access rule,
using either the DeviceModel or DeviceType characteristic. In both cases, the access rule
blocks Outlook for iOS and Android across all platforms, and will prevent any device, on
both the iOS platform and Android platform, from accessing an Exchange mailbox via
the app.

The following are two examples of a device access rule. The first example uses the
DeviceModel characteristic; the second example uses the DeviceType characteristic.

PowerShell

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Block

PowerShell

New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block

Option B: Block Outlook for iOS and Android on a specific mobile
device platform

With the UserAgent characteristic, you can define a device access rule that blocks
Outlook for iOS and Android across a specific platform. This rule will prevent a device
from using Outlook for iOS and Android to connect on the platform you specify. The
following examples show how to use the device-specific value for the UserAgent
characteristic.

To block Android and allow iOS:

PowerShell

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Allow

To block iOS and allow Android:

PowerShell

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Block

Exchange Online controls

Beyond Microsoft Endpoint Manager, Basic Mobility and Security for Microsoft 365, and
Exchange mobile device policies, you can manage the access that mobile devices have
to information in your organization through various Exchange Online controls, as well
as whether to allow users access to add-ins within Outlook for iOS and Android.

Exchange Web Services (EWS) application policies

An EWS application policy can control whether or not applications are allowed to
leverage the REST API. Note that when you configure an EWS application policy that
only allows specific applications access to your messaging environment, you must add
the user-agent string for Outlook for iOS and Android to the EWS allow list.

The following example shows how to add the user-agent strings to the EWS allow list:

PowerShell

Set-OrganizationConfig -EwsAllowList @{Add="Outlook-iOS/*","Outlook-Android/*"}
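
The allow-list change above, as an added example that is not part of the original article: the script records the current EWS policy, adds the Outlook for iOS and Android user-agent patterns together with any other EWS clients you depend on, switches the organization to an enforced allow list, and verifies the result. It assumes an existing Connect-ExchangeOnline session; $otherAllowedAgents is an assumption you must populate for your own environment.

```powershell
# Added example, not from the Microsoft article. Assumes an existing
# Connect-ExchangeOnline session with the Organization Management role.
# Order matters: populate the allow list BEFORE switching to EnforceAllowList,
# because an enforced allow list that is empty blocks every EWS application,
# Outlook for iOS and Android included.

$outlookMobileAgents = @("Outlook-iOS/*", "Outlook-Android/*")
$otherAllowedAgents  = @()   # assumption: user-agent patterns of your own EWS clients (backup, archiving, CRM, ...)

$before = Get-OrganizationConfig |
    Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
Write-Host "EWS policy before the change:"
$before | Format-List

# Add the user agents (Add= merges with whatever is already on the list).
Set-OrganizationConfig -EwsAllowList @{Add = ($outlookMobileAgents + $otherAllowedAgents)}

# Only now turn the allow list into an enforced policy.
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList

# Verify: every Outlook mobile pattern must be present, or the app is locked out.
$after   = Get-OrganizationConfig
$missing = $outlookMobileAgents | Where-Object { $after.EwsAllowList -notcontains $_ }
if ($missing) {
    throw "Outlook mobile user agents missing from EwsAllowList: $($missing -join ', ')"
}
Write-Host "EwsApplicationAccessPolicy = $($after.EwsApplicationAccessPolicy)"
Write-Host "EwsAllowList               = $($after.EwsAllowList -join ', ')"
```

If EwsEnabled is already $false on the organization, EWS is off for every application regardless of the allow list, so check that value in the "before" output first.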

Exchange User controls

With the native Microsoft sync technology, administrators can control usage of Outlook
for iOS and Android at the mailbox level. By default, users are allowed to access mailbox
data using Outlook for iOS and Android. The following example shows how to disable a
user's mailbox access with Outlook for iOS and Android:

PowerShell

Set-CASMailbox jane@contoso.com -OutlookMobileEnabled $false
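
The mailbox-level control above, as an added example that is not part of the original article: a report-first script that lists which mailboxes still allow Outlook for iOS and Android and disables it only for the members of a named group. It assumes an existing Connect-ExchangeOnline session; the group name is a placeholder for one in your tenant.

```powershell
# Added example, not from the Microsoft article. Assumes an existing
# Connect-ExchangeOnline session. Without -Enforce the script only reports.
param(
    [string]$GroupName = "Outlook Mobile Blocked",   # placeholder: a mail-enabled group in your tenant
    [switch]$Enforce
)

# Mailboxes where the app is currently allowed (the default).
$enabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OutlookMobileEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, OutlookMobileEnabled, ActiveSyncEnabled
Write-Host "$(@($enabled).Count) mailbox(es) currently allow Outlook for iOS and Android"

# Members of the target group that actually have a mailbox.
$targets = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -like "*Mailbox" }

foreach ($member in $targets) {
    $cas = Get-CASMailbox -Identity $member.PrimarySmtpAddress
    if (-not $cas.OutlookMobileEnabled) { continue }   # already disabled

    if ($Enforce) {
        Set-CASMailbox -Identity $member.PrimarySmtpAddress -OutlookMobileEnabled $false
        Write-Host "Disabled Outlook mobile for $($member.PrimarySmtpAddress)"
    } else {
        Write-Host "Would disable Outlook mobile for $($member.PrimarySmtpAddress) (run with -Enforce)"
    }
}
```

OutlookMobileEnabled governs only the native Outlook mobile sync path; a user whose mailbox still has ActiveSyncEnabled set can fall back to the built-in mail app, which is why the report includes that column.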

Managing add-ins
Outlook for iOS and Android lets users integrate popular apps and services with the
email client. Add-ins for Outlook are available on the web, Windows, Mac, and mobile.
Since add-ins are managed via Microsoft 365 or Office 365, users are able to share data
and messages between Outlook for iOS and Android and the unmanaged add-in (even
when the account is managed by an Intune App Protection policy), unless add-ins are
turned off for the user within the Microsoft 365 admin center.

If you want to stop your end users from accessing and installing Outlook add-ins (which
affects all Outlook clients), execute the following changes to roles in the Microsoft 365
admin center:

To prevent users from installing Office Store add-ins, remove the My Marketplace
role from them.
To prevent users from side loading add-ins, remove the My Custom Apps role from
them.
To prevent users from installing all add-ins, remove both the My Custom Apps and
My Marketplace roles from them.

For more information, please see Add-ins for Outlook and how to Manage deployment
of add-ins in the Microsoft 365 admin center.

Deploying Outlook for iOS and Android app configuration
settings in Exchange Online
Article • 05/23/2023

Summary: How to customize the behavior of Outlook for iOS and Android in your Exchange organization.

Outlook for iOS and Android supports app settings that allow unified endpoint management (UEM) administrators (using tools such as
Microsoft Endpoint Manager) and Microsoft 365 or Office 365 administrators to customize the behavior of the app.

App configuration can be delivered either through the mobile device management OS channel on enrolled devices (the Managed App
Configuration channel for iOS or the Android Enterprise channel for Android) or through the Intune App Protection Policy
(APP) channel. Outlook for iOS and Android supports the following configuration scenarios:

Account setup configuration
Organization allowed accounts mode
General app configuration settings
S/MIME settings
Data protection settings

Important

For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise, and
Outlook for Android must be deployed via the managed Google Play store. For more information, see Set up enrollment of
Android work profile devices and Add app configuration policies for managed Android devices.

Each configuration scenario highlights its specific requirements, for example whether the configuration scenario requires device
enrollment (and thus works with any UEM provider) or requires Intune App Protection Policies. The flowchart in the original article
outlines which channel needs to be used for the above configuration scenarios:

Note

With Microsoft Endpoint Manager, app configuration delivered through the mobile device management OS channel is referred to as
a Managed Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy (APP) channel is
referred to as a Managed Apps App Configuration Policy.

Account configuration scenarios
Outlook for iOS and Android offers administrators the following app configuration scenarios with enrolled devices:

Account setup configuration
Organization allowed accounts mode

These configuration scenarios only work with enrolled devices. However, any UEM provider is supported. If you aren't using Microsoft
Endpoint Manager, refer to your UEM documentation for how to deploy these settings. For more information on the
configuration keys, see Configuration keys.

Account setup configuration scenario

Outlook for iOS and Android offers administrators the ability to "push" account configurations to their Office 365 users and to on-premises
users leveraging hybrid Modern Authentication. For more information on account setup configuration, see Account setup with modern
authentication in Exchange Online.

Organization allowed accounts mode scenario

Outlook for iOS and Android offers administrators the ability to restrict email and storage provider accounts to only corporate accounts.
For more information on organization allowed accounts mode, see Account setup with modern authentication in Exchange Online.

General app configuration scenarios

Outlook for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This
capability is offered for both enrolled devices via any UEM provider and for devices that aren't enrolled when Outlook for iOS and
Android has an Intune App Protection Policy applied.

Note

If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings in a
Managed Apps device enrollment model. This deployment ensures the App Configuration Policy is deployed to both enrolled
devices and unenrolled devices.

Outlook supports the following settings for configuration. For each setting, the app default is listed first, then Microsoft's
recommended app configuration behavior, then notes.

Open Links in Edge
  Default: On. Recommended app configuration behavior: App default.
  Users will be prompted to open links in Edge. Admins have the option to disable this feature for their company.

Focused Inbox
  Default: On. Recommended app configuration behavior: App default.
  Focused Inbox separates your inbox into two tabs, Focused and Other. Your most important emails are on the Focused tab while the
  rest remains easily accessible (but out of the way) on the Other tab.

Require Biometrics to access the app
  Default: Off. Recommended app configuration behavior: Disable.
  Biometrics, such as TouchID or FaceID, can be required for users to access the app on their device. When required, biometrics is
  used in addition to the authentication method selected in this profile. This setting is only available for Outlook for iOS.
  If using App Protection Policies, Microsoft recommends disabling this setting to prevent dual access prompts.

Save (or Sync) Contacts
  Default: Off. Recommended app configuration behavior: Enable.
  Saving contacts to the mobile device's native address book allows new calls and text messages to be linked with the user's
  existing Outlook contacts. The user must grant access to the native Contacts app for contact synchronization to occur.

Sync Calendars
  Default: Off. Recommended app configuration behavior: App default.
  Outlook for Android provides users the ability to synchronize Outlook calendar data with the native Calendar app. The user must
  grant access to the native Calendar app for calendar synchronization to occur. This feature is only supported with Outlook for
  Android.

External Recipients MailTip
  Default: On. Recommended app configuration behavior: App default.
  If the sender adds a recipient that's external or adds a distribution group that contains external recipients, the External
  Recipients MailTip is displayed. This MailTip informs senders if a message they're composing will leave the organization, helping
  them make the correct decisions about wording, tone, and content. The Exchange Online MailTipsExternalRecipientsTipsEnabled
  parameter must be set to $true for Outlook for iOS and Android to see the External Recipients MailTip. For more information, see
  MailTips.

Block external images
  Default: Off. Recommended app configuration behavior: Enable.
  When Block external images is enabled, the app prevents the download of images hosted on the Internet which are embedded in
  the message body by default (the user can still choose to download the images).

Default app signature
  Default: On. Recommended app configuration behavior: App default.
  Indicates whether the app uses its default signature, "Get Outlook for [OS]", during message composition, if a custom signature
  isn't defined. Users can add their own signatures even when the default signature is disabled.

Suggested replies
  Default: On. Recommended app configuration behavior: App default.
  By default, Outlook for iOS and Android suggests replies in the quick reply compose window. If you select a suggested reply, you
  can edit the reply before sending it.

Recommendations feed
  Default: On. Recommended app configuration behavior: App default.
  The Recommendations feed is powered by Microsoft Graph and provides a feed of your organization's Office files connected to the
  people in your organization. This feature is located in the Recommended section within the Search experience and only shows
  documents to which the user has access. Recommendations based on insights from other users in the organization can be
  controlled through the itemInsights setting.

Organize mail by thread
  Default: On. Recommended app configuration behavior: App default.
  By default, Outlook for iOS and Android collates related emails into a single threaded conversation view.

Play My Emails
  Default: On. Recommended app configuration behavior: App default.
  By default, Play My Emails is promoted to eligible users via a banner in the inbox.

Text Predictions
  Default: On. Recommended app configuration behavior: App default.
  By default, Outlook for iOS and Android can suggest words and phrases as you compose messages.

Themes
  Default: On. Recommended app configuration behavior: App default.
  By default, Outlook for iOS and Android supports visual themes that can be enabled for certain beliefs or events.

Louder Mandatory labeling
  Default: Off. Recommended app configuration behavior: App default.
  For organizations that have mandatory labeling enabled without default labeling and want the label to be selected before the
  user starts composing the email, so that when the user taps Send the email is sent without any forgotten-labeling pop-ups.
  Outlook mobile introduces an MDM setting (com.microsoft.outlook.Mail.LouderMandatoryLabelEnabled) that allows admins to
  enable this louder mandatory configuration for Outlook mobile clients (iOS and Android) specifically.

Settings that are security-related in nature have an additional option, Allow user to change setting. For these settings (Save Contacts,
Block external images, and Require Biometrics to access the app), organizations can prevent the user from changing the app's
configuration. The organization's configuration can't be overridden.

Allow user to change setting doesn't change the app's behavior. For example, if the admin enables Block external images and prevents a
user change, then by default, external images aren't downloaded in messages; however, the user can manually download the images for
that message body.

The following conditions describe Outlook's behavior when implementing various app configurations:

If the admin configures a setting with its default value, and the app is configured with the default value, then the admin's
configuration doesn't have any effect. For example, if the admin sets External recipients MailTip=on, the default value is also on, so
Outlook's configuration doesn't change.
If the admin configures a setting with the non-default value and the app is configured with the default value, then the admin's
configuration is applied. For example, the admin sets Focused Inbox=off, but app default value is on, so Outlook's configuration for
Focused Inbox is off.
If the user has configured a non-default value, but the admin has configured a default value and allows user choice, then Outlook
retains the user's configured value. For example, the user has enabled contact synchronization, but the admin sets Save
Contacts=off and allows user choice, so Outlook keeps contact synchronization on and doesn't break caller-ID for user.
If the admin disables user choice, Outlook always enforces the admin-defined configuration, regardless of the user's configuration
or default app configuration. For example, the user has enabled contact synchronization, but the admin sets Save Contacts=off and
disables user choice, so contact synchronization gets disabled and the user is prevented from enabling it.
After the app configuration is applied, if the user changes the setting value to not match the admin desired value (and user choice
is allowed), then the user's configuration is retained. For example, Block external images is off by default, admin set Block external
images=on, but afterwards, user changes Block external images back to off. In this scenario, Block external images remains off the
next time the policy is applied.
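
The precedence rules above, as an added example that is not part of the original article: a function that encodes them so you can predict the effective value of a setting before deploying an app configuration policy, run against the article's own worked cases. The function and its parameter model (On = $true, Off = $false, $null = not configured) are this example's assumptions, not an Outlook API.

```powershell
# Added example, not from the Microsoft article. Models the five precedence
# rules for an Outlook app configuration setting.
#   $AppDefault      - the app's built-in default
#   $AdminValue      - value set by policy, or $null when the policy does not configure the setting
#   $AllowUserChange - the policy's "Allow user to change setting" switch
#   $UserValue       - value the user chose in the app, or $null if never changed
function Resolve-OutlookSetting {
    param(
        [Parameter(Mandatory)][bool]$AppDefault,
        [AllowNull()][Nullable[bool]]$AdminValue = $null,
        [bool]$AllowUserChange = $true,
        [AllowNull()][Nullable[bool]]$UserValue = $null
    )
    if ($null -eq $AdminValue) {
        # No policy for this setting: the user's choice, otherwise the app default.
        if ($null -ne $UserValue) { return [bool]$UserValue }
        return $AppDefault
    }
    # Rule 4: user choice disabled, the admin value is always enforced.
    if (-not $AllowUserChange) { return [bool]$AdminValue }
    # Rules 3 and 5: user choice allowed and the user has set a value, so it is
    # retained, whether it was set before or after the policy arrived.
    # (Assumption: a prior user value is also kept when the admin value is non-default;
    # the article spells out only the admin-sets-default case.)
    if ($null -ne $UserValue) { return [bool]$UserValue }
    # Rules 1 and 2: no user value, the admin value applies (a no-op when it equals the default).
    return [bool]$AdminValue
}

# The article's worked cases, with the outcome each one describes.
$cases = @(
    @{ Name = 'External recipients MailTip: admin on, default on';   AppDefault = $true;  AdminValue = $true;  AllowUserChange = $true;  UserValue = $null;  Expected = $true  }
    @{ Name = 'Focused Inbox: admin off, default on';                AppDefault = $true;  AdminValue = $false; AllowUserChange = $true;  UserValue = $null;  Expected = $false }
    @{ Name = 'Save Contacts: user on, admin off, user choice';      AppDefault = $false; AdminValue = $false; AllowUserChange = $true;  UserValue = $true;  Expected = $true  }
    @{ Name = 'Save Contacts: user on, admin off, no user choice';   AppDefault = $false; AdminValue = $false; AllowUserChange = $false; UserValue = $true;  Expected = $false }
    @{ Name = 'Block external images: admin on, user later off';     AppDefault = $false; AdminValue = $true;  AllowUserChange = $true;  UserValue = $false; Expected = $false }
)
foreach ($c in $cases) {
    $actual = Resolve-OutlookSetting -AppDefault $c.AppDefault -AdminValue $c.AdminValue `
                                     -AllowUserChange $c.AllowUserChange -UserValue $c.UserValue
    $status = if ($actual -eq $c.Expected) { 'ok' } else { 'MISMATCH' }
    '{0,-55} effective={1,-5} {2}' -f $c.Name, $actual, $status
}
```

The practical consequence for the three security-related settings (Save Contacts, Block external images, Require Biometrics) is visible in the last two cases: only with "Allow user to change setting" disabled does the organization's value win over a user who has already flipped the switch.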

Users are alerted to configuration changes via a notification toast in the app. The toast automatically dismisses after 10 seconds.
There are two scenarios where this notification toast won't appear:

If the app has already shown the notification within the last hour.
If the app was installed less than 24 hours ago.

Save Contacts
The Save Contacts setting is a special case scenario because unlike the other settings, this setting requires user interaction: the user
needs to grant Outlook permissions to access the native Contacts app and the data stored within. If the user doesn't grant access, then
contact synchronization can't be enabled.

Note

With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the policy, you
can define that Outlook for Android is granted READ_CONTACTS and WRITE_CONTACTS within the work profile; for more
information on how to assign permissions, see Add app configuration policies for managed Android devices. When assigning
default permissions, it's important to understand which Android Enterprise deployment models are in use, as the permissions
may grant access to personal data.
When enabling Outlook for Android's Save Contacts within Android Enterprise's work profile, Outlook for Android is limited in only
being able to access the native Contacts app within the work profile context; this limitation in accessibility provides a clear
separation between work and personal profile data. However, Android Enterprise allows for the dialer and messaging apps within
the personal profile to access the local contacts within the work profile. This behavior is enabled by default, but can be controlled
via device restrictions; for more information, see Android Enterprise device settings to allow or restrict features using Intune. It's
possible that some dialer or messaging apps, whether pre-installed by the device manufacturer or installed from the Play Store,
don't properly support this capability.

The workflow for enabling Save Contacts is the same for new accounts and existing accounts.

1. The user is notified that the administrator has enabled contact synchronization. In Outlook for iOS, the notification occurs within
the app, whereas in Outlook for Android, a persistent notification is delivered via the Android notification center.

2. If the user taps on the notification, the user is prompted to grant access:
3. If the user allows Outlook to access the native Contacts app, access is granted, and contact synchronization is enabled. If the user
denies Outlook access to the native Contacts app, then the user is prompted to go into the OS settings and enable contact
synchronization:
4. In the event the user denies Outlook access to the native Contacts app and dismisses the previous prompt, the user may later
enable access by navigating to the account configuration within Outlook and tapping Open Settings:

Calendar Sync

Note

Calendar sync support will begin rolling out in October 2020.

Calendar sync enables users to synchronize their Outlook for Android calendar data with the native Android Calendar app. Calendar sync
is off by default and requires user participation. Like Save Contacts, the Sync Calendars setting is another special case scenario because
this setting requires user interaction: the user needs to grant Outlook permissions to access the native Calendar app and the data stored
within. If the user doesn't grant access, then calendar synchronization can't be enabled.

Note

With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the policy, you
can define that Outlook for Android is granted READ_CALENDAR and WRITE_CALENDAR within the work profile; for more
information on how to assign permissions, see Add app configuration policies for managed Android devices. When assigning
default permissions, it's important to understand which Android Enterprise deployment models are in use, as the permissions
may grant access to personal data.
When enabling Outlook for Android's Sync Calendar within Android Enterprise's work profile, Outlook for Android is limited in only
being able to access the native Calendar app within the work profile context; this limitation in accessibility provides a clear
separation between work and personal profile data.

S/MIME scenarios
On enrolled devices, Outlook for iOS and Android supports automated certificate delivery. Outlook for iOS and Android also supports
app configuration settings that enable or disable S/MIME in the app, as well as the user's ability to change the setting. For more
information on how to deploy these settings via Microsoft Endpoint Manager, see Understanding S/MIME. For more information on the
configuration keys, see Configuration keys.

Data protection scenarios

Outlook for iOS and Android supports app configuration policies for the following data protection settings when the app is managed by
Microsoft Endpoint Manager with an Intune App Protection Policy applied:

Managing the use of wearable technology
Managing sensitive data in mail and calendar reminder notifications
Managing the contact fields synchronized to the native contacts app
Managing calendar sync availability
Managing add-ins availability

These settings can be deployed to the app regardless of device enrollment status. For more information on the configuration keys, see
Configuration keys.

Configure Wearables for Outlook for iOS and Android

By default, Outlook for iOS and Android supports wearable technology, allowing the user to receive message notifications and event
reminders, and the ability to interact with messages and view daily calendars. Organizations that want to disable the ability to access
corporate data on wearables can block wearables with an App Configuration Policy.

Configure Notifications for Outlook for iOS and Android

Mobile app notifications are critical in alerting users of new content or reminding them to act. Users interact with these notifications via
the lock screen and in the operating system's notification center. Notifications often include detailed information, which can be sensitive
in nature. This information, unfortunately, can inadvertently be leaked to casual observers.

Outlook for iOS and Android has designed its notifications to enable users to triage email and alert users to upcoming meetings,
including incorporating Time to Leave suggestions. Mail notifications include the sender's address, the subject of the message, and a
short message preview of the message body. Calendar reminders include the subject, location, and start time of the meeting.

Recognizing that these notifications may include sensitive data, organizations can use an Intune App Protection Policy setting, Org Data
Notifications to remove the sensitive data. As this is an App Protection Policy setting, it applies on all devices (phones, tablets, and
wearables) of the user for the apps that support the setting. For more information on the setting, see iOS App Protection Policy settings
and Android App Protection Policy settings.

In addition to the App Protection Policy setting, Outlook for iOS and Android has a data protection App Configuration Policy setting,
Calendar Notifications that provides additional flexibility with calendar notifications – organizations can block sensitive information in
mail notifications, while allowing sensitive information in calendar notifications. After all, users might just need to know where they're
going and when they should leave, at a glance.

The following table outlines the notification experience in Outlook for iOS and Android based on the combination of the App Protection
and App Configuration policy settings:

Org Data Notifications value | Calendar Notifications value | Notification behavior
Allow (default) | Not Configured (default) | Default client behavior where sensitive data is exposed in mail and calendar notifications
Block | Not Configured | Sensitive data is exposed in mail and calendar notifications as Outlook ignores the block setting
Block Org Data | Not Configured | Sensitive data isn't available in mail or calendar notifications
Block Org Data | Allowed | Sensitive data isn't available in mail notifications; calendar notifications expose sensitive data

Configure Contact Field Sync to native Contacts for Outlook for iOS and Android
These settings allow organizations to control the contact fields that synchronize between Outlook for iOS and Android and the native
Contacts apps.

Note

Outlook for Android supports bi-directional contact synchronization. However, if a user edits a field in the native contacts app that
is restricted (such as the Notes field), then that data won't synchronize back into Outlook for Android.

Configure Calendar Sync availability with Outlook for Android

Calendar sync enables users to synchronize their Outlook for Android calendar data with the native Android Calendar app. Organizations
can control whether calendar sync is available to the work or school account with the following methods:

With Intune App Protection Policies, the setting Sync policy managed app data with native apps or add-ins defines whether Save
Contacts, Sync Calendars, and Add-ins are available for use within the work or school account. By default, this setting is set to Allow.
If this setting is set to Block, Save Contacts, Sync Calendars, and Add-ins are disabled for the work or school account and their
associated App Configuration Policy settings are ignored.
When the Intune App Protection Policy setting Sync policy managed app data with native apps or add-ins is set to Allow,
organizations can also choose to define the availability of Sync Calendars through a managed apps App Configuration Policy. This
flexibility allows for feature granularity control from a data protection perspective; for example, organizations can enable Save
Contacts (by setting Sync policy managed app data with native apps or add-ins to Allow) but disable Sync Calendars (by setting
the Allow Calendar Sync setting within a managed apps App Configuration Policy to Off).
Finally, if organizations allow the availability of Sync Calendars, through an App Configuration Policy setting Sync Calendars,
organizations can define the default sync state of calendar sync. This setting removes the need for the user to enable calendar
synchronization manually.

Configure Add-ins availability with Outlook for iOS and Android

Users can synchronize work or school account data into other services using add-ins. The availability of add-ins within the work or school
account can be controlled with the following methods:

With Intune App Protection Policies, the setting Sync policy managed app data with native apps or add-ins defines whether Save
Contacts, Sync Calendars, and Add-ins are available for use within the work or school account. By default, this setting is set to Allow.
If this setting is set to Block, Save Contacts, Sync Calendars, and Add-ins are disabled for the work or school account and their
associated App Configuration Policy settings are ignored.
When the Intune App Protection Policy setting Sync policy managed app data with native apps or add-ins is set to Allow,
organizations can also choose to define the availability of Add-ins through a managed apps App Configuration Policy. This flexibility
allows for feature granularity control from a data protection perspective; for example, organizations can enable Save Contacts (by
setting Sync policy managed app data with native apps to Allow) but disable Add-ins (by setting the Allow Add-ins setting within
a managed apps App Configuration Policy to Off).

Important

When configuring add-ins for your users, issues can occur when add-in policies are set in both Microsoft Intune and the Microsoft
365 Admin Center. We recommend choosing between add-in policy in Microsoft Intune or the Microsoft 365 Admin Center but not
both at the same time. For granular add-in control, the Microsoft 365 Admin Center provides more specific configurations than
Microsoft Intune, so you can choose which solution best fits your organization needs.
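
The precedence rules from the General app configuration scenarios section above, together with the App Protection Policy gate described in the Calendar Sync and Add-ins availability sections, worked as an added Python example (not Microsoft's code). It uses the key names and app defaults from the Configuration keys section later on this page; the policy and user dictionaries are constructed samples, and the case where a user had already set a non-default value before the admin delivered a different non-default value is an assumption noted in the code.

```python
"""Effective-setting resolver for Outlook for iOS and Android app configuration.

Added example, not Microsoft's code. It models the precedence rules this page
states for general app configuration settings (admin value, app default, user
choice and the <key>.UserChangeAllowed keys), plus the Intune App Protection
Policy setting "Sync policy managed app data with native apps or add-ins": when
that setting is Block, Save Contacts is disabled and its app configuration keys
are ignored. All policy and user dictionaries are constructed sample input.
"""
from typing import Dict, Optional

# App defaults taken from the "General app configuration settings" key table on this page.
APP_DEFAULTS: Dict[str, bool] = {
    "com.microsoft.outlook.Mail.FocusedInbox": True,
    "com.microsoft.outlook.Auth.Biometric": False,
    "com.microsoft.outlook.Contacts.LocalSyncEnabled": False,
    "com.microsoft.outlook.Mail.ExternalRecipientsToolTipEnabled": True,
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled": False,
}

# Keys whose feature the App Protection Policy setting "Sync policy managed app data
# with native apps or add-ins" can switch off entirely. The page names Save Contacts,
# Sync Calendars and Add-ins; only the contact-sync key appears in this section's
# key table, so only it is modelled here.
NATIVE_SYNC_GATED = {"com.microsoft.outlook.Contacts.LocalSyncEnabled"}

USER_CHANGE_SUFFIX = ".UserChangeAllowed"


def as_bool(value: str) -> bool:
    """Boolean keys are delivered as the strings 'true' or 'false'."""
    if value not in ("true", "false"):
        raise ValueError(f"not an accepted Boolean app config value: {value!r}")
    return value == "true"


def resolve_setting(key: str, app_config: Dict[str, str], user_choices: Dict[str, bool],
                    sync_native_allowed: bool = True) -> bool:
    """Return the value Outlook ends up using for one setting.

    app_config           keys and string values from the App Configuration Policy
    user_choices         values the user has explicitly set in the app (absent = untouched)
    sync_native_allowed  False when the App Protection Policy setting is Block
    """
    if key in NATIVE_SYNC_GATED and not sync_native_allowed:
        # APP Block wins: the feature is disabled and its app config keys are ignored.
        return False
    admin_value: Optional[str] = app_config.get(key)
    user_value: Optional[bool] = user_choices.get(key)
    # User choice stays allowed unless the admin delivers <key>.UserChangeAllowed=false.
    user_change_allowed = as_bool(app_config.get(key + USER_CHANGE_SUFFIX, "true"))
    if admin_value is None:
        # Nothing configured by the admin: the user's own choice, else the app default.
        return user_value if user_value is not None else APP_DEFAULTS[key]
    if not user_change_allowed:
        # Admin disabled user choice: the admin value is enforced unconditionally.
        return as_bool(admin_value)
    if user_value is not None:
        # The user configured the setting (before or after the policy) and choice is
        # allowed, so the user's value is retained. Assumption: this also holds when
        # the admin value is itself non-default; the page shows only the default case.
        return user_value
    # Setting untouched by the user: the admin's configured value is applied.
    return as_bool(admin_value)


def effective_configuration(app_config: Dict[str, str], user_choices: Dict[str, bool],
                            sync_native_allowed: bool = True) -> Dict[str, bool]:
    """Resolve every key in APP_DEFAULTS. A policy key spelled with the wrong case never
    matches (keys are case sensitive) and so silently falls through to the default."""
    return {key: resolve_setting(key, app_config, user_choices, sync_native_allowed)
            for key in APP_DEFAULTS}


if __name__ == "__main__":
    policy = {  # constructed sample App Configuration Policy
        "com.microsoft.outlook.Mail.FocusedInbox": "false",
        "com.microsoft.outlook.Contacts.LocalSyncEnabled": "false",
        "com.microsoft.outlook.Mail.BlockExternalImagesEnabled": "true",
        "com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed": "false",
    }
    user = {"com.microsoft.outlook.Contacts.LocalSyncEnabled": True}  # user enabled sync earlier
    for name, value in effective_configuration(policy, user).items():
        print(f"{name}: {value}")
```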

Deploying configuration scenarios with Microsoft Endpoint Manager for enrolled devices
Microsoft Endpoint Manager enables administrators to easily deploy these settings to Outlook for iOS and Android via App
Configuration Policies.

The following steps allow you to create an app configuration policy. After the configuration policy is created, you can assign its settings
to groups of users.

Note

Intune notifies the enrolled device to check in with the Intune service for policy changes. The notification times vary, including
immediately up to a few hours. For more information, see Common questions, issues, and resolutions with device policies and
profiles in Microsoft Intune.

Important

When deploying app configuration policies to managed devices, issues can occur when multiple policies have different values for
the same configuration key and are targeted for the same app and user. These issues are due to the lack of a conflict resolution
mechanism for resolving the differing values. You can prevent these issues by ensuring that only a single app configuration policy
for managed devices is defined and targeted for the same app and user.

Create a managed devices app configuration policy for Outlook for iOS and Android
1. Log in to Microsoft Endpoint Manager.

2. Select Apps and then select App configuration policies.

3. On the App Configuration policies blade, choose Add and select Managed devices to start the app configuration policy creation
flow.

4. On the Basics section, enter a Name, and optional Description, for the app configuration settings.

5. For Platform, choose either iOS/iPadOS or Android Enterprise.

6. If Android Enterprise is selected as the platform, for Profile Type, choose All Profile Types.

7. For Targeted app, choose Select app, and then, on the Associated app blade, choose Microsoft Outlook. Click OK.

Note

If Outlook isn't listed as an available app, then you must add it by following the instructions in Assign apps to Android work
profile devices with Intune and Add iOS store apps to Microsoft Intune.

8. Click Next to complete the basic settings of the app configuration policy.

9. On the Settings section, select Use configuration designer for the Configuration settings format.

10. If you want to deploy account setup configuration, select Yes for Configure email account settings and configure appropriately:

Note

If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings in
a Managed Apps device enrollment model instead of using Managed devices. This method ensures the App Configuration
Policy is deployed to both enrolled devices and unenrolled devices.

For Authentication type, select Modern authentication. This setting is required for Microsoft 365 or Office 365 accounts or
on-premises accounts using hybrid modern authentication.
For Username attribute from AAD, select User Principal Name.
For Email address attribute from AAD, select Primary SMTP Address.
If you want to configure Outlook for iOS and Android such that only the work or school account can be used, select Require
for Allow only work or school accounts. This configuration will only allow a single corporate account to be added to Outlook
for iOS and Android.

11. If you want to deploy general app configuration settings, configure the desired settings accordingly:

For Focused Inbox, choose from the available options: Not configured (default), On (app default), and Off.

For Require Biometrics to access the app, choose from the available options: Not configured (default), On, and Off (app
default). When selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes
(app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's
value. This setting is only available in Outlook for iOS.

Important

If the account is protected by an Intune App Protection Policy that requires a PIN to access the protected account, then
the Require Biometrics to access the app setting should be disabled, otherwise the user is prompted with multiple
authentication prompts when accessing the app.

For Save Contacts, choose from the available options: Not configured (default), On, and Off (app default). When selecting On
or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user
to change the setting or select No if you want to prevent the user from changing the setting's value.

For Suggested Replies, choose from the available options: Not configured (default), On (app default), and Off. When
selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to
allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.

For Recommendations feed, choose from the available options: Not configured (default), On (app default), and Off.

For External recipients MailTip, choose from the available options: Not configured (default), On (app default), and Off.

For Default app signature, choose from the available options: Not configured (default), On (app default), and Off.

For Block external images, choose from the available options: Not configured (default), On, and Off (app default). When
selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to
allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.

For Organize mail by thread, choose from the available options: Not configured (default), On (app default), and Off.

For Play My Emails, choose from the available options: Not configured (default), On (app default), and Off.

For Themes, choose from the available options: Not configured (default), On (app default), and Off.

For Sync Calendars, choose from the available options: Not configured (default), On (app default), and Off. When selecting
On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the
user to change the setting or select No if you want to prevent the user from changing the setting's value. This feature is only
available in Outlook for Android.

For Text Predictions, choose from the available options: Not configured (default), On (app default), and Off. When selecting
On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the
user to change the setting or select No if you want to prevent the user from changing the setting's value.

12. If you want to configure S/MIME settings, see Outlook for iOS automated certificate delivery or Outlook for Android automated
certificate delivery.

13. When you're finished selecting settings, select Next.

14. On the Assignments section, select Select groups to include. Select the Azure AD group to which you want to assign the app
configuration policy, and then select Select.

15. When you're finished with assignments, select Next.

16. On the Review + Create section, review the settings configured and select Create.

The newly created configuration policy is displayed on the App configuration blade.

Note

For Managed devices, you will need to create a separate app configuration policy for each platform. Also, Outlook will need to be
installed from the Company Portal for the configuration settings to take effect.

Deploying configuration scenarios with Microsoft Endpoint Manager for unenrolled devices
If you're using Microsoft Endpoint Manager as your mobile app management provider, the following steps allow you to create a
managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of users.

Note

Microsoft Endpoint Manager managed apps will check in with an interval of 30 minutes for Intune App Configuration Policy status,
when deployed in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user,
then the Intune App Configuration Policy check-in interval is set to 720 minutes.

Create a managed apps app configuration policy for Outlook for iOS and Android
1. Log in to Microsoft Endpoint Manager.

2. Select Apps and then select App configuration policies.

3. On the App Configuration policies blade, choose Add and select Managed apps.

4. On the Basics section, enter a Name, and optional Description, for the app configuration settings.

5. For Public apps, choose Select public apps, and then, on the Targeted apps blade, choose Outlook by selecting both the iOS and
Android platform apps. Click Select to save the selected public apps.

6. Click Next to complete the basic settings of the app configuration policy.

7. On the Settings section, expand the Outlook configuration settings.

8. If you want to deploy general app configuration settings, configure the desired settings accordingly:

For Focused Inbox, choose from the available options: Not configured (default), Yes (app default), and No.

For Require Biometrics to access the app, choose from the available options: Not configured (default), Yes, and No (app
default). When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes
(app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's
value. This setting is only available in Outlook for iOS.

Important

If the account is protected by an Intune App Protection Policy that requires a PIN to access the protected account, then
the Require Biometrics to access the app setting should be disabled, otherwise the user is prompted with multiple
authentication prompts when accessing the app.

For Save Contacts, choose from the available options: Not configured (default), Yes, and No (app default). When selecting Yes
or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user
to change the setting or select No if you want to prevent the user from changing the setting's value.

For External recipients MailTip, choose from the available options: Not configured (default), Yes (app default), and No.

For Block external images, choose from the available options: Not configured (default), Yes, and No (app default). When
selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to
allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.

For Default app signature, choose from the available options: Not configured (default), Yes (app default), and No.

For Suggested Replies, choose from the available options: Not configured (default), Yes (app default), and No. When
selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to
allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
For Organize mail by thread, choose from the available options: Not configured (default), Yes (app default), and No.

For Recommendations feed, choose from the available options: Not configured (default), Yes (app default), and No.

For Play My Emails, choose from the available options: Not configured (default), Yes (app default), and No.

For Sync Calendars, choose from the available options: Not configured (default), Yes (app default), and No. When selecting
Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the
user to change the setting or select No if you want to prevent the user from changing the setting's value. This feature is
available only in Outlook for Android.

For Text Predictions, choose from the available options: Not configured (default), Yes (app default), and No. When selecting
Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the
user to change the setting or select No if you want to prevent the user from changing the setting's value.

9. If you want to manage the data protection settings, configure the desired settings accordingly:

For Org data on wearables, choose from the available options: Not configured (default), Yes (app default), and No.
For Calendar Notifications, choose from the available options: Not configured (default) and Allowed. By default, calendar
notifications are allowed within the app and display sensitive information. Allowed only takes effect when the App Protection
Policy setting Org Data Notifications is set to Block org data.
For Allow Add-ins, choose from the available options: Not configured (default), Yes (app default), and No. For more
information on the setting choices, see Add-ins.
For Allow Calendar Sync, choose from the available options: Not configured (default), Yes (app default), and No. For more
information on the setting choices, see Calendar Sync.
If you want to manage which contact fields sync with the native contacts apps, configure the desired Sync contact fields to
native contacts app configuration settings accordingly. For each contact field setting, choose from the available options: Not
configured (default), Yes (app default), No.

10. If you want to manage the app's S/MIME configuration, configure the desired settings accordingly:

For Enable S/MIME, choose from the available options: Not configured (default), Yes, and No (app default). When selecting
Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the
user to change the setting or select No if you want to prevent the user from changing the setting's value.

Important

S/MIME certificates must be available within Outlook for iOS and Android for the user to sign or encrypt messages. For more
information, see S/MIME for Outlook for iOS and Android.

Choose whether to Encrypt all emails by selecting Yes or No. When selecting Yes or No, administrators can choose to allow
the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you
want to prevent the user from changing the setting's value.
Choose whether to Sign all emails by selecting Yes or No. When selecting Yes or No, administrators can choose to allow the
user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want
to prevent the user from changing the setting's value.
If needed, deploy an LDAP URL for recipient certificate lookup. For more information on the URL format, see LDAP support for
certificate lookup.

11. When you're finished configuring the settings, select Next.

12. On the Assignments section, choose Select groups to include. Select the Azure AD group to which you want to assign the app
configuration policy, and then select Select.

13. When you're finished with the assignments, select Next.

14. On the Create app configuration policy Review + Create blade, review the settings configured and select Create.

The newly created configuration policy is displayed on the App configuration blade.

Configuration keys
The following sections outline the app configuration keys and their supported values. Configuration keys identified with the Managed
apps device enrollment type are delivered through the App Protection Policy channel. Configuration keys identified with the Managed
devices device enrollment type are delivered through the mobile device management OS channel. If a configuration key is listed with
both device enrollment types, the key can be delivered through either channel; for more information, see General app configuration
scenarios.

Important

App configuration keys are case sensitive. Use the proper casing to ensure the configuration takes effect.

iOS devices and third-party unified endpoint management solutions

If the Managed devices device enrollment type configuration keys are deployed with a third-party UEM provider, then the following
additional key must also be delivered for iOS devices:

key = IntuneMAMUPN, value = username@company.com

The exact syntax of the key/value pair may differ based on the third-party UEM provider used. The following table shows examples of
some third-party UEM providers and the exact values for the key/value pair:

Third-party UEM provider | Configuration Key | Value Type | Configuration Value
Microsoft Intune | IntuneMAMUPN | String | {{UserPrincipalName}}
Workspace ONE | IntuneMAMUPN | String | {UserPrincipalName}
MobileIron | IntuneMAMUPN | String | ${userUPN} or ${userEmailAddress}
Citrix Endpoint Management | IntuneMAMUPN | String | ${user.userprincipalname}
ManageEngine Mobile Device Manager | IntuneMAMUPN | String | %upn%

Account setup configuration

Outlook for iOS and Android offers administrators the ability to "push" account configurations to their Microsoft 365 and Office 365
users. For more information on account setup configuration, see Account setup with modern authentication in Exchange Online.

Key: com.microsoft.outlook.Settings.OpenLinks.UseSystemDefaultBrowser
Device enrollment type: Managed devices
Description: This new app config policy disables the Open Links feature and always uses the system default browser.

Key: com.microsoft.outlook.Settings.OpenLinks.UserChangeAllowed
Device enrollment type: Managed devices
Description: This new app config policy hides the settings page for Open Links.

Key: com.microsoft.outlook.EmailProfile.EmailAddress
Device enrollment type: Managed devices
Description: This key specifies the email address to be used for sending and receiving mail.
Value type: String
Accepted values: Email address
Default if not specified: <blank>
Required: Yes
Example: user@companyname.com

Key: com.microsoft.outlook.EmailProfile.EmailUPN
Device enrollment type: Managed devices
Description: This key specifies the User Principal Name or username for the email profile that is used to authenticate the account.
Value type: String
Accepted values: UPN Address or username
Default if not specified: <blank>
Required: Yes
Example: userupn@companyname.com

Key: com.microsoft.outlook.EmailProfile.AccountType
Device enrollment type: Managed devices
Description: This key specifies the account type being configured based on the authentication model.
Value type: String
Accepted values: ModernAuth
Required: Yes
Example: ModernAuth

Organization allowed accounts mode settings

Outlook for iOS and Android offers administrators the ability to restrict email and storage provider accounts to only corporate accounts.
For more information on organization allowed accounts mode, see Account setup with modern authentication in Exchange Online.

Key: IntuneMAMAllowedAccountsOnly
Platform: iOS
Device enrollment type: Managed devices
Description: This key specifies whether organization allowed account mode is active.
Value type: String
Accepted values: Enabled, Disabled
Required: Yes
Value: Enabled

Key: IntuneMAMUPN
Platform: iOS
Device enrollment type: Managed devices
Description: This key specifies the User Principal Name for the account.
Value type: String
Accepted values: UPN Address
Required: Yes
Example: userupn@companyname.com

Key: com.microsoft.intune.mam.AllowedAccountUPNs
Platform: Android
Device enrollment type: Managed devices
Description: This key specifies the UPNs allowed for organization allowed account mode.
Accepted values: UPN Address
Required: Yes
Example: userupn@companyname.com
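
A pre-deployment checker for a managed-devices app configuration payload, as an added Python example that is not Microsoft's or Intune's code. It applies only rules stated on this page: keys are case sensitive, the three EmailProfile account setup keys are all required and AccountType accepts only ModernAuth, the organization allowed accounts mode keys per platform, the IntuneMAMUPN requirement for iOS devices on a third-party UEM provider, and the true/false values of the general settings keys listed in the key table that follows. The platform labels, the '@' e-mail test and the sample payloads are assumptions of this example.

```python
"""Pre-deployment checks for an Outlook for iOS and Android managed-devices
app configuration payload.

Added example, not Microsoft's or Intune's code. It encodes only what this page
states: app configuration keys are case sensitive; the account setup keys
EmailAddress, EmailUPN and AccountType are all required and AccountType accepts
only ModernAuth; organization allowed accounts mode uses IntuneMAMAllowedAccountsOnly
plus IntuneMAMUPN on iOS and com.microsoft.intune.mam.AllowedAccountUPNs on
Android; and iOS devices managed by a third-party UEM must also receive
IntuneMAMUPN. The payloads are constructed samples and the e-mail check is a
deliberately simple '@' test (an assumption of this example).
"""
from typing import Dict, List, Optional, Set

# None means "any non-empty string"; a set lists the accepted values verbatim.
ACCOUNT_SETUP_KEYS: Dict[str, Optional[Set[str]]] = {
    "com.microsoft.outlook.EmailProfile.EmailAddress": None,
    "com.microsoft.outlook.EmailProfile.EmailUPN": None,
    "com.microsoft.outlook.EmailProfile.AccountType": {"ModernAuth"},
}
ALLOWED_ACCOUNTS_KEYS: Dict[str, Dict[str, Optional[Set[str]]]] = {
    "iOS": {"IntuneMAMAllowedAccountsOnly": {"Enabled", "Disabled"}, "IntuneMAMUPN": None},
    "Android": {"com.microsoft.intune.mam.AllowedAccountUPNs": None},
}
# General settings keys from this page's key table; Boolean keys take 'true'/'false'.
BOOLEAN_KEYS = {
    "com.microsoft.outlook.Mail.FocusedInbox",
    "com.microsoft.outlook.Auth.Biometric",
    "com.microsoft.outlook.Auth.Biometric.UserChangeAllowed",
    "com.microsoft.outlook.Contacts.LocalSyncEnabled",
    "com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed",
    "com.microsoft.outlook.Mail.ExternalRecipientsToolTipEnabled",
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled",
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed",
}


def schema_for(platform: str) -> Dict[str, Optional[Set[str]]]:
    """Keys this page lists for the platform, mapped to their accepted values."""
    schema: Dict[str, Optional[Set[str]]] = dict(ACCOUNT_SETUP_KEYS)
    schema.update(ALLOWED_ACCOUNTS_KEYS[platform])
    schema.update({key: {"true", "false"} for key in BOOLEAN_KEYS})
    return schema


def validate_managed_devices_config(payload: Dict[str, str], platform: str,
                                    third_party_uem: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the payload passed every check."""
    findings: List[str] = []
    schema = schema_for(platform)
    by_lowercase = {key.lower(): key for key in schema}
    for key, value in payload.items():
        if key not in schema:
            if key.lower() in by_lowercase:
                # A wrongly cased key is silently ignored by the app, so flag it here.
                findings.append(f"wrong case: {key!r} (keys are case sensitive; "
                                f"expected {by_lowercase[key.lower()]!r})")
            else:
                findings.append(f"unknown key for {platform}: {key!r}")
            continue
        accepted = schema[key]
        if accepted is None and not value.strip():
            findings.append(f"empty value for required string key {key!r}")
        elif accepted is not None and value not in accepted:
            findings.append(f"unaccepted value for {key!r}: {value!r} (accepted: {sorted(accepted)})")
        if key == "com.microsoft.outlook.EmailProfile.EmailAddress" and "@" not in value:
            findings.append(f"{key!r} does not look like an email address: {value!r}")
    # Account setup is all-or-nothing: every EmailProfile key is marked Required.
    if any(key in payload for key in ACCOUNT_SETUP_KEYS):
        findings += [f"missing required key: {key!r}" for key in ACCOUNT_SETUP_KEYS if key not in payload]
    if platform == "iOS":
        needs_upn = third_party_uem or "IntuneMAMAllowedAccountsOnly" in payload
        if needs_upn and "IntuneMAMUPN" not in payload:
            findings.append("missing required key: 'IntuneMAMUPN' (needed on iOS with a third-party "
                            "UEM provider and whenever IntuneMAMAllowedAccountsOnly is delivered)")
    return findings


if __name__ == "__main__":
    sample = {  # constructed sample payload with deliberate mistakes
        "com.microsoft.outlook.EmailProfile.EmailAddress": "user@companyname.com",
        "com.microsoft.outlook.EmailProfile.AccountType": "Wrong",
        "com.microsoft.outlook.mail.focusedinbox": "false",
    }
    for finding in validate_managed_devices_config(sample, "iOS", third_party_uem=True):
        print(finding)
```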

General app configuration settings

Outlook for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings.

Key: com.microsoft.outlook.Mail.FocusedInbox
Device enrollment type: Managed Devices, Managed Apps
Description: This key specifies whether Focused Inbox is enabled. Setting the value to false will disable Focused Inbox.
Value type: Boolean
Accepted values: true, false
Default if not specified: true
Required: No
Example: false

Key: com.microsoft.outlook.Auth.Biometric
Device enrollment type: Managed Devices, Managed Apps
Description: This key specifies whether FaceID or TouchID is required to access the app. Setting the value to true will enable biometric access. This key is only supported with Outlook for iOS.
Value type: Boolean
Accepted values: true, false
Default if not specified: false
Required: No
Example: false

Key: com.microsoft.outlook.Auth.Biometric.UserChangeAllowed
Device enrollment type: Managed Devices, Managed Apps
Description: This key specifies whether the biometric setting can be changed by the end user. This key is only supported with Outlook for iOS.
Value type: Boolean
Accepted values: true, false
Default if not specified: true
Required: No
Example: false

Key: com.microsoft.outlook.Contacts.LocalSyncEnabled
Device enrollment type: Managed Devices, Managed Apps
Description: By default, Outlook doesn't sync contact data with the native Contacts app. This key defines the default sync state behavior. Setting the value to true will enable contact sync.
Value type: Boolean
Accepted values: true, false
Default if not specified: false
Required: No
Example: false

Key: com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed
Device enrollment type: Managed Devices, Managed Apps
Description: This key specifies whether the contact sync state can be changed by the end user.
Value type: Boolean
Accepted values: true, false
Default if not specified: true
Required: No
Example: false

Key: com.microsoft.outlook.Mail.ExternalRecipientsToolTipEnabled
Device enrollment type: Managed Devices, Managed Apps
Description: This key specifies whether the External Recipients MailTip is enabled. Setting the value to false will disable the MailTip.
Value type: Boolean
Accepted values: true, false
Default if not specified: true
Required: No
Example: false

Key: com.microsoft.outlook.Mail.BlockExternalImagesEnabled
Device enrollment type: Managed Devices, Managed Apps
Description: This key specifies whether external images are blocked by default. Setting the value to true will enable blocking external images.
Value type: Boolean
Accepted values: true, false
Default if not specified: false
Required: No
Example: false

Key: com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed
Device enrollment type: Managed Devices, Managed Apps
Description: This key specifies whether the Block External Images setting can be changed by the end user.
Value type: Boolean

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.DefaultSignatureEnabled This key specifies whether the app uses its default Managed
signature. Setting the value to false will disable the app's Devices,
default signature. Managed
Apps
Value type: Boolean

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.SuggestedRepliesEnabled This key specifies whether the app enables Suggested Managed
Replies. Setting the value to false will disable the app's Devices,
ability to suggest replies. Managed
Apps
Value type: Boolean

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.SuggestedRepliesEnabled.UserChangeAllowed This key specifies whether the Suggested Replies setting Managed
can be changed by the end user. Devices,
Value type: Boolean Managed
Apps
Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.OfficeFeedEnabled This key specifies whether the app enables the Discover Managed
Feed which shows the user's and the user's coworkers Devices,
Office files. Setting the value to false will disable the Managed
Discover Feed. Apps

Value type: Boolean

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.OrganizeByThreadEnabled This key specifies whether the app enables Organize by Managed
thread view. Setting the value to false will disable mail Devices,
threaded conversation view. Managed
Apps
Value type: Boolean

Accepted values: true, false


Key Value Device
Enrollment
Type

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.PlayMyEmailsEnabled This key specifies whether the Play My Emails feature is Managed
promoted to eligible users via a banner in the inbox. Devices,
When set to Off, this feature won't be promoted to Managed
eligible users in the app. Users can choose to manually Apps
enable Play My Emails from within the app, even when
this feature is set to Off. When set as not configured, the
default app setting is On and the feature will be
promoted to eligible users.

Value type: Boolean

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Calendar.NativeSyncEnabled By default, Outlook doesn't sync calendar data to the Managed


native Calendar app. This key defines the default sync Devices,
state behavior. Setting the value to true will enable Managed
calendar sync. This key is only supported with Outlook Apps
for Android.

Value type: Boolean

Accepted values: true, false

Default if not specified: false

Required: No

Example: false

com.microsoft.outlook.Calendar.NativeSyncEnabled.UserChangeAllowed This key specifies whether the calendar sync state can be Managed
changed by the end user. This key is only supported with Devices,
Outlook for Android. Managed
Value type: Boolean Apps

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.TextPredictionsEnabled Outlook can suggest words and phrases as you compose Managed
messages. When set as not configured, the default app Devices,
setting is set to On. Managed
Apps
Value type: Boolean

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.TextPredictionsEnabled.UserChangeAllowed This key specifies whether Smart Compose can be Managed


changed by the end user. Devices,
Managed
Value type: Boolean Apps

Accepted values: true, false


Key Value Device
Enrollment
Type

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Settings.ThemesEnabled Outlook supports custom visual themes. When set as not Managed
configured, the default app setting is set to On. Devices,
Managed
Value type: Boolean Apps

Accepted values: true, false

Default if not specified: true

Required: No

Example: false

com.microsoft.outlook.Mail.Blocksharing This key specifies whether the app enables the block Managed
sharing experience. Setting the value to true will block Devices,
sharing of the inbox in the app. Managed
Apps
Value type: Boolean

Accepted values: true, false

Default if not specified: false

Required: No

Example: false

com.microsoft.outlook.Calendar.Blocksharing This key specifies whether the app enables the block Managed
sharing experience. Setting the value to true will block Devices,
sharing of the calendar in the app. Managed
Apps
Value type: Boolean

Accepted values: true, false

Default if not specified: false

Required: No

Example: false

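Before a policy is pushed to devices, it is worth checking the key/value pairs against the tables above (account setup, organization allowed accounts mode and general app configuration): an Android-only key in an iOS policy, a boolean spelled differently from the documented true/false, or IntuneMAMAllowedAccountsOnly without its required IntuneMAMUPN are silent misconfigurations that only show up as an unexpected end-user experience. The following validator is an added example, not Microsoft code: the SCHEMA dictionary is transcribed from the tables on this page, while the function names and the sample payload are constructed for illustration.

```python
"""Validate an Outlook for iOS/Android app configuration payload against the key
tables above. Added example, not Microsoft code: SCHEMA is transcribed from the
page; the sample payloads and helper names are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

BOOL = ("true", "false")  # the tables list boolean values as the strings true/false


@dataclass(frozen=True)
class KeySpec:
    value_type: str                      # "Boolean" or "String", as in the tables
    accepted: Optional[Tuple[str, ...]]  # None: free-form value such as a UPN
    platforms: Tuple[str, ...] = ("iOS", "Android")
    default: Optional[str] = None        # "Default if not specified", where the table gives one


SCHEMA: Dict[str, KeySpec] = {
    # Account setup
    "com.microsoft.outlook.EmailProfile.AccountType": KeySpec("String", ("ModernAuth",)),
    # Organization allowed accounts mode
    "IntuneMAMAllowedAccountsOnly": KeySpec("String", ("Enabled", "Disabled"), ("iOS",)),
    "IntuneMAMUPN": KeySpec("String", None, ("iOS",)),
    "com.microsoft.intune.mam.AllowedAccountUPNs": KeySpec("String", None, ("Android",)),
    # General app configuration (subset; extend from the table as needed)
    "com.microsoft.outlook.Mail.FocusedInbox": KeySpec("Boolean", BOOL, default="true"),
    "com.microsoft.outlook.Auth.Biometric": KeySpec("Boolean", BOOL, ("iOS",), default="false"),
    "com.microsoft.outlook.Auth.Biometric.UserChangeAllowed": KeySpec("Boolean", BOOL, ("iOS",), default="true"),
    "com.microsoft.outlook.Contacts.LocalSyncEnabled": KeySpec("Boolean", BOOL, default="false"),
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled": KeySpec("Boolean", BOOL, default="false"),
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed": KeySpec("Boolean", BOOL, default="true"),
    "com.microsoft.outlook.Calendar.NativeSyncEnabled": KeySpec("Boolean", BOOL, ("Android",), default="false"),
    "com.microsoft.outlook.Calendar.NativeSyncEnabled.UserChangeAllowed": KeySpec("Boolean", BOOL, ("Android",), default="true"),
    "com.microsoft.outlook.Mail.Blocksharing": KeySpec("Boolean", BOOL, default="false"),
    "com.microsoft.outlook.Calendar.Blocksharing": KeySpec("Boolean", BOOL, default="false"),
}

Value = Union[str, bool]


def _as_table_string(value: Value) -> str:
    """Typed booleans (as a managed-device configuration designer emits them) are
    compared in the true/false spelling the tables use."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return value


def validate_payload(platform: str, payload: Dict[str, Value]) -> List[str]:
    """Return one message per problem; an empty list means the payload matches the tables."""
    problems: List[str] = []
    for key, raw in payload.items():
        spec = SCHEMA.get(key)
        if spec is None:
            problems.append(f"{key}: not a documented Outlook configuration key")
            continue
        if platform not in spec.platforms:
            problems.append(f"{key}: only supported on {'/'.join(spec.platforms)}, not {platform}")
        value = _as_table_string(raw)
        if spec.accepted is not None and value not in spec.accepted:
            problems.append(f"{key}: {value!r} is not one of {', '.join(spec.accepted)}")
    # The tables mark IntuneMAMUPN as required alongside IntuneMAMAllowedAccountsOnly.
    if payload.get("IntuneMAMAllowedAccountsOnly") == "Enabled" and "IntuneMAMUPN" not in payload:
        problems.append("IntuneMAMAllowedAccountsOnly=Enabled requires IntuneMAMUPN")
    return problems


def effective_settings(platform: str, payload: Dict[str, Value]) -> Dict[str, str]:
    """Resolve what the app ends up with: the configured value where one is given,
    otherwise the table's 'Default if not specified'. Keys without a default are
    included only when configured; keys unsupported on the platform are dropped."""
    resolved: Dict[str, str] = {}
    for key, spec in SCHEMA.items():
        if platform not in spec.platforms:
            continue
        if key in payload:
            resolved[key] = _as_table_string(payload[key])
        elif spec.default is not None:
            resolved[key] = spec.default
    return resolved


# Constructed sample: an iOS policy with three mistakes a reviewer should catch.
SAMPLE_IOS_PAYLOAD: Dict[str, Value] = {
    "com.microsoft.outlook.Mail.FocusedInbox": "false",
    "com.microsoft.outlook.Auth.Biometric": True,                     # typed boolean, fine
    "com.microsoft.outlook.Calendar.NativeSyncEnabled": "true",       # Android-only key
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled": "True",  # not the documented spelling
    "IntuneMAMAllowedAccountsOnly": "Enabled",                        # IntuneMAMUPN missing
}

if __name__ == "__main__":
    for line in validate_payload("iOS", SAMPLE_IOS_PAYLOAD):
        print("problem:", line)
    for k, v in sorted(effective_settings("iOS", SAMPLE_IOS_PAYLOAD).items()):
        print(f"{k} = {v}")
```

The effective_settings view is the one to keep for change review: it shows the state a device will actually be in after defaults are applied, which is what matters when a key such as BlockExternalImagesEnabled (default false) was meant to be hardened but never set.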
S/MIME settings
Outlook for iOS offers administrators the ability to customize the default S/MIME configuration in Outlook for iOS and Android.

Key  Value  Device Enrollment Type

com.microsoft.outlook.Mail.SMIMEEnabled
    This key specifies whether the app enables S/MIME. Use of S/MIME requires certificates available to Outlook for iOS and Android. Setting the value to true will enable S/MIME support in the app.
    Value type: Boolean
    Accepted values: true, false
    Default if not specified: false
    Required: No
    Example: false
    Device Enrollment Type: Managed Devices, Managed Apps

com.microsoft.outlook.Mail.SMIMEEnabled.UserChangeAllowed
    This key specifies whether the S/MIME setting can be changed by the end user.
    Value type: Boolean
    Accepted values: true, false
    Default if not specified: true
    Required: No
    Example: false
    Device Enrollment Type: Managed Devices, Managed Apps

com.microsoft.outlook.Mail.SMIMEEnabled.EncryptAllMail
    This key specifies whether S/MIME encryption is required to send messages. Use of S/MIME requires certificates available to Outlook for iOS and Android.
    Value type: Boolean
    Accepted values: true, false
    Default if not specified: false
    Required: No
    Example: false
    Device Enrollment Type: Managed Devices, Managed Apps

com.microsoft.outlook.Mail.SMIMEEnabled.EncryptAllMail.UserChangeAllowed
    This key specifies whether the S/MIME setting can be changed by the end user.
    Value type: Boolean
    Accepted values: true, false
    Default if not specified: true
    Required: No
    Example: false
    Device Enrollment Type: Managed Devices, Managed Apps

com.microsoft.outlook.Mail.SMIMEEnabled.SignAllMail
    This key specifies whether S/MIME signing is required to send messages. Use of S/MIME requires certificates available to Outlook for iOS and Android.
    Value type: Boolean
    Accepted values: true, false
    Default if not specified: false
    Required: No
    Example: false
    Device Enrollment Type: Managed Devices, Managed Apps

com.microsoft.outlook.Mail.SMIMEEnabled.SignAllMail.UserChangeAllowed
    This key specifies whether the S/MIME setting can be changed by the end user.
    Value type: Boolean
    Accepted values: true, false
    Default if not specified: true
    Required: No
    Example: false
    Device Enrollment Type: Managed Devices, Managed Apps

com.microsoft.outlook.Mail.SMIMEEnabled.LDAPHostName
    This key specifies the LDAP directory endpoint to query for certificates.
    Value type: String
    Accepted values: ldap://domainname:protocol, ldaps://domainname:protocol, domainname:protocol
    Default if not specified: N/A
    Required: No
    Examples:
        ldap://contoso.com
        ldaps://contoso.com
        contoso.com
        ldaps://contoso.com:636
        contoso.com:636
    Device Enrollment Type: Managed Devices, Managed Apps

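The LDAPHostName value accepts three shapes (scheme plus host, host only, either with an optional port), and because it names the directory that Outlook queries for recipient certificates, it deserves a review step of its own. The parser and review function below are an added example, not Microsoft code: the accepted forms and the five sample values come from the table above; the default ports (389 for ldap://, 636 for ldaps://) and the treatment of a bare host name as plain ldap:// are assumptions of this example, not documented Outlook behaviour.

```python
"""Parse and review a com.microsoft.outlook.Mail.SMIMEEnabled.LDAPHostName value.
Added example, not Microsoft code. Default ports and the bare-host-means-ldap
rule are assumptions of this example."""

from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # assumed standard ports


@dataclass(frozen=True)
class LdapEndpoint:
    scheme: str          # "ldap" or "ldaps"
    host: str
    port: int
    explicit_port: bool  # whether the configured value spelled the port out


def parse_ldap_hostname(value: str) -> LdapEndpoint:
    """Accepts ldap://host[:port], ldaps://host[:port] and host[:port]."""
    text = value.strip()
    if "://" not in text:
        text = "ldap://" + text  # assumption: a bare host name means plain LDAP
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError(f"no host name in {value!r}")
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        raise ValueError(f"{value!r} carries more than a host name and port")
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise ValueError(f"bad port in {value!r}") from exc
    return LdapEndpoint(scheme, parts.hostname, port or DEFAULT_PORTS[scheme], port is not None)


def review_ldap_hostname(value: str) -> List[str]:
    """Findings a reviewer would raise about the configured directory endpoint."""
    try:
        ep = parse_ldap_hostname(value)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings: List[str] = []
    if ep.scheme == "ldap":
        findings.append("certificate lookups travel over cleartext LDAP; prefer ldaps://")
    if ep.scheme == "ldap" and ep.port == 636:
        findings.append("port 636 is conventionally LDAPS; the scheme may be missing")
    if ep.scheme == "ldaps" and ep.port != 636:
        findings.append(f"ldaps on non-standard port {ep.port}; confirm the directory listens there")
    if "." not in ep.host:
        findings.append(f"{ep.host!r} is not fully qualified; devices off the corporate network may not resolve it")
    return findings


# The five example values listed in the table above.
TABLE_EXAMPLES = ["ldap://contoso.com", "ldaps://contoso.com", "contoso.com",
                  "ldaps://contoso.com:636", "contoso.com:636"]

if __name__ == "__main__":
    for v in TABLE_EXAMPLES:
        print(f"{v:28} -> {parse_ldap_hostname(v)}  {review_ldap_hostname(v)}")
```

Of the documented examples, only the two ldaps:// forms come back without findings; the bare-host and ldap:// forms are accepted by the parser but flagged, since a recipient certificate fetched over cleartext can be substituted on the path.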
Data protection settings

Outlook for iOS and Android offers administrators additional data protection capabilities when Outlook is managed by Microsoft
Endpoint Manager and has an Intune App Protection Policy.

Key  Value  Device Enrollment Type

com.microsoft.outlook.Calendar.NativeSyncAvailable.IntuneMAMOnly
    By default, an App Protection Policy allows for calendar synchronization with the native Calendar app but can be used to block calendar sync availability with the Sync policy managed app data with native apps or add-ins setting. Configuring this setting to false will block calendar synchronization when the App Protection Policy setting is set to Allowed. This key is only supported with Outlook for Android.
    Accepted values: true, false
    Default if not specified: No value specified
    Example: false
    Device Enrollment Type: Managed apps

com.microsoft.outlook.AddinsAvailable.IntuneMAMOnly
    By default, an App Protection Policy allows users to utilize third-party add-ins but can be used to block add-ins with the Sync policy managed app data with native apps or add-ins setting. Configuring this setting to false will block add-ins when the App Protection Policy setting is set to Allowed.
    Accepted values: true, false
    Default if not specified: No value specified
    Example: false
    Device Enrollment Type: Managed apps

com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly
    (1) If APP NotificationRestrictions is set to BlockOrgData, only then check for com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly:
        If the app config value is set to null (doesn't exist), all sensitive data properties are removed.
        If the app config value is set to 0, all sensitive data are exposed.
        If the app config value is set to 1, only the subject (and meeting time) is exposed.
    (2) If APP NotificationRestrictions is set to Allow or NotificationRestrictions is set to Block, then all sensitive data properties are exposed in calendar reminder notifications.
    Important: To set the com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly value to 1, admins must create a policy using Intune scripts to inject a value of 1 until the MEM portal is able to be updated.
    Device Enrollment Type: Managed apps

com.microsoft.intune.mam.areWearablesAllowed
    This key specifies if Outlook data can be synchronized to a wearable device. Setting the value to false disables wearable synchronization.
    Accepted values: true, false
    Default if not specified: true
    Example: false
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.AddressAllowed
    This key specifies if the contact's address should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.BirthdayAllowed
    This value specifies if the contact's birthday should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.CompanyAllowed
    This key specifies if the contact's company name should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.DepartmentAllowed
    This key specifies if the contact's department should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.EmailAllowed
    This key specifies if the contact's email address should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.InstantMessageAllowed
    This key specifies if the contact's instant messaging address should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.JobTitleAllowed
    This key specifies if the contact's job title should be synchronized to native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.NicknameAllowed
    This key specifies if the contact's nickname should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.NotesAllowed
    This key specifies if the contact's notes should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PhoneHomeAllowed
    This key specifies if the contact's home phone number should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PhoneHomeFaxAllowed
    This key specifies if the contact's home fax number should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PhoneMobileAllowed
    This key specifies if the contact's mobile phone number should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PhoneOtherAllowed
    This key specifies if the contact's other phone number should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PhonePagerAllowed
    This key specifies if the contact's pager phone number should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PhoneWorkAllowed
    This key specifies if the work phone number should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PhoneWorkFaxAllowed
    This key specifies if the contact's work fax number should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.PrefixAllowed
    This key specifies if the contact's name prefix should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.ContactSync.SuffixAllowed
    This key specifies if the contact's name suffix should be synchronized with native contacts.
    Accepted values: true, false
    Default if not specified: true
    Example: true
    Device Enrollment Type: Managed apps

com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly
    By default, an App Protection Policy allows for the widget to sync with the Outlook app but can be used to block widget sync availability with the Sync policy managed app data with native apps or add-ins setting. Configuring this setting to false blocks the widget synchronization when the App Protection Policy setting is set to Allowed.
    Accepted values: true, false
    Default if not specified: No value specified
    Example: Here is an example that allows calendar sync but disallows widget sync:
        Sync policy managed app data with native apps or add-ins == allow
        com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly = false
    Here's another example to block widget sync, calendar sync, and add-ins:
        Sync policy managed app data with native apps or add-ins == block
    And another example that blocks calendar sync but allows widget sync:
        Sync policy managed app data with native apps or add-ins == allow
        com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly = true
        com.microsoft.outlook.Calendar.NativeSyncAvailable.IntuneMAMOnly = false
    Device Enrollment Type: Managed apps

Louder Mandatory labeling (com.microsoft.outlook.Mail.LouderMandatoryLabelEnabled)
    Organizations have mandatory labeling enabled without default labeling, and would like to have the label selection first before going to compose the email. Then when the users click Send, the email could just be sent without any forgotten labeling pop ups. Outlook mobile will introduce a new MDM setting (com.microsoft.outlook.Mail.LouderMandatoryLabelEnabled) to allow admins to enable this louder mandatory configuration for Outlook mobile clients (iOS and Android) specifically.
    Default: Off (app default)

com.microsoft.outlook.Mail.Notifications.IntuneMAMOnly
    (1) If Intune App Protection Policy (APP) NotificationRestrictions = BlockOrgData, only then check for com.microsoft.outlook.Mail.Notifications.IntuneMAMOnly:
        If app config value is null (doesn't exist): All sensitive data properties are removed.
        If app config value is 0: Only subject and sender are exposed.
        If app config value is 1: Only sender is exposed.
    (2) Else, if APP NotificationRestrictions = Allow or NotificationRestrictions = Block, then: All sensitive data properties are exposed in mail notifications.
    Device Enrollment Type: Managed devices, managed apps

com.microsoft.outlook.Mail.VideoMessages.VideoCaptureAndUploadEnabled
    This key specifies if video capture and upload to OneDrive for Business is enabled.
    Accepted values: true, false
    Default if not specified: true
    Device Enrollment Type: Managed apps
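The IntuneMAMOnly keys above only take effect in combination with the App Protection Policy (APP) settings they reference, and the two notification keys follow a small decision table that is easy to misread (the key is consulted only under BlockOrgData; absent means nothing is exposed, not everything). The following resolver is an added example, not Microsoft code: it encodes exactly the rules written in the Calendar.Notifications, Mail.Notifications, NativeSyncAvailable, WidgetsAvailable and AddinsAvailable rows, and reproduces the three worked configurations given in the WidgetsAvailable row; the function names and Exposure labels are constructed.

```python
"""Resolve what an Intune App Protection Policy (APP) plus the IntuneMAMOnly keys
actually expose in notifications, and which native-app syncs remain available.
Added example, not Microsoft code: the decision rules are the ones written in the
table; function names and sample configurations are constructed."""

from enum import Enum
from typing import Dict

APP_NOTIFICATION_SETTINGS = ("Allow", "Block", "BlockOrgData")


class Exposure(Enum):
    """Which sensitive properties a notification may show (wording from the table)."""
    NONE = "all sensitive data properties removed"
    ALL = "all sensitive data properties exposed"
    SUBJECT_AND_TIME = "only the subject (and meeting time)"
    SUBJECT_AND_SENDER = "only subject and sender"
    SENDER_ONLY = "only the sender"


CALENDAR_KEY = "com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly"
MAIL_KEY = "com.microsoft.outlook.Mail.Notifications.IntuneMAMOnly"

# Rule (1) for each key, indexed by the app config value; None = key not present.
_BLOCK_ORG_DATA_RULES = {
    CALENDAR_KEY: {None: Exposure.NONE, 0: Exposure.ALL, 1: Exposure.SUBJECT_AND_TIME},
    MAIL_KEY: {None: Exposure.NONE, 0: Exposure.SUBJECT_AND_SENDER, 1: Exposure.SENDER_ONLY},
}


def notification_exposure(key: str, notification_restrictions: str,
                          app_config: Dict[str, int]) -> Exposure:
    """notification_restrictions is the APP setting: Allow, Block or BlockOrgData."""
    if notification_restrictions not in APP_NOTIFICATION_SETTINGS:
        raise ValueError(f"unknown NotificationRestrictions value {notification_restrictions!r}")
    if notification_restrictions != "BlockOrgData":  # rule (2): Allow or Block
        return Exposure.ALL
    rules = _BLOCK_ORG_DATA_RULES[key]                # rule (1): consult the key
    value = app_config.get(key)
    if value not in rules:
        raise ValueError(f"{key} must be absent, 0 or 1, got {value!r}")
    return rules[value]


SYNC_KEYS = {
    "calendar": "com.microsoft.outlook.Calendar.NativeSyncAvailable.IntuneMAMOnly",
    "widgets": "com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly",
    "add-ins": "com.microsoft.outlook.AddinsAvailable.IntuneMAMOnly",
}


def effective_sync(sync_policy_managed_app_data: str,
                   app_config: Dict[str, str]) -> Dict[str, bool]:
    """'Sync policy managed app data with native apps or add-ins' is 'allow' or
    'block'. The keys matter only under allow, and a missing key does not block."""
    if sync_policy_managed_app_data == "block":
        return {feature: False for feature in SYNC_KEYS}
    if sync_policy_managed_app_data != "allow":
        raise ValueError("sync policy must be 'allow' or 'block'")
    return {feature: app_config.get(key, "true") != "false"
            for feature, key in SYNC_KEYS.items()}


if __name__ == "__main__":
    # The three worked configurations from the WidgetsAvailable row.
    print(effective_sync("allow", {SYNC_KEYS["widgets"]: "false"}))
    print(effective_sync("block", {}))
    print(effective_sync("allow", {SYNC_KEYS["widgets"]: "true", SYNC_KEYS["calendar"]: "false"}))
    # A mail notification policy that leaves only the sender visible on the lock screen.
    print(notification_exposure(MAIL_KEY, "BlockOrgData", {MAIL_KEY: 1}).value)
```

Running the resolver over a draft policy before assignment answers the question that usually arrives as a support ticket afterwards: whether a given APP setting and key combination actually hides message content from notifications, or silently exposes all of it because NotificationRestrictions was left at Allow.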

Sensitivity labeling and protection in Outlook for iOS and Android in Exchange Online
Article • 02/22/2023

Summary: How to classify and/or protect messages when using Outlook for iOS and
Android.

Protecting company or organizational data is extremely important. Outlook for iOS and
Android supports two scenarios for classifying and/or protecting content:

Sensitivity labeling
Secure/Multipurpose Internet Mail Extension (S/MIME)

Sensitivity labeling and S/MIME in Outlook for iOS and Android are supported with
Microsoft 365 or Office 365 accounts using the native Microsoft sync technology.

Understanding sensitivity labeling

Sensitivity labeling enables organizations to classify and protect sensitive content. For
more information, see Learn about sensitivity labels.

From a classification perspective, a sensitivity label is applied to a message and is
retained throughout the message's lifecycle (assuming the label is not removed). In
addition, sensitivity labels can be configured to mark content by adding a header or
footer to the message body.

Sensitivity labels can also be configured to protect messages with access restrictions or
encryption. Access restrictions include ensuring only users within the organization can
open the message, restricting editing rights, preventing forwarding, printing, or copying
the contents of the message. Encryption provides at-rest encryption and ensures only
authorized users can decrypt the message.

When a sensitivity label is configured with encryption, the encryption process depends
on the client platform. With Outlook for iOS and Android, encryption occurs within
Exchange Online transport after the message is sent from the sender, prior to recipient
delivery. Encryption does not occur within the app. For more information, see Manage
sensitivity labels in Office apps.
Likewise, Outlook for iOS and Android does not perform decryption of received
messages, either. Exchange Online performs the decryption prior to delivering the
message to Outlook for iOS and Android. For more information, see Outlook for iOS and
Android in Exchange Online: FAQ.

Deploying sensitivity labeling with Outlook for iOS and Android
For information about how to create and define sensitivity labels, as well as publishing a
label policy, see Create and configure sensitivity labels and their policies. If you are new
to sensitivity labels, you might also find it useful to review Get started with sensitivity
labels for information about licensing, permissions, deployment strategies, and a list of
common scenarios that support sensitivity labels.

Important

If your organization has previously deployed Azure Information Protection labels,
you must migrate to the unified labeling platform that supports sensitivity labels.
To determine which platform is being used, see Frequently asked questions for
Azure Information Protection. To complete the migration, see How to migrate
Azure Information Protection labels to unified sensitivity labels.

Using sensitivity labeling with Outlook for iOS and Android
For information about the end user experience, see Apply sensitivity labels to your
documents and email within Office.

Understanding S/MIME
S/MIME provides encryption, which protects the content of email messages, and it
provides digital signatures, which verify the identity of the sender of an email message.
S/MIME in Outlook for iOS and Android is supported with Microsoft 365 or Office 365
accounts using the native Microsoft sync technology. For a general overview of S/MIME,
see S/MIME in Exchange Online.
Deploying and using S/MIME with Outlook for iOS and Android
See S/MIME for Outlook for iOS and Android.

S/MIME for Outlook for iOS and Android in Exchange Online
Article • 02/22/2023

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely accepted protocol
for sending digitally signed and encrypted messages. For more information, see S/MIME
for message signing and encryption in Exchange Online.

To leverage S/MIME in Outlook for iOS and Android, you need to configure specific
S/MIME prerequisites in Exchange Online. After you have completed those steps, you can
deploy S/MIME certificates to Outlook for iOS and Android using the following
methods:

Manual certificate delivery
Automated certificate delivery

This article describes how to configure Exchange Online for S/MIME using Outlook for
iOS and Android, and how to use S/MIME in Outlook for iOS and Android.

S/MIME prerequisites
Ensure S/MIME has been properly configured in Exchange Online by following the steps
outlined in Configure S/MIME in Exchange Online. Specifically, this includes:

1. Setting up the virtual certificate collection.
2. Publishing the certificate revocation list to the internet.

In manual and automated certificate delivery solutions, it's expected that the certificate's
trusted root chain is available and discoverable within your Exchange Online tenant's
virtual certificate collection. Trust verification is performed on all digital certificates.
Exchange Online validates the certificate by validating each certificate in the certificate
chain until it reaches a trusted root certificate. This verification is done by obtaining the
intermediate certificates through the authority information access attribute in the
certificate until a trusted root certificate is located. Intermediate certificates can also be
included with digitally signed email messages. If Exchange Online locates a trusted root
certificate and can query the certificate revocation list for the certificate authority, the
digital certificate's chain for that digital certificate is considered valid and trusted and
can be used. If Exchange Online fails to locate a trusted root certificate or fails to contact
the certificate revocation list for the certificate authority, that certificate is considered
invalid and is not trusted.
Outlook for iOS and Android leverages the user's primary SMTP address for mail flow
activities, which is configured during account profile setup. The S/MIME certificate used
by Outlook for iOS and Android is calculated by comparing the user's primary SMTP
address as defined in the account profile with the certificate's subject value or the
subject alternative name value; if these do not match, then Outlook for iOS and Android
will report that a certificate is not available (see Figure 7) and will not allow the user to
sign and/or encrypt messages.
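The two paragraphs above describe two separate decisions: Exchange Online's trust verification (walk the chain through AIA-fetched or message-included intermediates until a trusted root in the virtual certificate collection is reached, and confirm the issuing CA's CRL can be queried, otherwise the certificate is untrusted) and Outlook's certificate selection (the user's primary SMTP address must match the certificate's subject or subject alternative name, otherwise the app reports that no certificate is available). The model below is an added example, not Microsoft code: it simulates both decisions over a constructed in-memory PKI rather than parsing real X.509 objects, and the CA names, URLs and mailbox addresses are placeholders invented for illustration.

```python
"""Simulate the S/MIME trust verification and certificate selection described
above. Added example, not Microsoft code; the certificates, CA names and URLs
are constructed placeholders."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

MAX_CHAIN_DEPTH = 8  # guard against issuer loops in a malformed chain


@dataclass(frozen=True)
class Cert:
    name: str                       # subject name; equals issuer for a self-signed root
    issuer: str
    emails: Tuple[str, ...] = ()    # subject e-mail plus SAN rfc822Name entries
    aia_url: Optional[str] = None   # authority information access: where the issuer cert lives
    crl_url: Optional[str] = None   # the issuing CA's certificate revocation list


@dataclass(frozen=True)
class Environment:
    trusted_roots: Dict[str, Cert]    # the tenant's virtual certificate collection, by name
    aia_repository: Dict[str, Cert]   # what an AIA fetch would return, keyed by URL
    reachable_crls: FrozenSet[str]    # CRL URLs Exchange Online can actually download


def validate_chain(leaf: Cert, env: Environment, included: Iterable[Cert] = ()) -> Tuple[bool, str]:
    """Walk from the leaf towards a trusted root. Intermediates may come with the signed
    message (included) or be fetched via AIA; each issuing CA's CRL must be reachable."""
    provided = {c.name: c for c in included}
    current = leaf
    for _ in range(MAX_CHAIN_DEPTH):
        if current.crl_url is None or current.crl_url not in env.reachable_crls:
            return False, f"cannot contact CRL for the issuer of {current.name}"
        root = env.trusted_roots.get(current.issuer)
        if root is not None:
            return True, f"chain ends at trusted root {root.name}"
        issuer = provided.get(current.issuer)
        if issuer is None and current.aia_url is not None:
            issuer = env.aia_repository.get(current.aia_url)
        if issuer is None or issuer.name != current.issuer:
            return False, f"no certificate located for issuer {current.issuer}"
        current = issuer
    return False, "chain exceeds maximum depth"


def select_certificate(primary_smtp: str, certs: List[Cert]) -> Optional[Cert]:
    """Outlook's rule: the account's primary SMTP address must match the subject or a
    SAN entry; None models the 'certificate not available' state. Case-insensitive
    comparison is an assumption of this example."""
    wanted = primary_smtp.strip().lower()
    for cert in certs:
        if any(addr.lower() == wanted for addr in cert.emails):
            return cert
    return None


# Constructed PKI: root -> issuing CA -> user certificate.
ROOT_CA = Cert("Contoso Root CA", "Contoso Root CA")
ISSUING_CA = Cert("Contoso Issuing CA", "Contoso Root CA",
                  aia_url="http://pki.contoso.example/root.crt",
                  crl_url="http://pki.contoso.example/root.crl")
ALICE_CERT = Cert("Alice Example", "Contoso Issuing CA", emails=("alice@contoso.com",),
                  aia_url="http://pki.contoso.example/issuing.crt",
                  crl_url="http://pki.contoso.example/issuing.crl")

ENV = Environment(
    trusted_roots={ROOT_CA.name: ROOT_CA},
    aia_repository={ISSUING_CA.aia_url: ROOT_CA, ALICE_CERT.aia_url: ISSUING_CA},
    reachable_crls=frozenset({ISSUING_CA.crl_url, ALICE_CERT.crl_url}),
)

if __name__ == "__main__":
    print(validate_chain(ALICE_CERT, ENV))
    no_crl = Environment(ENV.trusted_roots, ENV.aia_repository, frozenset())
    print(validate_chain(ALICE_CERT, no_crl))
    print(select_certificate("Alice@Contoso.com", [ALICE_CERT]))
    print(select_certificate("bob@contoso.com", [ALICE_CERT]))
```

The second run shows the failure mode that most often surprises administrators: a perfectly good chain is rejected solely because the CRL distribution point is not reachable from Exchange Online, which is why publishing the CRL to the internet is listed as a prerequisite above.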

Manual certificate delivery

Outlook for iOS and Outlook for Android both support manual certificate delivery, which
is when the certificate is emailed to the user and the user taps on the certificate
attachment within the app to initiate the certificate's installation. The following image
shows how manual certificate delivery works in iOS.

A user can export their own certificate and mail it to themselves using Outlook. For
more information, see Exporting a digital certificate.

Important

When exporting the certificate, ensure that the exported certificate is
password-protected with a strong password.

Automated certificate delivery

Important

Outlook for iOS and Android only supports automated certificate delivery
when Microsoft Endpoint Manager is the enrollment provider.

For Outlook for iOS, this is due to the iOS keychain architecture. iOS offers a
system keychain and publisher keychains. iOS prevents third-party apps from
accessing the system keychain (only first-party apps and the Safari webview
controller can access the system keychain). In order to deliver certificates that
can be accessed by Outlook for iOS, the certificates must reside in the
Microsoft publisher keychain to which Outlook for iOS has access. Only
Microsoft published apps, like the Company Portal, can place certificates into
the Microsoft publisher keychain.

Outlook for Android relies on Endpoint Manager to deliver and approve the
S/MIME certificates. Automatic certificate delivery is supported with Android
enrollment scenarios: device administrator, Android Enterprise work profile,
and Android Enterprise fully managed.

With Endpoint Manager, organizations can import encryption certificate histories from
any Certification Authority. Endpoint Manager will then automatically deliver those
certificates to any device that the user enrolls. Generally, Simple Certificate Enrollment
Protocol (SCEP) is used for signing certificates. With SCEP, the private key is generated
and stored on the enrolled device and a unique certificate is delivered to each device
that a user enrolls, which can be used for non-repudiation. Lastly, Endpoint Manager
supports derived credentials for customers who need support for the NIST 800-157
standard. The Company Portal is used to retrieve signing and encryption certificates
from Intune.

In order to deliver certificates to Outlook for iOS and Android, you must complete the
following prerequisites:

Deploy trusted root certificates via Endpoint Manager. For more information, see
Create trusted certificate profiles.
Encryption certificates must be imported into Endpoint Manager. For more
information, see Configure and use imported PKCS certificates with Intune.
Install and Configure the PFX Connector for Microsoft Intune. For more
information, see Download, install, and configure the PFX Certificate Connector for
Microsoft Intune.
Devices must be enrolled to receive trusted root and S/MIME certificates
automatically from Endpoint Manager.

Outlook for iOS automated certificate delivery

Use the following steps to create and configure the Outlook for iOS S/MIME policy in
Endpoint Manager. These settings provide automated delivery of the signing and
encryption certificates.

1. Sign into Microsoft Endpoint Manager.

2. Select Apps and then select App configuration policies.

3. On the App Configuration policies blade, choose Add and select Managed
devices to start the app configuration policy creation flow.

4. On the Basics section, enter a Name, and optional Description for the app
configuration settings.

5. For Platform, choose iOS/iPadOS.

6. For Targeted app, choose Select app, and then, on the Associated app blade,
choose Microsoft Outlook. Click OK.

Note

If Outlook is not listed as an available app, then you must add it by following
the instructions in Assign apps to Android work profile devices with Intune
and Add iOS store apps to Microsoft Intune.

7. Click Configuration settings to add configuration settings.

   Select Use configuration designer next to Configuration settings format and
   accept or modify the default settings. For more information, see Deploying
   Outlook for iOS and Android app configuration settings.

8. Click S/MIME to display the Outlook S/MIME settings.

9. Set Enable S/MIME to Yes. When selecting Yes or No, administrators can choose to
allow the user to change the app setting's value. Select Yes (app default) to allow
the user to change the setting or choose No if you want to prevent the user from
changing the setting's value.

10. Choose whether to Encrypt all emails by selecting Yes or No. When selecting Yes
or No, administrators can choose to allow the user to change the app setting's
value. Select Yes (app default) to allow the user to change the setting or choose
No if you want to prevent the user from changing the setting's value.

11. Choose whether to Sign all emails by selecting Yes or No. When selecting Yes or
No, administrators can choose to allow the user to change the app setting's value.
Select Yes (app default) to allow the user to change the setting or choose No if you
want to prevent the user from changing the setting's value.

12. If needed, deploy an LDAP URL for recipient certificate lookup. For more
information on the URL format, see LDAP support for certificate lookup.

13. Set Deploy S/MIME certificates from Intune to Yes.


14. Under Signing certificates next to Certificate profile type, choose one of the
following options:

SCEP: Creates a certificate that is unique for the device and user that can be
used by Microsoft Outlook for signing. For information on what is required to
use SCEP certificate profiles, see Configure infrastructure to support SCEP
with Intune.
PKCS imported certificates: Uses a certificate that is unique to the user, but
may be shared across devices and has been imported to Endpoint Manager
by the administrator on behalf of the user. The certificate is delivered to any
device that a user enrolls. Endpoint Manager will automatically pick the
imported certificate that supports signing to deliver to the device that
corresponds to the enrolled user. For information on what is required to use
PKCS imported certificates, see Configure and use PKCS certificates with
Intune.
Derived credentials: Uses a certificate that is already on the device that can
be used for signing. The certificate must be retrieved on the device using the
derived credentials flows in Intune.

15. Under Encryption certificates next to Certificate profile type, choose one of the
following options:

PKCS imported certificates: Delivers any encryption certificates that have
been imported to Endpoint Manager by the administrator across any device a
user enrolls. Endpoint Manager will automatically pick the imported
certificate or certificates that support encryption and deliver to the enrolled
user's devices.
Derived credentials: Uses a certificate that is already on the device that can
be used for encryption. The certificate must be retrieved on the device using
the derived credentials flows in Intune.

16. Next to End-user notifications, choose how to notify end users to retrieve the
certificates by selecting Company Portal or Email.

On iOS, users must use the Company Portal app to retrieve their S/MIME
certificates. Endpoint Manager will inform the user that they need to launch the
Company Portal to retrieve their S/MIME certificates via the Notifications section of
Company Portal, a push notification, and/or an email. Clicking one of the
notifications will take the user to a landing page that informs them of progress
retrieving the certificates. Once the certificates are retrieved, the user can use
S/MIME from within Microsoft Outlook for iOS to sign and encrypt email.

The end-user notifications include the following options:

Company Portal: If selected, users will receive a push notification on their
device, which will take them to the landing page in Company Portal where
S/MIME certificates will be retrieved.
Email: Sends an email to the end user informing them that they need to
launch Company Portal to retrieve their S/MIME certificates. If the user is on
their enrolled iOS device when they click the link in the email, they will be
redirected to the Company Portal to retrieve their certificates.

End-users will see an experience similar to the following for automated certificate
delivery:

17. Select Assignments to assign the app configuration policy to the Azure AD groups.
For more information, see Assign apps to groups with Microsoft Intune.

Outlook for Android automated certificate delivery


Use the following steps to create and configure the Outlook for iOS and Android
S/MIME policy in Endpoint Manager. These settings provide automated delivery of the
signing and encryption certificates.

1. Sign into Microsoft Endpoint Manager.

2. Create a SCEP certificate profile or PKCS certificate profile and assign it to your
mobile users.

3. Select Apps and then select App configuration policies.

4. On the App Configuration policies blade, choose Add and select Managed
devices to start the app configuration policy creation flow.

5. On the Basics section, enter a Name, and optional Description for the app
configuration settings.

6. For Platform, choose Android Enterprise and for Profile Type, choose All Profile
Types.

7. For Targeted app, choose Select app, and then, on the Associated app blade,
choose Microsoft Outlook. Click OK.

Note

If Outlook is not listed as an available app, then you must add it by following
the instructions in Assign apps to Android work profile devices with Intune
and Add iOS store apps to Microsoft Intune.

8. Click Configuration settings to add configuration settings.

Select Use configuration designer next to Configuration settings format and
accept or modify the default settings. For more information, see Deploying
Outlook for iOS and Android app configuration settings.

9. Click S/MIME to display the Outlook S/MIME settings.

10. Set Enable S/MIME to Yes. When selecting Yes or No, administrators can choose to
allow the user to change the app setting's value. Select Yes (app default) to allow
the user to change the setting or choose No if you want to prevent the user from
changing the setting's value.

11. Choose whether to Encrypt all emails by selecting Yes or No. When selecting Yes
or No, administrators can choose to allow the user to change the app setting's
value. Select Yes (app default) to allow the user to change the setting or choose
No if you want to prevent the user from changing the setting's value.

12. Choose whether to Sign all emails by selecting Yes or No. When selecting Yes or
No, administrators can choose to allow the user to change the app setting's value.
Select Yes (app default) to allow the user to change the setting or choose No if you
want to prevent the user from changing the setting's value.

13. Select Assignments to assign the app configuration policy to the Azure AD groups.
For more information, see Assign apps to groups with Microsoft Intune.

Enabling S/MIME in the client


S/MIME must be enabled for Outlook for iOS and Android to view or create S/MIME-
related content.

End users will need to enable S/MIME functionality manually by accessing their account
settings, tapping Security, and tapping the S/MIME control, which is off by default. The
Outlook for iOS S/MIME security setting looks like the following:

When the S/MIME setting is enabled, Outlook for iOS and Android will automatically
disable the Organize By Thread setting. This is because S/MIME encryption becomes
more complex as a conversation thread grows. By removing the threaded conversation
view, Outlook for iOS and Android reduces the opportunity for issues with certificates
across recipients during signing and encryption. As this is an app-level setting, this
change affects all accounts added to the app. This threaded conversation dialog is
rendered in iOS as follows:

Once S/MIME is enabled and the S/MIME certificates are installed, users can view the
installed certificates by accessing their account settings and tapping Security.
Furthermore, users can tap on each individual S/MIME certificate and view the
certificate's details, including information like key usage and the validity period.

Users can configure Outlook to automatically sign or encrypt messages. This allows
users to save time sending email while being confident that their emails are being
signed/encrypted.

LDAP support for certificate lookup


Outlook for iOS and Android supports accessing public user certificate keys from secure
LDAP directory endpoints during recipient resolution. In order to utilize an LDAP
endpoint, the following requirements must be met:

The LDAP endpoint does not require authentication. Because the app binds
anonymously, expose only the attributes needed for certificate lookup to
unauthenticated reads, and prefer the ldaps:// (port 636) forms below so that
recipient lookups and the returned certificates are not sent in cleartext.
The LDAP endpoint configuration is delivered to Outlook for iOS and Android
through an app configuration policy. For more information, see S/MIME settings.
The LDAP endpoint configuration is supported using the following formats:
ldaps://contoso.com
ldap://contoso.com
ldap://contoso.com:389
ldaps://contoso.com:636
contoso.com
contoso.com:389
contoso.com:636

When Outlook for iOS and Android performs a certificate lookup for a recipient, the app
will search the local device first, then query Azure Active Directory, and then evaluate
any LDAP directory endpoint. When Outlook for iOS and Android connects to the LDAP
directory endpoint to search for a recipient's public certificate, certificate validation is
performed to ensure that the certificate is not revoked. The certificate is only considered
valid by the app if certificate validation completes successfully.
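As an added example that is not part of the Microsoft documentation, the following PowerShell function normalizes every endpoint form listed above into the host, port and transport a client would use, rejects forms the list does not allow, and flags the cleartext ones. The function name Resolve-SmimeLdapEndpoint and its output fields are this example's own conventions, and the sample inputs at the end are constructed from the formats above.

```powershell
# Added example (not from the Microsoft documentation): normalize the LDAP
# endpoint string carried in an Outlook S/MIME app configuration policy into
# the host, port and transport the client will actually use, and flag cleartext.
# The function name and its output object are this example's own conventions.
function Resolve-SmimeLdapEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Endpoint
    )

    # Accepted forms: ldaps://host, ldap://host, ldap://host:389, ldaps://host:636,
    # host, host:389, host:636. Scheme and port are both optional.
    if ($Endpoint -notmatch '^(?:(?<scheme>ldaps?)://)?(?<host>[A-Za-z0-9.-]+)(?::(?<port>\d{1,5}))?/?$') {
        throw "Unsupported LDAP endpoint format: '$Endpoint'"
    }

    $scheme   = $Matches['scheme']
    $hostName = $Matches['host']
    $port     = if ($Matches['port']) { [int]$Matches['port'] } else { $null }

    # Fill in what was left out: ldaps implies 636, ldap implies 389; a bare
    # host with port 636 is treated as LDAPS, anything else as plain LDAP.
    if (-not $scheme) {
        $scheme = if ($port -eq 636) { 'ldaps' } else { 'ldap' }
    }
    if (-not $port) {
        $port = if ($scheme -eq 'ldaps') { 636 } else { 389 }
    }

    # Reject contradictions such as ldaps://host:389, which are not in the
    # supported list and would send a TLS handshake to a cleartext listener.
    if (($scheme -eq 'ldaps' -and $port -eq 389) -or ($scheme -eq 'ldap' -and $port -eq 636)) {
        throw "Scheme '$scheme' does not match port $port in '$Endpoint'"
    }

    [pscustomobject]@{
        Input      = $Endpoint
        Host       = $hostName
        Port       = $port
        UseTls     = ($scheme -eq 'ldaps')
        Normalized = '{0}://{1}:{2}' -f $scheme, $hostName, $port
        # Cleartext LDAP exposes every recipient lookup, and the certificates
        # returned, to the network path; only the ldaps forms are safe to deploy.
        Cleartext  = ($scheme -ne 'ldaps')
    }
}

# Constructed sample inputs: the seven formats the documentation lists.
@('ldaps://contoso.com', 'ldap://contoso.com', 'ldap://contoso.com:389',
  'ldaps://contoso.com:636', 'contoso.com', 'contoso.com:389', 'contoso.com:636') |
    ForEach-Object { Resolve-SmimeLdapEndpoint -Endpoint $_ } |
    Format-Table Input, Normalized, UseTls, Cleartext -AutoSize
```

Run this against the value you intend to push through the app configuration policy before assigning it; anything that comes back with Cleartext set to True should be replaced by its ldaps:// equivalent.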

Using S/MIME in Outlook for iOS and Android


After the certificates have been deployed and S/MIME has been enabled in the app,
users can consume S/MIME related content and compose content using S/MIME
certificates. If the S/MIME setting is not enabled, then users will not be able to consume
S/MIME content.

View S/MIME messages


In the message view, users can view messages that are S/MIME signed or encrypted. In
addition, users can tap the S/MIME status bar to view more information about the
message's S/MIME status. The following screenshots show examples of how S/MIME
messages are consumed in Android.

Important

In order to read an encrypted message, the recipient's private certificate key must
be available on the device.

Users can install a sender's public certificate key by tapping the S/MIME status bar. The
certificate will be installed on the user's device, specifically in the Microsoft publisher
keychain in iOS or the system KeyStore in Android. The Android version appears
similar to the following:

If there are certificate errors, Outlook for iOS and Android will warn the user. The user
can tap the S/MIME status bar notification to view more information about the
certificate error, such as in the following example.

Create S/MIME messages


Before a user can send a signed and/or encrypted message, Outlook for iOS and
Android performs a validity check on the certificate to ensure it's valid for signing or
encryption operations. If the certificate is near expiration, Outlook for iOS and Android
will alert the user to obtain a new certificate when the user attempts to sign or encrypt a
message, beginning 30 days before expiration.

When composing an email in Outlook for iOS and Android, the sender can choose to
encrypt and/or sign the message. By tapping on the ellipses and then Sign and Encrypt,
the various S/MIME options are presented. Selecting an S/MIME option enables the
respective encoding on the email as soon as the message is saved or sent, assuming the
sender has a valid certificate.

Outlook for iOS and Android can send S/MIME signed and encrypted messages to
distribution groups. Outlook for iOS and Android enumerates the certificates for the
users defined in the distribution group, including those in nested distribution groups,
though care should be taken on limiting the number of nested distribution groups to
minimize the processing impact.

Important

Outlook for iOS and Android only supports sending clear-signed messages.
In order to compose an encrypted message, the target recipient's public
certificate key must be available either in the Global Address List or stored on
the local device. In order to compose a signed message, the sender's private
certificate key must be available on the device.

Here is how S/MIME options appear in Outlook for Android:


Outlook for iOS and Android will evaluate all recipients prior to sending an encrypted
message and confirm that a valid public certificate key exists for each recipient. The
Global Address List (GAL) is checked first; if a certificate for the recipient does not exist
in the GAL, Outlook queries the Microsoft publisher keychain in iOS or the system
KeyStore in Android to locate the recipient's public certificate key. For recipients without
a public certificate key (or an invalid key), Outlook will prompt for their removal. The
message will not be sent without encryption to any recipient unless the encryption
option is disabled by the sender during composition.

Using Outlook for iOS and Android in the Government Community Cloud in Exchange Online
Article • 02/22/2023

Summary: How organizations in the Office 365 U.S. Government Community Cloud
(GCC) can enable Outlook for iOS and Android for their Exchange Online users.

Outlook for iOS and Android is fully architected in the Microsoft Cloud and meets the
security and compliance requirements needs of all United States Government customers
when the mailboxes reside in Exchange Online.

For customers with Exchange Online mailboxes operating in the Government
Community Cloud (GCC Moderate, GCC High or Department of Defense), Outlook for
iOS and Android leverages the native Microsoft sync technology. This architecture is
FedRAMP-compliant and approved (as a cloud service as defined by NIST Special
Publication 800-145), meets DISA SRG Impact Level 4 (GCC High) and Impact Level 5
(DoD) requirements, the Defense Federal Acquisition Regulations Supplement (DFARS),
and the International Traffic in Arms Regulations (ITAR), which have been approved by a
third-party assessment organization, and is FISMA-compliant based on NIST SP 800-53
rev 4.

For more information, please see the Office 365 FedRAMP System Security plan located
in the FedRAMP Audit Reports section of the Microsoft Service Trust Portal .

Important

Customers operating in the Government Community Cloud may have user
mailboxes that also reside on-premises via an Exchange hybrid topology. Accessing
on-premises mailboxes with Outlook for iOS and Android does not utilize an
architecture that is FedRAMP-compliant. For more information on this architecture,
see Using Basic authentication with Outlook for iOS and Android.

This article covers how to:

Enable Outlook for iOS and Android for Office 365 GCC customers.
Unlock non-FedRAMP compliant features, if needed.

Enabling Outlook for iOS and Android for Office 365 GCC customers

GCC (Moderate, High, and Department of Defense) customers can leverage Outlook for
iOS and Android without any special configuration.

For Office 365 GCC customers who are not currently using Outlook for iOS and Android,
enabling the app requires unblocking Outlook for iOS and Android in the organization,
downloading the app on users' devices, and having end users add their account on their
devices.

1. Unblock Outlook for iOS and Android


Remove any restrictions placed within your Exchange environment that may be blocking
Outlook for iOS and Android by updating your Exchange mobile device access rules or
any relevant Azure Active Directory Conditional Access policies so that the app is no
longer blocked. See Securing Outlook for iOS and Android in Exchange Online for
information about enabling Outlook as the only mobile messaging client in an
organization.

2. Download and install Outlook for iOS and Android


End users need to install the app on their devices. How the installation happens
depends on whether or not the devices are enrolled in a unified endpoint management
(UEM) solution, such as Microsoft Intune. Users with enrolled devices can install the app
through their UEM solution, like the Intune Company Portal. Users with devices that are
not enrolled in a UEM solution can search for "Microsoft Outlook" in the Apple App
Store or Google Play Store and download it from one of those locations.

Note

To leverage app-based conditional access policies, the Microsoft Authenticator app
must be installed on iOS devices. For Android devices, the Intune Company Portal
app is leveraged. For more information, see App-based conditional access with
Intune.

Disabled services and features


By default, certain services and features of Outlook for iOS and Android are disabled
automatically for the Office 365 U.S. Government Community Cloud (GCC) because they
do not meet FedRAMP requirements:

In-app support: Users are not able to submit support tickets from within the app
or upload diagnostic data using Collect Diagnostics. They should contact their
internal help desk and provide logs (via the Share Diagnostics Logs option in
Setting -> Help). If necessary, the organization's IT department can then contact
Microsoft Support directly.

Important

Setting OutlookMobileGCCRestrictionsEnabled to false allows support, diagnostic,
or crash data to be sent to Microsoft through in-app support or by using Collect
Diagnostics. The data are uploaded to Microsoft systems that are outside of the
Office 365 GCC compliance boundary, including the Office 365 FedRAMP boundary.
Customers should update organizational training and policy materials to instruct
users to avoid including any sensitive US government information as part of the
in-app support submission.

In-app feature requests: Users are not able to submit in-app feature requests.

Multiple accounts: Only the user's Office 365 GCC account and OneDrive for
Business account can be added to a single device. Personal accounts cannot be
added. Customers can use another device for personal accounts, or an Exchange
ActiveSync client from another provider.

Calendar Apps: Calendar apps (Facebook, Wunderlist, Evernote, Meetup) are not
available with GCC accounts.

Add-Ins: Add-ins are not available with GCC accounts.

Storage Providers: Only the GCC account's OneDrive for Business storage account
can be added within Outlook for iOS and Android. Third-party storage accounts
(for example, Dropbox, Box) cannot be added.

Office Lens: Office Lens technology (for example, scanning business cards and
taking pictures) included in Outlook for iOS and Android is not available with GCC
accounts.

File picker: The file picker used for adding attachments during email composition
is limited to email attachments, iCloud & Device, OneDrive for Business files, and
SharePoint sites. The Recent Files list is limited to email attachments.

TestFlight: GCC accounts are not able to access pre-release features when using
the TestFlight version of Outlook for iOS.

Executing the following Exchange Online cmdlet gives GCC users of Outlook for iOS
and Android access to the above features and services that are not FedRAMP compliant:

PowerShell

Set-OrganizationConfig -OutlookMobileGCCRestrictionsEnabled $false

At any time, access to the above features can be revoked by resetting the parameter
back to the default value:

PowerShell

Set-OrganizationConfig -OutlookMobileGCCRestrictionsEnabled $true

Changing this setting typically takes effect within 48 hours. As this setting is a tenant-
based change, all Outlook for iOS and Android users in the GCC organization are
affected.

For more information on the cmdlet, see Set-OrganizationConfig.

Services and features not available


Certain services and features of Outlook for iOS and Android are not available for the
Office 365 U.S. Government Community Cloud (GCC) because they do not meet
FedRAMP requirements:

Location services: Bing location services are not available with GCC accounts.
Features that rely on location services, like Cortana Time To Leave, are also
unavailable.
Privacy settings: Privacy settings cannot be configured through the Office cloud
policy service.
Play My Emails: Play My Emails is not available for GCC accounts.
To Do: To Do is currently not available for GCC accounts.


Exchange ActiveSync in Exchange Online
Article • 02/22/2023

Exchange ActiveSync is a client protocol that lets you synchronize a mobile device with
your mailbox.

Overview of Exchange ActiveSync


Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized
to work together with high-latency and low-bandwidth networks. The protocol, based
on HTTP and XML, lets mobile phones access an organization's information on a server
that's running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to
access their email, calendar, contacts, and tasks, and to continue to access this
information while they're working offline.

Features in Exchange ActiveSync


Exchange ActiveSync provides the following:

Support for HTML messages
Support for follow-up flags
Conversation grouping of email messages
Ability to synchronize or not synchronize an entire conversation
Support for viewing message reply status
Support for fast message retrieval
Meeting attendee information
Enhanced Exchange Search
PIN reset
Enhanced device security through password policies
Autodiscover for over-the-air provisioning
Support for setting automatic replies when users are away, on vacation, or out of
the office
Support for task synchronization
Direct Push
Support for availability information for contacts

Managing Exchange ActiveSync


By default, Exchange ActiveSync is enabled. All users who have an Exchange mailbox can
synchronize their mobile device with the Microsoft Exchange server.

You can perform the following Exchange ActiveSync tasks:

Enable and disable Exchange ActiveSync for users
Set policies such as minimum password length, device locking, and maximum
failed password attempts
Initiate a remote wipe to clear all data from a lost or stolen mobile phone
Run a variety of reports for viewing or exporting into a variety of formats
Control which types of mobile devices can synchronize with your organization
through device access rules

Managing mobile device access in Exchange ActiveSync


You can control which mobile devices can synchronize. You do this by monitoring new
mobile devices as they connect to your organization or by setting up rules that
determine which types of mobile devices are allowed to connect. Regardless of the
method you choose to specify which mobile devices can synchronize, you can approve
or deny access for any specific mobile device for a specific user at any time.
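The device access rules described above, together with the remote wipe task listed under Managing Exchange ActiveSync, as an added Exchange Online PowerShell example that is not part of the Microsoft documentation. It assumes the ExchangeOnlineManagement module and an administrator allowed to change the organization's ActiveSync settings; the addresses admin@contoso.com, eas-admins@contoso.com and alice@contoso.com, the policy text, and the device-type strings in the rules are placeholders to replace with your own.

```powershell
# Added example (not from the Microsoft documentation): an Exchange Online
# PowerShell session that (1) quarantines unknown device types by default,
# (2) adds explicit allow/block rules by device characteristic, (3) reviews
# what has connected for one user and (4) issues a remote wipe. Mailbox
# addresses, notification text and the device-type strings are placeholders.

# Requires the ExchangeOnlineManagement module and an account that can change
# organization-wide ActiveSync settings.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Unknown devices go to quarantine instead of silently syncing. The admins
#    listed here are notified and approve or block each device individually.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients eas-admins@contoso.com `
    -UserMailInsert 'Your device is awaiting approval by IT.'

# 2. Rules match on one characteristic (DeviceType, DeviceModel, DeviceOS or
#    UserAgent) and grant Allow, Block or Quarantine. Allow the corporate
#    standard client; block a device type you never want (placeholder string).
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'Outlook' -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'LegacyClientType' -AccessLevel Block

# 3. Review what is actually syncing for a mailbox before deciding on it:
#    DeviceAccessState shows Allowed, Blocked or Quarantined per partnership.
Get-MobileDeviceStatistics -Mailbox alice@contoso.com |
    Select-Object DeviceFriendlyName, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessState, LastSuccessSync |
    Format-Table -AutoSize

# 4. A lost device: wipe the Exchange account data only (-AccountOnly), or
#    omit that switch for a full device wipe. The notification address is
#    mailed when the device acknowledges the wipe.
$device = Get-MobileDevice -Mailbox alice@contoso.com |
    Where-Object { $_.DeviceAccessState -eq 'Allowed' } |
    Select-Object -First 1
Clear-MobileDevice -Identity $device.Identity -AccountOnly `
    -NotificationEmailAddresses eas-admins@contoso.com -Confirm:$false
```

Keep the default access level at Quarantine rather than Allow so that a device type not covered by any rule still needs an explicit decision; the per-user Allowed, Blocked and Quarantined states reported in step 3 override the organization default for that partnership.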

Device security features in Exchange ActiveSync


In addition to the ability to configure security options for communications between the
Exchange server and your mobile devices, Exchange ActiveSync offers the following
features to enhance the security of mobile devices:

Remote wipe: If a mobile device is lost, stolen, or otherwise compromised, you can
issue a remote wipe command from the Exchange admin center, from Exchange Online
PowerShell, or from any web browser by using Outlook on the web (formerly known as
Outlook Web App). This command erases all data from the mobile device.

Device password policies: Exchange ActiveSync lets you configure several options
for device passwords. These options include the following:

Minimum password length (characters): This option specifies the minimum length of
the password for the mobile device. The default length is 4 characters; the policy
setting accepts values from 1 through 16.

Minimum number of character sets: Use this text box to specify the complexity
of the alphanumeric password and force users to use a number of different sets
of characters from among the following: lowercase letters, uppercase letters,
symbols, and numbers.

Require alphanumeric password: This option determines password strength.
You can enforce the usage of a character or symbol in the password in addition
to numbers.

Inactivity time (seconds): This option determines how long the mobile device
must be inactive before the user is prompted for a password to unlock the
mobile device.

Enforce password history: Select this check box to force the mobile phone to
prevent the user from reusing their previous passwords. The number that you
set determines the number of past passwords that the user won't be allowed to
reuse.

Enable password recovery: Select this check box to enable password recovery
for the mobile device. Users can use Outlook on the web to look up their
recovery password and unlock their mobile device. Administrators can use the
Exchange admin center to look up a user's recovery password.

Wipe device after failed (attempts): This option lets you specify whether you
want the phone's memory to be wiped after multiple failed password attempts.

Device encryption policies: There are a number of mobile device encryption
policies that you can enforce for a group of users. These policies include the
following:

Require encryption on device: Select this check box to require encryption on
the mobile device. This increases security by encrypting all information on the
mobile device.

Require encryption on storage cards: Select this check box to require
encryption on the mobile device's removable storage card. This increases
security by encrypting all information on the storage cards for the mobile
device.

Important

Although the Exchange ActiveSync protocol provides support for the different
features listed above, it is up to the mobile device operating system and
manufacturers (OEMs) to build support for these features in their mobile operating
system and email apps (default or third-party). Not all EAS features listed above are
supported by third-party mobile devices such as iOS and Android. Microsoft has no
control over which EAS features are supported by these third-party mobile device
manufacturers. Contact the manufacturers directly for help with EAS features on
third-party mobile devices.

Mobile device mailbox policies in Exchange Online
Article • 02/22/2023

In Microsoft 365 or Office 365, you can create mobile device mailbox policies to apply a
common set of policies or security settings to a collection of users. A default mobile
device mailbox policy is created in every Microsoft 365 or Office 365 organization.

Overview of mobile device mailbox policies


You can use mobile device mailbox policies to manage many different settings. These
include the following:

Require a password
Specify the minimum password length
Allow a numeric PIN or require special characters in the password
Designate how long a device can be inactive before requiring the user to re-enter
a password
Wipe a device after a specific number of failed password attempts

Mobile device password settings and biometrics

Many mobile devices support biometrics such as Apple Touch ID or Face ID. Exchange
mobile device mailbox policies do not control whether biometrics can be used instead
of typing the device PIN. Mobile device mailbox policies can be configured to require a
device PIN, but then the users control whether they use biometrics after complying with
the device PIN requirement.

Customers that need advanced control over the use of biometrics should consider
device enrollment solutions such as Microsoft Intune. See Deploying Outlook for iOS
and Android app configuration settings for more information.

Mobile device password settings and Android


Android 9.0 and earlier versions utilize Android's device admin functionality to manage
device password settings defined in a mobile device mailbox policy.

With Android 10.0 and later, Android has removed device admin functionality. Instead,
apps that require a screen lock query the device's (or the work profile's) screen lock
complexity using the getPasswordComplexity API. Apps that require a stronger screen
lock direct the user to the system screen lock settings, allowing the user to update the
security settings to become compliant. At no time is the app aware of the user's
password; the app is only aware of the password complexity level. Android supports the
following four password complexity levels:

Password complexity level: Password requirements

None: No password requirements are configured.

Low: Password can be a pattern, or a PIN with either repeating (4444) or ordered
(1234, 4321, 2468) sequences.

Medium: Passwords that meet one of the following criteria:
PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, with a
minimum length of 4 characters
Alphabetic passwords with a minimum length of 4 characters
Alphanumeric passwords with a minimum length of 4 characters

High: Passwords that meet one of the following criteria:
PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, with a
minimum length of 8 characters
Alphabetic passwords with a minimum length of 6 characters
Alphanumeric passwords with a minimum length of 6 characters

Android's password complexity levels are mapped to the following Exchange mobile
device mailbox policy settings (each row lists the policy settings that together produce
that level):

Mobile device mailbox policy settings: Android password complexity level

Password enabled = false: None

Allow simple password = true, or Min password length < 4: Low

Alphanumeric password required = false, Min password length >= 4 and < 8: Medium

Alphanumeric password required = true, Min password length < 6: Medium

Alphanumeric password required = false, Min password length >= 8: High

Alphanumeric password required = true, Min password length >= 6: High
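Added example, not from the Microsoft documentation: create a policy with the password settings this article describes, assign it to one mailbox, and compute the Android complexity level it maps to using the table above. The policy name Corp-Mobile-High, the mailbox alice@contoso.com and the helper Get-AndroidPasswordComplexity are this example's own placeholders; the cmdlet parameters are the real New-MobileDeviceMailboxPolicy parameters, and the session assumes the ExchangeOnlineManagement module.

```powershell
# Added example (not from the Microsoft documentation): create a mobile device
# mailbox policy, assign it, and predict the Android 10+ screen-lock complexity
# level the Outlook client will demand, using the mapping table above. Policy
# name, mailbox and helper-function name are placeholders of this example.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# A policy that lands in Android's "High" bucket: alphanumeric, length >= 6,
# no simple PINs, and the device wipes after too many failed attempts.
New-MobileDeviceMailboxPolicy -Name 'Corp-Mobile-High' `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 6 `
    -MinPasswordComplexCharacters 1 `
    -AllowSimplePassword $false `
    -MaxPasswordFailedAttempts 8 `
    -MaxInactivityTimeLock 00:15:00 `
    -PasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Apply it to one mailbox; the default policy keeps covering everyone else.
Set-CASMailbox -Identity alice@contoso.com -ActiveSyncMailboxPolicy 'Corp-Mobile-High'

# Map policy settings to the level Android's getPasswordComplexity API reports,
# following the rows of the table above. Evaluation order matters: a disabled
# password is None, anything permitting simple or very short PINs is Low, and
# the alphanumeric and length thresholds decide between Medium and High.
function Get-AndroidPasswordComplexity {
    param(
        [bool]$PasswordEnabled,
        [bool]$AllowSimplePassword,
        [bool]$AlphanumericPasswordRequired,
        [int]$MinPasswordLength
    )
    if (-not $PasswordEnabled) { return 'None' }
    if ($AllowSimplePassword -or $MinPasswordLength -lt 4) { return 'Low' }
    if ($AlphanumericPasswordRequired) {
        if ($MinPasswordLength -ge 6) { return 'High' } else { return 'Medium' }
    }
    if ($MinPasswordLength -ge 8) { return 'High' } else { return 'Medium' }
}

# Evaluate the policy as stored, not the values you believe you set.
$p = Get-MobileDeviceMailboxPolicy -Identity 'Corp-Mobile-High'
Get-AndroidPasswordComplexity -PasswordEnabled $p.PasswordEnabled `
    -AllowSimplePassword $p.AllowSimplePassword `
    -AlphanumericPasswordRequired $p.AlphanumericPasswordRequired `
    -MinPasswordLength $p.MinPasswordLength
```

For the settings in this block (alphanumeric required, minimum length 6, simple passwords disallowed) the helper returns High, the last row of the table above; lowering MinPasswordLength to 5 drops the result to Medium, and setting AllowSimplePassword to $true drops it to Low regardless of length, which is why that one parameter deserves a review before any policy is assigned.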

Mobile device mailbox policy settings


The following table summarizes the settings you can specify using mobile device
mailbox policies.

Mobile device mailbox policy settings:

Allow Bluetooth: This setting specifies whether a mobile device allows Bluetooth
connections. The available options are Disable, HandsFree Only, and Allow. The default
value is Allow.

Allow Browser: This setting specifies whether Pocket Internet Explorer is allowed on the
mobile device. This setting doesn't affect third-party browsers installed on the mobile
device. The default value is $true.

Allow Camera: This setting specifies whether the mobile device camera can be used. The
default value is $true.

Allow Consumer EMail: This setting specifies whether the mobile device user can
configure a personal email account (either POP3 or IMAP4) on the mobile device. The
default value is $true. This setting doesn't control access to email accounts that are
using third-party mobile device email programs.

Allow Desktop Sync: This setting specifies whether the mobile device can synchronize
with a computer through a cable, Bluetooth, or IrDA connection. The default value is
$true.

Allow External Device Management: This setting specifies whether an external device
management program is allowed to manage the mobile device.

Allow HTML Email: This setting specifies whether email synchronized to the mobile
device can be in HTML format. If this setting is set to $false, all email is converted to
plain text.

Allow Internet Sharing: This setting specifies whether the mobile device can be used as
a modem for a desktop or a portable computer. The default value is $true.

Allow IrDA: This setting specifies whether infrared connections are allowed to and from
the mobile device.

Allow Mobile OTA Update: This setting specifies whether the mobile device mailbox
policy settings can be sent to the mobile device over a cellular data connection. The
default value is $true.

Allow non-provisionable devices: This setting specifies whether mobile devices that
may not support application of all policy settings are allowed to connect to Office 365
by using Exchange ActiveSync. Allowing non-provisionable mobile devices has security
implications. For example, some non-provisionable devices may not be able to
implement an organization's password requirements.

Allow POPIMAPEmail: This setting specifies whether the user can configure a POP3 or
an IMAP4 email account on the mobile device. The default value is $true. This setting
doesn't control access by third-party email programs.

Allow Remote Desktop: This setting specifies whether the mobile device can initiate a
remote desktop connection. The default value is $true.

Allow simple password: This setting enables or disables the ability to use a simple
password such as 1111 or 1234. The default value is $true.

Allow S/MIME encryption algorithm negotiation: This setting specifies whether the
messaging application on the mobile device can negotiate the encryption algorithm if a
recipient's certificate doesn't support the specified encryption algorithm.

Allow S/MIME software certificates: This setting specifies whether S/MIME software
certificates are allowed on the mobile device.

Allow storage card: This setting specifies whether the mobile device can access
information that's stored on a storage card.

Allow text messaging: This setting specifies whether text messaging is allowed from
the mobile device. The default value is $true.

Allow unsigned applications: This setting specifies whether unsigned applications can
be installed on the mobile device. The default value is $true.

Allow unsigned installation packages: This setting specifies whether an unsigned
installation package can be run on the mobile device. The default value is $true.

Allow Wi-Fi: This setting specifies whether wireless Internet access is allowed on the
mobile device. The default value is $true.

Alphanumeric password required: This setting requires that a password contains
numeric and non-numeric characters. The default value is $true.

Approved Application List: This setting stores a list of approved applications that can
be run on the mobile device.

Attachments enabled: This setting enables attachments to be downloaded to the
mobile device. The default value is $true.

Device encryption enabled: This setting enables encryption on the mobile device. Not
all mobile devices can enforce encryption. For more information, see the device and
mobile operating system documentation.

Device policy refresh interval: This setting specifies how often the mobile device
mailbox policy is sent from the server to the mobile device.

IRM enabled: This setting specifies whether Information Rights Management (IRM) is
enabled on the mobile device.

Max attachment size: This setting controls the maximum size of attachments that can
be downloaded to the mobile device. The default value is Unlimited.

Max calendar age filter: This setting specifies the maximum range of calendar days
that can be synchronized to the mobile device. The following values are accepted: All,
TwoWeeks, OneMonth, ThreeMonths, SixMonths.

Max email age filter: This setting specifies the maximum number of days of email items
to synchronize to the mobile device. The following values are accepted: All, OneDay,
ThreeDays, OneWeek, TwoWeeks, OneMonth.

Max email body truncation size: This setting specifies the maximum size at which email
messages are truncated when synchronized to the mobile device. The value is in
kilobytes (KB).

Max email HTML body truncation size: This setting specifies the maximum size at
which HTML email messages are truncated when synchronized to the mobile device. The
value is in kilobytes (KB).

Max inactivity time lock: This value specifies the length of time that the mobile device
can be inactive before a password is required to reactivate it. You can enter any interval
between 30 seconds and 1 hour. The default value is 15 minutes.

Max password failed attempts: This setting specifies the number of attempts a user
can make to enter the correct password for the mobile device. You can enter any
number from 4 through 16. The default value is 8.

Min password complex characters: This setting specifies the minimum number of
complex characters required in the mobile device's password. A complex character is a
character that is not a letter.

Min password length: This setting specifies the minimum number of characters in the
mobile device password. You can enter any number from 1 through 16. The default
value is 4.

Password enabled: This setting enables the mobile device password.

Password expiration: This setting enables the administrator to configure a length of
time after which a mobile device password must be changed.

Password history: This setting specifies the number of past passwords that can be
stored in a user's mailbox. A user can't reuse a stored password.

Password: When this setting is enabled, the mobile device generates a recovery password
recovery that's sent to the server. If the user forgets their mobile device password, the
enabled recovery password can be used to unlock the mobile device and enable the
user to create a new mobile device password.

Require device This setting specifies whether device encryption is required. If set to $true , the
encryption mobile device must be able to support and implement encryption to
synchronize with the server.

Require This setting specifies whether S/MIME messages must be encrypted. The
encrypted default value is $false .
S/MIME
messages

Require This setting specifies what required algorithm must be used when encrypting
encryption S/MIME messages.
S/MIME
algorithm

Require manual This setting specifies whether the mobile device must synchronize manually
synchronization while roaming. Allowing automatic synchronization while roaming will
while roaming frequently lead to larger-than-expected data costs for the mobile device data
plan.

Require signed This setting specifies what required algorithm must be used when signing a
S/MIME message.
algorithm

Require signed This setting specifies whether the mobile device must send signed S/MIME
S/MIME messages.
messages

Require storage This setting specifies whether the storage card must be encrypted. Not all
card encryption mobile device operating systems support storage card encryption. For more
information, see your mobile device and mobile operating system
documentation.

Unapproved This setting specifies a list of applications that cannot be run in ROM.
InROM
application list

Managing mobile device mailbox policies


Mobile device mailbox policies can be created, modified, or deleted in the Exchange
admin center (EAC) or Exchange Online PowerShell. If you create a policy in the EAC, you
can configure only a subset of the available settings. You can configure the rest of the
settings using Exchange Online PowerShell.

What do you need to know before you begin?


Estimated time to complete: 15 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mobile devices" feature in
the Feature permissions in Exchange Online topic.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online. To connect to Exchange Online PowerShell, see Connect to Exchange
Online PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online.

Create a new mobile device mailbox policy

Use the EAC to create a new mobile device mailbox policy

Note

You can only set a subset of mobile device mailbox policy settings in the EAC. To set
all the mobile device mailbox policy settings, you need to use Exchange Online
PowerShell.

1. In the EAC, click Mobile > Mobile Device Mailbox Policies, and then click Add.

2. Use the various check boxes and drop-down lists to configure the settings for the
mobile device mailbox policy.

Warning

Select This is the default policy to make the new mobile mailbox policy the
default mobile mailbox policy. After you make a mobile mailbox policy the
default policy, all new users will be assigned this policy automatically when
they are created.

3. Click Save.

Use the Exchange Online PowerShell to create a new mobile device mailbox policy

You create a new mobile device mailbox policy using the New-MobileDeviceMailboxPolicy
cmdlet. MaxEmailAgeFilter takes one of the named values listed in the settings table
above (All, OneDay, ThreeDays, OneWeek, TwoWeeks, OneMonth).

1. In Exchange Online PowerShell, run the following command.

PowerShell

New-MobileDeviceMailboxPolicy -Name "Management" -AllowBluetooth $true -AllowBrowser $true `
    -AllowCamera $true -AllowPOPIMAPEmail $false -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true -PasswordRecoveryEnabled $true `
    -MaxEmailAgeFilter TwoWeeks -AllowWiFi $true -AllowStorageCard $true

How do you know this worked?


To verify that you've successfully created a mobile device mailbox policy, use one of the
following options:

1. In the EAC, click Mobile > Mobile Device mailbox policies, and verify that your
new policy is displayed in the List view.

2. In the Exchange Online PowerShell, run the following command.

PowerShell

Get-MobileDeviceMailboxPolicy -Identity <PolicyName>

For more information about this cmdlet, see Get-MobileDeviceMailboxPolicy.
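The command in the procedure above sets a handful of convenience options. As an added example that is not part of the original article, the following script builds a policy from the security-relevant settings in the table above (device password, lock timeout, failed-attempt limit, encryption, provisioning enforcement, sync windows), verifies that the values that matter were actually applied, and assigns the policy to one mailbox with Set-CASMailbox. The policy name, the mailbox address and the chosen values are assumptions; AllowSimplePassword is a real New-MobileDeviceMailboxPolicy parameter that the table above does not list. Run Connect-ExchangeOnline first.

```powershell
# Added example (not from the original article): create a security-baseline
# mobile device mailbox policy, verify it, and assign it to a mailbox.

$PolicyName = 'Baseline-Managed'            # assumed policy name
$User       = 'tony.smith@contoso.com'      # assumed mailbox

# Refuse to silently collide with an existing policy of the same name.
if (Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    throw "Policy '$PolicyName' already exists; use Set-MobileDeviceMailboxPolicy to change it."
}

$settings = @{
    Name                         = $PolicyName
    # Device lock: PIN required, no 1111/1234-style PINs, at least 6 characters,
    # wipe after 10 failed attempts (table allows 4-16), lock after 5 idle minutes.
    PasswordEnabled              = $true
    AllowSimplePassword          = $false
    MinPasswordLength            = 6
    MaxPasswordFailedAttempts    = 10
    MaxInactivityTimeLock        = '00:05:00'
    PasswordHistory              = 5
    PasswordExpiration           = '90.00:00:00'
    # Data at rest: encryption required on the device and on any storage card.
    RequireDeviceEncryption      = $true
    RequireStorageCardEncryption = $true
    # Devices that cannot enforce every setting in this policy may not sync.
    AllowNonProvisionableDevices = $false
    # Limit how much mailbox data is cached on the handset.
    MaxEmailAgeFilter            = 'TwoWeeks'
    MaxCalendarAgeFilter         = 'OneMonth'
    MaxAttachmentSize            = '10MB'
    # Re-send the policy to devices daily so later changes land quickly.
    DevicePolicyRefreshInterval  = '1.00:00:00'
    IsDefault                    = $false
}
New-MobileDeviceMailboxPolicy @settings | Out-Null

# Verify the controls that matter landed as requested.
$check = Get-MobileDeviceMailboxPolicy -Identity $PolicyName
foreach ($name in 'PasswordEnabled', 'RequireDeviceEncryption', 'AllowNonProvisionableDevices') {
    if ($check.$name -ne $settings[$name]) {
        throw "Setting $name is $($check.$name); expected $($settings[$name])."
    }
}

# Assign the policy to the mailbox and confirm the assignment.
Set-CASMailbox -Identity $User -ActiveSyncMailboxPolicy $PolicyName
Get-CASMailbox -Identity $User | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

Because IsDefault is $false, existing users keep their current policy; set IsDefault to $true (or run Set-MobileDeviceMailboxPolicy -IsDefault $true later) only after you've confirmed the devices in your fleet can actually enforce every setting, since AllowNonProvisionableDevices $false will stop non-compliant devices from syncing.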

Use the EAC to edit a mobile device mailbox policy

Note

You can only edit a subset of mobile device mailbox policy settings in the EAC. To
edit all the mobile device mailbox policy settings, you need to use Exchange
Online PowerShell.

1. In the EAC, click Mobile > Mobile Device Mailbox Policies.

2. Select a policy from the List view and then click Edit.

3. Use the General and Security tabs to edit the mobile device mailbox policy
settings.
4. Click Save to update the policy.

Use the Exchange Online PowerShell to edit mobile device mailbox policy settings

You edit a mobile device mailbox policy using the Set-MobileDeviceMailboxPolicy
cmdlet. The following example changes the policy named Default, makes it the default
policy, and uses -Confirm so that you're prompted before the change is applied (an edited
policy is pushed to every device that's assigned to it).

PowerShell

Set-MobileDeviceMailboxPolicy -Identity Default -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true -PasswordRecoveryEnabled $true `
    -MaxEmailAgeFilter ThreeDays -AllowWiFi $false -AllowStorageCard $true `
    -AllowPOPIMAPEmail $false -IsDefault $true -AllowTextMessaging $true -Confirm:$true
How do you know this worked?

To verify that you've successfully edited a mobile device mailbox policy, do one of the
following:

1. In the EAC, click Mobile > Mobile Device Mailbox Policies, and then choose a
specific policy. In the Details pane, you'll see a number of the policy settings listed.

2. In Exchange Online PowerShell, run the following command.

PowerShell

Get-MobileDeviceMailboxPolicy -Identity <PolicyName>

For more information about this cmdlet, see Get-MobileDeviceMailboxPolicy.
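Checking one policy by name tells you what it says, not whether it is doing any good. As an added example that is not part of the original article, the following functions audit every mobile device mailbox policy for weak device-lock and encryption settings, list the mailboxes assigned to a given policy, and report device partnerships that haven't fully applied their policy or aren't in the Allowed access state. The thresholds are assumptions; the cmdlets and property names (Get-MobileDeviceMailboxPolicy, Get-CASMailbox, Get-MobileDevice, Get-MobileDeviceStatistics) are real. Run Connect-ExchangeOnline first.

```powershell
# Added example (not from the original article): audit mobile device mailbox
# policies, their assignments, and device policy compliance.

function Get-WeakMobilePolicy {
    # Returns every policy that lacks at least one baseline control, with the reasons.
    foreach ($p in Get-MobileDeviceMailboxPolicy) {
        $reasons = @()
        if (-not $p.PasswordEnabled)         { $reasons += 'no device password required' }
        if ($p.AllowSimplePassword)          { $reasons += 'simple PINs allowed' }
        if ($p.PasswordEnabled -and ($null -eq $p.MinPasswordLength -or $p.MinPasswordLength -lt 6)) {
                                               $reasons += "min password length $($p.MinPasswordLength)" }
        if (-not $p.RequireDeviceEncryption) { $reasons += 'device encryption not required' }
        if ($p.AllowNonProvisionableDevices) { $reasons += 'non-provisionable devices allowed' }
        if ($reasons) {
            [pscustomobject]@{ Policy = $p.Name; IsDefault = $p.IsDefault; Reasons = $reasons -join '; ' }
        }
    }
}

function Get-MailboxUsingMobilePolicy {
    # Lists mailboxes assigned (explicitly or by default) to the named policy.
    param([Parameter(Mandatory)][string]$PolicyName)
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { "$($_.ActiveSyncMailboxPolicy)" -eq $PolicyName } |
        Select-Object Name, PrimarySmtpAddress, ActiveSyncEnabled, ActiveSyncMailboxPolicyIsDefaulted
}

function Get-NoncompliantMobileDevice {
    # Device partnerships whose policy isn't fully applied or whose access state isn't Allowed.
    # Review each row; the status columns say why it was flagged.
    foreach ($d in Get-MobileDevice -ResultSize Unlimited) {
        $s = Get-MobileDeviceStatistics -Identity $d.Identity
        if ($s.DevicePolicyApplicationStatus -ne 'AppliedInFull' -or $s.DeviceAccessState -ne 'Allowed') {
            [pscustomobject]@{
                User         = $d.UserDisplayName
                Device       = $d.FriendlyName
                ClientType   = $d.ClientType          # EAS (native mail app) or Outlook
                PolicyStatus = $s.DevicePolicyApplicationStatus
                AccessState  = $s.DeviceAccessState
                AccessReason = $s.DeviceAccessStateReason
                LastSync     = $s.LastSuccessSync
            }
        }
    }
}

# Usage
Get-WeakMobilePolicy | Format-Table -AutoSize
Get-WeakMobilePolicy | ForEach-Object { Get-MailboxUsingMobilePolicy -PolicyName $_.Policy } | Format-Table -AutoSize
Get-NoncompliantMobileDevice | Sort-Object LastSync | Format-Table -AutoSize
```

The second report is the one to read before tightening a policy with Set-MobileDeviceMailboxPolicy: a weak policy with no mailboxes assigned can simply be deleted, while the default policy reaches every mailbox that hasn't been given a policy explicitly.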


Configure Exchange ActiveSync on
mobile devices in Exchange Online
Article • 02/22/2023

You can configure a mobile phone to use Microsoft Exchange ActiveSync. You should
perform this procedure on each mobile phone in your organization.

Prerequisites
You've reviewed the manufacturer's documentation for the mobile phone you want
to configure.
Exchange ActiveSync is enabled in your organization.

Note

For device-specific information about setting up Microsoft Exchange-based email
on a phone or tablet, see Set up Office apps and email on a mobile device.

Configure a mobile phone to use Exchange ActiveSync

Most mobile phones and devices are capable of using Autodiscover to configure the
mobile email client to use Exchange ActiveSync. To configure an email account on most
mobile phones, you'll need two pieces of information.

The user's email address

The user's password

If the mobile phone is unable to contact the Exchange server automatically through
Autodiscover, you'll need to set up the mobile phone manually. Manual setup requires
the user's email address and password, as well as the Exchange ActiveSync server name.
In most organizations, the Exchange ActiveSync server name is the same as the Outlook
on the web (formerly known as Outlook Web App) server name without the /owa, for
example, mail.contoso.com.
Perform a remote wipe on a mobile
phone in Exchange Online
Article • 02/22/2023

Your users carry sensitive corporate information in their pockets every day. If one of
them loses their mobile phone, your data can end up in the hands of another person. If
one of your users loses their mobile phone, you can use the Exchange admin center
(EAC) or Exchange Online PowerShell to wipe their phone clean of all corporate and user
information.

Note

This topic also provides instructions for how to use Outlook on the web (formerly
known as Outlook Web App) to perform a remote wipe on a phone. The user must
be signed in to Outlook on the web to perform a remote wipe.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mobile devices" entry in
the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Note

Prior to EAS v16.1, remote wipe would perform a device-level wipe, restoring the
device to factory conditions. With EAS v16.1 and later, EAS also supports account-
only remote wipe. For an account-only wipe to work, the client must support the EAS
v16.1 protocol. If the client doesn't support v16.1, the wipe will fail and an error will be
returned.

Caution

Exchange ActiveSync v16.1 supports two different remote wipe processes: a Wipe
Data remote wipe and an Account Only Remote Wipe Device remote wipe.
There are important differences between how Outlook responds and how native
mail apps on iOS and Android respond to these different wipe commands.

Outlook for iOS and Outlook for Android support only the Wipe Data command,
and in Outlook that command wipes only data within Outlook: the Outlook app is
reset and all Outlook email, calendar, contacts, and file data are removed, but no
other data is wiped from the device. The Account Only Remote Wipe Device command
is therefore redundant and is not supported by Outlook for iOS or Android.

However, if a native iOS or Android mail app is connected to Exchange and receives
a Wipe Data command from Exchange ActiveSync, all data on the device will be
wiped, including photos, personal files, and so on.

If a native iOS or Android mail app is connected to Exchange and receives an
Account Only Remote Wipe Device command from Exchange ActiveSync, only the
native mail app's Exchange ActiveSync mail, calendar, and account data are wiped.

These commands are designed to destroy data. Because the same Wipe Data command
has very different consequences on Outlook and on a native mail app, check which client
a device partnership belongs to before you choose the wipe type. Exercise caution when
using these commands.

After the remote wipe command is requested by the administrator, the wipe happens
within seconds of the Outlook app's next connection to Exchange.

Since Outlook for iOS and Android appears as a single mobile device association under
a user's mobile devices in Exchange, a remote wipe command will remove data and
delete sync relationships from all devices running Outlook (iPhone, iPad, Android)
associated with that user.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the classic EAC to wipe a user's phone

Note

The classic EAC will be fully deprecated by September 2022. For more information,
see Deprecation of the classic Exchange admin center in WW service.

You can use the classic EAC to wipe a user's phone or cancel a remote wipe that has not
yet completed.

1. In the EAC, navigate to Recipients > Mailboxes.

2. Select the user, and under Mobile Devices, choose View details.

3. On the Mobile Device Details page, select the lost mobile device, and then select
Wipe Data (or Account Only Remote Wipe Device if desired).

4. Select Save.

Use Exchange Online PowerShell to wipe a user's phone

You can use the Clear-MobileDevice cmdlet in Exchange Online PowerShell to wipe a
user's phone.

The following command wipes the device named WM_TonySmith and sends a
confirmation message to admin@contoso.com.

PowerShell

Clear-MobileDevice -Identity WM_TonySmith -NotificationEmailAddresses "admin@contoso.com"

If the device connects to Exchange using a mail app other than Outlook, you can use the
following command to wipe only the mail app's Exchange ActiveSync mail, calendar, and
account data and leave all other data on the device intact:

PowerShell

Clear-MobileDevice -AccountOnly -Identity WM_TonySmith -NotificationEmailAddresses "admin@contoso.com"

The -AccountOnly switch has no effect on Outlook devices: Outlook supports only the
Wipe Data command, and on Outlook that command already removes only Outlook's own
data, so there is no separate account-only wipe to request. See Clear-MobileDevice for
more information.
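The two commands above assume you already know the device name and which kind of client it is. As an added example that is not part of the original article, the following function ties the caution above to the cmdlets: it finds the user's device partnerships, refuses to act on an ambiguous match, picks an account-only wipe for native Exchange ActiveSync clients (so the user's personal photos and files survive) unless you explicitly ask for a full device wipe, issues the wipe, and then polls Get-MobileDeviceStatistics until the device acknowledges it. The mailbox address, notification address and device match string are assumptions; Get-MobileDevice, Clear-MobileDevice (including -AccountOnly and -Cancel) and Get-MobileDeviceStatistics are real cmdlets. Run Connect-ExchangeOnline first.

```powershell
# Added example (not from the original article): wipe a lost device with the
# least destructive command that fits the client type, then confirm the result.

function Invoke-LostDeviceWipe {
    param(
        [Parameter(Mandatory)][string]$Mailbox,        # e.g. tony.smith@contoso.com (assumed)
        [Parameter(Mandatory)][string]$DeviceMatch,    # substring of FriendlyName, DeviceModel or DeviceId
        [string]$NotifyAddress = 'admin@contoso.com',  # assumed
        [switch]$FullDeviceWipe                        # factory reset; only for a confirmed-stolen handset
    )

    $devices = @(Get-MobileDevice -Mailbox $Mailbox |
        Where-Object { "$($_.FriendlyName) $($_.DeviceModel) $($_.DeviceId)" -like "*$DeviceMatch*" })

    if ($devices.Count -ne 1) {
        # Never wipe on an ambiguous match: show the candidates and stop.
        $devices | Format-Table FriendlyName, DeviceModel, DeviceOS, ClientType, DeviceId -AutoSize
        throw "Expected exactly one device matching '$DeviceMatch' for $Mailbox, found $($devices.Count)."
    }
    $device = $devices[0]

    # Outlook (ClientType 'Outlook') supports only Wipe Data, which already removes just
    # Outlook's own data, so -AccountOnly is pointless there. For native Exchange
    # ActiveSync apps (ClientType 'EAS'), -AccountOnly removes only the EAS mail,
    # calendar and account data; leaving it out factory-resets the whole device.
    $accountOnly = ($device.ClientType -eq 'EAS') -and -not $FullDeviceWipe

    $wipeParams = @{
        Identity                   = $device.Identity
        NotificationEmailAddresses = $NotifyAddress
        Confirm                    = $false
    }
    if ($accountOnly) { $wipeParams['AccountOnly'] = $true }
    Clear-MobileDevice @wipeParams

    # The wipe executes when the device next connects; poll for the acknowledgement
    # for up to 10 minutes, then report whatever state we have.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 30
        $stats = Get-MobileDeviceStatistics -Identity $device.Identity
        if ($stats.DeviceWipeAckTime) { break }
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{
        Device        = $device.FriendlyName
        ClientType    = $device.ClientType
        AccountOnly   = $accountOnly
        WipeRequested = $stats.DeviceWipeRequestTime
        WipeSent      = $stats.DeviceWipeSentTime
        WipeAcked     = $stats.DeviceWipeAckTime
        Status        = $stats.Status
    }
}

# Usage (assumed values). A wipe that is still pending can be withdrawn with:
#   Clear-MobileDevice -Identity <DeviceIdentity> -Cancel
Invoke-LostDeviceWipe -Mailbox 'tony.smith@contoso.com' -DeviceMatch 'iPhone'
```

If WipeAcked is still empty when the function returns, the device hasn't connected yet; the wipe remains queued and the address in -NotificationEmailAddresses will receive the confirmation when it completes.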

Use Outlook on the web to wipe a user's phone

1. In Outlook on the web, select the Settings icon.

2. Click View all Outlook settings.

3. Click General, and then select Mobile devices.

4. Select the mobile phone.

5. Click or tap the Wipe Device icon (or the Account Only Remote Wipe Device icon
if desired).

How do you know this worked?

There are several ways to verify that the remote wipe completed.

Run the Clear-MobileDevice cmdlet with the -NotificationEmailAddresses
parameter configured. A message will be sent to the supplied email address when
the remote wipe has completed.

In the EAC, check the status of the mobile device. The status will change from Wipe
Pending to Wipe Successful.

In Outlook on the web, check the status of the mobile device. The status will
change from Wipe Pending to Wipe Successful.
POP3 and IMAP4 in Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if not already doing so.

While most of the features have been migrated to the new EAC, some have been
migrated to other admin centers and the remaining ones will soon be migrated to the new
EAC. Find features that are not yet in the new EAC at Other Features, or use
Global Search to navigate across the new EAC.

By default, POP3 and IMAP4 are enabled for all users in Exchange Online.

To enable or disable POP3 and IMAP4 for individual users, see Enable or Disable
POP3 or IMAP4 access for a user.

To customize the POP3 or IMAP4 settings for a user, see Set POP3 or IMAP4
settings for a user.

Note

If you've enabled security defaults in your organization, POP3 and IMAP4 are
automatically disabled in Exchange Online. For more information, see What are
security defaults?.

To protect your Exchange Online tenant from brute force or password spray attacks,
your organization will need to Disable Basic authentication in Exchange Online
and only use Modern authentication for Outlook in Exchange Online. Disabling
Basic authentication will block legacy protocols, such as POP and IMAP.

Users can use any email programs that support POP3 and IMAP4 to connect to
Exchange Online (for example, Outlook, Windows Mail, and Mozilla Thunderbird). The
features supported by each email client programs vary. For information about features
offered by specific POP3 and IMAP4 client programs, see the documentation that's
included with each application.

POP3 and IMAP4 provide access to the basic email features of Exchange Online and
allow for offline email access, but don't offer rich email, calendaring, and contact
management, or other features that are available when users connect with Outlook,
Exchange ActiveSync, Outlook on the web (formerly known as Outlook Web App), or
Outlook Voice Access.

Note

Each time a person uses a POP-based or IMAP-based email program to open their
Microsoft 365 or Office 365 email, that user will experience a delay of several seconds.
The delay results from using a proxy server, which introduces an additional hop for
authentication. The proxy server first looks up the assigned pod server (client access
server) and then authenticates against that.

Settings users use to set up POP3 or IMAP4 access to their Exchange Online mailboxes

After you enable POP3 and IMAP4 client access, you have to give users the information
in the following table so that they can connect their email programs to their Exchange
Online mailboxes.

POP3 and IMAP4 email programs don't use POP3 and IMAP4 to send messages to the
email server. Email programs that use POP3 and IMAP4 rely on SMTP to send messages.

Protocol   Server name             Port   Encryption method
POP3       outlook.office365.com   995    SSL/TLS
IMAP4      outlook.office365.com   993    SSL/TLS
SMTP       smtp.office365.com      587    STARTTLS

Understanding the differences between POP3 and IMAP4

By default, POP3 clients remove downloaded messages from the email server. This
behavior makes it difficult to access email on multiple computers, since downloaded
messages are stored on the local computer. But, you can typically configure a POP3
client to keep copies of downloaded messages on the server.

POP3 client programs download messages to a single folder on the client computer
(typically, the Inbox). POP3 can't synchronize multiple folders on the email server with
multiple folders on the client computer. POP3 also doesn't support public folder access.

IMAP4 clients are much more flexible and generally offer more features than POP3
clients. By default, IMAP4 clients don't remove downloaded messages from the email
server. This behavior makes it easy to access email message from multiple computers.

IMAP4 clients support creating and accessing multiple email folders on the email server.
For example, most IMAP4 clients can be configured to keep a copy of sent items on the
server so these messages are accessible from any computer.

IMAP4 supports additional features that are supported by most IMAP4 clients (for
example, viewing message senders and subjects before downloading the entire
message).

Send and receive options for POP3 and IMAP4 email programs

POP3 and IMAP4 clients let users choose when they want to connect to the email server
to send and receive email. This section discusses some of the most common
connectivity options and provides some factors your users should consider when they
choose connection options available in their POP3 and IMAP4 email clients.

Common configuration settings


Three of the most common connection settings that can be set on the POP3 or IMAP4
client application are:

To send and receive messages every time the email application is started. When
this option is used, mail is sent and received only on starting the email application.

To send and receive messages manually. When this option is used, messages are
sent and received only when the user clicks a send-and-receive option in the client
user interface.

To send and receive messages every set number of minutes. When this option is
used, the client application connects to the server every set number of minutes to
send messages and download any new messages.

For information about how to configure these settings for the email application that you
use, see the Help documentation that's provided with the email application.

Considerations when selecting send and receive options


The default setting on some email programs is to not keep a copy of messages on the
server after they're retrieved. If the user wants to access messages from multiple email
programs or devices, they should keep a copy of messages on the server.

For always-connected clients, the user might configure the email application to send
and receive messages every set number of minutes. Connecting to the email server at
frequent intervals lets the user keep the email application up-to-date with the most
current information on the server.

However, if the client isn't always connected to the internet, the user might configure
the email application to send and receive messages manually.

Note

If the IMAP4 client supports the IMAP4 IDLE command, email transfers to and from
the Exchange Online mailbox might occur in nearly real time.
Enable or Disable POP3 or IMAP4 access
for a user in Exchange Online
Article • 02/22/2023

By default, POP3 and IMAP4 are enabled for all users in Exchange Online. You can
disable them for individual users. For additional information related to POP3 and IMAP4,
see POP3 and IMAP4.

What do you need to know before you begin?


Estimated time to finish: two minutes.

If you've enabled security defaults in your organization, POP3 and IMAP4 are
already disabled in Exchange Online. For more information, see What are security
defaults?.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "POP3 and IMAP4 settings"
section in the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable POP3 or IMAP4 for a user

1. In the EAC, navigate to Recipients > Mailboxes.

2. In the result pane, select the user for which you want to enable or disable POP3 or
IMAP4, and then select Edit.

3. In the User Mailbox dialog box, in the console tree, select Mailbox Features.

4. In the result pane, under Email Connectivity, do one of the following:


To enable POP3 for the user, under POP3: Disabled, select Enable.

To enable IMAP4 for the user, under IMAP4: Disabled, select Enable.

To disable POP3 for the user, under POP3: Enabled, select Disable.

To disable IMAP4 for the user, under IMAP4: Enabled, select Disable.

5. Select Save.

Use Exchange Online PowerShell to enable or disable POP3 or IMAP4 for a user

This example enables POP3 for the user Christa Knapp.

PowerShell

Set-CASMailbox -Identity "Christa Knapp" -POPEnabled $true

This example enables IMAP4 for the user Christa Knapp.

PowerShell

Set-CASMailbox -Identity "Christa Knapp" -IMAPEnabled $true

This example disables POP3 for the user Christa Knapp.

PowerShell

Set-CASMailbox -Identity "Christa Knapp" -POPEnabled $false

This example disables IMAP4 for the user Christa Knapp.

PowerShell

Set-CASMailbox -Identity "Christa Knapp" -IMAPEnabled $false
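The four commands above change one mailbox at a time. As an added example that is not part of the original article, the following functions report every mailbox in the tenant that still has POP3 or IMAP4 enabled, disable both protocols in bulk after a dry run (with an exclusion list for mailboxes that have a documented need), and turn the protocols off in the CAS mailbox plan so newly created mailboxes don't get them back. This is the per-mailbox complement to blocking Basic authentication mentioned in the POP3 and IMAP4 topic; it removes the protocol surface even for clients that could authenticate. The mailbox addresses are assumptions; Get-CASMailbox, Set-CASMailbox, Get-CASMailboxPlan and Set-CASMailboxPlan are real cmdlets. Run Connect-ExchangeOnline first.

```powershell
# Added example (not from the original article): find, disable, and prevent
# POP3/IMAP4 access across the tenant.

function Get-LegacyProtocolMailbox {
    # Server-side filter: only mailboxes with at least one of the two protocols enabled.
    Get-CASMailbox -ResultSize Unlimited -Filter 'PopEnabled -eq $true -or ImapEnabled -eq $true' |
        Select-Object Name, PrimarySmtpAddress, PopEnabled, ImapEnabled
}

function Disable-LegacyProtocol {
    param(
        [string[]]$Exclude = @(),   # mailboxes with a documented business need (assumed)
        [switch]$Commit             # without -Commit this only reports what would change
    )
    foreach ($m in Get-LegacyProtocolMailbox) {
        $address = "$($m.PrimarySmtpAddress)"
        if ($Exclude -contains $address) { continue }

        if ($Commit) {
            Set-CASMailbox -Identity $address -PopEnabled $false -ImapEnabled $false
            $action = 'disabled'
        } else {
            $action = 'would disable'
        }
        [pscustomobject]@{
            Mailbox = $address
            Pop     = $m.PopEnabled
            Imap    = $m.ImapEnabled
            Action  = $action
        }
    }
}

# 1. Dry run: review who is affected.
Disable-LegacyProtocol | Format-Table -AutoSize

# 2. Apply, keeping one mailbox used by a scanning appliance (assumed address).
Disable-LegacyProtocol -Exclude 'scanner@contoso.com' -Commit | Format-Table -AutoSize

# 3. Stop new mailboxes from inheriting POP3/IMAP4 from the mailbox plan.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# 4. Verify: only the excluded mailbox should remain.
Get-LegacyProtocolMailbox | Format-Table -AutoSize
```

Step 3 matters because Set-CASMailbox only changes mailboxes that already exist; without the plan change, the next licensed user gets POP3 and IMAP4 enabled again by default.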

How do you know this worked?


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the result pane, select the user for which you want to enable or disable POP3 or
IMAP4, and then select Edit.

3. In the User Mailbox dialog box, in the console tree, select Mailbox Features.

4. In the result pane, look under Email Connectivity.

If POP3 is disabled for the user, you'll see POP3: Disabled.

If IMAP4 is disabled for the user, you'll see IMAP4: Disabled.

If POP3 is enabled for the user, you'll see POP3: Enabled.

If IMAP4 is enabled for the user, you'll see IMAP4: Enabled.

5. Select Save.
Set POP3 or IMAP4 settings for a user in
Exchange Online
Article • 02/22/2023

You use the Set-CASMailbox cmdlet to configure the POP3 and IMAP4 options for each
user. Each option has a POP3 parameter and a matching IMAP4 parameter. The
configuration options are described below.

PopForceICalForCalendarRetrievalOption / ImapForceICalForCalendarRetrievalOption:
Sets the preferred format for meeting requests. By default, meeting requests appear as
Outlook on the web (formerly known as Outlook Web App) links. You can change them
to iCal format.
    $true: Meeting requests are all iCal format.
    $false: Meeting requests are all Outlook on the web links. This is the default.

PopSuppressReadReceipt / ImapSuppressReadReceipt:
Sets whether to send read receipts when a message is downloaded and again when it is
opened, or just when the message is opened. By default, if a read receipt is requested,
two read receipts are sent: one when a user downloads a message and another when the
user opens the message. You can change it so that only one read receipt is sent: when
the user opens the message.
    $false: POP3 or IMAP4 users are sent a read receipt each time a recipient downloads
    a message. Users are also sent a read receipt when the recipient opens the message.
    This is the default setting.
    $true: POP3 or IMAP4 users that use the send read receipt for messages I send
    option in their email client programs receive a read receipt only when the recipient
    opens the message.

PopMessagesRetrievalMimeFormat / ImapMessagesRetrievalMimeFormat:
Sets the preferred format for received messages. The default is to use the best format
based on the message. Use a numeral or a text value:
    0 or TextOnly: Text only
    1 or HtmlOnly: HTML
    2 or HtmlAndTextAlternative: HTML and alternative text
    3 or TextEnriched: Enriched text
    4 or TextEnrichedAndTextAlternative: Enriched text and alternative text
    5 or BestBodyFormat: Best body format. This is the default value.
    6 or Tnef: Transport-Neutral Encapsulation Format (TNEF). Also known as rich text
    format, Outlook rich text format, or MAPI rich text format.

PopEnableExactRFC822Size / ImapEnableExactRFC822Size:
Sets whether to calculate the exact size of messages. By default, the estimated message
size, rather than the exact message size, is sent to the email client. Changing this value
is not recommended unless the default value causes problems for your email client.
    $true: Use actual message size.
    $false: Use estimated message size. This is the default.

For additional information related to POP3 and IMAP4, see POP3 and IMAP4.

What do you need to know before you begin?


Estimated time to finish each procedure: five minutes.

You can only use Exchange Online PowerShell to perform this procedure. To learn
how to use Windows PowerShell to connect to Exchange Online, see Connect to
Exchange Online PowerShell.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "POP3 and IMAP4 settings"
entry in the Feature permissions in Exchange Online topic.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to set the meeting request format for a POP3 or IMAP4 user

The following example sets all meeting requests in incoming mail to USER01 to iCal
format for a POP3 user. PopUseProtocolDefaults must be set to $false in the same
command (or beforehand); while it is $true the per-user POP3 options are ignored and the
protocol defaults apply.

PowerShell

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopForceICalForCalendarRetrievalOption $true

The following example sets all meeting requests in incoming mail to USER01 to iCal
format for an IMAP4 user.

PowerShell

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapForceICalForCalendarRetrievalOption $true

How do you know this worked?


To verify that you successfully set the meeting request format for a POP3 or an IMAP4
user, run the following command in Exchange Online PowerShell and verify that the
values displayed are the values that you configured:

PowerShell

Get-CASMailbox USER01 | format-list *ForceIcal*,*UseProtocolDefaults

Use Exchange Online PowerShell to set the suppress read receipt option for a POP3 or IMAP4 user

The following example sets it up so that the POP3 sender receives a read receipt only
when the message is opened.

PowerShell

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopSuppressReadReceipt $true
The following example sets it up so that the IMAP4 sender receives a read receipt only
when the message is opened.

PowerShell

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapSuppressReadReceipt $true

How do you know this worked?


To verify that you successfully set the read receipt option for a POP3 or an IMAP4 user,
run the following command in Exchange Online PowerShell and verify that the values
displayed are the values that you configured:

PowerShell

Get-CASMailbox USER01 | Format-List *SuppressReadReceipt,*UseProtocolDefaults

Use Exchange Online PowerShell to set the message retrieval format for a POP3 or IMAP4 user

The following example sets the message retrieval format to text only for POP3 access for
USER01.

PowerShell

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopMessagesRetrievalMimeFormat TextOnly

The following example sets the message retrieval format to text only for IMAP4 access
for USER01 .

PowerShell

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapMessagesRetrievalMimeFormat TextOnly

How do you know this worked?


To verify that you successfully set the message retrieval format for a POP3 or an IMAP4
user, run the following command in Exchange Online PowerShell and verify that the
values displayed are the values that you configured:

PowerShell

Get-CASMailbox USER01 | Format-List *MessagesRetrievalMimeFormat,*UseProtocolDefaults

Use Exchange Online PowerShell to set the message size calculation for a POP3 or IMAP4 user

This example calculates the exact size of POP messages for USER01.

Important

Set the PopEnableExactRFC822Size parameter to $true only if the POP client
doesn't work for this user.

PowerShell

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopEnableExactRFC822Size $true

This example calculates the exact size of IMAP messages for USER01.

Important

Set the ImapEnableExactRFC822Size parameter to $true only if the IMAP client
doesn't work for this user.

PowerShell

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapEnableExactRFC822Size $true

How do you know this worked?

To verify that you successfully set the message size calculation for a POP3 or IMAP4
user, run the following command in Exchange Online PowerShell and verify that the
values displayed are the values that you configured:

PowerShell

Get-CASMailbox USER01 | Format-List *EnableExact*,*UseProtocolDefaults
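Every procedure on this page first takes the mailbox off the protocol defaults (UseProtocolDefaults $false), and those overrides persist after the troubleshooting that prompted them is over. As an added example that is not part of the original article, the following functions list every mailbox whose POP3 or IMAP4 behaviour has been taken off the protocol defaults, show the current value of each of the four options described above for that protocol, and put a mailbox back on the defaults with a single call. The cmdlets and parameter names are the real Set-CASMailbox/Get-CASMailbox ones; the mailbox address in the usage line is an assumption. Run Connect-ExchangeOnline first.

```powershell
# Added example (not from the original article): find and reset per-user
# POP3/IMAP4 overrides.

# The four per-protocol options this topic configures, without their Pop/Imap prefix.
$ProtocolOptions = 'ForceICalForCalendarRetrievalOption', 'SuppressReadReceipt',
                   'MessagesRetrievalMimeFormat', 'EnableExactRFC822Size'

function Get-ProtocolOverride {
    # One row per mailbox and protocol where UseProtocolDefaults is $false.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { -not $_.PopUseProtocolDefaults -or -not $_.ImapUseProtocolDefaults } |
        ForEach-Object {
            $m = $_
            foreach ($proto in 'Pop', 'Imap') {
                if ($m."${proto}UseProtocolDefaults") { continue }
                $values = foreach ($opt in $ProtocolOptions) { "$opt=$($m."$proto$opt")" }
                [pscustomobject]@{
                    Mailbox  = $m.PrimarySmtpAddress
                    Protocol = $proto
                    Settings = $values -join ', '
                }
            }
        }
}

function Reset-ProtocolOverride {
    # Returns the mailbox to the protocol defaults for the chosen protocol(s).
    # Setting UseProtocolDefaults back to $true is enough; the individual options
    # stop applying even though their stored values remain visible.
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [switch]$Pop,
        [switch]$Imap
    )
    $p = @{ Identity = $Mailbox }
    if ($Pop)  { $p['PopUseProtocolDefaults']  = $true }
    if ($Imap) { $p['ImapUseProtocolDefaults'] = $true }
    if ($p.Count -eq 1) { throw 'Specify -Pop, -Imap, or both.' }
    Set-CASMailbox @p
    Get-CASMailbox -Identity $Mailbox | Format-List *UseProtocolDefaults
}

# Usage
Get-ProtocolOverride | Format-Table -AutoSize
Reset-ProtocolOverride -Mailbox 'user01@contoso.com' -Pop -Imap   # assumed address
```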

For more information

Connect to Exchange Online PowerShell

POP3 and IMAP4

Enable or Disable POP3 or IMAP4 access for a user

Set-CASMailbox
Opt in to the Exchange Online endpoint
for legacy TLS clients using POP3 or
IMAP4
Article • 01/26/2023

Exchange Online no longer supports use of TLS1.0 and TLS1.1 in the service as of
October 2020. This change is due to security and compliance requirements for our
service. While no longer supported, our servers still allow clients to use those older
versions of TLS when connecting to the POP3/IMAP4 endpoint (outlook.office365.com).

In 2022, we plan to completely disable those older TLS versions to secure our customers,
and meet those security and compliance requirements. However, due to significant
usage, we've created an opt-in endpoint that legacy clients can use with TLS1.0 and
TLS1.1.

Note

This opt-in endpoint isn't available in GCC, GCC-High, or DoD environments that
have legacy TLS permanently turned off.

Configuring the new endpoint

If customers have POP3/IMAP4 clients that only support older TLS versions, the clients need to be configured to use the new worldwide endpoints:

pop-legacy.office365.com
imap-legacy.office365.com

Customers who use Microsoft 365 operated by 21 Vianet need to configure their clients
to use the endpoint:

pop-legacy.partner.outlook.cn
imap-legacy.partner.outlook.cn

Consumer users can use these less secure endpoints directly. For Enterprise users, tenant
admins need to enable the following setting:

The value $true for the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet.

Opt in to legacy client endpoint

You can opt in (or opt out) for your organization in the new EAC or by using Exchange
Online PowerShell.

To opt in with the new EAC, go to the Mail Flow settings page under Settings and
toggle the setting labeled Turn on use of legacy TLS clients.

To opt in with Exchange Online PowerShell, run the following command:

PowerShell

Set-TransportConfig -AllowLegacyTLSClients $true

To view the current status of the property, run the following command in Exchange
Online PowerShell:

PowerShell

Get-TransportConfig | Format-List AllowLegacyTLSClients

See also
Enable or Disable POP3 or IMAP4 access for a user in Exchange Online
POP3 or IMAP4 settings
Opt in to the Exchange Online endpoint for legacy TLS clients using SMTP AUTH

Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be deprecated for worldwide customers. Microsoft recommends using the new Exchange Admin Center, if you aren't already doing so.

While most of the features have been migrated to the new EAC, some have been migrated to other admin centers, and the remaining ones will soon be migrated to the new EAC. Find features that are not yet in the new EAC at Other Features, or use Global Search to navigate across the new EAC.

SMTP client email submissions (also known as authenticated SMTP submissions or SMTP
AUTH) are used in the following scenarios in Office 365 and Microsoft 365:

POP3 and IMAP4 clients. These protocols only allow clients to receive email
messages, so they need to use authenticated SMTP to send email messages.
Applications, reporting servers, and multifunction devices that generate and send
email messages.

The SMTP AUTH protocol is used for SMTP client email submissions, typically on TCP
port 587. SMTP AUTH supports modern authentication (Modern Auth) through OAuth in
addition to basic authentication. For more information, see Authenticate an IMAP, POP
or SMTP connection using OAuth.

Virtually all modern email clients that connect to Exchange Online mailboxes in Office
365 or Microsoft 365 (for example, Outlook, Outlook on the web, iOS Mail, Outlook for
iOS and Android, etc.) don't use SMTP AUTH to send email messages.

Therefore, we highly recommend that you disable SMTP AUTH in your Exchange Online
organization, and enable it only for the accounts (that is, mailboxes) that still require it.
There are two settings that can help you do this:

An organization-wide setting to disable (or enable) SMTP AUTH.

A per-mailbox setting that overrides the tenant-wide setting.

Note that these settings only apply to mailboxes that are hosted in Exchange Online (Office 365 or Microsoft 365).

Note

If security defaults is enabled in your organization, SMTP AUTH is already disabled in Exchange Online. For more information, see What are security defaults?.

If your authentication policy disables basic authentication for SMTP, clients cannot use the SMTP AUTH protocol even if you enable the settings outlined in this article. For more information, see Disable Basic authentication in Exchange Online.

Disable SMTP AUTH in your organization

You can disable (or enable) SMTP AUTH globally for your organization in the new EAC or
by using Exchange Online PowerShell.

To disable SMTP AUTH globally in your organization in the new EAC, go to the Mail Flow settings page under Settings and toggle the setting labeled "Turn off SMTP AUTH protocol for your organization".

To disable SMTP AUTH globally in your organization with PowerShell, run the following
command:

PowerShell

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

Note: To enable SMTP AUTH if it's already disabled, use the value $false.

How do you know this procedure worked?

To verify that you've globally disabled SMTP AUTH in your organization, run the following command and verify that the value of the SmtpClientAuthenticationDisabled property is True:

PowerShell

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

Enable SMTP AUTH for specific mailboxes

The per-mailbox setting to enable (or disable) SMTP AUTH is available in the Microsoft 365 admin center or Exchange Online PowerShell.

Use the Microsoft 365 admin center to enable or disable SMTP AUTH on specific mailboxes

1. Open the Microsoft 365 admin center and go to Users > Active users.

2. Select the user, and in the flyout that appears, click Mail.

3. In the Email apps section, click Manage email apps.

4. Verify the Authenticated SMTP setting: unchecked = disabled, checked = enabled.

5. When you're finished, click Save changes.

Use Exchange Online PowerShell to enable or disable SMTP AUTH on specific mailboxes

Use the following syntax:

PowerShell

Set-CASMailbox -Identity <MailboxIdentity> -SmtpClientAuthenticationDisabled <$true | $false | $null>

The value $null indicates the setting for the mailbox is controlled by the global setting
on the organization. You use the values $true (disabled) or $false (enabled) to override
the organization setting. The mailbox setting takes precedence over the organization
setting.

This example enables SMTP AUTH for mailbox sean@contoso.com.

PowerShell

Set-CASMailbox -Identity sean@contoso.com -SmtpClientAuthenticationDisabled $false

This example disables SMTP AUTH for mailbox chris@contoso.com.

PowerShell

Set-CASMailbox -Identity chris@contoso.com -SmtpClientAuthenticationDisabled $true

Use Exchange Online PowerShell to enable or disable SMTP AUTH on multiple mailboxes

Use a text file to identify the mailboxes. Values that don't contain spaces (for example,
alias, email address, or account name) work best. The text file must contain one mailbox
on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

The syntax uses the following two commands (one to identify the mailboxes, and the
other to enable SMTP AUTH for those mailboxes):

PowerShell

$<VariableName> = Get-Content "<text file>"
$<VariableName> | foreach {Set-CASMailbox -Identity $_ -SmtpClientAuthenticationDisabled <$true | $false | $null>}

This example enables SMTP AUTH for the mailboxes specified in the file C:\My
Documents\Allow SMTP AUTH.txt.

PowerShell

$Allow = Get-Content "C:\My Documents\Allow SMTP AUTH.txt"
$Allow | foreach {Set-CASMailbox -Identity $_ -SmtpClientAuthenticationDisabled $false}

Note

To disable SMTP AUTH for the mailboxes, use the value $true. To return control to the organization setting, use the value $null.

How do you know this worked?

To verify that you've enabled or disabled SMTP AUTH for a specific mailbox, do any of
the following steps:

Individual mailboxes in the Microsoft 365 admin center: Go to Users > Active
users > select the user > click Mail > click Manage email apps and verify the value
of Authenticated SMTP (checked = enabled, unchecked = disabled).

Individual mailboxes in Exchange Online PowerShell: Replace <MailboxIdentity> with the name, alias, email address, or account name of the mailbox, run the following command, and verify the value of the SmtpClientAuthenticationDisabled property (False = enabled, True = disabled, blank = use organization setting).

PowerShell

Get-CASMailbox -Identity <MailboxIdentity> | Format-List SmtpClientAuthenticationDisabled

All mailboxes where SMTP AUTH is disabled: Run the following command:

PowerShell

$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $true}

All mailboxes where SMTP AUTH is enabled: Run the following command:

PowerShell

$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $false}

All mailboxes where SMTP AUTH is controlled by the organization setting: Run
the following command:

PowerShell

$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $null}

Opt in to the Exchange Online endpoint for legacy TLS clients using SMTP AUTH
Article • 02/22/2023

Note

We have already disabled TLS 1.0 and 1.1 for most Microsoft 365 services in the
world wide environment. For Microsoft 365 operated by 21 Vianet, TLS1.0 and
TLS1.1 will be disabled on June 30, 2023.

Exchange Online no longer supports use of TLS1.0 and TLS1.1 in the service as of
October 2020. This change is due to security and compliance requirements for our
service. While no longer supported, our servers still allow clients to use those older
versions of TLS when connecting to the SMTP AUTH endpoint (smtp.office365.com).

In 2022, we plan to completely disable those older TLS versions to secure our customers
and meet those security and compliance requirements. However, due to significant
usage, we've created an opt-in endpoint that legacy clients can use with TLS1.0 and
TLS1.1. Note that this endpoint is not available in GCC, GCC-High, or DoD environments
that have legacy TLS permanently turned off.

Configuring the new endpoint

If customers have SMTP AUTH clients that only support older TLS versions, the clients need to be configured to use the new worldwide endpoint:

smtp-legacy.office365.com

Customers who use Microsoft 365 operated by 21 Vianet need to configure their clients to use the endpoint:

smtp-legacy.partner.outlook.cn

To use this less secure endpoint, admins need to enable the following setting:

The value $true for the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet.

Make sure that the mailbox is configured to allow sending using SMTP AUTH. For more information, see Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online.

Opt in to legacy client endpoint

You can opt in (or opt out) for your organization in the new EAC or by using Exchange
Online PowerShell.

To opt in with the new EAC, go to the Mail Flow settings page under Settings and toggle the setting labeled "Turn on use of legacy TLS clients".

To opt in with Exchange Online PowerShell, run the following command:

PowerShell

Set-TransportConfig -AllowLegacyTLSClients $true

To view the current status of the property, run the following command in Exchange
Online PowerShell:

PowerShell

Get-TransportConfig | Format-List AllowLegacyTLSClients
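As an added example (not part of the Microsoft article), the following function ties together the SMTP AUTH checks and the legacy TLS opt-in described above: it reads the tenant-wide settings from Get-TransportConfig, resolves each mailbox's effective SMTP AUTH state (a per-mailbox value overrides the organization default, and $null means "follow the organization"), and returns one row per mailbox. It assumes an existing Exchange Online PowerShell session; the function name and the CSV output path are my own choices.

```powershell
# Added example (not from the Microsoft article): report the effective SMTP AUTH
# state of every mailbox together with the tenant-wide SMTP AUTH and legacy TLS
# settings. Assumes an existing Exchange Online PowerShell session
# (Connect-ExchangeOnline); the function name and CSV path are assumptions.

function Get-SmtpAuthExposureReport {
    [CmdletBinding()]
    param(
        # Optional: also write the per-mailbox rows to this CSV file.
        [string]$CsvPath
    )

    $transport   = Get-TransportConfig
    $orgDisabled = [bool]$transport.SmtpClientAuthenticationDisabled
    $legacyTls   = [bool]$transport.AllowLegacyTLSClients

    $orgState = if ($orgDisabled) { 'disabled' } else { 'ENABLED' }
    $tlsState = if ($legacyTls) { 'ALLOWED (legacy endpoints usable with TLS 1.0/1.1)' } else { 'not allowed' }
    Write-Host "Tenant default: SMTP AUTH $orgState; legacy TLS clients $tlsState"

    $rows = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
        $override = $cas.SmtpClientAuthenticationDisabled   # $true, $false or $null

        # $null means "follow the organization setting"; a mailbox value wins.
        if ($null -eq $override) {
            $overrideText      = 'Org default'
            $effectiveDisabled = $orgDisabled
        } else {
            $overrideText      = if ($override) { 'Disabled' } else { 'Enabled' }
            $effectiveDisabled = [bool]$override
        }
        $effectiveText = if ($effectiveDisabled) { 'Disabled' } else { 'Enabled' }

        [pscustomobject]@{
            Mailbox           = $cas.PrimarySmtpAddress
            MailboxOverride   = $overrideText
            SmtpAuthEffective = $effectiveText
            PopEnabled        = $cas.PopEnabled
            ImapEnabled       = $cas.ImapEnabled
        }
    }

    $enabled = @($rows | Where-Object { $_.SmtpAuthEffective -eq 'Enabled' })
    Write-Host ("{0} of {1} mailboxes can currently submit mail with SMTP AUTH." -f $enabled.Count, @($rows).Count)

    if ($CsvPath) {
        $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    }
    return $rows
}

# Usage:
# $report = Get-SmtpAuthExposureReport -CsvPath .\smtp-auth-report.csv
# $report | Where-Object { $_.SmtpAuthEffective -eq 'Enabled' } | Format-Table -AutoSize
```

Mailboxes listed as Enabled are the ones to review before you set SmtpClientAuthenticationDisabled to $true at the organization level, because they will lose SMTP AUTH unless given a per-mailbox override.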


MailTips in Exchange Online
Article • 03/06/2023

MailTips are informative messages displayed to users while they're composing a message. While a new message is open and being composed, Exchange analyzes the message (including recipients). If a potential problem is detected, the user is notified with a MailTip prior to sending the message. Using the information in the MailTip, the user can adjust the message to avoid undesirable situations or non-delivery reports (also known as NDRs or bounce messages).

How MailTips work

MailTips are implemented as a web service in Exchange. When a sender is composing a
message, the client software makes an Exchange web service call to the Client Access
server to get the list of MailTips. The server responds with the list of MailTips that apply
to that message, and the client software displays the MailTips to the sender.

The following unproductive messaging scenarios are common in any messaging environment:

NDRs resulting from messages that violate organization-wide message restrictions (for example, message size restrictions or maximum number of recipients per message).

NDRs resulting from messages sent to non-existent recipients, restricted recipients, or users with full mailboxes.

Sending messages to users with Automatic Replies configured.

All of these scenarios involve the user sending a message, expecting it to be delivered,
and instead receiving a response stating that the message isn't delivered. Even in the
best-case scenario, like the automatic reply, these events result in lost productivity. In
the case of an NDR, this scenario could result in a costly call to the help desk.

There are also several scenarios where sending a message won't result in an error, but
can have undesirable, even embarrassing consequences:

Messages sent to extremely large distribution groups.

Messages sent to inappropriate distribution groups.

Messages inadvertently sent to recipients outside your organization.

Selecting Reply to All to a message that was received as a Bcc recipient.

All of these problematic scenarios can be mitigated by informing users of the possible
outcome of sending the message as they're composing the message. For example, if
senders are notified that the size of their message will exceed the maximum allowed
value, they won't attempt to send the message. Similarly, if senders are notified that
their message will be delivered to people outside the organization, they're more likely to
ensure that the content and the tone of the message are appropriate.

The following messaging clients support MailTips:

Outlook on the web (formerly known as Outlook Web App)

Microsoft Outlook 2010 or later for Microsoft Windows

Available MailTips in Exchange Online

The following table lists the available MailTips in Exchange Online.

MailTip: Invalid Internal Recipient
Availability: Outlook
Scenario: The sender adds an internal recipient that doesn't exist. For example:
    The non-existent recipient resolves due to an entry in the sender's Auto-Complete List (also known as the nickname cache) or an entry in the sender's Contacts folder.
    The sender types a non-existent internal email address, and the email address is in an accepted domain (an authoritative domain) for the Exchange organization.
The MailTip indicates the invalid recipient and gives the sender the option to remove the recipient from the message.

MailTip: Mailbox Full
Availability: Outlook, Outlook on the web
Scenario: The sender adds an internal recipient whose mailbox exceeds the maximum mailbox size (the ProhibitSendReceive quota on the mailbox or organization).
The MailTip indicates the recipient whose mailbox is full and gives the sender the option to remove the recipient from the message.
The MailTip is accurate at the time of display. If the message isn't immediately sent, the MailTip is updated every two hours. This also applies to messages that were saved in the Drafts folder and reopened after two hours.

MailTip: Automatic Replies
Availability: Outlook, Outlook on the web
Scenario: The sender adds an internal recipient* who has turned on Automatic Replies.
The MailTip indicates the recipient has Automatic Replies turned on and also displays the first 175 characters of the automatic reply text.
The MailTip is accurate at the time of display. If the message isn't immediately sent, the MailTip is updated every two hours. This also applies to messages that were saved in the Drafts folder and reopened after two hours.
*If the recipient is external, but the recipient's domain is configured as a remote domain, the AllowedOOFType and IsInternal settings determine whether the sender receives the internal automatic reply, the external automatic reply, or no automatic reply at all.

MailTip: Custom
Availability: Outlook, Outlook on the web
Scenario: The sender adds an internal recipient that has a custom MailTip configured.
A custom MailTip can be useful for providing specific information about a recipient. For example, you can create a custom MailTip for a distribution group explaining its purpose to reduce its misuse. For more information, see Configure custom MailTips for recipients.
Custom MailTips aren't displayed if the sender isn't allowed to send messages to the recipient (the Restricted Recipient MailTip is displayed instead).

MailTip: Restricted Recipient
Availability: Outlook, Outlook on the web
Scenario: The sender adds a recipient that they're not allowed to send messages to (delivery restrictions are configured between the sender and the recipient).
The MailTip indicates the prohibited recipient and gives the sender the option to remove the recipient from the message. It also clearly informs the sender that the message can't be delivered to the restricted recipient.
If the restricted recipient is a distribution group that contains nested groups, the MailTips aren't displayed.
If the restricted recipient is external or is a distribution group that contains external recipients, the MailTip will be displayed to the sender. However, the following MailTips aren't displayed (if applicable):
    Automatic Replies
    Mailbox Full
    Custom MailTip
    Moderated Recipient
    Oversize Message

MailTip: External Recipients
Availability: Outlook, Outlook on the web, Outlook Mobile
Scenario: The sender adds an external recipient* or a distribution group that contains external recipients.
The MailTip informs the sender that the message will leave the organization, which can help them make the correct decisions about wording, tone, and content.
By default, this MailTip is turned off. You can turn it on using the Set-OrganizationConfig cmdlet. For details, see MailTips over organization relationships.
*If the recipient is external, but the recipient's domain is configured as a remote domain, the IsInternal setting determines whether the sender receives this MailTip (the External Recipients MailTip doesn't apply to internal recipients).
Note: The External Recipients MailTip isn't evaluated for external distribution group recipients where the distribution group is in a remote domain.
Note 2: Outlook Mobile only supports the External Recipients MailTip for Microsoft 365 or Office 365, and for on-premises Exchange mailboxes that use Hybrid Modern Authentication (HMA).

MailTip: Large Audience
Availability: Outlook, Outlook on the web
Scenario: The sender adds a distribution group that has more members than the configured large audience size (the default size is more than 25 members). For details, see Configure the large audience size for your organization.
The number of distribution group members isn't calculated each time. Instead, the distribution group information is read from group metrics data.

MailTip: Moderated Recipient
Availability: Outlook, Outlook on the web
Scenario: The sender adds a moderated recipient (a recipient that requires message approval).
The MailTip identifies the moderated recipient and informs the sender that moderation might result in delayed delivery.
The MailTip is not displayed if:
    The sender is a moderator for the recipient.
    The sender has been explicitly allowed to send messages to the recipient (by adding the sender's name to the Accept Messages Only From list for the recipient).
To configure moderated recipients in Exchange Online, see Configure moderated recipients in Exchange Online.

MailTip: Reply-All on Bcc
Availability: Outlook on the web
Scenario: A Bcc recipient selects Reply All on a message. The MailTip appears in the reply message.
Bcc recipients revealing themselves to other recipients is universally bad, and the MailTip explains this.

MailTip: Oversize Message
Availability: Outlook
Scenario: The message is larger than the maximum allowed message size.
The MailTip is displayed if the message size violates one of the following message size restrictions:
    Maximum send size setting on the sender's mailbox.
    Maximum receive size setting on the recipient's mailbox.
    Maximum message size restriction for the organization.
Note: Message size limits on connectors aren't evaluated for this MailTip.

MailTip restrictions

MailTips are subject to the following restrictions:

MailTips aren't supported when working in offline mode in Outlook.

When a message is addressed to a distribution group, the MailTips for individual recipients that are members of that distribution group aren't evaluated. However, if any of the members are external recipients, the External Recipients MailTip is displayed, which shows the sender the number of external recipients in the distribution group.

If the message is addressed to more than 200 recipients, individual mailbox MailTips aren't evaluated due to performance reasons.

Custom MailTips are limited to 175 characters.

While older versions of Exchange Server would populate MailTips in their entirety,
Exchange Online will only display up to 1000 characters.

If the sender starts composing a message and leaves it open for an extended
period of time, the Automatic Replies and Mailbox Full MailTips are evaluated
every two hours.

For more information

Set-OrganizationConfig

Configure the large audience size for your organization in Exchange Online
Article • 02/22/2023

You can use Exchange Online PowerShell to configure various settings that define how
you use MailTips in your organization.

What do you need to know before you begin?

Estimated time to complete: 5 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "MailTips" entry in the
Feature permissions in Exchange Online topic.

You can only use Exchange Online PowerShell to perform this procedure.

For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to configure the large audience size for your organization

You use the Set-OrganizationConfig cmdlet to configure the large audience size for
your organization. When the sender adds a distribution group that has more members
than the configured large audience size, they are shown the Large Audience MailTip.
The large audience size is set to 25 by default. This example configures the large
audience size to 50 in your organization.

PowerShell

Set-OrganizationConfig -MailTipsLargeAudienceThreshold 50

For detailed syntax and parameter information, see Set-OrganizationConfig.


Configure custom MailTips for recipients in Exchange Online
Article • 02/22/2023

MailTips are informative messages displayed to users in the InfoBar in Outlook on the
web (formerly known as Outlook Web App) and Microsoft Outlook 2010 or later when a
user does any of the following while composing an e-mail message:

Add a recipient

Add an attachment

Reply or Reply all

Open a message from the Drafts folder that's already addressed to recipients

In addition to the built-in MailTips that are available, you can create custom MailTips for
all types of recipients. For more information about the built-in MailTips, see MailTips.

What do you need to know before you begin?

Estimated time to complete: 10 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "MailTips" entry in the
Feature permissions in Exchange Online topic.

You can configure the primary MailTip in the Exchange admin center (EAC) or in
Exchange Online PowerShell. However, you can only configure additional MailTip
translations in Exchange Online PowerShell.

When you add a MailTip to a recipient, two things happen:

HTML tags are automatically added to the text. For example, if you enter the text: This mailbox is not monitored, the MailTip automatically becomes: <html><body>This mailbox is not monitored</body></html>. Additional HTML tags in the MailTip aren't supported.

The text is automatically added to the MailTipTranslations property of the recipient as the default value. If you modify the MailTip text, the default value is automatically updated in the MailTipTranslations property.

The length of a MailTip can't exceed 175 displayed characters.

For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Configure MailTips for recipients

Use the classic EAC to configure MailTips for recipients

1. In the classic EAC, navigate to Recipients.

2. Select any of the following recipient tabs based on the recipient type:

Mailboxes

Groups

Resources

Contacts

Shared

3. On the recipient tab, select the recipient you want to modify, and click Edit.

4. In the recipient properties page that appears, click MailTips.

5. Enter the text for the MailTip. When you are finished, click Save.

Use Exchange Online PowerShell to configure MailTips for recipients

To configure a MailTip for a recipient, use the following syntax.

PowerShell

Set-<RecipientType> <RecipientIdentity> -MailTip "<MailTip text>"

<RecipientType> can be any type of recipient. For example, Mailbox, MailUser, MailContact, DistributionGroup, or DynamicDistributionGroup.

For example, suppose you have a mailbox named "Help Desk" for users to submit
support requests, and the promised response time is two hours. To configure a custom
MailTip that explains this, run the following command:

PowerShell

Set-Mailbox "Help Desk" -MailTip "A Help Desk representative will contact you within 2 hours."

Use Exchange Online PowerShell to configure additional MailTips in different languages

To configure additional MailTip translations without affecting the existing MailTip text or other existing MailTip translations, use the following syntax:

PowerShell

Set-<RecipientType> <RecipientIdentity> -MailTipTranslations @{Add="<culture1>:<localized text 1>","<culture2>:<localized text 2>"...; Remove="<culture1>:<localized text 1>","<culture2>:<localized text 2>"...}

<culture> is a valid ISO 639 two-letter culture code associated with the language.

For example, suppose the mailbox named Notifications currently has the MailTip: "This
mailbox is not monitored." To add the Spanish translation, run the following command:

PowerShell

Set-Mailbox Notifications -MailTipTranslations @{Add="ES:Esta caja no se supervisa."}

How do you know this worked?

To verify that you have successfully configured a MailTip for a recipient, do the
following:

1. In Outlook on the web or Outlook 2010 or later, compose an email message addressed to the recipient, but don't send it.

2. Verify the MailTip appears in the InfoBar.

3. If you configured additional MailTip translations, compose the message in Outlook on the web where the language setting matches the language of the MailTip translation to verify the results.
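As an added example (not part of the Microsoft article), the following function wraps the Set-<RecipientType> -MailTip and -MailTipTranslations calls described above, enforces the 175-character limit before anything is sent to the service, and reads MailTipTranslations back for verification. It generalizes the page's single-mailbox example to any of the recipient types listed above. It assumes an Exchange Online PowerShell session; the function name, the recipient "Notifications" and the sample texts are constructed values.

```powershell
# Added example (not from the Microsoft article): set a custom MailTip and its
# translations on one recipient, checking the 175-character limit up front, then
# read MailTipTranslations back to confirm what was stored. Assumes an Exchange
# Online PowerShell session; function name and sample values are assumptions.

function Set-RecipientMailTipWithTranslations {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Identity,
        [Parameter(Mandatory)] [string]$MailTip,
        # Keys are ISO 639 culture codes (for example ES, FR); values are the localized text.
        [hashtable]$Translations = @{},
        # Any recipient type that supports -MailTip, as in the Set-<RecipientType> syntax.
        [ValidateSet('Mailbox', 'MailUser', 'MailContact', 'DistributionGroup', 'DynamicDistributionGroup')]
        [string]$RecipientType = 'Mailbox'
    )

    $maxLength = 175   # displayed-character limit stated in the article
    $tooLong = @(@($MailTip) + @($Translations.Values) | Where-Object { $_.Length -gt $maxLength })
    if ($tooLong.Count -gt 0) {
        throw "MailTip text longer than $maxLength characters: $($tooLong -join ' | ')"
    }

    $setCmdlet = "Set-$RecipientType"
    $getCmdlet = "Get-$RecipientType"

    # Default text; Exchange wraps it in <html><body>...</body></html> itself, and
    # this call also refreshes the default entry in MailTipTranslations.
    & $setCmdlet -Identity $Identity -MailTip $MailTip

    if ($Translations.Count -gt 0) {
        # One "<culture>:<text>" entry per language for the Add hashtable; translations
        # for cultures not listed here are left untouched.
        $entries = foreach ($culture in $Translations.Keys) {
            '{0}:{1}' -f ([string]$culture).ToUpperInvariant(), $Translations[$culture]
        }
        & $setCmdlet -Identity $Identity -MailTipTranslations @{ Add = $entries }
    }

    # Return what is actually stored so the caller can verify it.
    & $getCmdlet -Identity $Identity | Select-Object Name, MailTip, MailTipTranslations
}

# Usage (sample values):
# Set-RecipientMailTipWithTranslations -Identity 'Notifications' `
#     -MailTip 'This mailbox is not monitored.' `
#     -Translations @{ ES = 'Esta caja no se supervisa.' }
```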

MailTips over organization relationships in Exchange Online
Article • 02/22/2023

Exchange Online allows you to configure organization relationships with other Exchange
organizations. Establishing an organization relationship allows you to enhance the user
experience when dealing with the other organization. For example, you can share free or
busy data, configure secure message flow, and enable message tracking across both
organizations.

Controlling the MailTips access level

You may want to restrict certain types of MailTips. You can either allow all MailTips to be
returned or allow only a limited set that would prevent NDRs. You can configure this
setting with the MailTipsAccessLevel parameter on the Set-OrganizationRelationship
cmdlet. The following table shows which MailTips are returned over the organization
relationship.

MailTip: Large Audience
    Access level All: Yes
    Access level Limited: No

MailTip: Automatic Replies
    Access level All: Yes. If the remote domain of the recipient is specified as internal, the internal automatic reply is displayed. Otherwise, the external automatic reply is displayed.
    Access level Limited: Yes. The external automatic reply is displayed.

MailTip: Moderated Recipient
    Access level All: Yes
    Access level Limited: No

MailTip: Oversize Message
    Access level All: Yes
    Access level Limited: Yes

MailTip: Restricted Recipient
    Access level All: Yes
    Access level Limited: Yes

MailTip: Mailbox Full
    Access level All: Yes
    Access level Limited: No

MailTip: Custom MailTips
    Access level All: Yes
    Access level Limited: No

MailTip: External Recipients
    Access level All: Yes. If the remote domain of the recipient is specified as internal, this MailTip is suppressed. Otherwise, the external MailTip is returned.
    Access level Limited: Yes. If the remote domain of the recipient is specified as internal, this MailTip is suppressed. Otherwise, the external MailTip is returned.

For detailed steps about how to configure MailTips access levels, see Manage MailTips
for organization relationships.

Controlling the MailTips access scope

When you enable MailTips over an organization relationship and set the access level to All, the recipient-specific MailTips (Mailbox Full, Automatic Replies, and custom MailTips) are returned for all users. However, you may only want to allow these MailTips for a specific set of users. For example, if you set up an organization relationship with a partner, you may want to allow these MailTips only for the users that work with that partner.

To achieve this, you need to first create a group and add all users for whom you want to
share recipient-specific MailTips to that group. You can then specify that group on the
organization relationship.

After you implement this restriction, your Client Access servers will first verify whether
the recipient for whom they received a MailTips query is part of this group. If the
recipient is a member of this group, the Client Access servers will proxy back all MailTips
including the recipient-specific MailTips. Otherwise they won't include the recipient-
specific MailTips in their response.

For detailed steps about how to configure MailTips access levels, see Manage MailTips for organization relationships.

Manage MailTips for organization relationships in Exchange Online
Article • 02/22/2023

You can use Exchange Online PowerShell to configure custom settings for MailTips
between various organizations.

By establishing an organizational relationship, you can enhance the user experience for
both organizations by sharing free/busy data, configuring secure message flow, and
enabling message tracking. For more information about organizational relationships, see
MailTips over organization relationships.

You can use various settings to control how MailTips are used between two
organizations that have established an organizational relationship. The procedures in
this section illustrate these various controls. In all examples, the on-premises
organization is contoso.com, the remote organization is online.contoso.com, and the
organizational relationship is named Contoso Online.

You use the Set-OrganizationRelationship cmdlet to configure these settings.

What do you need to know before you begin?

Estimated time to complete each procedure: 5 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "MailTips" entry in the
Feature permissions in Exchange Online topic.

You can only use Exchange Online PowerShell to perform this procedure.

For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to enable or disable MailTips between two organizations

This example configures the organizational relationship so that MailTips are returned to
senders in the remote organization when composing messages to recipients in your
organization.

PowerShell

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessEnabled $true

This example configures the organizational relationship to prevent MailTips from being
returned to senders in the remote organization when composing messages to recipients
in your organization.

PowerShell

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessEnabled $false

For detailed syntax and parameter information, see Set-OrganizationRelationship.

Use Exchange Online PowerShell to configure which MailTips are returned to the remote organization
For each organizational relationship, you can determine which set of MailTips are
returned to senders in the other organization. This example configures the
organizational relationship so that all MailTips are returned.

PowerShell

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessLevel All

This example configures the organizational relationship so that only the Automatic
Replies, Oversize Message, Restricted Recipient, and Mailbox Full MailTips are returned.

PowerShell

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessLevel Limited


This example configures the organizational relationship so that no MailTips are returned.

Note

Don't use this method to disable MailTips for this relationship. To disable MailTips,
set the MailTipsAccessEnabled parameter to $false .

PowerShell

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessLevel None

For detailed syntax and parameter information, see Set-OrganizationRelationship.

Use Exchange Online PowerShell to configure a specific group of users for whom recipient-specific MailTips are returned
You can restrict the return of recipient-specific MailTips to a specific group of users. By
default, when you enable MailTips for an organizational relationship, the following
recipient-specific MailTips are returned for all users:

Automatic Replies

Mailbox Full

Custom MailTip

You can specify a MailTips access group on the organizational relationship. After you
specify a group, the recipient-specific MailTips are returned only for mailboxes, mail
contacts, and mail users that are members of that group. This example configures the
organizational relationship to return recipient-specific MailTips only for members of the
ShareMailTips@contoso.com group.

PowerShell

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessScope ShareMailTips@contoso.com

For detailed syntax and parameter information, see Set-OrganizationRelationship.
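The three settings above (MailTipsAccessEnabled, MailTipsAccessLevel and MailTipsAccessScope) are easy to leave in a state that shares more than intended. The following script is an added example, not code from the Microsoft article: it reads every organization relationship back with Get-OrganizationRelationship, reports the three MailTips properties, and flags relationships that return all MailTips to the remote organization without a scope group. The second function applies the article's recommended narrowing (Limited level plus a scope group) and reads the object back to confirm it. It assumes an existing Exchange Online PowerShell session; the group name ShareMailTips@contoso.com is the article's own sample value.

```powershell
# Added example (not from the Microsoft article): audit MailTips settings on every
# organization relationship and flag the ones that share all recipient-specific
# MailTips with the remote organization without a scope group.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

function Get-MailTipsExposureReport {
    [CmdletBinding()]
    param()

    foreach ($rel in Get-OrganizationRelationship) {
        # These are the same properties that Set-OrganizationRelationship configures.
        $enabled = $rel.MailTipsAccessEnabled
        $level   = $rel.MailTipsAccessLevel        # None, Limited or All
        $scope   = $rel.MailTipsAccessScope        # group that limits recipient-specific tips

        # "All" with no scope group means Custom MailTips, Automatic Replies and
        # Mailbox Full are returned for every mailbox to the remote organization.
        $finding = if (-not $enabled) {
            'MailTips disabled for this relationship'
        } elseif ($level -eq 'All' -and -not $scope) {
            'All MailTips shared with no scope group; consider -MailTipsAccessLevel Limited or a -MailTipsAccessScope group'
        } elseif ($level -eq 'None') {
            'Access level None: the article says to disable with -MailTipsAccessEnabled $false instead'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Relationship    = $rel.Name
            RemoteDomains   = (@($rel.DomainNames) -join ', ')
            MailTipsEnabled = $enabled
            AccessLevel     = $level
            ScopeGroup      = if ($scope) { "$scope" } else { '(none)' }
            Finding         = $finding
        }
    }
}

# Remediation for the scenario in the article: keep MailTips on, return only the
# Limited set, and restrict recipient-specific tips to members of one group.
function Set-MailTipsLimitedSharing {
    param(
        [Parameter(Mandatory)][string]$Relationship,   # e.g. "Contoso Online"
        [Parameter(Mandatory)][string]$ScopeGroup      # e.g. ShareMailTips@contoso.com
    )
    Set-OrganizationRelationship -Identity $Relationship -MailTipsAccessEnabled $true `
        -MailTipsAccessLevel Limited -MailTipsAccessScope $ScopeGroup

    # Read the object back so the caller can confirm the change took effect.
    Get-OrganizationRelationship -Identity $Relationship |
        Select-Object Name, MailTipsAccessEnabled, MailTipsAccessLevel, MailTipsAccessScope
}

Get-MailTipsExposureReport | Format-Table -AutoSize
# Set-MailTipsLimitedSharing -Relationship 'Contoso Online' -ScopeGroup 'ShareMailTips@contoso.com'
```

Run the report before and after a change: the Finding column is the quickest way to spot a relationship whose access level was set to None (which the article warns against) rather than having MailTips disabled outright.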


Add-ins for Outlook in Exchange Online
Article • 05/26/2023

Add-ins for Outlook are applications that extend the usefulness of Outlook clients by
adding information or tools that your users can use without having to leave Outlook.
Add-ins are built by third-party developers and can be installed either from a file or URL
or from the Office Store. By default, all users can install add-ins. Exchange Online admins
can control whether users can install add-ins for Office.

Tip

For information about add-ins for Outlook from an end-user perspective, check out
Installed add-ins . The topic provides an overview of the add-ins and also shows
you some of the add-ins for Outlook that might be installed by default.

Note

The UI support for managing add-ins for Outlook in the EAC will be discontinued.
However, you can still install them using the PowerShell cmdlets described in this topic.

Office Store add-ins and custom add-ins

Outlook clients support a variety of add-ins that are available through the Office Store.
Outlook also supports custom add-ins that you can create and distribute to users in
your organization.

Notes:

Access to the Office Store isn't supported for mailboxes or organizations in specific
regions. For more information, contact your service provider.

URLs with redirections aren't supported in Exchange Server 2016, Exchange Server
2019, and Exchange Online. Use a direct URL to the manifest.

Some add-ins for Outlook are installed by default. Default add-ins for Outlook only
activate on English language content. For example, German postal addresses in the
message body won't activate the Bing Maps add-in.

Add-in access and installation using UI

By default, all users can install and remove add-ins. Exchange Online admins have a
number of controls available for managing add-ins and users' access to them. Admins
can disable users from installing add-ins that aren't downloaded from the Office Store
(instead they are "side loaded" from a file or URL). Admins can also disable users from
installing Office Store add-ins, and from installing add-ins on behalf of other users.

To install add-ins for some or all users in your organization, see Get started with
Integrated apps.

Install add-ins for Outlook using cmdlets

You can manage Outlook add-ins using PowerShell cmdlets as a replacement for the
Add-ins page experience in the classic Exchange admin center.

The following cmdlets are part of the ExchangePowerShell module and are available in
on-premises Exchange and in the cloud-based service. Some parameters and settings
might be exclusive to one environment or the other; see the documentation linked in
each section for the details.

Deploying a new app

Use the New-App cmdlet to install apps for Outlook.

For more information, see New-App (ExchangePowerShell) | Microsoft Learn.

Removing a deployed app

Use the Remove-App cmdlet to uninstall an app. Remove-App can uninstall only apps
that were installed with the New-App cmdlet. Apps installed by default can't be
uninstalled, but they can be disabled.

For more information, see Remove-App (ExchangePowerShell) | Microsoft Learn.

Getting a list of deployed apps

Use the Get-App cmdlet to view installed apps. The Get-App cmdlet returns information
about all installed apps or the details of a specific installed app.

For more information, see Get-App (ExchangePowerShell) | Microsoft Learn.

Updating an app
Use the Set-App cmdlet to modify the availability of organization apps. The Set-App
cmdlet can only be used when configuring the availability of an organization app. This
task requires that the specified app has either been installed using New-App cmdlet or is
a default app for Outlook.

Default apps in Outlook on the web and apps that you've installed for use by users in
your organization are known as organization apps. End users cannot remove
organization apps, but can enable or disable them. If an app is an organization app
(scope - default or organization), the delete control on the toolbar is disabled for end
users. Administrators can remove organization apps. They can't remove default apps but
can disable them for the entire organization.

For more information, see Set-App (ExchangePowerShell) | Microsoft Learn.

Enabling an app
Use the Enable-App cmdlet to enable (turn on) a specific app for a specific user. The
Enable-App cmdlet requires that the specified app has already been installed (for
example, that it has been installed with the New-App cmdlet, or that it's a default app for
Microsoft Outlook).

For more information, see Enable-App (ExchangePowerShell) | Microsoft Learn.

Disabling an app
Use the Disable-App cmdlet to disable (turn off) a specific app for a specific user. The
Disable-App cmdlet requires that the specified app has either been installed using the
New-App cmdlet or is a default app for Microsoft Outlook.

For more information, see Disable-App (ExchangePowerShell) | Microsoft Learn.
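The cmdlets above are listed one at a time; the script below is an added example, not code from the Microsoft article or the ExchangePowerShell module, that puts them together the way an administrator reviewing add-ins would: inventory organization apps with Get-App, flag the ones that request the ReadWriteMailbox permission level (the same capability the "My ReadWriteMailbox Apps" role controls), deploy a custom add-in from a direct manifest URL with New-App, and disable an organization app with Set-App. It assumes an Exchange Online PowerShell session; the manifest URL, pilot user and app id are placeholders, and the property names read from the Get-App output (Scope, DefaultStateForUser, ProvidedTo, RequestedCapabilities) are assumed to match what the cmdlet returns in your tenant.

```powershell
# Added example (not from the Microsoft article): inventory organization add-ins
# with Get-App, flag those that request ReadWriteMailbox, deploy a custom add-in
# from a direct manifest URL, and disable an organization app for everyone.
# Assumes an Exchange Online PowerShell session. URL, user and app id are placeholders.

function Get-OrgAddInReport {
    [CmdletBinding()]
    param()
    # -OrganizationApp limits the output to default and admin-installed apps
    # (the ones end users cannot remove, only enable or disable).
    foreach ($app in Get-App -OrganizationApp) {
        # Property names are assumed to match the Get-App output; verify in your tenant.
        $caps = @($app.RequestedCapabilities) -join ', '
        [pscustomobject]@{
            DisplayName           = $app.DisplayName
            AppId                 = $app.AppId
            Scope                 = $app.Scope               # Default or Organization
            Enabled               = $app.Enabled
            DefaultStateForUser   = $app.DefaultStateForUser # Enabled, Disabled, AlwaysEnabled
            ProvidedTo            = $app.ProvidedTo          # Everyone or SpecificUsers
            RequestedCapabilities = $caps
            # ReadWriteMailbox lets an add-in read and write any item in the mailbox,
            # so those entries are the ones to review first.
            ReviewNeeded          = ($caps -match 'ReadWriteMailbox')
        }
    }
}

function Install-CustomAddIn {
    param(
        [Parameter(Mandatory)][string]$ManifestUrl,   # must be a direct URL; redirects are not supported
        [string[]]$UserList                            # omit to provide the app to everyone
    )
    $params = @{
        OrganizationApp     = $true
        Url                 = $ManifestUrl
        DefaultStateForUser = 'Disabled'   # users opt in; change later with Set-App if needed
    }
    if ($UserList) {
        $params.ProvidedTo = 'SpecificUsers'
        $params.UserList   = $UserList
    } else {
        $params.ProvidedTo = 'Everyone'
    }
    New-App @params
}

function Disable-OrgAddIn {
    param([Parameter(Mandatory)][string]$AppId)
    # Default apps cannot be removed with Remove-App, but they can be disabled org-wide.
    Set-App -Identity $AppId -OrganizationApp -Enabled $false
}

Get-OrgAddInReport | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
# Install-CustomAddIn -ManifestUrl 'https://addins.contoso.example/manifest.xml' -UserList 'pilot@contoso.com'
# Disable-OrgAddIn -AppId '<AppId from the report>'
```

Starting a custom add-in as Disabled for a pilot list, then widening ProvidedTo and DefaultStateForUser with Set-App once it has been reviewed, keeps the blast radius of a mis-built manifest small.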


Specify the administrators and users
who can install and manage add-ins for
Outlook in Exchange Online
Article • 02/22/2023

You can specify which administrators in your organization have permissions to install
and manage add-ins for Outlook. You can also specify which users in your organization
have permission to install and manage add-ins for their own use.

This is done by assigning or removing management roles specific to add-ins. There are
five built-in roles you can use.

Administrative roles
Org Marketplace Apps: Enables an administrator to install and manage add-ins
that are available from the Office Store for their organization.
Org Custom Apps: Enables an administrator to install and manage custom add-ins
for their organization.

By default, all administrators who are in the Organization Management role group have
both of the above administrative roles enabled.

User roles
My Marketplace Apps: Enables a user to install and manage Office Store add-ins
for their own use.
My Custom Apps: Enables a user to install and manage custom add-ins for their
own use.
My ReadWriteMailbox Apps: Enables a user to install and manage add-ins that
request the ReadWriteMailbox permission level in their manifest.

By default, all end users have all of the above user roles enabled.

Note

If you are testing Outlook add-ins and none are showing up, then as a first
troubleshooting step, use the Get-OrganizationConfig PowerShell cmdlet to query
the AppsForOfficeEnabled parameter. If the query returns a value of False, set this
parameter to True using the Set-OrganizationConfig cmdlet and then add-ins
should appear as expected.

We do not recommend that the AppsForOfficeEnabled parameter be set to False. A
value of False will override all of the above Administrative and User role settings
and prevent any new apps from being activated by any user in the organization.

For information about add-ins, see Add-ins for Outlook.

What do you need to know before you begin?

Estimated time to complete: 5 minutes.

You need to be assigned permissions before you can run this cmdlet. Although all
parameters for this cmdlet are listed in this topic, you may not have access to
some parameters if they're not included in the permissions assigned to you. To see
what permissions you need, see the "Role assignments" entry in the Feature
permissions in Exchange Online topic.

Access to the Office Store isn't supported for mailboxes or organizations in specific
regions. If you don't see Add from the Office Store as an option in the Exchange
admin center under Organization > Add-ins > New, you may be able to install
an add-in for Outlook from a URL or file location. For more information, contact
your service provider.

Note

URLs with redirections are not supported in Exchange Server 2016, Exchange
Server 2019, and Exchange Online. Use a direct URL to the manifest.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Assign administrators the permissions required to install and manage add-ins for your organization

Use the new EAC to assign permissions to administrators

You can use the new Exchange admin center (EAC) to assign administrators the
permissions required to install and manage add-ins that are available from the Office
Store for your organization.

1. Log in to the new EAC as a global administrator.
2. Go to Roles, and then select Admin Roles.
3. Select an existing group or create a new one.
4. If you are modifying an existing role, go to Permissions, add the permissions
required to install and manage add-ins, and then click Save. If you are creating a
new group, follow the wizard.

For detailed information about how to do this, see Manage role groups in Exchange
Online.

Assign users the permissions required to install and manage add-ins for their own use

Use the classic EAC to assign permissions to users

You can use the classic EAC to assign users the permissions required to view and modify
custom add-ins for their own use.

1. Log in to the classic EAC as a global administrator.
2. Go to Permissions, and then select User Roles.
3. Select an existing role assignment policy or create a new one.
4. Type a name for the policy if you are creating a new one.
5. Select some or all of the roles: My Custom Apps, My MarketPlace Apps, and My
ReadWriteMailbox Apps.
6. Click Save.

For detailed information about how to do this, see Manage role groups in Exchange
Online.

Prevent add-in downloads by turning off the Office Store across Outlook

The following steps will ensure that all end users with the default policy will no longer
be able to install or manage Add-ins for Outlook.

1. Log in to the EAC as a global administrator.
2. Go to Permissions, and then select User Roles.
3. Double-click Default Role with Add-Ins Management to open the edit window.
4. Modify Default Role Assignment Policy by deselecting My Custom Apps, My
MarketPlace Apps, and My ReadWriteMailbox Apps.
5. Click Save.

Note

If a user is assigned a single admin role (for example, Security Reader), removing
the user roles My Custom Apps, My MarketPlace Apps, and My
ReadWriteMailbox Apps will not prevent add-in downloads for the user. Our
recommendation is to have separate accounts for admin privileges and end-user
day-to-day use.

How do you know this worked?

To verify that you've successfully assigned permissions for a user, replace <Role Name>
with the name of the role to verify, and run the following command in Exchange Online
PowerShell:

PowerShell

Get-ManagementRoleAssignment -Role "<Role Name>" -GetEffectiveUsers

This example shows you how to verify whom you've assigned permissions to install add-
ins from the Office Store for the organization.

PowerShell

Get-ManagementRoleAssignment -Role "Org Marketplace Apps" -GetEffectiveUsers

In the results, review the entries in the Effective Users column.

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.
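The verification command above checks one role at a time. As an added example (not code from the Microsoft article), the script below runs the same Get-ManagementRoleAssignment -GetEffectiveUsers query for all five add-in roles named in this topic and also reads the AppsForOfficeEnabled setting from the note above, since a False value there overrides every role assignment. It assumes an Exchange Online PowerShell session with permission to run Get-ManagementRoleAssignment and Get-OrganizationConfig.

```powershell
# Added example (not from the Microsoft article): report who effectively holds each
# of the five add-in management roles, and check the org-wide AppsForOfficeEnabled
# switch, which overrides the role settings when it is False.
# Assumes an Exchange Online PowerShell session.

$AddInRoles = @(
    'Org Marketplace Apps',     # admin: Office Store add-ins for the organization
    'Org Custom Apps',          # admin: custom add-ins for the organization
    'My Marketplace Apps',      # user: Office Store add-ins for own use
    'My Custom Apps',           # user: custom (side-loaded) add-ins for own use
    'My ReadWriteMailbox Apps'  # user: add-ins requesting ReadWriteMailbox
)

function Get-AddInRoleReport {
    [CmdletBinding()]
    param([string[]]$Roles = $AddInRoles)

    foreach ($role in $Roles) {
        # -GetEffectiveUsers expands role groups and role assignment policies to the
        # actual users they apply to, which is what the Effective Users column shows.
        $assignments = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -ErrorAction SilentlyContinue
        foreach ($a in $assignments) {
            [pscustomobject]@{
                Role          = $role
                AssignedTo    = $a.RoleAssigneeName
                AssigneeType  = $a.RoleAssigneeType   # RoleGroup, RoleAssignmentPolicy, User, ...
                EffectiveUser = $a.EffectiveUserName
                Enabled       = $a.Enabled
            }
        }
    }
}

function Test-AddInsGloballyEnabled {
    # If this returns False, no add-in can activate regardless of the role assignments.
    [bool](Get-OrganizationConfig).AppsForOfficeEnabled
}

# The roles that allow side-loading or ReadWriteMailbox add-ins are the ones most
# worth reviewing, because a malicious manifest there reaches mailbox content.
Get-AddInRoleReport |
    Where-Object { $_.Role -in 'My Custom Apps', 'My ReadWriteMailbox Apps', 'Org Custom Apps' } |
    Sort-Object Role, EffectiveUser |
    Format-Table -AutoSize

if (-not (Test-AddInsGloballyEnabled)) {
    Write-Warning 'AppsForOfficeEnabled is False: add-in activation is blocked for the whole organization.'
}
```

If a user still appears under My Custom Apps after you removed the role from the Default Role Assignment Policy, look at the AssigneeType column: the note above explains that a direct admin role assignment keeps add-in installation working for that account.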


Using third-party add-ins for online
meetings in Outlook for iOS and
Android in Exchange Online
Article • 02/22/2023

Setting up an online meeting is a core experience for Outlook users. To meet the needs
of an increasing number of remote workers and students, Outlook for iOS and Android
has enabled add-ins to provide online meetings from third-party providers such as
Zoom, BlueJeans, and Webex (among others). End-users in your organization will be
able to use these add-ins to set up online meetings on third-party platforms.

Note

Both Outlook for iOS and Android support joining meetings from third-party online
meeting providers. In addition, Outlook for Android also supports creating meeting
requests for third-party online meeting providers.

How to enable third-party online meeting integration with Outlook for iOS and Android

Third-party online meeting integration is handled by add-ins that have enabled this
functionality specifically for Outlook for iOS and Android. To set up this third-party
meeting creation experience, an Exchange Online administrator must install the
supported add-in(s) to the mailbox of an end user. Once installed, the third-party
meeting creation button will appear on users' screens instead of a Microsoft Teams or
Skype meeting button.

Note

Add-ins installed by your end users will not override the default Teams or Skype
functionality.

The add-ins can be deployed using the following admin portals:

If all users are Microsoft 365 or Office 365 users, then use the centralized
deployment portal. Centralized deployment provides the capability to install add-
ins more granularly, such as to sub-groups within a given organization.
If a tenant has users' mailboxes in on-premises Exchange Server, then use the
ECP/EAC portal. More information is available here.

Creating an online meeting with a third-party add-in

The third-party online meeting provider will appear on the event creation screen in
Outlook for iOS and Android, as displayed below. The third-party add-in replaces the
Teams or the Skype buttons, but the button users do see will act in a similar way. After
tapping the toggle button, the online meeting URL and text is retrieved from the third-
party service and is inserted into the meeting body.

Users cannot save the meeting until the online meeting details have been retrieved.

Meeting providers displayed in the New Event screen

On a user's New Event screen, only a single meeting provider will be shown. If there are
multiple options, the logic to select which provider is displayed is as follows:

Priority 1: Any custom online meeting add-ins that are installed (this is a developer
scenario also known as "side loading").

Priority 2: An online meeting add-in that was installed by an administrator.

Default selection: If there are no admin-installed online Web conferencing add-ins,
the default option of Teams and Skype will be shown, as described in this article.

Note

Installing multiple add-in providers for online meetings on a user's device isn't
supported and may result in unexpected behavior.

Developing add-ins for remote meetings in Outlook for iOS and Android

Add-in developers need to add the MobileOnlineMeetingCommandSurface extension
point in their add-in manifest.

Information for add-in developers is available in Create an Outlook mobile add-in for an
online-meeting provider.

Capabilities exposed to online meeting add-ins include:

UI-less command. Online meeting add-ins can only run in a UI-less mode, which
means the add-ins don't have the capability to launch a task pane.
Display dialogue. Login flow can be handled using full-screen dialog.
The specific APIs that are exposed are listed here.

How users join meetings

Support for third-party remote meeting add-ins includes making it easy for users to join
meetings. A Join button gets added to users' calendar events in Outlook for iOS and
Android. Clicking Join will launch the online meeting app, if the user has it installed. If
the app is not installed, the browser will launch and guide the user through the process
to join the meeting.

Note that recipients of meeting invitations don't need to have the add-in for the
corresponding third-party meeting provider installed on their devices in order to join
the meeting.

Remote Connectivity Analyzer tests for Exchange Online
Article • 02/22/2023

The Microsoft Exchange Remote Connectivity Analyzer (ExRCA) helps you make sure
that connectivity for your Exchange service is set up correctly. If you're having problems,
it can also help you find and fix these problems. The ExRCA website can run tests to
check for Microsoft Exchange ActiveSync, Exchange Web Services, Microsoft Outlook,
and internet email connectivity.

Remote Connectivity Analyzer tests

You can perform several tests with the ExRCA. The following tests work on Exchange
2010 and later versions, including Exchange Online:

Exchange DNS (only available in the Office 365 tab)

Exchange ActiveSync

Exchange Web Services

Outlook

Internet email

Exchange Domain Name Server (DNS) tests

You can run the following tests for Exchange DNS:

Help Identify My Issue with Exchange DNS (only available in the Office 365 tab):
This test will check the external domain name settings for your verified domain in
Office 365. The test will look for issues with mail delivery such as not receiving
incoming email from the Internet and Outlook client connectivity issues that
involve connecting to Outlook and Exchange Online.

Exchange ActiveSync tests

You can run the following tests for Exchange ActiveSync:

Exchange ActiveSync: This test simulates the steps that a mobile device uses to
connect to an Exchange server using Exchange ActiveSync.

Exchange Web Services connectivity tests

The Exchange Web Services tests check the settings for many of the Exchange Web
Services. You can run the following tests for Exchange Web Services:

Synchronization, Notification, Availability, and Automatic Replies: These tests
walk through many basic Exchange Web Services tasks to confirm that they're
working. This is useful for IT administrators who want to troubleshoot external
access using Entourage EWS or other Web Services clients.

Service Account Access (Developers): This test verifies a service account's ability
to access a specified mailbox, create and delete items in it, and access it via
Exchange impersonation. This test is primarily used by application developers to
test the ability to access mailboxes with alternate credentials.

Free/Busy (only available in the Office 365 tab): This test verifies that an Office
365 mailbox can access the free/busy information of an on-premises mailbox, and
vice versa (one direction per test run).

Microsoft Office Outlook Connectivity tests

You can run the following tests for Outlook connectivity:

Outlook Connectivity: This test walks through the steps Outlook uses to connect
from the internet. It tests connectivity using both the RPC over HTTP and the MAPI
over HTTP protocols.

Internet email tests

You can run the following tests for internet email:

Inbound SMTP E-Mail: This test walks through the steps an internet email server
uses to send inbound SMTP email to your domain.

Outbound SMTP E-Mail: This test checks your outbound IP address for certain
requirements. This includes Reverse DNS, Sender ID, and RBL checks.

POP Email: This test walks through the steps an email client uses to connect to a
mailbox using POP3.

IMAP Email: This test walks through the steps an email client uses to connect to a
mailbox using IMAP.

Client Access Rules in Exchange Online
Article • 03/17/2023

Summary: Learn how administrators can use Client Access Rules to allow or block different types of client connections to Exchange
Online.

Client Access Rules help you control access to your Exchange Online organization based on client properties or client access requests.
Client Access Rules are like mail flow rules (also known as transport rules) for client connections to your Exchange Online organization.
You can prevent clients from connecting to Exchange Online based on their IP address (IPv4 and IPv6), authentication type, and user
property values, and the protocol, application, service, or resource that they're using to connect. For example:

Allow access to Exchange ActiveSync clients from specific IP addresses, and block all other ActiveSync clients.
Block access to Exchange Web Services (EWS) for users in specific departments, cities, or countries/regions.
Block access to an offline address book (OAB) for specific users based on their usernames.
Prevent client access using federated authentication.
Prevent client access using Exchange Online PowerShell.
Block access to the classic Exchange admin center (EAC) for users in a specific country or region.

For Client Access Rule procedures, see Procedures for Client Access Rules in Exchange Online.

Note

Block service account access when using EWS impersonation is not supported with Client Access Rules.

Beginning in October 2022, we've disabled access to client access rules for all existing Exchange Online organizations that weren't
using them. In October 2023, support for client access rules will end for all Exchange Online organizations. For more information,
see Deprecation of Client Access Rules in Exchange Online .

Client Access Rule components

A rule is made of conditions, exceptions, an action, and a priority value.

Conditions: Identify the client connections to apply the action to. For a complete list of conditions, see the Client Access Rule
conditions and exceptions section later in this topic. When a client connection matches the conditions of a rule, the action is
applied to the client connection, and rule evaluation stops (no more Rules are applied to the connection).

Exceptions: Optionally identify the client connections that the action shouldn't apply to. Exceptions override conditions and
prevent the rule action from being applied to a connection, even if the connection matches all of the configured conditions. Rule
evaluation continues for client connections that are allowed by the exception, but a subsequent rule could still affect the
connection.

Action: Specifies what to do to client connections that match the conditions in the rule, and don't match any of the exceptions.
Valid actions are:

Allow the connection (the AllowAccess value for the Action parameter).

Block the connection (the DenyAccess value for the Action parameter).

Note: When you block connections for a specific protocol, other applications that rely on the same protocol might also be
affected.

Priority: Indicates the order that the rules are applied to client connections (a lower number indicates a higher priority). The
default priority is based on when the rule is created (older rules have a higher priority than newer rules), and higher priority rules
are processed before lower priority rules. Remember, rule processing stops once the client connection matches the conditions in
the rule.

For more information about setting the priority value on rules, see Use Exchange Online PowerShell to set the priority of Client
Access Rules.

How Client Access Rules are evaluated

The following table describes how multiple rules with the same condition are evaluated, and how a rule with multiple conditions,
condition values, and exceptions is evaluated.

Component: Multiple rules that contain the same condition
Logic: The first rule is applied, and subsequent rules are ignored
Comments: For example, if your highest priority rule blocks Outlook on the web connections, and you create another rule that
allows Outlook on the web connections for a specific IP address range, all Outlook on the web connections are still blocked by the
first rule. Instead of creating another rule for Outlook on the web, you need to add an exception to the existing Outlook on the web
rule to allow connections from the specified IP address range.

Component: Multiple conditions in one rule
Logic: AND
Comments: A client connection must match all conditions in the rule. For example, EWS connections from users in the Accounting
department.

Component: One condition with multiple values in a rule
Logic: OR
Comments: For conditions that allow more than one value, the connection must match any one (not all) of the specified values.
For example, EWS or IMAP4 connections.

Component: Multiple exceptions in one rule
Logic: OR
Comments: If a client connection matches any one of the exceptions, the action is not applied to the client connection. The
connection doesn't have to match all the exceptions. For example, IP address 19.2.168.1.1 or Basic authentication.

You can test how a specific client connection would be affected by Client Access Rules (which rules would match and therefore affect
the connection). For more information, see Use Exchange Online PowerShell to test Client Access Rules.

Note

Client Access Rules are evaluated after authentication and cannot be used to block raw connection or authentication attempts.

Important notes

Client connections from your internal network

Connections from your local network aren't automatically allowed to bypass Client Access Rules. Therefore, when you create Client
Access Rules that block client connections to Exchange Online, you need to consider how connections from your internal network
might be affected. The preferred method to allow internal client connections to bypass Client Access Rules is to create a highest
priority rule that allows client connections from your internal network (all or specific IP addresses). That way, the client connections are
always allowed, regardless of any other blocking rules that you create in the future.

Client Access Rules and middle-tier applications

Many applications that access Exchange Online use a middle-tier architecture (clients talk to the middle-tier application, and the
middle-tier application talks to Exchange Online). A Client Access Rule that only allows access from your local network might block
middle-tier applications. So, your rules need to allow the IP addresses of middle-tier applications.

Middle-tier applications owned by Microsoft (for example, Outlook for iOS and Android) will bypass blocking by Client Access Rules,
and will always be allowed. To provide additional control over these applications, you need to use the control capabilities that are
available in the applications.

Timing for rule changes

To improve overall performance, Client Access Rules use a cache, which means changes to rules don't immediately take effect. The first
rule that you create in your organization can take up to 24 hours to take effect. After that, modifying, adding, or removing rules can
take up to one hour to take effect.

Administration

You can only use PowerShell to manage Client Access Rules, so you need to be careful about rules that block your access to remote
PowerShell. If you create a rule that blocks your access to remote PowerShell, or if you create a rule that blocks all protocols for
everyone, you'll lose the ability to fix the rules yourself. You'll need to call Microsoft Customer Service and Support, and they will create
a rule that gives you remote PowerShell access from anywhere so you can fix your own rules. Note that it can take up to one hour for
this new rule to take effect.

As a best practice, create a Client Access Rule with the highest priority to preserve your access to remote PowerShell. For example:

PowerShell

New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1
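The notes above give the rule-ordering logic in prose: first match wins, internal networks are not exempt, middle-tier apps need their own allow entries, and a rule that blocks remote PowerShell locks you out. The script below is an added example, not code from the Microsoft article, that applies that logic in the order the article recommends: the two highest-priority allow rules (remote PowerShell, then the internal network) are created before a blocking rule, and Test-ClientAccessRule, which the article points to for testing, is then run against sample connections to show which rules would match. It assumes an Exchange Online PowerShell session and an organization where Client Access Rules are still enabled; the IP ranges, department, user names and authentication types are constructed placeholders.

```powershell
# Added example (not from the Microsoft article): create the allow rules the article
# recommends first, then a narrow deny rule, then test sample connections with
# Test-ClientAccessRule before relying on the rules. Addresses, department and user
# names are placeholders. Rule changes can take up to an hour (or 24 hours for the
# first rule) to take effect, so test results reflect the cached rule set.

$InternalRanges = '203.0.113.0/24', '2001:DB8::/64'   # constructed documentation ranges

function New-SafeClientAccessRuleSet {
    [CmdletBinding()]
    param()

    # Priority 1: never lock yourself out of the only management interface for these rules.
    New-ClientAccessRule -Name 'Always Allow Remote PowerShell' -Action AllowAccess `
        -AnyOfProtocols RemotePowerShell -Priority 1

    # Priority 2: the internal network is not exempt by default, so allow it explicitly.
    # Add the addresses of any middle-tier applications here as well.
    New-ClientAccessRule -Name 'Allow internal network' -Action AllowAccess `
        -AnyOfClientIPAddressesOrRanges $InternalRanges -Priority 2

    # Priority 3: block EWS for one department unless the connection is internal.
    # Evaluation stops at the first matching rule, so the allow rules above already win
    # for internal connections; the exception documents the same intent inside this rule.
    New-ClientAccessRule -Name 'Block EWS for Finance from outside' -Action DenyAccess `
        -AnyOfProtocols ExchangeWebServices `
        -UserRecipientFilter "Department -eq 'Finance'" `
        -ExceptAnyOfClientIPAddressesOrRanges $InternalRanges -Priority 3
}

function Test-SampleConnections {
    param(
        [string]$FinanceUser = 'finance.user@contoso.com',   # placeholder, Department = Finance
        [string]$AdminUser   = 'admin@contoso.com'           # placeholder
    )
    # Each case is one simulated client connection; Test-ClientAccessRule returns the
    # rules that would match it, so an empty result means no rule applies.
    $cases = @(
        @{ Label = 'Finance EWS from internet';      User = $FinanceUser; Protocol = 'ExchangeWebServices'; Auth = 'OAuthAuthentication'; Address = '198.51.100.7' }
        @{ Label = 'Finance EWS from inside';        User = $FinanceUser; Protocol = 'ExchangeWebServices'; Auth = 'OAuthAuthentication'; Address = '203.0.113.10' }
        @{ Label = 'Admin PowerShell from internet'; User = $AdminUser;   Protocol = 'RemotePowerShell';    Auth = 'BasicAuthentication'; Address = '198.51.100.7' }
    )
    foreach ($c in $cases) {
        $matched = Test-ClientAccessRule -User $c.User -Protocol $c.Protocol `
            -AuthenticationType $c.Auth -RemoteAddress $c.Address -RemotePort 443
        [pscustomobject]@{
            Case          = $c.Label
            MatchingRules = (@($matched | ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

# New-SafeClientAccessRuleSet
# Test-SampleConnections | Format-Table -AutoSize
```

The order of the three New-ClientAccessRule calls is the point: if the deny rule were created first and the allow rules never followed, the first-match behaviour described in the table above would block the department's internal EWS traffic as well, and a similar mistake on the RemotePowerShell protocol is exactly the lock-out the article says requires a support call to undo.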

Authentication types and protocols in Client Access Rules

Not all authentication types are supported for all protocols in Client Access Rules. The supported authentication types per protocol are
as follows (authentication types not listed for a protocol are n/a):

ExchangeActiveSync: BasicAuthentication, CertificateBasedAuthentication, OAuthAuthentication

ExchangeAdminCenter (1): AdfsAuthentication, BasicAuthentication

IMAP4: BasicAuthentication, OAuthAuthentication

OutlookWebApp: AdfsAuthentication, BasicAuthentication

POP3: BasicAuthentication, OAuthAuthentication

RemotePowerShell: BasicAuthentication, NonBasicAuthentication

(1) This protocol only applies to the classic Exchange admin center (EAC).

Client Access Rule conditions and exceptions

Conditions and exceptions in Client Access Rules identify the client connections that the rule is applied to or not applied to. For
example, if the rule blocks access by Exchange ActiveSync clients, you can configure the rule to allow Exchange ActiveSync connections
from a specific range of IP addresses. The syntax is the same for a condition and the corresponding exception. The only difference is
conditions specify client connections to include, while exceptions specify client connections to exclude.

This table describes the conditions and exceptions that are available in Client Access Rules:

Condition parameter in Exchange Online PowerShell / Exception parameter in Exchange Online PowerShell / Description

AnyOfAuthenticationTypes / ExceptAnyOfAuthenticationTypes

Valid values are:

AdfsAuthentication
BasicAuthentication
CertificateBasedAuthentication
NonBasicAuthentication
OAuthAuthentication

You can specify multiple values separated by commas. You can use
quotation marks around each individual value ("value1","value2"), but
not around all values (don't use "value1,value2").
Note: If specifying ExceptAnyOfAuthenticationTypes,
AnyOfAuthenticationTypes must also be specified.

AnyOfClientIPAddressesOrRanges / ExceptAnyOfClientIPAddressesOrRanges

IPv4 and IPv6 addresses are supported. Valid values are:
A single IP address: For example, 192.168.1.1 or
2001:DB8::2AA:FF:C0A8:640A.
An IP address range: For example, 192.168.0.1-192.168.0.254
or 2001:DB8::2AA:FF:C0A8:640A-2001:DB8::2AA:FF:C0A8:6414.
Classless Inter-Domain Routing (CIDR) IP: For example,
192.168.3.1/24 or 2001:DB8::2AA:FF:C0A8:640A/64.

You can specify multiple values separated by commas.

For more information about IPv6 addresses and syntax, see this
Exchange 2013 topic: IPv6 address basics.

AnyOfProtocols / ExceptAnyOfProtocols

Valid values are:

ExchangeActiveSync
ExchangeAdminCenter (1)
ExchangeWebServices
IMAP4
OfflineAddressBook
OutlookAnywhere (includes MAPI over HTTP)
OutlookWebApp (Outlook on the web)
POP3
PowerShellWebServices
RemotePowerShell
REST

You can specify multiple values separated by commas. You can use
quotation marks around each individual value (" value1","value2"),
but not around all values (don't use "value1,value2").
Note: If you don't use this condition in a rule, the rule is applied to all
protocols.

Scope n/a Specifies the type of connections that the rule applies to. Valid values
are:
Users : The rule only applies to end-user connections.
All : The rule applies to all types of connections (end-users and
middle-tier apps).

UsernameMatchesAnyOfPatterns ExceptUsernameMatchesAnyOfPatterns Accepts text and the wildcard character (*) to identify the user's
account name in the format <Domain>\<UserName> (for example,
contoso.com\jeff or *jeff* , but not jeff* ). Non-alphanumeric
characters don't require an escape character.
You can specify multiple values separated by commas.

UserRecipientFilter n/a Uses OPath filter syntax to identify the user that the rule applies to.
For example, "City -eq 'Redmond'" . The filterable attributes are:

City
Company
CountryOrRegion
CustomAttribute1 to CustomAttribute15
Department
Office
PostalCode
StateOrProvince
StreetAddress
The search criteria uses the syntax "<Property> -<Comparison
operator> '<Value>'" .
<Property> is a filterable property.
-<Comparison Operator> is an OPATH comparison operator. For
example -eq for exact matches (wildcards are not supported)
and -like for string comparison (which requires at least one
wildcard in the property value). For more information about
comparison operators, see about_Comparison_Operators.
<Value> is the property value. Text values with or without
spaces or values with wildcards (*) need to be enclosed in
quotation marks (for example, '<Value>' or '*<Value>' ). Don't
use quotation marks with the system value $null (for blank
values).

You can chain multiple search criteria together using the logical
operators -and and -or . For example, "<Criteria1> -and
<Criteria2>" or "(<Criteria1> -and <Criteria2>) -or <Criteria3>" .
For more information about OPATH filter syntax, see Additional
OPATH syntax information.

1
This protocol only applies to the classic Exchange admin center (EAC).
Procedures for Client Access Rules in Exchange Online
Article • 03/17/2023

Summary: Learn how to view, create, modify, delete, and test Client Access Rules in
Exchange Online.

Client Access Rules allow or block client connections to your Exchange Online
organization based on the properties of the connection. For more information about
Client Access Rules, see Client Access Rules in Exchange Online.

Note

Beginning in October 2022, we've disabled access to client access rules for all
existing Exchange Online organizations that weren't using them. In October 2023,
support for client access rules will end for all Exchange Online organizations. For
more information, see Deprecation of Client Access Rules in Exchange Online .

Verify that your rules work the way you expect. Be sure to thoroughly test each rule
and the interactions between rules. For more information, see the Use Exchange
Online PowerShell to test Client Access Rules section later in this topic.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes.

The procedures in this topic are only available in Exchange Online PowerShell. To
learn how to use Windows PowerShell to connect to Exchange Online, see Connect
to Exchange Online PowerShell.

Client Access Rules support IPv4 and IPv6 addresses. For more information about
IPv6 addresses and syntax, see this Exchange 2013 topic: IPv6 address basics.

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "Mail flow" entry in Feature
permissions in Exchange Online.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to view Client Access Rules

To return a summary list of all Client Access Rules, run this command:

PowerShell

Get-ClientAccessRule

To return detailed information about a specific rule, use this syntax:

PowerShell

Get-ClientAccessRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the rule named "Block Client
Connections from 192.168.1.0/24".

PowerShell

Get-ClientAccessRule -Identity "Block Client Connections from 192.168.1.0/24" | Format-List

This example returns only the specified properties for the same rule.

PowerShell

Get-ClientAccessRule -Identity "Block Client Connections from 192.168.1.0/24" | Format-List Name,Priority,Enabled,Scope,Action

For detailed syntax and parameter information, see Get-ClientAccessRule.

Use Exchange Online PowerShell to create Client Access Rules

To create Client Access Rules in Exchange Online PowerShell, use this syntax:

PowerShell

New-ClientAccessRule -Name "<RuleName>" [-Priority <PriorityValue>] [-Enabled <$true | $false>] -Action <AllowAccess | DenyAccess> [<Conditions>] [<Exceptions>]

This example creates a new Client Access Rule named Block ActiveSync that blocks
access for Exchange ActiveSync clients, except for clients in the IP address range
192.168.10.1/24.

PowerShell

New-ClientAccessRule -Name "Block ActiveSync" -Action DenyAccess -AnyOfProtocols ExchangeActiveSync -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1/24

Notes:

As a best practice, create a Client Access Rule with the highest priority to preserve
your administrator access to remote PowerShell. For example:
New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1

The rule has the default priority value, because we didn't use the Priority
parameter. For more information, see the Use Exchange Online PowerShell to set
the priority of Client Access Rules section later in this topic.

The rule is enabled, because we didn't use the Enabled parameter, and the default
value is $true.

This example creates a new Client Access Rule named Restrict EAC Access that blocks
access for the Classic Exchange admin center, except if the client is coming from an IP
address in the 192.168.10.1/24 range or if the user account name contains "tanyas".

PowerShell

New-ClientAccessRule -Name "Restrict EAC Access" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1/24 -ExceptUsernameMatchesAnyOfPatterns *tanyas*

For detailed syntax and parameter information, see New-ClientAccessRule.

How do you know this worked?


To verify that you've successfully created a Client Access Rule, use any of these
procedures:

Run this command in Exchange Online PowerShell to see the new rule in the list of
rules:

PowerShell

Get-ClientAccessRule

Replace <RuleName> with the name of the rule, and run this command to see the
details of the rule:

PowerShell

Get-ClientAccessRule -Identity "<RuleName>" | Format-List

See which Client Access Rules would affect a specific client connection to Exchange
Online by using the Test-ClientAccessRule cmdlet. For more information, see the
Use Exchange Online PowerShell to test Client Access Rules section later in this
topic.

Use Exchange Online PowerShell to modify Client Access Rules

No additional settings are available when you modify a Client Access Rule. They're the
same settings that were available when you created the rule.

To modify a Client Access Rule in Exchange Online PowerShell, use this syntax:

PowerShell

Set-ClientAccessRule -Identity "<RuleName>" [-Name "<NewName>"] [-Priority <PriorityValue>] [-Enabled <$true | $false>] -Action <AllowAccess | DenyAccess> [<Conditions>] [<Exceptions>]

This example disables the existing Client Access Rule named Allow IMAP4.

PowerShell

Set-ClientAccessRule -Identity "Allow IMAP4" -Enabled $false


An important consideration when you modify Client Access Rules is modifying
conditions or exceptions that accept multiple values:

The values that you specify will replace any existing values.
To add or remove values without affecting other existing values, use this syntax:
@{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}

This example adds the IP address range 172.17.17.27/16 to the existing Client Access
Rule named Allow IMAP4 without affecting the existing IP address values.

PowerShell

Set-ClientAccessRule -Identity "Allow IMAP4" -AnyOfClientIPAddressesOrRanges @{Add="172.17.17.27/16"}

For detailed syntax and parameter information, see Set-ClientAccessRule.

How do you know this worked?


To verify that you've successfully modified a Client Access Rule, use any of these
procedures:

Replace <RuleName> with the name of the rule, and run this command to see the
details of the rule:

PowerShell

Get-ClientAccessRule -Identity "<RuleName>" | Format-List

See which Client Access Rules would affect a specific client connection to Exchange
Online by using the Test-ClientAccessRule cmdlet. For more information, see the
Use Exchange Online PowerShell to test Client Access Rules section later in this
topic.

Use Exchange Online PowerShell to set the priority of Client Access Rules

By default, Client Access Rules are given a priority that's based on the order they were
created in (newer rules are lower priority than older rules). A lower priority number
indicates a higher priority for the rule, and rules are processed in priority order (higher
priority rules are processed before lower priority rules). No two rules can have the same
priority.

The highest priority you can set on a rule is 1. The lowest value you can set depends on
the number of rules. For example, if you have five rules, you can use the priority values 1
through 5. Changing the priority of an existing rule can have a cascading effect on other
rules. For example, if you have five rules (priorities 1 through 5), and you change the
priority of a rule from 5 to 2, the existing rule with priority 2 is changed to priority 3, the
rule with priority 3 is changed to priority 4, and the rule with priority 4 is changed to
priority 5.

To set the priority of a Client Access Rule in Exchange Online PowerShell, use this syntax:

PowerShell

Set-ClientAccessRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Disable IMAP4 to 2. Existing rules with
priority numbers from 2 up to the rule's previous position each move down one level
(their priority numbers are increased by 1).

PowerShell

Set-ClientAccessRule -Identity "Disable IMAP4" -Priority 2

Note: To set the priority of a new rule when you create it, use the Priority parameter on
the New-ClientAccessRule cmdlet.

How do you know this worked?


To verify that you've successfully set the priority of a Client Access Rule, use either of
these procedures:

Run this command in Exchange Online PowerShell to see the list of rules and
their Priority values:

PowerShell

Get-ClientAccessRule

Replace <RuleName> with the name of the rule, and run this command:

PowerShell

Get-ClientAccessRule -Identity "<RuleName>" | Format-List Name,Priority


Use Exchange Online PowerShell to remove
Client Access Rules
To remove Client Access Rules in Exchange Online PowerShell, use this syntax:

PowerShell

Remove-ClientAccessRule -Identity "<RuleName>"

This example removes the Client Access Rule named Block POP3.

PowerShell

Remove-ClientAccessRule -Identity "Block POP3"

Note: To disable a Client Access Rule without deleting it, use the Enabled parameter with
the value $false on the Set-ClientAccessRule cmdlet.

For detailed syntax and parameter information, see Remove-ClientAccessRule.

How do you know this worked?


To verify that you've successfully removed a Client Access Rule, run this command in
Exchange Online PowerShell to verify that the rule is no longer listed:

PowerShell

Get-ClientAccessRule

Use Exchange Online PowerShell to test Client Access Rules

To see which Client Access Rules would affect a specific client connection to Exchange
Online, use this syntax:

PowerShell

Test-ClientAccessRule -User <MailboxIdentity> -AuthenticationType <AuthenticationType> -Protocol <Protocol> -RemoteAddress <ClientIPAddress> -RemotePort <TCPPortNumber>

This example returns the Client Access Rules that would match a client connection to
Exchange Online that has these properties:

Authentication type: Basic
Protocol: OutlookWebApp
Remote address: 172.17.17.26
Remote port: 443
User: julia@contoso.com

PowerShell

Test-ClientAccessRule -User julia@contoso.com -AuthenticationType BasicAuthentication -Protocol OutlookWebApp -RemoteAddress 172.17.17.26 -RemotePort 443

For detailed syntax and parameter information, see Test-ClientAccessRule.
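The create, modify, and test procedures above, combined into one guarded rollout as an added example (this is not Microsoft's documentation code). It assumes an existing Exchange Online PowerShell session; the rule names, IP ranges, and user are constructed; the hypothetical Get-EffectiveRule helper treats the lowest-numbered rule returned by Test-ClientAccessRule as the one that takes effect, following the priority-order description on this page.

```powershell
# Added example, not Microsoft's code. Assumes Connect-ExchangeOnline has already
# been run. Rule names, IP ranges, and the user account are constructed values.
$AdminNetwork  = '203.0.113.0/24'     # constructed: where admins run PowerShell
$BranchNetwork = '198.51.100.0/24'    # constructed: range appended to the exception later
$AdminUser     = 'admin@contoso.com'  # constructed: account used for the dry run
$GuardRule     = 'Always Allow Remote PowerShell'
$BlockRule     = 'Block ActiveSync Outside Office'

# Hypothetical helper: which rule would take effect for a given connection?
# Test-ClientAccessRule returns every rule that matches; rules are processed in
# priority order, so the lowest Priority number is assumed to be the effective one.
function Get-EffectiveRule {
    param(
        [string]$User,
        [string]$AuthType,
        [string]$Protocol,
        [string]$Address,
        [int]$Port = 443
    )
    Test-ClientAccessRule -User $User -AuthenticationType $AuthType `
        -Protocol $Protocol -RemoteAddress $Address -RemotePort $Port |
        Sort-Object Priority | Select-Object -First 1
}

# 1. Safety net first: a priority-1 rule that always allows Remote PowerShell,
#    so a later DenyAccess rule cannot lock administrators out of the tenant.
if (-not (Get-ClientAccessRule | Where-Object Name -eq $GuardRule)) {
    New-ClientAccessRule -Name $GuardRule -Action AllowAccess `
        -AnyOfProtocols RemotePowerShell -Priority 1
}

# 2. Prove the safety net wins for an admin connection before adding any block.
$winner = Get-EffectiveRule -User $AdminUser -AuthType OAuthAuthentication `
    -Protocol RemotePowerShell -Address '203.0.113.10'   # constructed admin address
if (-not $winner -or $winner.Action -ne 'AllowAccess') {
    throw "The guard rule is not the effective rule for admin Remote PowerShell; stopping."
}

# 3. Deny Exchange ActiveSync from everywhere except the admin network.
New-ClientAccessRule -Name $BlockRule -Action DenyAccess `
    -AnyOfProtocols ExchangeActiveSync `
    -ExceptAnyOfClientIPAddressesOrRanges $AdminNetwork

# 4. Extend the exception list without replacing it. A plain value here would
#    overwrite $AdminNetwork; the @{Add=...} form appends to the existing values.
Set-ClientAccessRule -Identity $BlockRule `
    -ExceptAnyOfClientIPAddressesOrRanges @{Add=$BranchNetwork}

# 5. Dry-run the finished rule set against constructed sample connections.
$samples = @(
    @{ Label = 'ActiveSync from the internet'; Protocol = 'ExchangeActiveSync'; Address = '192.0.2.25' }
    @{ Label = 'ActiveSync from the branch';   Protocol = 'ExchangeActiveSync'; Address = '198.51.100.7' }
    @{ Label = 'OWA from the internet';        Protocol = 'OutlookWebApp';      Address = '192.0.2.25' }
)
foreach ($s in $samples) {
    $rule = Get-EffectiveRule -User $AdminUser -AuthType BasicAuthentication `
        -Protocol $s.Protocol -Address $s.Address
    $outcome = if ($rule) { "$($rule.Action) by '$($rule.Name)'" } else { 'no rule matched' }
    '{0,-30} {1}' -f $s.Label, $outcome
}
```

With these rules in place, only the first sample should report DenyAccess by the block rule; the branch address falls under the exception and OWA is not covered by any rule.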


Archive, Client, and Compliance & Security feature details
Article • 01/26/2023

Archive features

The following sections describe the archive features of Microsoft Exchange Online
Archiving.

Archive mailbox
Exchange Online Archiving offers users advanced archiving capabilities with the
archive mailbox feature. An archive mailbox is a specialized mailbox that appears
alongside the users' primary mailbox folders in Outlook or Outlook on the web.
Users can access the archive in the same way that they access their primary
mailboxes. In addition, they can search both their archives and primary mailboxes.

Administrators can use the Exchange admin center (EAC) or remote Windows
PowerShell to enable the archive feature for specific users. For more information,
see Enable or disable archive mailboxes in Exchange Online.

Important

Using journaling, transport rules, or auto-forwarding rules to copy messages to
Exchange Online Archiving for the purposes of archiving is not permitted.

A user's archive mailbox is intended for just that user. Microsoft reserves the
right to deny additional archive storage space in instances where a user's
archive mailbox is used to store archive data for other users or in other cases
of inappropriate use.

Move messages to Exchange Online Archiving

Users can drag and drop messages from .pst files into the archive, for easy online
access. Users can also move email items from the primary mailbox to the archive
mailbox automatically, using Archive Policies, to reduce the size and improve the
performance of the primary mailbox.

Import data to the archive
Users can import data to the archive in the following ways:

Import data from a .pst file using Outlook's Import and Export wizard.

Drag email messages from .pst files into the archive.

Drag email messages from the primary mailbox into the archive.

Let archive policies automatically move email messages from the primary
mailbox, based on the age of the messages. For more information, see
Retention Tags and Retention Policies.

Note

Administrators can also use Office 365 Import service to import .pst files to
users' cloud-based archive mailboxes. For more information, see Use network
upload to import PST files to Office 365.

Deleted item recovery

Users can restore items they have deleted from any email folder in their archive.
When an item is deleted, it is kept in the archive's Deleted Items folder. It remains
there until it is manually removed by the user, or automatically removed by
retention policies.

After an item has been removed from the archive's Deleted Items folder, the item is
kept in the archive's Recoverable Items folder for an additional 14 days before
being permanently removed. Users can recover these items using the Recover
Deleted Items feature in Microsoft Outlook or Outlook on the web.

If a user has manually purged an item from the Recoverable Items folder, an
administrator can recover the item within the same 14 day window, through a
feature called Single Item Recovery. This feature allows administrators to conduct a
multi-mailbox search to find purged items and then use the Search-Mailbox
Windows PowerShell cmdlet to move the items from the discovery mailbox to users'
mailboxes. For more information, see Enable or disable single item recovery for a
mailbox.

Note

The Single Item Recovery period is 14 days by default, but it can be customized
in some circumstances.

If an administrator has placed a user's mailbox on In-Place Hold or Litigation
Hold, purged items are retained indefinitely and the 14-day window does not
apply.

Deleted mailbox recovery

When administrators delete users from the on-premises Exchange Server, the users'
archives are also deleted. If the deleted archive mailboxes need to be recovered, the
Microsoft support team can perform this recovery. A recovered archive will contain
all of the mail stored in it at the time it was deleted.

Important

Administrators have 30 days from the time a user's mailbox is deleted to
request an archive mailbox recovery. After 30 days, the archive mailbox is not
recoverable.

Mailbox service redundancy

Archive mailboxes in Exchange Online Archiving are replicated to multiple database
copies, in geographically dispersed Microsoft data centers, to provide data
restoration capability in the event of a messaging infrastructure failure. For large-
scale failures, business continuity management is initiated.

Feature availability
To view feature availability across plans, standalone options, and on-premises
solutions, see Exchange Online Archiving service description.

Enable or disable modern authentication for Outlook in Exchange Online
Article • 02/22/2023

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center , if not already doing so.

While most of the features have been migrated to new EAC, some have been
migrated to other admin centers and remaining ones will soon be migrated to New
EAC. Find features that are not yet there in new EAC at Other Features or use
Global Search that will help you navigate across new EAC.

Modern authentication in Exchange Online enables authentication features like multi-
factor authentication (MFA), smart cards, certificate-based authentication (CBA), and
third-party SAML identity providers. Modern authentication is based on the Active
Directory Authentication Library (ADAL) and OAuth 2.0.

When you enable modern authentication in Exchange Online, Windows-based Outlook
clients that support modern authentication (Outlook 2013 or later) use modern
authentication to connect to Exchange Online mailboxes. For more information, see
How modern authentication works for Office client apps.

When you disable modern authentication in Exchange Online, Windows-based Outlook
clients that support modern authentication use basic authentication to connect to
Exchange Online mailboxes. They don't use modern authentication.

Notes:

Modern authentication is enabled by default in Exchange Online, Skype for
Business Online, and SharePoint Online.

Note

For tenants created before August 1, 2017, modern authentication is turned off by
default for Exchange Online and Skype for Business Online.

Enabling or disabling modern authentication in Exchange Online as described in
this topic only affects modern authentication connections by Windows-based
Outlook clients that support modern authentication (Outlook 2013 or later).

Enabling or disabling modern authentication in Exchange Online as described in
this topic does not affect other email clients that support modern authentication
(for example, Outlook Mobile, Outlook for Mac 2016, and Exchange ActiveSync in
iOS 11 or later). These other email clients always use modern authentication to log
in to Exchange Online mailboxes.

Enabling or disabling modern authentication has no effect on IMAP or POP3
clients. However, if you've enabled security defaults in your organization, POP3 and
IMAP4 are already disabled in Exchange Online. For more information, see What
are security defaults?.

When you enable modern authentication in Exchange Online, Windows-based
Outlook clients that support modern authentication will be prompted to log in
again. Further, the Basic Auth login dialog box and the Modern Auth dialog box
look very different. See the Outlook and Basic Auth section of the Basic Auth and
Exchange Online blog post for details.

You should synchronize the state of modern authentication in Exchange Online
with Skype for Business Online to prevent multiple log in prompts in Skype for
Business clients. For instructions, see Skype for Business Online: Enable your tenant
for modern authentication.

A user with multiple accounts configured in their Outlook profile might receive an
error when they try to connect to their mailbox. For more information, see KB 4516672.

Enable or disable modern authentication in Exchange Online for client connections in
Outlook 2013 or later

Using Exchange Online PowerShell

1. Connect to Exchange Online PowerShell.

2. Do one of these steps:

Run the following command to enable modern authentication connections to
Exchange Online by Outlook 2013 or later clients:

PowerShell

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Note that the previous command does not block or prevent Outlook 2013 or
later clients from using basic authentication connections.

Run the following command to prevent modern authentication connections
(force the use of basic authentication connections) to Exchange Online by
Outlook 2013 or later clients:

PowerShell

Set-OrganizationConfig -OAuth2ClientProfileEnabled $false

3. To verify that the change was successful, run the following command:

PowerShell

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

Using the Microsoft 365 admin center

In the Microsoft 365 admin center , go to Settings > Org Settings > Modern
Authentication. In the Modern authentication flyout that appears, click to enable or
disable Turn on modern authentication for Outlook 2013 for Windows and later
(recommended).

See also
How modern authentication works for Office 2013 and Office 2016 client apps

Set up multi-factor authentication


Backing up email in Exchange Online
Article • 02/22/2023

One of the questions we often hear is "How does Exchange Online back up my data?"
You may be asking this because you're concerned about how to recover your data if
there is a failure. Alternatively, you may be wondering how to recover your data if it gets
accidentally deleted. This topic answers these questions.

How does Exchange Online protect mailbox data?

Lots of things can disrupt service availability, such as hardware failure, natural disasters,
or human error. To ensure that your data is always available and that services continue,
even when unexpected events occur, Exchange Online uses the same technologies
found in Exchange Server. For example, Exchange Online uses the Exchange Server
feature known as Database Availability Groups (DAGs) to replicate Exchange Online
mailboxes to multiple databases in separate Microsoft datacenters.

As a result, you can readily access up-to-date mailbox data in the event of a failure that
affects one of the database copies. In addition to keeping multiple copies of each mailbox
database, the service replicates data between datacenters (data resiliency). If one
datacenter fails, the affected data is served from another datacenter with limited service
interruption, and users experience seamless connectivity.

Note

You can get the latest information related to a service interrupting event by logging
into the Service Health Dashboard. For more information, see How to check
Microsoft 365 service health.

What happens if users accidentally delete data from their mailboxes?

Deleted items are stored in the Deleted Items folder of the mailbox. Items removed
from the Deleted Items folder or deleted by pressing Shift+Delete are most likely
recoverable if they're dealt with promptly.
For more information about how admins can recover deleted items in Exchange Online,
see the following topics:

Recoverable Items folder in Exchange Online.

Enable or disable single item recovery for a mailbox in Exchange Online

Change how long permanently deleted items are kept for an Exchange Online
mailbox.

Note

Point in time restoration of mailbox items is out of scope for the Exchange Online
service, though there might be third-party solutions available that provide this
functionality. Exchange Online offers great retention and recovery support for your
organization's email infrastructure, and your mailbox data is available when you
need it, no matter what happens. For more information about additional options,
see the following topics:

High availability and business continuity


Exchange Online service description
In-place hold and litigation hold
Retention policies
Inactive mailboxes

How do users back up Outlook data?

Exchange Online does not provide a way to perform a traditional backup of mailboxes.
That is, there is no way to restore a mailbox to the state the mailbox was in when the
backup was taken.

However, if you need to provide additional storage for user emails, the best way is to
use Exchange Online Archiving. Using Outlook to back up data into PST files isn't
recommended due to the loss of discoverability and control of the content.

For more information about Exchange Online Archiving, see:

Enable archive mailboxes in the compliance portal

Unlimited archiving in Office 365


For more information about the licensing requirements for Exchange Online Archiving,
see the Exchange Online Archiving service description.

How your data is protected


To learn how the service is protected using Data Resiliency, see Exchange Online Data
Resiliency in Office 365.

When can I restore Outlook data on a Microsoft 365 or Office 365 account without a
license?

After the expiration or removal of a Microsoft 365 or Office 365 license, your data is not
instantly removed. The default retention time is 30 days; this means that you can renew
the license or back up your data to a PST file before the data is entirely removed from
Microsoft 365 or Office 365.

How do users restore Outlook data?


To learn how to restore deleted items in Outlook, see Recover deleted items in Outlook
for Windows .

To learn how to restore deleted items in Outlook on the web (formerly known as
Outlook Web App), see Recover deleted items or email in Outlook on the web .

Offboard a user from Microsoft 365 or Office 365

For more info what to do when a user in your organization leaves, check out Remove a
former employee. This topic discusses the steps you should take and how to secure your
data after an employee leaves your organization.

Accessibility in Exchange Online
Article • 02/22/2023

Microsoft wants to provide the best possible experience for all customers, including
customers with disabilities. This article contains links to articles written for people who
use the screen reader JAWS from Freedom Scientific or who use Narrator, the screen
reader built into Windows 10.

These articles provide help that depends only on specified keyboard shortcuts and a
screen reader.

Technical support for people with disabilities

Microsoft offers free technical support for people with disabilities in many locations
around the world. If you have a disability or have questions related to accessibility,
please contact the Microsoft Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find out the contact
details for your region.

Accessibility help content for the Exchange admin center in Exchange Online

Perform basic tasks

Accessibility in the Exchange admin center in Exchange Online

Get started using a screen reader in the Exchange admin center in Exchange Online

Keyboard shortcuts for the Exchange admin center in Exchange Online

Use a screen reader to open the Exchange admin center in Exchange Online

Use a screen reader to identify your admin role in the Exchange admin center in
Exchange Online

Work with mailboxes

Use a screen reader to add a new equipment mailbox in the Exchange admin
center in Exchange Online

Use a screen reader to add a new room mailbox in the Exchange admin center in
Exchange Online

Use a screen reader to add a new shared mailbox in the Exchange admin center in
Exchange Online

Use a screen reader to edit the mailbox display name in the Exchange admin
center in Exchange Online

Use a screen reader to archive mailbox items in the Exchange admin center in
Exchange Online

Work with distribution groups

Use a screen reader to create a new distribution group in the Exchange admin
center in Exchange Online

Use a screen reader to add members to a distribution group in the Exchange
admin center in Exchange Online

Configure features

Use a screen reader to add a new mail contact in the Exchange admin center in
Exchange Online

Use a screen reader to work with mobile clients in the Exchange admin center in
Exchange Online

Use a screen reader to configure collaboration in the Exchange admin center in
Exchange Online

Use a screen reader to define rules that encrypt or decrypt email messages in the
Exchange admin center in Exchange Online

Use a screen reader to configure mail flow rules in the Exchange admin center
in Exchange Online

Track content with audit and trace

Use a screen reader to run an audit report in the Exchange admin center in
Exchange Online

Use a screen reader to export and review audit logs in the Exchange admin center
in Exchange Online

Use a screen reader to trace an email message in the Exchange admin center in
Exchange Online

Accessibility in the Exchange admin center in Exchange Online
Article • 02/22/2023

The Exchange admin center (EAC) in Exchange Online includes accessibility features that
make it easy for users with limited dexterity, low vision, or other disabilities to work with
files. This means you can use keyboard shortcuts, a screen reader, or a speech
recognition tool to work with the EAC.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Office 365 or Microsoft 365 subscription and admin role to work in the
EAC. Then, open the EAC and get started. For more information about the EAC, see
Exchange admin center in Exchange Online.

Use your browser and keyboard to navigate in the EAC

Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts .

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Microsoft 365 or Office 365 business product or license do I have? and
Exchange Online Service Description.

Open the EAC, and confirm your admin role

Use a screen reader to open the Exchange admin center and check that your global
administrator has assigned you to any admin role group, for example, Organization
Management. You know you are assigned to at least one admin role group if you can
open the EAC. Learn how to Use a screen reader to identify your admin role in the
Exchange admin center.

Explore the EAC user interface

The EAC user interface exists within your web browser as part of Exchange Online.
Within that window, "Office 365 Admin" shows in the title bar. At the left edge of the
title bar is the app launcher that contains the list of Microsoft services and Microsoft 365
or Office applications, including Mail (Outlook.com), Excel, OneNote, and more. On the
right side of the title bar are commands to get notifications, manage your options, get
help, and sign out.

Under the title bar is the name, "Exchange admin center." The left pane lists about a
dozen Exchange administrative categories, for example, dashboard, permissions, and
mail flow. By default, dashboard has the focus.

The administrative category selected in the left feature pane affects the content of the
main window to its right. For example, when you select dashboard in the left pane, all
administrative categories display in the main window list view, along with their
subcategories. Likewise, when you select recipients in the left feature pane, a list of all
user mailbox names and addresses appears in the main window list view.

When you select an item in the main window list view, often a right pane presents a
details view about that item. For example, when you select the permissions
administrative category in the left features pane, a list of admin roles appears in the
main window list view, and the first admin role, Compliance Management, has the
focus. Information about Compliance Management appears in the right pane details
view.

Across the top of the main window list view, a set of menu tabs appears which lists
subcategories for the administrative category that has the focus. For example, when you
select protection in the left feature pane, menu tabs, such as malware filter and spam
filter, appear across the top of the main window. In addition, sometimes a toolbar
appears, with commands such as New, Edit, Delete, and Refresh.

The bottom of the main window is a status bar which indicates how many records are
selected.

Use a screen reader and keyboard shortcuts

The EAC includes accessible names that can be read by a screen reader as you work in
the application. You can use Narrator, the built-in screen reader in Windows, or a
third-party screen reader, such as JAWS. For more information, refer to Get started
using a screen reader in the Exchange admin center. You can also use Windows Speech
Recognition or a third-party speech tool to give voice commands to the EAC.

To navigate in the EAC and to cycle through groups of screen elements, press Ctrl+F6
(forward) or Ctrl+Shift+F6 (backward). To cycle through screen elements, including lists
of items, press the Tab key (forward) or Shift+Tab (backward). To select an item, press
Enter. To browse within menus or lists, press the Up Arrow key or the Down Arrow key,
and then, to make a selection, press Enter. To exit a menu or mode, press Esc. For more
details, go to Keyboard shortcuts for the Exchange admin center.

As you move around the areas of the EAC, your screen reader provides information
about the area that has the focus, whether it's the left feature pane (you hear "Primary
navigation, Link"), menu tabs, toolbar, main window list view (you hear "Secondary
navigation"), or details view in the right pane (in Narrator, you hear the contents of the
pane).

Technical support for customers with disabilities

Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.

Get started using a screen reader in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

You can use a screen reader with the Classic Exchange admin center (Classic EAC) in
Exchange Online to carry out administrative tasks. The EAC works with Narrator, the
built-in screen reader in Windows, or JAWS, a third-party screen reader. These screen
readers convert text to speech to read the contents of the EAC window.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Office 365 or Microsoft 365 subscription and admin role to work in the
EAC. Then, open the EAC and get started. For more information about the EAC, see
Exchange admin center in Exchange Online.

Use your browser and keyboard to navigate in the EAC

Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in several different business and enterprise subscription
plans, but capabilities may differ by plan. If your EAC doesn't include a function
described in this article, your plan might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role

Use a screen reader to open the Exchange admin center and check that your global
administrator has assigned you to any admin role group, for example, Organization
Management. You know you are assigned to at least one admin role group if you can
open the EAC. Learn how to Use a screen reader to identify your admin role in the
Exchange admin center.

Work with screen readers

The EAC works with the Narrator and JAWS screen readers, among others. These screen
readers convert text to speech and read you commands, locations, alt text on images,
and the contents of EAC screens and pop-up windows.

To turn Narrator on or off on a PC, in Windows, press Windows logo key+Enter.

To turn Narrator on or off on a tablet, press Windows logo button+Volume Up.

If Narrator doesn't read a newly opened window, press F5. Refreshing the browser
window resets the focus and Narrator reads the window.

If your screen reader stops reading, press Alt+Tab to leave the current window, and
then press Alt+Tab again to return to it. This resets the focus on the current
window to get your screen reader to read the window properly.

For more information about Narrator, refer to Hear text read aloud with Narrator. For
more information about JAWS, refer to the JAWS Screen Reader documentation.

Do more tasks with the EAC and a screen reader

Explore specific tasks that use the screen reader to work in the EAC.

Get started with the EAC

Accessibility in the Exchange admin center in Exchange Online

Keyboard shortcuts for the Exchange admin center in Exchange Online

Use a screen reader to open the Exchange admin center in Exchange Online

Work with mailboxes and recipients

Use a screen reader to edit the mailbox display name in the Exchange admin
center in Exchange Online

Use a screen reader to add a new mail contact in the Exchange admin center in
Exchange Online

Use a screen reader to add a new room mailbox in the Exchange admin center in
Exchange Online

Use a screen reader to add a new equipment mailbox in the Exchange admin
center in Exchange Online

Manage distribution groups and collaboration

Use a screen reader to create a new distribution group in the Exchange admin
center in Exchange Online

Use a screen reader to add members to a distribution group in the Exchange
admin center in Exchange Online

Use a screen reader to add a new shared mailbox in the Exchange admin center
2016

Use a screen reader to configure collaboration in the Exchange admin center in
Exchange Online

Administer mail flow and security

Use a screen reader to configure mail flow rules in the Exchange admin center in
Exchange Online

Use a screen reader to define rules that encrypt or decrypt email messages in the
Exchange admin center 2016

Use a screen reader to work with mobile clients in the Exchange admin center in
Exchange Online

Set up permissions and compliance

Use a screen reader to identify your admin role in the Exchange admin center in
Exchange Online

Use a screen reader to run an audit report in the Exchange admin center in
Exchange Online

Use a screen reader to trace an email message in the Exchange admin center in
Exchange Online

Use a screen reader to export and review audit logs in the Exchange admin center
in Exchange Online

Technical support for customers with disabilities

Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.

Keyboard shortcuts for the Exchange admin center in Exchange Online
Article • 02/22/2023

Many users find that keyboard shortcuts for the Exchange admin center (EAC) in
Exchange Online help them work more efficiently. For users with impaired mobility or
vision, keyboard shortcuts are an essential alternative to using the mouse.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Office 365 or Microsoft 365 subscription and admin role to work in the
EAC. Then, open the EAC and get started. For more information about the EAC, see
Exchange admin center in Exchange Online.

Use your browser and keyboard to navigate in the EAC

Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Use keyboard shortcuts

Notes:

The shortcuts in this topic refer to the US keyboard layout. Keys for other layouts
might not correspond exactly to the keys on a US keyboard.

If a shortcut requires pressing two or more keys at the same time, this topic
separates the keys with a plus sign (+). If you have to press one key immediately
after another, the keys are separated by a comma (,).

The EAC runs in your web browser, so it does not use accelerator keys or KeyTips.
For example, pressing Alt moves the focus to the browser menu bar, and familiar
shortcuts, like Ctrl+P (Print) and F1 (Help), run browser commands rather than EAC
commands.

Navigate in the EAC

To do this: Move among regions or individual controls
Press: The Up Arrow key or Down Arrow key
Note: The Tab key and Shift+Tab aren't supported for moving between EAC menu items.

To do this: Move within lists from one item to another
Press: The Up Arrow key, the Down Arrow key, Home, End, Page Up, or Page Down
Note: You can also use the Up Arrow key, the Down Arrow key, the Left Arrow key, or
the Right Arrow key to move between option buttons or within a group of check boxes.

To do this: Select an item
Press: Enter or the Spacebar

To do this: Exit a menu or mode
Press: Esc

Use a screen reader to open the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

The Classic Exchange admin center (Classic EAC) is a web-based app that lets you
manage your Exchange Online organization in a web browser. Using a screen reader and
keyboard shortcuts, you can open the EAC and perform administrative tasks (based on
your permissions).

Note

When you work in the EAC, we recommend that you use Internet Explorer as your
web browser. For more information about the keyboard shortcuts you can use to
navigate the EAC and about other accessibility features that are available for
Exchange Online, see Learn more about Internet Explorer keyboard shortcuts
and Accessibility in Exchange Online.

1. Sign in to your organization's Microsoft 365 or Office 365 account. In the App
launcher, move the focus to the Admin app. You hear "Go to the Microsoft 365
admin center, Link." Press Enter.

Tip

If you use the My apps page to open your apps, to quickly move to the
Admin app (sometimes one of the last apps on the list), move the focus to the
Search apps box (one of the first elements on the page). In JAWS, you hear
"Leaving menus, My apps, Edit, Type text." In Narrator, you hear "Search apps,
Editing." Type admin, and then move the focus to the only search result on
the page: Admin app. You hear "Admin link." Press Enter.

2. As the Microsoft 365 admin center opens, in JAWS, you hear "Office 365,
Microsoft admin center, Home." In Narrator, you hear "Office 365, Editing."

3. To move the focus to the Expand link in the navigation pane, press the Tab key
until you hear one of the following two options.

"Expand navigation menu button." To expand the navigation pane, press
Spacebar.

"Collapse navigation menu button." The navigation pane is already expanded,
so no action is required.

4. To move the focus to Admin centers (the last item in the navigation pane), press
the Tab key until you hear "Admin centers."

5. To ensure that the Admin centers list is expanded so that you can access the items
in it, press the Tab key. Then, based on the audible feedback you hear, perform one
of the following two actions.

If you hear "Exchange link, Open Exchange admin center in a new tab," the
list is already expanded and you've selected Exchange.

If you hear something other than "Exchange link, Open Exchange admin
center in a new tab," the list is collapsed. To move the focus back to the
Admin centers list, press Shift+Tab. To expand the list, press Enter. In the
expanded Admin centers list, to select Exchange, press the Tab key until you
hear "Exchange link, Open Exchange admin center in a new tab."

6. To open the Exchange admin center, press Enter. As the Exchange admin center
opens in a new tab in your web browser, in JAWS, you hear "Exchange admin
center." In Narrator, you hear "Microsoft Exchange."

7. To move the focus to Dashboard (the first link), in the navigation pane of the
Exchange admin center, press Ctrl+F6 twice. In Narrator, you hear "Dashboard,
Primary navigation link."

Tip

To move to the rest of the items in the navigation pane, press the Tab key. To
open an item, press Enter. After you've opened an item, to move directly to
one of its elements in the content area on a page, press Ctrl+F6. To identify
the admin role groups to which you've been assigned, which determine the
tasks you can perform in the EAC, refer to Use a screen reader to identify
your admin role in the Exchange admin center.

Use a screen reader to add a new equipment mailbox in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

Create mailboxes in the Classic Exchange admin center (Classic EAC) for any printer,
projector, or other device that's attached to your corporate network by using your
keyboard and any screen reader.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Office 365 or Microsoft 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC

Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in Microsoft 365 and Office 365 business and enterprise
subscription plans; however, capabilities may differ by plan. If your EAC doesn't include a
function described in this article, your plan might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role

To add a new equipment mailbox, use a screen reader to open the Exchange admin
center and check that your global administrator has assigned you to the Organization
Management admin role group. Learn how to Use a screen reader to identify your
admin role in the Exchange admin center.

Add a new equipment mailbox

1. After you are on the EAC Dashboard (home) page, to navigate to the page body,
press Ctrl+F6. You hear "Welcome."

2. Press the Tab key until you hear "Resources," which is the second link after
"Recipients."

3. To go to the Resources tab on the Mailboxes page, press Enter. The focus is on the
Resources tab.

4. To get to the New button in the Resources pane, press Ctrl+F6. You hear "New
button."

5. To open the New Item submenu, press Spacebar.

6. To go to the Equipment Mailbox option, press the Down Arrow key. You hear
"Equipment mailbox." (Narrator says, "Blank line.")

7. To open a New Equipment Mailbox form in a pop-up window, press Enter. You
hear the URL of the pop-up window and, eventually, "Equipment name." The focus
is in the Equipment Name box.

Tip

There are only three boxes on this form: Equipment Name, Email Address,
and Domain. All three are required.

8. Type in the name of the device and, to move to the Email Address box, press the
Tab key. You hear "Email address."

Tip

This name will appear in users' Outlook Address Book. To make rooms easier
for users to find, use a consistent naming convention within your
organization.

9. The email address is also required. Type in the first portion of the email address
(before the at sign) and, to get to the domain drop-down list, press the Tab key.
You hear the selected domain option.

10. If the default selection in the domain drop-down menu is not the domain you want
to choose, to access other available domains, press the Down Arrow key. As you
move through the available options, you hear the domain name and suffix. When
you find the domain you want to use, to select it, press Enter.

Tip

You cannot type any values into the domain box. It is a prepopulated drop-down
list. To add domains to that drop-down list, contact your Office admin.

11. To go to the Save button, press the Tab key. You hear "Save."

12. Press Enter. This saves the mailbox you created with the values you assigned, and
the pop-up window closes, returning you to the Resources list on the Resources
tab. The focus is on the New Mailbox button. You hear "New mailbox."

Tip

It may take a few minutes to save the new mailbox and close the pop-up window.
You do not hear any additional feedback during this wait time.

If you want to add additional information to your new room mailbox, learn about all the
options available in Use a screen reader to use mailbox properties and options in EAC
on Exchange Online.

Technical support for customers with disabilities

Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.

Use a screen reader to add a new mail contact in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

Using a screen reader with Exchange Online, you can use the Classic Exchange admin
center (Classic EAC) to set up a mail contact: a mail-enabled directory service object
containing information about a person or entity that exists outside of your Exchange
Online organization. Each mail contact has an external email address. For more
information about mail contacts, refer to the Recipients in Exchange Online article.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC

Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in several different subscription plans. But capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role

To add a new mail contact, use a screen reader to open the Exchange admin center in
Exchange Online and check that your global administrator has assigned you to the
Organization Management and Recipient Management admin role group. Learn how to
Use a screen reader to identify your admin role in the Exchange admin center.

Use the EAC to create a mail contact

1. In the EAC, in the primary navigation pane, tab to Recipients. You hear "Recipients,
Primary navigation." Press Enter.

2. To move the focus to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary
navigation."

3. Press the Left Arrow key until you hear "Contacts, Secondary navigation," and then
press Enter. A table listing mail contacts appears.

4. To move the focus to the contacts menu bar, press Ctrl+F6 until you hear "New
button menu."

5. Press Spacebar, and then press the Down Arrow key until you hear "Mail contact."
Then, press Enter. The new mail contact window opens.

Note: In Narrator, if the menu options for the New button are not read, you hear
"Empty line." Mail contact is the first option. Mail user is the second option. When
you select Mail contact, if Narrator doesn't announce the name of the new mail
contact window or the First name box, to refresh the window and reestablish the
focus, press F5.

6. Tab to the following boxes, and complete the contact information:

Note: Required boxes are designated with an asterisk. In screen readers, you hear
"star" or "asterisk" before the label. For example, in the required Display Name
box, you hear "Star display name" or "Asterisk display name."

First name. Type the contact's first name.

Initials. Type the contact's initial.

Last name. Type the contact's last name.

*Display name. To change the default, type the name as it will appear in the
contacts list in the EAC and in your organization's address book. By default,
Exchange uses the names you entered in the First name, Initials, and Last
name boxes. This name can't exceed 64 characters.

*Alias. Type a unique alias (64 characters or less) for the contact.

*External email address. Type the contact's email address that is outside of
your organization. Email sent to the contact is forwarded to this email
address.

7. When you're finished, tab to the Save button. The new mail contact window
closes, and the contact is added to the table in the contacts window.

Use a screen reader to add a new room mailbox in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

Add a mailbox for conference rooms in the Exchange admin center (Classic EAC) in
Exchange Online by using keyboard shortcuts and your screen reader.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC

Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in several different subscription plans; however, capabilities
may differ by plan. If your EAC doesn't include a function described in this article, your
plan might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role

To add a new room mailbox, use a screen reader to open the Exchange admin center
and check that your global administrator has assigned you to the Organization
Management admin role group. Learn how to Use a screen reader to identify your
admin role in the Exchange admin center.

Add a new room mailbox

1. After you are on the EAC Dashboard (home) page, to navigate to the page body,
press Ctrl+F6. You hear "Welcome."

2. Press the Tab key until you hear "Resources," which is the second link after
"Recipients."

3. To go to the Resources tab on the Mailboxes page, press Enter. The focus is on the
Resources tab.

4. To get to the New button on the Resources pane, press Ctrl+F6. You hear "New
button."

5. To open the New Item submenu, press Spacebar.

6. To go to the Room Mailbox option, press the Down Arrow key. You hear "Room
mailbox." (Narrator says, "Blank line.")

7. To open a New Room Mailbox form in a pop-up window, press Enter. You hear the
URL of the pop-up window and, eventually, "Room Name." The focus is in the
Room Name box. This is a required box.

8. Type in the name of the room and, to move into the Email Address box, press the
Tab key.

Tip

This name will appear in users' Outlook Address Books. To make rooms easier
for users to find, use a consistent naming convention within your
organization.

9. The email address is also required. Type in the first portion of the email address
(before the at sign) and, to get to the domain drop-down list, press the Tab key.
You hear the selected domain option.

10. If the default selection in the domain drop-down menu is not the domain you want
to choose, to access other available domains, press the Down Arrow key. As you
move through the available options, you hear the domain name and suffix. When
you find the domain you want to use, to select it, press Enter.

Tip

You cannot type any values into the domain box. It is a prepopulated drop-down
list. To add domains to that drop-down list, contact your Office admin.

11. To go to the Save button, press the Tab key. You hear "Save."

12. Press Enter. This saves the mailbox you created with the values you assigned, and
the pop-up window closes, returning you to the Resources list on the Resources
tab. The focus is on the New Mailbox button. You hear "New mailbox."

Tip

It may take a few minutes to save the new mailbox and close the pop-up window.
You do not hear any additional feedback during this wait time.

If you want to add additional information to your new room mailbox, learn about all the
options available in Use a screen reader to use mailbox properties and options in EAC
on Exchange Online.
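The equipment mailbox and room mailbox procedures above both fill in the same three boxes: a name, the part of the address before the at sign, and a domain chosen from a prepopulated drop-down. As an added example that is not code from the Microsoft article, the same task done in Exchange Online PowerShell, with the accepted-domain restriction the EAC enforces through that drop-down applied explicitly; the cmdlets are real, but the function name, the sample names, aliases and the contoso.com domain are constructed for illustration.

```powershell
# Added example (not from the Microsoft article): create a room or equipment
# mailbox with Exchange Online PowerShell instead of the Classic EAC form.
# Assumes the ExchangeOnlineManagement module is installed and that the signed-in
# account is in the Organization Management role group, as the article requires.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

function New-ResourceMailbox {
    # Hypothetical helper name; the parameters mirror the three boxes in the EAC form.
    param(
        [Parameter(Mandatory)] [string] $Name,     # "Room Name" / "Equipment Name" box
        [Parameter(Mandatory)] [string] $Alias,    # address part before the at sign
        [Parameter(Mandatory)] [string] $Domain,   # must be one of the drop-down domains
        [Parameter(Mandatory)] [ValidateSet('Room', 'Equipment')] [string] $Kind
    )

    # The EAC drop-down only offers accepted domains; refuse anything else here too.
    if (-not (Get-AcceptedDomain -Identity $Domain -ErrorAction SilentlyContinue)) {
        throw "'$Domain' is not an accepted domain in this organization."
    }

    $address = "$Alias@$Domain"

    # Fail early on a duplicate address instead of letting New-Mailbox error out.
    if (Get-Recipient -Identity $address -ErrorAction SilentlyContinue) {
        throw "A recipient with address $address already exists."
    }

    $params = @{
        Name               = $Name
        DisplayName        = $Name      # shown in users' Outlook Address Book
        Alias              = $Alias
        PrimarySmtpAddress = $address
    }
    # -Room and -Equipment are switch parameters on New-Mailbox; set the one requested.
    if ($Kind -eq 'Room') { $params['Room'] = $true } else { $params['Equipment'] = $true }

    New-Mailbox @params | Out-Null

    # Read the mailbox back, the equivalent of checking the Resources tab afterwards.
    Get-Mailbox -Identity $address |
        Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails
}

# Constructed sample values; replace with your own names and an accepted domain.
New-ResourceMailbox -Name 'Conference Room 4B' -Alias 'room4b' -Domain 'contoso.com' -Kind Room
New-ResourceMailbox -Name 'Projector Floor 2' -Alias 'projector2' -Domain 'contoso.com' -Kind Equipment

Disconnect-ExchangeOnline -Confirm:$false
```

RecipientTypeDetails in the final output reads RoomMailbox or EquipmentMailbox, which confirms the mailbox was created as a resource rather than a user mailbox.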

Technical support for customers with disabilities

Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.

Use a screen reader to add a new shared mailbox in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

You can use your screen reader to create a shared mailbox in the Classic Exchange
admin center (Classic EAC) in Exchange Online. Shared mailboxes make it easy for a
group of people in your organization to monitor and send email from a common
account, such as info@contoso.com or support@contoso.com. When a person in the
group replies to a message sent to the shared mailbox, the email looks like it was sent
by the shared mailbox, not from the individual user. Learn more about shared
mailboxes.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC

Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this topic, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role

To add a new shared mailbox, use a screen reader to open the Exchange admin center
in Exchange Online and check that your global administrator has assigned you to the
Organization Management and Recipient Management admin role groups. Learn how to
Use a screen reader to identify your admin role in the Exchange admin center.

Create a shared mailbox


1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, primary navigation link."

2. Tab to Recipients, and press Enter.

3. To move to the menu bar, press Ctrl+F6. You hear "Region mailboxes, secondary
navigation." (In Narrator, you hear "Mailboxes, secondary navigation link.")

4. Tab to Shared. You hear "Shared, secondary navigation link." Press Enter.

5. To move to the toolbar, press Ctrl+F6. You hear "New button." Press Enter.

6. In the Shared Mailbox dialog box which opens, the Display name text box has the
focus, and you hear "Type in text." (In Narrator, you hear "Display name, editing.")
Type the display name for the shared mailbox you're creating.

7. Tab to the Email address text box, and type the email address for the new shared
mailbox.

8. To select the users who can view and send mail from this new shared mailbox, tab
to and select the Add button.

9. When the Select Shared Mailbox Users dialog box opens, the Search box has the
focus. You hear "Filter or search edit." Type all or part of the name of the first user
you want to add to the shared mailbox and then, to search for the name, press
Enter.

10. Press the Tab key four times until you hear the name of the user in the search
results list. The name is selected.

11. Tab to the Add button, and press Enter or Spacebar. The selected name is added to
the list of users for the new shared mailbox.

12. To add a second user, tab several times until you hear "Filter or search edit." Type
all or part of the name of the next user you want to add, and press Enter. Repeat
steps 10 and 11. Do this for all users you want to add to the new shared mailbox.

13. When you finish adding users, tab to the OK button, and press Enter. The Shared
Mailbox dialog box has the focus again, and the selected users are listed in the
Shared Mailbox Users box.

14. Tab to the Save button, and press Enter. An alert says "Please wait." After the
shared mailbox is created, you hear another alert that says the mailbox will be
available in approximately 15 minutes.

15. With the focus on the OK button, press Enter. The new shared mailbox display
name and email address are listed in the shared list view, and it has the focus.
Details about the new shared mailbox are listed in the details pane on the right. To
review these details, press Ctrl+F6 or the Tab key until the details pane has the
focus.
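The same task done with Exchange Online PowerShell, as an added example that is not part of this article: it creates the shared mailbox, grants each listed user the two permissions the wizard's Shared Mailbox Users box sets up (Full Access and Send As), and then lists every explicit grant so the result can be reviewed. It assumes the ExchangeOnlineManagement module is installed and signed in with a recipient-management role; the mailbox name, alias, address and user addresses are constructed placeholders.

```powershell
# Added example (not from this article): create a shared mailbox, grant a team
# access to it, and audit who can open it and send as it.
# Assumes the ExchangeOnlineManagement module; names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an account holding a recipient-management role

$MailboxAlias = 'support'                                   # constructed example value
$Smtp         = 'support@contoso.com'                       # constructed example value
$Members      = @('alice@contoso.com', 'bob@contoso.com')   # constructed example values

# Create the shared mailbox. Nobody signs in to a shared mailbox directly;
# access is granted per user below, which is also what you audit later.
New-Mailbox -Shared -Name 'Support' -DisplayName 'Support' -Alias $MailboxAlias `
    -PrimarySmtpAddress $Smtp | Out-Null

foreach ($user in $Members) {
    # Full Access lets the user open the mailbox; AutoMapping adds it to their Outlook profile.
    Add-MailboxPermission -Identity $MailboxAlias -User $user `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $true | Out-Null
    # Send As makes replies appear to come from the shared address, as the article describes.
    Add-RecipientPermission -Identity $MailboxAlias -Trustee $user `
        -AccessRights SendAs -Confirm:$false | Out-Null
}

# Verify: confirm the recipient type, then list every explicit (non-inherited,
# non-system) grant. This is the list to review when access is later questioned.
Get-Mailbox -Identity $MailboxAlias |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails

Get-MailboxPermission -Identity $MailboxAlias |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

Get-RecipientPermission -Identity $MailboxAlias |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
```

Full Access and Send As are separate grants on separate objects, which is why both audit queries are needed; a user who appears in only one of them can either read the mailbox or send as it, but not both.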
Use a screen reader to add members to
a distribution group in the Classic
Exchange admin center in Exchange
Online
Article • 02/22/2023

Using a screen reader with the Classic Exchange admin center (Classic EAC) in Exchange
Online, you can add and remove members of a distribution group.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans. But capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Use a screen
reader to identify your admin role in the Exchange admin center.

Use the EAC to change distribution group membership
1. In the EAC, in the primary navigation pane, tab to Recipients. You hear "Recipients,
Primary navigation." Press Enter.

2. To move the focus to the menu bar, press Ctrl+F6. You hear, "Mailboxes, Secondary
navigation."

3. Press the Left Arrow key until you hear "Groups, Secondary navigation," and then
press Enter. Options for distribution groups appear.

4. To locate the distribution group you want to edit, use the Up Arrow and Down
Arrow keys and then press Enter. The Distribution Group window opens for the
group you selected. You hear "General tab."

5. Press the Down Arrow key until you hear "Membership tab." A list of members
appears with two controls: Add and Remove.

6. To add a member:

a. Tab to the Add button, and press Enter. The Select Members window opens and
lists all users in your organization. The focus is on the Search button.

b. Press Spacebar, and type all or part of a name. Users with that name appear in
the Display Name table.

c. Tab until you hear the first name listed, if any. (In JAWS, you hear "Out of table"
and the name of the first user, if any were found. In Narrator, if you hear
"Button" with no label, to move the focus into the table and hear the names,
press Spacebar.) Select the user you want, tab until you hear "Add button," and
then press Spacebar. You can add more names in this way.

d. When you're finished, tab to the OK button and press Enter. The Select Member
window closes.

7. In the Distribution Group window, to remove a member, select a user in the
members table and then press Shift+Tab until you hear "Remove." Press Enter.

8. When you are finished, tab to the Save button and press Enter.
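The add and remove steps above, done with Exchange Online PowerShell as an added example that is not part of this article. Rather than adding and removing one name at a time, it reconciles the group against a reviewed member list, reports what it would change in a dry run, applies the changes, and prints the final membership for the change record. It assumes the ExchangeOnlineManagement module; the group address, user addresses and the helper name Sync-DistributionGroupMembership are constructed for this example.

```powershell
# Added example (not from this article): reconcile a distribution group's
# membership against a reviewed list, then print the final membership.
# Assumes the ExchangeOnlineManagement module; addresses are constructed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Group   = 'sales@contoso.com'                                               # constructed
$Desired = @('alice@contoso.com', 'bob@contoso.com', 'carol@contoso.com')    # constructed

function Sync-DistributionGroupMembership {
    # Hypothetical helper written for this example.
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $DesiredMembers,
        [switch] $DryRun
    )
    # Current members keyed by primary SMTP address, lower-cased so the
    # comparison does not depend on how the address was typed.
    $current = @(Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() })
    $wanted  = @($DesiredMembers | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)

    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    foreach ($m in $toAdd) {
        if ($DryRun) { "Would add    $m" }
        else {
            Add-DistributionGroupMember -Identity $Identity -Member $m
            "Added        $m"
        }
    }
    foreach ($m in $toRemove) {
        if ($DryRun) { "Would remove $m" }
        else {
            Remove-DistributionGroupMember -Identity $Identity -Member $m -Confirm:$false
            "Removed      $m"
        }
    }
}

# Dry run first so the removals can be checked, then apply, then record the result.
Sync-DistributionGroupMembership -Identity $Group -DesiredMembers $Desired -DryRun
Sync-DistributionGroupMembership -Identity $Group -DesiredMembers $Desired
Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails
```

The dry run matters most for the removal side: a stale entry in the reviewed list silently drops a member from every message sent to the group, so the "Would remove" lines are the ones to read before applying.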

Technical support for customers with disabilities
Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.
Use a screen reader to archive mailbox
items in the Classic Exchange admin
center in Exchange Online
Article • 02/22/2023

You can use your screen reader in the Classic Exchange admin center (Classic EAC) to
enable or disable archiving of items in an Exchange Online mailbox. You can also use
your screen reader in the EAC to apply retention policies to mailboxes. Learn more
about the archive mailboxes in Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

For more information about creating distribution groups, refer to Use a screen reader to
create a new distribution group in the Exchange admin center.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans. But capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.
For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role


To complete the tasks covered in this topic, use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Use a screen
reader to identify your admin role in the Exchange admin center.

Enable mailbox archiving for a user


With mailbox archiving in Exchange Online, also called "in-place archiving," users get
additional mailbox storage space. When enabled, archive mailboxes are accessible
through Outlook and Outlook on the web, and offer a convenient alternate repository
for old email messages.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to recipients and press Enter.

3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary
navigation link." To select the mailboxes link, press Enter.

4. To search for the user for whom you want to enable archiving, press Ctrl+F6 and
then press the Tab key until you hear "Search button." Press Enter.

5. Type all or part of the user's name and press Enter.

6. Press Ctrl+F6 until you hear the name of the user in the search results list. If the
search results list includes multiple names, press the Down Arrow key or the Up
Arrow key until you hear the name you want.

7. To move to the details pane, press Ctrl+F6. You hear "Unified Messaging link."

8. Press the Tab key about six times until you hear "Archiving link, Enable."

Tip: If the user is already enabled for archiving, you hear "Archiving link, Disable".

9. Press Enter. You hear "Are you sure you want to enable the archive?" With the
focus on the Yes button, press Enter.

Tip: If you want to enable archiving for additional users, move the focus back
to the list of mailboxes by pressing Ctrl+Shift+F6. Select the name you
want by pressing the Down Arrow key or the Up Arrow key, and repeat
steps 7 through 9.

For more information, go to Enable archive mailboxes in the compliance portal.

Disable mailbox archiving for a user


If you disable a user's archive, the existing content is retained for 30 days. This means if
you re-enable the archive within that 30 days, all existing content will still be intact. After
30 days, however, all information is permanently deleted, and if you enable the archive
after this time, a new archive mailbox is created.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to recipients and press Enter.

3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary
navigation link." To select the mailboxes link, press Enter.

4. To search for the user for whom you want to disable archiving, press Ctrl+F6 and
then press the Tab key until you hear "Search button." Press Enter.

5. Type all or part of the user's name and press Enter.

6. Press Ctrl+F6 until you hear the name of the user whose mailbox archiving you
want to disable in the search results list. If the search results list includes multiple
names, press the Down Arrow key or the Up Arrow key until you hear the name
you want.

7. To move to the details pane, press Ctrl+F6. You hear "Unified Messaging link."

8. Press the Tab key about six times until you hear "Archiving link, Disable."

9. Press Enter. You hear "Are you sure you want to disable this archive?" With the
focus on the Yes button, press Enter.
Apply a retention policy to a user
The messaging records management (MRM) feature in Exchange Online helps you
manage the life cycle of your organization's email; it allows you to set retention policies.
Retention policies specify when certain types of mailbox items (including regular email
messages, deleted items, and junk mail) should be moved, archived, or deleted.
Exchange Online automatically applies the Default MRM Policy when you create a new
mailbox with an archive or when you enable an archive for an existing mailbox user.

Note: You can customize the Default MRM Policy by adding or removing retention tags
or by modifying tag settings. You can also replace the default policy with any retention
policies you create. To view, edit, or create a retention policy, on the EAC primary
navigation pane, select the compliance management link and then, on the menu bar,
select the retention policies link. Learn more about retention policies.

You can apply the same retention policy to all users, or you can apply different policies
to certain users.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to recipients and press Enter.

3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary
navigation link." To select the mailboxes link, press Enter.

4. To search for the user to whom you want to apply a retention policy, press Ctrl+F6
and then press the Tab key until you hear "Search button." Press Enter.

5. Type all or part of the user's name and press Enter.

6. Press Ctrl+F6 until you hear the name of the user in the search results list. If the
search results list includes multiple names, press the Down Arrow key or the Up
Arrow key until you hear the name you want. Press Enter.

7. In the Edit User Mailbox dialog box which opens, with the focus on the tab names,
press the Down Arrow key until the focus is on the mailbox features tab.

8. Tab to the Retention policy combo box. Default MRM Policy is the default entry.
Press the Down Arrow key or the Up Arrow key to move through the available
policies. Select the policy you want for this user.

9. Tab to the Save button and press Enter. The mailboxes list view has the focus
again.
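The enable, disable and retention-policy procedures above, done with Exchange Online PowerShell as one added example that is not part of this article. It enables the archive for each listed user only where none is active, makes the retention policy assignment explicit rather than relying on the automatic default, asks the Managed Folder Assistant to process the mailboxes, and then reports the archive state and the tags the policy carries. It assumes the ExchangeOnlineManagement module; the user addresses are constructed, and "Default MRM Policy" is the built-in policy this article names.

```powershell
# Added example (not from this article): enable in-place archiving for a set of
# users, assign a retention policy, and report each mailbox's archive state.
# Assumes the ExchangeOnlineManagement module; user addresses are constructed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Users  = @('alice@contoso.com', 'bob@contoso.com')   # constructed
$Policy = 'Default MRM Policy'                         # built-in policy named in the article

# Fail early if the policy does not exist, instead of one Set-Mailbox error per user.
$null = Get-RetentionPolicy -Identity $Policy -ErrorAction Stop

foreach ($u in $Users) {
    $mbx = Get-Mailbox -Identity $u
    if ($mbx.ArchiveStatus -ne 'Active') {
        # Provisions the archive mailbox; as the article notes, it takes a while
        # before the archive is reachable from Outlook.
        Enable-Mailbox -Identity $u -Archive | Out-Null
    }
    # Exchange applies the default policy on archive enablement; setting it here
    # records the choice explicitly and lets you pick a different policy per user.
    Set-Mailbox -Identity $u -RetentionPolicy $Policy
    # Process the mailbox now rather than waiting for the next scheduled run.
    Start-ManagedFolderAssistant -Identity $u
}

# Report: which mailboxes have an archive and which policy governs them.
$Users | ForEach-Object { Get-Mailbox -Identity $_ } |
    Select-Object DisplayName, ArchiveStatus, ArchiveGuid, RetentionPolicy

# The tags linked to the policy: what gets moved or deleted, and after how long.
(Get-RetentionPolicy -Identity $Policy).RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity $_ } |
    Select-Object Name, Type, AgeLimitForRetention, RetentionAction

# To disable an archive instead (content is kept for 30 days, as the article states):
# Disable-Mailbox -Identity 'alice@contoso.com' -Archive -Confirm:$false
```

The tag listing is the check worth keeping: a policy's name says nothing about what it does, and a tag with a DeleteAndAllowRecovery or PermanentlyDelete action applied to the wrong users is an unrecoverable change after the retention window passes.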
Accessibility information
The Microsoft Accessibility website provides more information about assistive
technology.

Technical support for customers with disabilities


Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.
Use a screen reader to configure
collaboration in the Classic Exchange
admin center in Exchange Online
Article • 02/22/2023

You can use your screen reader in the Classic Exchange admin center (Classic EAC) in
Exchange Online to configure different methods of collaboration. These methods might
include public folders, distribution groups, or shared mailboxes.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Use a screen
reader to identify your admin role in the Exchange admin center.

Set up public folders


Members of workgroups can use public folders as an easy way to collect, organize, and
share information with others in the workgroup.

Public folders organize content in a hierarchy that's easy to browse. Users can discover
useful content by browsing through branches of the hierarchy that are relevant to their
work. The full hierarchy is visible to users in their Outlook folder view. Public folders can
be used for distribution group archiving. A public folder can be mail-enabled and added
as a member of the distribution group, so that email sent to the distribution group is
then automatically added to the public folder. Public folders also allow for simple
document sharing.

Create a public folder mailbox


To use public folders, you need to set up at least one public folder mailbox.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to public folders and press Enter.

3. To move to the menu bar, press Ctrl+F6. You hear "Public folders, Secondary
navigation link."

4. Tab to public folder mailboxes. Press Enter.

5. To move to the toolbar, press Ctrl+F6. You hear "New public folder mailbox
button." Press Enter.

6. In the Public Folder Mailbox dialog box which opens, the Name text box has the
focus. Type the name for your public folder mailbox.

Tip: Public folder mailboxes contain the hierarchy information plus the content for
public folders. The first public folder mailbox you create becomes the primary
mailbox, which contains the one writable copy of the public folder hierarchy.
Any additional public folder mailboxes you create will be secondary
mailboxes, which contain a read-only copy of the hierarchy.

7. Tab to the Save button and press Enter. It might take up to a minute for the public
folder mailbox to be created, after which you hear an alert that says the mailbox
will be available in approximately 15 minutes.

8. With the focus on the OK button, press Enter. The new public folder mailbox is
added to the public folder mailboxes list view.

Learn more about creating public folders.

Create a public folder


After you create a public folder mailbox, you can add a public folder.

1. With the focus in the public folder mailboxes list view, to move to the menu bar,
press Ctrl+Shift+F6 twice. You hear "Public folders, Secondary navigation link."
Press Enter.

2. To move to the toolbar, press Ctrl+F6. You hear "New public folder button." Press
Enter. This creates a public folder at the root level in the public folder's hierarchy.

Tip: You can create a subfolder within an existing public folder. First, with the focus
in the public folders list view, to select the parent folder, press the Down
Arrow key or the Up Arrow key, and then press the Tab key. To open the
folder, press Enter. Then, to move to the toolbar, press Ctrl+Shift+F6. Select
the New public folder button, which has the focus, press Enter, and then go
on to Step 3. (If you want to move back to the parent folder, on the toolbar,
tab to the Go to the parent folder button and press Enter.)

3. In the Public Folder dialog box which opens, the Name text box has the focus.
Type the name for your public folder.

4. To move to the Path text box, press the Tab key. In this read-only text box, you
hear the path for the public folder. For example, if you're creating a public folder at
the root level, you hear "Backslash."
5. Tab to the Save button and press Enter. The name of the new public folder is
added to the public folders list view.

Add users of a public folder


After you create a public folder, specify the users who can access it. Also specify these
users' roles in the public folder, including their read-write permissions.

1. With the focus in the public folders list view, to select the public folder you want to
add users to, press the Up Arrow key or the Down Arrow key.

2. To move to the details pane, press Ctrl+F6. The mail settings Enable link has the
focus.

3. To move to the folder permissions Manage link, press the Tab key and then press
Enter.

4. In the Public Folder Permissions dialog box which opens, the Add button has the
focus. Press Enter.

5. In the dialog box which opens, the Browse button has the focus. Press Enter.

6. In the Select Recipient dialog box which opens, the Search text box has the focus.
You hear "Filter or search edit." Type all or part of the name of the first user you
want to add to the public folder and then, to search for the name, press Enter.

7. Press the Tab key about six times until you hear the name of the user in the search
results list. Press Enter.

Tip: If the search results list includes multiple names, press the Up Arrow key or
the Down Arrow key until you hear the name you want. Press Enter.

8. Tab to the Permission level combo box. The default permission level is Publishing
Editor, which allows selected users to create items and subfolders, read items, and
edit or delete all items. Other permission levels include Reviewer, Contributor,
Non Editing Author, Author, Editor, Publishing Author, and Owner. You can also
create a custom permission level.

9. To select the permission level for the selected user, press the Up Arrow key or the
Down Arrow key.

Tip: To review the rights allowed for a permission level, press the Tab key through
the 10 check boxes that specify the rights for the selected permission level. If
you change a check box setting, the permission level changes to Custom. If
you select the Custom permission level, all check boxes are cleared for you to
select what you want.

10. Tab to the Save button and press Enter. The user and associated permission level
are saved and added to the table of users in the Public Folder Permissions dialog
box.

11. To add another user, activate the Add button, which has the focus, by pressing
Enter. Repeat steps 5 through 10. Do this for all users you want to add to the new
public folder.

12. When you finish adding users, in the Public Folder Permissions dialog box, tab to
the Save button and press Enter. Wait several seconds for the information to be
saved. An alert specifies that the save operation is complete, and you hear "Close
button." To close the alert, press Enter. The public folders main page view has the
focus again.

Note: Public folders have size limits, and subfolders inherit permission settings from
parent folders in specific ways. In addition, you can enable mail settings for a public
folder. Learn more about creating public folders.
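The three public folder procedures above (public folder mailbox, public folder, and user permissions), done with Exchange Online PowerShell as one added example that is not part of this article. It creates the first public folder mailbox only if none exists, shows which mailbox holds the writable hierarchy, adds a root folder and a subfolder, grants one user the Publishing Editor level the EAC uses by default, and then prints the permission tables of both folders so the inherited entries and the built-in Default and Anonymous entries can be reviewed. It assumes the ExchangeOnlineManagement module; the mailbox name, folder names and user address are constructed.

```powershell
# Added example (not from this article): create the primary public folder
# mailbox, a root folder and a subfolder, grant a permission level, and audit
# the permission tables. Assumes the ExchangeOnlineManagement module;
# names and addresses are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$PfMailbox = 'PF-Hierarchy-01'      # constructed
$Folder    = '\Projects'            # constructed
$Sub       = 'Archive-2023'         # constructed
$User      = 'alice@contoso.com'    # constructed

# Only the first public folder mailbox holds the writable copy of the hierarchy,
# so create one only when none exists yet.
if (-not (Get-Mailbox -PublicFolder -ResultSize 1 -ErrorAction SilentlyContinue)) {
    New-Mailbox -PublicFolder -Name $PfMailbox | Out-Null
}
# Which mailbox owns the writable hierarchy (the "primary" in the article's terms).
Get-OrganizationConfig | Select-Object RootPublicFolderMailbox

# A root-level folder, then a child under it. -Path is the parent, which is what
# the read-only Path box in the EAC dialog reads back to you.
New-PublicFolder -Name 'Projects' -Path '\'     | Out-Null
New-PublicFolder -Name $Sub       -Path $Folder | Out-Null

# Grant one user Publishing Editor, the EAC's default level for added users.
Add-PublicFolderClientPermission -Identity $Folder -User $User -AccessRights PublishingEditor

# Audit both folders. The subfolder shows the entry it inherited from the parent;
# Default applies to every signed-in user and Anonymous to unauthenticated access,
# so those two rows are the ones to check on any folder holding sensitive content.
foreach ($f in $Folder, "$Folder\$Sub") {
    Get-PublicFolderClientPermission -Identity $f |
        Select-Object @{ n = 'Folder'; e = { $f } },
                      @{ n = 'User';   e = { "$($_.User)" } },
                      AccessRights,
                      @{ n = 'Review'; e = {
                          if ("$($_.User)" -in 'Default', 'Anonymous') { 'built-in entry: check rights' }
                          else { '' } } }
}

# Optional, matching the article's "enable mail settings" step for the folder:
# Enable-MailPublicFolder -Identity $Folder
```

Inheritance is the reason to audit the subfolder and not only the folder you changed: the user was added to \Projects once, and the second table shows that the new subfolder picked that entry up without any explicit grant.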

Create a distribution group


Another method for facilitating and configuring collaboration in Exchange Online is a
distribution group: a collection of two or more recipients that appears in the shared
address book. When an email message is sent to a distribution group, it's received by all
members of the group. Distribution groups can be organized by a particular discussion
subject (such as "Resource Management Best Practices") or by users who share a
common work structure (as in, a workgroup or project team) that requires them to
communicate frequently. Use a screen reader to create a new distribution group in the
Exchange admin center. Learn more about managing distribution groups.
Work with a shared mailbox
Shared mailboxes make it easy for a group of people to monitor and send email from a
common account, such as info@contoso.com or support@contoso.com. When a group
member replies to a message sent to the shared mailbox, the email looks like it was sent
by the shared mailbox, not by the group member. Use a screen reader to add a new
shared mailbox in the Exchange admin center 2016. Learn more about shared mailboxes.

Accessibility Information
The Microsoft Accessibility website provides more information about assistive
technology.

Technical support for customers with disabilities


Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.
Use a screen reader to create a new
distribution group in the Classic
Exchange admin center in Exchange
Online
Article • 02/22/2023

Using a screen reader and keyboard shortcuts, you can create a new distribution group
in the Classic Exchange admin center (Classic EAC) in Exchange Online. This topic
explains how to create a new distribution group in your Exchange organization and how
to mail-enable an existing group in Active Directory.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Notes:

The different types of groups that are covered in this topic are:

Distribution groups: Can be used only to deliver messages.

Mail-enabled security groups: Can be used to deliver messages as well as grant
permissions (a security group is a security principal that can have permissions
assigned to it).

For more information, see Create and manage distribution groups in Exchange
Online.

If your organization has a group naming policy, it's applied only to groups created
by users (not admins). For more information, see Create a distribution group
naming policy in Exchange Online and Override the distribution group naming
policy in Exchange Online.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans. But capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Microsoft 365 Apps for business product or license do I have? and
Exchange Online Service Description.

Open the EAC, and confirm your admin role


To complete the tasks covered in this topic, use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Use a screen
reader to identify your admin role in the Exchange admin center.

Use the EAC to create a distribution group


1. In the EAC, in the primary navigation pane, tab to Recipients. You hear "Recipients,
Primary navigation." Press Enter.

2. To move the focus to the menu bar, press Ctrl+F6. You hear, "Mailboxes, Secondary
navigation link."

3. Press the Left Arrow key until you hear "Groups, Secondary navigation link."

4. Press Enter. You hear "Groups options." A list of distribution groups appears.

5. To move the focus to the distribution group menu, press Ctrl+F6. You hear "New,"
which is the first button.

6. To open the New submenu, press Spacebar.


7. In the New menu, press the Down Arrow key until you hear "Distribution group."
Then, press Enter. (In Narrator, you may hear "Empty line" or nothing at all. The
three items on this menu are distribution group, security group, and dynamic
distribution group. Select the first item in the menu.) The new distribution group
page opens in a new browser window.

Tip: The new distribution group window includes two buttons named Add and
two named Remove. The first set of Add and Remove buttons affects the
Select Owners box. The second set applies to the Select Members box.

8. Tab to the following options, and complete the group details.

Tip: Required boxes are designated with an asterisk. In screen readers, you hear
"Star" or "Asterisk" before the label. For example, for the required Display
name box, you hear "Star display name" or "Asterisk display name." You also
hear the text of a tool tip that appears when you move the focus to an option.

*Display name. Type the name you want to appear in your organization's
address book. This name appears on the To: line when email is sent to this
group and in the Groups list in the EAC. The display name is required. Make it
recognizable for users and unique in the forest.

*Alias. Type a name of 64 characters or less for the group's alias. Make it
unique in the forest. When a user types the alias in the To: line of an email
message, it resolves to the group's display name.

*Email address. If you want to change the default name used for this group's
email address, type the name you want. The default is the alias you specified.

Notes. If you want to add a description for this distribution group, type a
note. The text you type appears on the group's contact card and in the
address book.

Add. To open the Select Owners window, where you can add owners to the
distribution group, select Add. By default, the person who creates a group is
the owner and is listed in the Owners box. All groups must have at least one
owner. For help using the Select Owners window, refer to Use a screen
reader in the Select Owners window later in this topic.
Remove. To remove a selected name from the Owners box, use this option.

*Owners. This option lists the names of the distribution group's owners.
Screen readers read the selected name, not the label. For example, you hear
"Sara Davis, Button."

Add group owners as member. By default, this check box is selected.

Add. To add members to the distribution group, select this option. By default,
the group owners are members and are listed in the Members box. When
you select the Add button, the Select Members window opens and you can
search for or select the names you want. To return to the new distribution
group window, select the OK button. For detailed steps, refer to Use a screen
reader to add a member to a distribution group.

Remove. Use to remove the selected name from the Members box.

Members. This option lists the names of the distribution group's members. In
Narrator, you may hear "Please wait" or nothing, when this list is empty.

Choose whether owner approval is required to join the group. Screen
readers read the selected option. The default is Open. To require approval for
people to join the group, use an arrow key to select one of the other two
options: Closed or Owner Approval.

Choose whether the group is open to leave. Screen readers read the
selected option. The default is Open. To require approval for people to leave
the group, use an arrow key to select Closed.

9. When you've finished, tab to the Save button and press Enter.

Note

By default, new distribution groups require that all senders be authenticated.
This prevents external senders from sending messages to distribution groups.
To configure a distribution group to accept messages from all senders, you
must modify the message delivery restriction settings for that distribution
group.

Verify that you've successfully created a distribution group
1. In the EAC, tab to Recipients and press Enter.
2. To move the focus to the menu bar, press Ctrl+F6. You hear, "Mailboxes, Secondary
navigation."

3. Press the Left Arrow key until you hear "Groups, Secondary navigation," and then
press Enter. The table of current distribution groups appears.

4. Press Ctrl+F6 until you hear the name of a distribution group, indicating that the
focus is on the table of distribution groups.

5. To locate the distribution group you just created, use the Up Arrow and Down
Arrow keys. The screen reader reads the display name, group type, and e-mail
address.

Use a screen reader in the Select Owners window

In the new distribution group window, the Add button for the *Owners box opens the
Select Owners window, which some screen readers have difficulty reading. To add an
owner:

1. In the new distribution group window, tab to the Add button and press Enter. The
Select Owner window opens, and the focus is on a search box.

2. Type all or part of the name of the user you want to add, and then press Enter. A
list of names appears in the Display Name table. If there are no names, press
Shift+Tab until you hear "Filter or search edit" or the text of your previous search
and then type new search text.

3. To select a name, tab until you hear a name, indicating that the focus is on the
names in the Display Name table. (In JAWS, you hear "Out of table" and the name
of the first user listed.)

4. To select the name you want, use the arrow keys.

5. Tab until you hear "Add button" and then press Spacebar. The name is added to a
text box. Each name you add includes a Remove link.

6. To add more names, tab to the Search button and repeat the previous steps.

7. When complete, tab to the OK button and press Enter. The Select Owner window
closes, and the focus is in the Owners box in the new distribution group window.

Technical support for customers with disabilities
Microsoft wants to provide the best possible experience for all our customers. If you
have a disability or have questions related to accessibility, please contact the Microsoft
Disability Answer Desk for technical assistance.

The Disability Answer Desk support team is trained in using many popular assistive
technologies and can offer assistance in English, Spanish, French, and American Sign
Language. Please visit the Microsoft Disability Answer Desk site to find the contact
details for your region.
Use a screen reader to configure mail
flow rules in the Classic Exchange admin
center in Exchange Online
Article • 02/22/2023

Using a screen reader and keyboard shortcuts, you can create mail flow rules (also
known as transport rules) in Exchange Online in the Classic Exchange admin center
(Classic EAC) to look for specific conditions in messages that pass through your
organization and take action on them. The main difference between mail flow rules and
Inbox rules you would set up in an email client application (such as Outlook) is that mail
flow rules take action on messages while they're in transit as opposed to after the
message is delivered. Mail flow rules also contain a richer set of conditions, exceptions,
and actions, which provides you with the flexibility to implement many types of
messaging policies.

Note: To learn more about mail flow rules, see Mail flow rules (transport rules) in
Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Office 365 or Microsoft 365 subscription plan and admin role to
perform this task. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role


To complete the tasks covered in this topic, Use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Learn how to
Use a screen reader to identify your admin role in the Exchange admin center.

Create a mail flow rule


1. In the EAC, to move the focus to the first link in the navigation pane (Dashboard),
press Ctrl+F6 twice. You hear "Dashboard, Primary navigation link."

2. To move the focus to the mail flow link in the navigation pane, press the Tab key
until you hear "Mail flow, Primary navigation link." Press Enter.

3. To move the focus to the mail flow settings in the content area of the page, the
first of which is the rules link, press Ctrl+F6. You hear "Rules, Secondary navigation
link."

4. To create a new rule, move the focus to the New button by pressing the Tab key
until you hear "New button." Press Enter. You hear "Menu." To select the Create a
new rule option from the list of options that opens for the button, press the Down
Arrow key. You hear "Create a new rule." Press Enter.

5. As the focus moves to the Name text box in the new rule pop-up window, you
hear "New rule, Name, Edit." Type the name of the new rule. To move to the next
option in the window, press the Tab key.

6. As the focus moves to the Apply this rule if drop-down box, you hear "Apply this
rule if, Combo box." Press the Down Arrow or Up Arrow key until you hear the
condition you want to select. Press Enter. As the focus moves to the first user
interface (UI) element in the pop-up window that opens for the selected condition,
you hear the name of the pop-up window followed by the name of the first UI
element in the window. The following table gives you an overview of the UI
elements in each condition's pop-up window.

Condition: The sender is / The recipient is / The sender is a member of /
The recipient is a member of
UI elements in the condition's pop-up window: Search, Refresh, and More
buttons. Display Name and Email Address column headers. List of names and
email addresses. Add button and text box that includes the selected names.
Check names button and text box in which you type the name you want to check.
OK and Cancel buttons.

Condition: The sender is located / The recipient is located
UI elements in the condition's pop-up window: Drop-down box that opens a list
of locations. OK and Cancel buttons.

Condition: The subject or body includes / The sender address includes /
The recipient address includes / Any attachment's content includes
UI elements in the condition's pop-up window: Edit and Remove buttons. Text
box in which you type words, and an Add button to add each entry. List of
entries. OK and Cancel buttons.

Condition: [Apply to all messages]
UI elements in the condition's pop-up window: No pop-up window opens.

Tip

To move the focus to each setting that's listed in a pop-up window, press the
Tab key. As you select each setting, you hear information about it. To open
drop-down box lists, press Spacebar. To move between and select options in
drop-down box lists, press the Down Arrow and Up Arrow keys. To choose an
option, press Enter. You can also use the Spacebar to select or clear the
selection for check boxes.

7. After you've accepted your condition settings in the appropriate pop-up window,
move to the next option in the new rule pop-up window by pressing the Tab key.
8. As the focus moves to the Do the following drop-down box, you hear "Do the
following, Combo box." Press the Down Arrow or Up Arrow key until you hear the
action you want to select. Press Enter. As the focus moves to the first UI element in
the pop-up window that opens for the selected action, you hear the name of the
pop-up window followed by the name of the first UI element in the window. The
following table gives you an overview of the UI elements in each action's pop-up
window.

Action: Forward the message for approval to / Redirect the message to /
Bcc the message to
UI elements in the pop-up window: Search, Refresh, and More buttons. Display
Name and Email Address column headers. List of names and email addresses. Add
button and text box that includes the selected names. Check names button and
text box in which you type the name you want to check. OK and Cancel buttons.

Action: Reject the message with the explanation
UI elements in the pop-up window: Text box in which you type the explanation.
OK and Cancel buttons.

Action: Delete the message without notifying anyone
UI elements in the pop-up window: No pop-up window opens.

Action: Append the disclaimer
UI elements in the pop-up window: No pop-up window opens, but an Enter text
link and a Select one link are inserted in the window after the drop-down box.
If you select the Enter text link, a pop-up window opens that includes a text
box in which you type the disclaimer, and the OK and Cancel buttons. If you
select the Select one link, a pop-up window opens that includes a drop-down
box that opens a list of fallback actions in case the disclaimer can't be
inserted, and the OK and Cancel buttons.

9. After you've accepted your action settings in the appropriate pop-up window,
move to the next option in the new rule pop-up window by pressing the Tab key.
10. As the focus moves to the Audit this rule with severity level check box, you hear
"Checked" or "Unchecked" depending on whether the box is selected or not,
followed by "Audit this rule with severity level, Check box." To select or clear the
selection for the check box, press Spacebar. You hear "Checked" or "Unchecked."
Do either of the following two actions.

If you selected the Audit this rule with severity level check box, when you
press the Tab key, the focus moves to a drop-down box that lists severity
levels (Low, Medium, or High). To move between severity levels in the list,
press the Up Arrow or Down Arrow key. You hear the name of each severity
level. To select a severity level, press Enter. To move to the next option in the
window, press the Tab key.

If you didn't select the Audit this rule with severity level check box, to move
to the next available option in the window, press the Tab key.

11. As the focus moves to the first of three available modes for the rule, you hear the
name of the first mode (Enforce) followed by "Radio button." Do any of the
following three actions.

The Enforce mode is selected by default. To move to and select the next
mode, press the Down Arrow key. After you've selected the mode you want,
to move to the next area of options in the window, press the Tab key.

To select the Test with Policy Tips mode, press the Down Arrow key. You hear
"Test with Policy Tips" followed by "Radio button." To move to and select the
next mode, press the Down Arrow key. After you've selected the mode you
want, to move to the next area of options in the window, press the Tab key.

To select the Test without Policy Tips mode, press the Down Arrow key. You
hear "Test without Policy Tips" followed by "Radio button." To move to and
select the next mode, press the Down Arrow key. After you've selected the
mode you want, to move to the next area of options in the window, press the
Tab key.

12. As the focus moves to the More options link, you hear "More options link." If you
want to add more options for the rule, press Enter. The following nine UI elements
are added to the window.

After the Apply this rule if drop-down box, an add condition button is
added.

After the Do the following drop-down box, an add action button is added.
After the add action button, an add exception button is added.

After the options for the modes for the rule, the following UI elements are
added:

Activate this rule on the following date check box, followed by a date drop-
down box and a time drop-down box.

Deactivate this rule on the following date check box, followed by a date
drop-down box and a time drop-down box.

Stop processing more rules check box.

Defer the message if rule processing doesn't complete check box.

Match sender address in message drop-down box that includes Header,
Envelope, and Header or Envelope options.

Comment text box.

13. To save the new rule, move the focus to the Save button by pressing the Tab key
until you hear "Save button." Press Enter.

14. As the focus moves back to the New button on the rules content area of the page,
you hear "Rules, New button." The new rule is turned on by default.

Tip

To turn off a new rule, press the Tab key to tab through the elements of the rules
content area of the page, use the Up Arrow and Down Arrow keys to select a rule,
and then press Spacebar. To hear the settings for a selected rule, press the Tab key
until the focus moves to the details pane for the selected rule, and you hear the
details for the rule.
Use a screen reader to define rules that
encrypt or decrypt email messages in
the Classic Exchange admin center in
Exchange Online
Article • 02/22/2023

In the Classic Exchange admin center (Classic EAC) in Exchange Online, you can create
mail flow rules (also known as transport rules) to enable or disable Microsoft Purview
Message Encryption. This lets you encrypt outgoing email messages and remove
encryption from encrypted messages coming from inside your organization or from
replies to encrypted messages sent from your organization.

Note: To learn more about message encryption, go to Encryption. Your organization
must have Set up new Message Encryption capabilities to complete the tasks in this
topic.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to
perform this task. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Microsoft 365 Apps for business product or license do I have? and
Exchange Online Service Description.

Open the EAC, and confirm your admin role


To complete the tasks covered in this topic, Use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Use a screen
reader to identify your admin role in the Exchange admin center.

Create a mail flow rule to encrypt email messages
1. In the EAC, to move the focus to the first link in the navigation pane (Dashboard),
press Ctrl+F6 twice. You hear "Dashboard, Primary navigation link."

2. To move the focus to the mail flow link in the navigation pane, press the Tab key
until you hear "Mail flow, Primary navigation link." Press Enter.

3. To move the focus to the mail flow settings in the content area of the page, the
first of which is the rules link, press Ctrl+F6. You hear "Rules, Secondary navigation
link."

4. To create a new rule, move the focus to the New button by pressing the Tab key
until you hear "New button." Press Enter. You hear "Menu." To select the Create a
new rule option from the list of options that opens for the button, press the Down
Arrow key. You hear "Create a new rule." Press Enter.

5. As the focus moves to the Name text box in the new rule pop-up window, you
hear "New rule, Name, Edit." Type the name of the new rule (such as Encrypt email
for email address). To move to the next option in the window, press the Tab key.

6. As the focus moves to the Apply this rule if drop-down box, you hear "Apply this
rule if, Combo box." Press the Down Arrow or Up Arrow key until you hear the
condition you want to select. Press Enter. For example, if you want to encrypt
messages for a particular email address, perform the following five steps.
a. In the Apply this rule if drop-down box, press the Down Arrow key until you
hear "The recipient is." Press Enter.

b. As the focus moves to the Search button in the Select Members pop-up
window that opens, you hear "Select Members, Search."

c. To move the focus to each of the following three elements of the user interface,
press the Tab key:

i. The Display Name column. You hear "Display Name, Column header."

ii. The list of names of each person in your organization in the Name column.
You hear the name of the first person followed by "Button."

iii. The first person in the list. You hear the name of the first person followed by
"Row."

d. The first person in the list. You hear the name of the first person followed by
"Row."

e. To accept your changes, move the focus to the OK button by pressing the Tab
key until you hear "Okay button." Press Enter.

7. As the focus moves back to the new rule pop-up window, you hear "New rule."

8. To move the focus to the More options link in the new rule pop-up window, press
the Tab key until you hear "More options link." Press Enter.

Tip

When you select the More options link, more user interface (UI) elements are
added to the page and more options are added to the combo boxes. To have
access to the Modify the message security option that you need to select in
the next step, you must select the More options link.

9. To move the focus back to the Do the following drop-down box in the new rule
pop-up window, press Shift+Tab until you hear "Do the following, Combo box."
Perform the following two steps.

a. In the Do the following drop-down box, to select the Modify the message
security option, press the Down Arrow key until you hear "Modify the message
security." Press Enter.
b. As the focus moves to a list of message security options, you hear the first
option in the list, "Apply rights protection." To select the Apply Office 365
Message Encryption option, press the Down Arrow key until you hear "Apply
Office 365 Message Encryption." Press Enter.

10. To save the new rule, move the focus to the Save button by pressing the Tab key
until you hear "Save button." Press Enter.

11. As the focus moves back to the New button on the rules content area of the page,
you hear "Rules, New button." The new rule is turned on by default.

Tip

To turn off a new rule, press the Tab key to tab through the elements of the rules
content area of the page, use the Up Arrow and Down Arrow keys to select a rule,
and then press Spacebar. To hear the settings for a selected rule, press the Tab key
until the focus moves to the details pane for the selected rule, and you hear the
details for the rule.

Create a mail flow rule to decrypt email messages
1. In the EAC, to move the focus to the first link in the navigation pane (Dashboard),
press Ctrl+F6 twice. You hear "Dashboard, Primary navigation link."

2. To move the focus to the mail flow link in the navigation pane, press the Tab key
until you hear "Mail flow, Primary navigation link." Press Enter.

3. To move the focus to the mail flow settings in the content area of the page, the
first of which is the rules link, press Ctrl+F6. You hear "Rules, Secondary navigation
link."

4. To create a new rule, move the focus to the New button by pressing the Tab key
until you hear "New button." Press Enter. You hear "Menu." To select the Create a
new rule option from the list of options that opens for the button, press the Down
Arrow key. You hear "Create a new rule." Press Enter.

5. As the focus moves to the Name text box in the new rule pop-up window, you
hear "New rule, Name, Edit." Type the name of the new rule (such as Remove
encryption from incoming mail). To move to the next option in the window, press
the Tab key.
6. As the focus moves to the Apply this rule if drop-down box, you hear "Apply this
rule if, Combo box." Press the Down Arrow or Up Arrow key until you hear the
condition you want to select. Press Enter. For example, if you want to decrypt all
incoming messages for your organization, perform the following four steps.

a. In the Apply this rule if drop-down box, press the Down Arrow key until you
hear "The recipient is located." Press Enter.

b. As the focus moves to a list of locations in the select recipient location pop-up
window that opens, you hear "Select recipient location."

c. To move between and select a location in the list, press the Down Arrow and Up
Arrow keys. You hear the name of each location. For example, to select the
Inside the organization location, press the Down Arrow key until you hear
"Inside the organization."

d. To accept your changes, move the focus to the OK button by pressing the Tab
key until you hear "Okay button." Press Enter.

7. As the focus moves back to the new rule pop-up window, you hear "New rule."

8. To move the focus to the More options link in the new rule pop-up window, press
the Tab key until you hear "More options link." Press Enter.

Tip

When you select the More options link, more user interface (UI) elements are
added to the page and more options are added to the combo boxes. To have
access to the Modify the message security option that you need to select in
the next step, you must select the More options link.

9. To move the focus back to the Do the following drop-down box in the new rule
pop-up window, press Shift+Tab until you hear "Do the following, Combo box."
Perform the following two steps.

a. In the Do the following drop-down box, to select the Modify the message
security option, press the Down Arrow key until you hear "Modify the message
security." Press Enter.

b. As the focus moves to a list of message security options, you hear the first
option in the list, "Apply rights protection." To select the Remove Office 365
Message Encryption option, press the Down Arrow key until you hear "Remove
Office 365 Message Encryption." Press Enter.
10. To save the new rule, move the focus to the Save button by pressing the Tab key
until you hear "Save button." Press Enter.

11. As the focus moves back to the New button on the rules content area of the page,
you hear "Rules, New button." The new rule is turned on by default.

Tip

To turn off a new rule, press the Tab key to tab through the elements of the rules
content area of the page, use the Up Arrow and Down Arrow keys to select a rule,
and then press Spacebar. To hear the settings for a selected rule, press the Tab key
until the focus moves to the details pane for the selected rule, and you hear the
details for the rule.
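The rules built through the Classic EAC in the procedures above (the general mail flow rule with its mode, audit and More options settings, the encryption rule, and the decryption rule) expressed in Exchange Online PowerShell, as an added example that is not part of the original article. The rule names are the ones the procedures suggest; the admin account, recipient address and comment text are placeholders.

```powershell
# Added example (not from the original article): the Classic EAC rules built in the
# procedures above, created with Exchange Online PowerShell instead. The admin
# account and recipient addresses below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin

# Rule 1: "Encrypt email for email address".
#   Condition "The recipient is"                  -> -SentTo
#   Action "Apply Office 365 Message Encryption"  -> -ApplyOME
#   Mode "Test without Policy Tips"               -> -Mode Audit (logged, not enforced)
#   "Audit this rule with severity level"         -> -SetAuditSeverity
#   "Match sender address in message"             -> -SenderAddressLocation
# Starting in Audit mode lets you confirm the rule matches only the intended
# messages before it changes what recipients receive.
New-TransportRule -Name "Encrypt email for email address" `
    -SentTo "finance@contoso.example" `
    -ApplyOME $true `
    -Mode Audit `
    -SetAuditSeverity High `
    -SenderAddressLocation HeaderOrEnvelope `
    -Comments "Placeholder comment: created in audit mode, enforce after review."

# Rule 2: "Remove encryption from incoming mail".
#   Condition "The recipient is located: Inside the organization" -> -SentToScope
#   Action "Remove Office 365 Message Encryption"                 -> -RemoveOME
#   "Stop processing more rules"                                  -> -StopRuleProcessing
#   "Defer the message if rule processing doesn't complete"       -> -RuleErrorAction Defer
#   "Activate/Deactivate this rule on the following date"         -> -ActivationDate/-ExpiryDate
# Scoping decryption to recipients inside the organization keeps the rule from
# stripping protection from anything that leaves it.
New-TransportRule -Name "Remove encryption from incoming mail" `
    -SentToScope InOrganization `
    -RemoveOME $true `
    -Mode Enforce `
    -StopRuleProcessing $true `
    -RuleErrorAction Defer `
    -ActivationDate (Get-Date) `
    -ExpiryDate (Get-Date).AddMonths(6)

# Rules are enabled on creation, matching "The new rule is turned on by default".
# The equivalent of pressing Spacebar on a selected rule to turn it off, and on again:
Disable-TransportRule -Identity "Remove encryption from incoming mail" -Confirm:$false
Enable-TransportRule -Identity "Remove encryption from incoming mail"

# Once the audit entries look right, switch rule 1 to Enforce and review both rules.
Set-TransportRule -Identity "Encrypt email for email address" -Mode Enforce
Get-TransportRule | Where-Object { $_.Name -like "*encrypt*" } |
    Format-Table Name, State, Mode, Priority, ActivationDate, ExpiryDate
```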
Use a screen reader to edit the mailbox
display name in the Classic Exchange
admin center in Exchange Online
Article • 02/22/2023

Use keyboard shortcuts and your screen reader to add or edit a mailbox's display name
in the Classic Exchange admin center (Classic EAC) in Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to
perform this task. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016.

For best results, when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans; however, capabilities
may differ by plan. If your EAC doesn't include a function described in this article, your
plan might not include it.

For more information on the Exchange Online capabilities in your subscription plan, go
to What Microsoft 365 Apps for business product or license do I have? and Exchange
Online Service Description.

Edit mailbox display name


1. Once you are in the EAC, to navigate to the page body, press Ctrl+F6. You hear
"Welcome."

2. Press the Tab key until you hear "Mailboxes." This is the first link after "Recipients."

3. To select the link and go to the Mailboxes page, press Enter. This takes you to the
Mailboxes tab on the Mailboxes page. The focus is on the Mailboxes tab.

4. To get to the Mailbox pane, press Ctrl+F6 twice. You hear the first name in the list
of mailboxes.

5. Use the arrow keys to select the mailbox you want to update. You hear each
mailbox user's name as that listing is selected.

6. When you have found the mailbox you want to edit, press Enter. This opens a pop-
up window. You hear the URL of that pop-up window. The focus is on the General
tab within the Edit Mailbox page.

7. To get to the Display Name field on the General tab, press the Tab key. You hear
"Display name."

8. Type in the new display name.

9. To get to the Save button, press the Tab key (you hear "Save button"), and press
Enter. This returns you to the Mailbox List tab. The focus will be on the name you
just edited.

Tip

It may take a few minutes to save the new mailbox and close the pop-up
window. There is no additional feedback to provide during this wait time.
Use a screen reader to export and
review audit logs in the Classic
Exchange admin center in Exchange
Online
Article • 02/22/2023

You can export and review mailbox audit logs by using your screen reader in the Classic
Exchange admin center (Classic EAC) in Exchange Online. When enabled, Exchange
mailbox auditing logs information in the mailbox audit log whenever a user other than
the owner accesses the mailbox. Each log entry includes information about who
accessed the mailbox and the actions performed.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to
perform this task. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan
Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role


To export and review mailbox audit logs, Use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Learn how to
Use a screen reader to identify your admin role in the Exchange admin center.

Configure mailbox audit logging


Before you can export and review audit logs, you or another admin must enable mailbox
audit logging and configure Outlook to allow XML attachments. These tasks are done in
Exchange Online PowerShell. For more information, go to Export mailbox audit logs in
Exchange Online.
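The PowerShell side of the paragraph above, as an added example that is not part of the original article: enabling non-owner mailbox audit logging, requesting the same two-week export the EAC dialog produces (delivered as an XML attachment), and reviewing one mailbox's entries inline. The admin account, mailbox addresses and report recipient are placeholders.

```powershell
# Added example (not from the original article). Account, mailbox and recipient
# addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin

# 1. Enable mailbox audit logging on user mailboxes and keep entries for the 90
#    days the EAC export window relies on. Admin and Delegate actions are the
#    non-owner access the article describes; owner auditing is left at its default.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit 90.00:00:00 `
        -AuditAdmin Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, FolderBind `
        -AuditDelegate Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, FolderBind
}

# 2. Same defaults as the Export Mailbox Audit Logs dialog: start two weeks
#    before yesterday, end today, non-owner logons only.
$start = (Get-Date).AddDays(-15).Date
$end   = (Get-Date).Date

# Asynchronous export: the result is emailed as an XML attachment, which is why
# the article says Outlook must be configured to allow XML attachments.
New-MailboxAuditLogSearch -Name "Non-owner access, last two weeks" `
    -Mailboxes "finance@contoso.example", "ceo@contoso.example" `
    -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end `
    -ShowDetails `
    -StatusMailRecipients "security-team@contoso.example"

# 3. Synchronous review of one mailbox, with no email round trip. Who accessed
#    it, from which client address, and what they touched.
Search-MailboxAuditLog -Identity "finance@contoso.example" `
    -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate $start -EndDate $end -ResultSize 1000 |
    Sort-Object LastAccessed -Descending |
    Format-Table LastAccessed, LogonUserDisplayName, LogonType, Operation, ClientIPAddress, ItemSubject
```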

Export a mailbox audit log


1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to compliance management and press Enter.

3. To move to the menu bar, press Ctrl+F6.

4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."

6. Press the Tab key about six times until you hear "Export mailbox audit logs," and
press Enter.

7. In the Export Mailbox Audit Logs dialog box, which opens, the Start date year
combo box has the focus, and you hear "Year of Start date combo box."

Tip

By default, the start date is set to two weeks before yesterday's date. When
enabled, the mailbox audit log typically stores entries for 90 days.

a. If necessary, type the start date year for the audit logs. You can also select the
start date year by pressing the Up Arrow key or the Down Arrow key.
start date year by pressing the Up Arrow key or the Down Arrow key.

b. Tab to the month text box, and type or select the start date month.

c. Tab to the day text box, and type or select the start date day.

8. Tab to the End date year combo box. You hear "Year of End date combo box."

Tip

The default end date is today's date.

a. If necessary, type the end date year for the audit logs. You can also select the
end date year by pressing the Up Arrow key or the Down Arrow key.

b. Tab to the month text box, and type or select the end date month.

c. Tab to the day text box, and type or select the end date day.

9. To access the select users button, press the Tab key twice. You hear "Search these
mailboxes or leave blank to find all mailboxes accessed by non-owners."

Tip

If you want to export audit logs for all mailboxes, don't select any users, and
go on to step 10. When the Search these users box is blank, the search
includes all mailboxes.

a. To open the Select Mailbox dialog box, with the focus on the select users
button, press Enter. The Search box has the focus, and you hear "Filter or search
edit." Type all or part of the name of the first mailbox whose audit logs you
want to export and then, to search for the name, press Enter.

b. To select a mailbox, press the Tab key four times until you hear the name of the
mailbox owner in the search results list. If there are multiple mailboxes in the
search results list, press the Down Arrow or Up Arrow key until you hear the
name of the mailbox owner.

Tip

You can select multiple consecutive mailboxes. To work with all mailboxes,
leave the Search box blank, or enter all or part of the mailbox names you
want to add. Tab to the search results. Press the Down Arrow key to hear
each name. To add them all, press Ctrl+A. To add several mailboxes listed
consecutively, press the Down Arrow key or the Up Arrow key until you
hear the first mailbox name you want to add, hold down the Shift key,
press the Down Arrow key or the Up Arrow key until you hear the last
mailbox name you want to add, and then release the Shift key. All
mailboxes between the first and last mailbox names are selected.

c. To add the selected mailbox(es) to the list to be included in the audit log export,
press Enter. The list of mailboxes retains the focus, so you can continue to add
more mailboxes by selecting them and pressing Enter.

Tip

To check the mailboxes you've added, tab to the Add button. To hear the
list of mailboxes, press the Tab key again. You hear the first mailbox name
in the list. To hear the second mailbox name in the list, press the Tab key
one more time. Continue pressing the Tab key until you hear the names of
all the mailboxes you've added. To delete a mailbox from the list, activate
the Remove link by pressing Enter when you hear the mailbox name.

d. To search for another mailbox or set of mailboxes, tab several times until you
hear "Filter or search edit." Type all or part of the name of the next mailboxes
you want to add, and press Enter. Repeat steps b and c. Do this for all mailboxes
you want to add.

e. To add an external mailbox, press the Tab key until you hear "Check names edit,
Type in text." (In Narrator, you hear "Editing.") Type the email address of the
external recipient, press Shift+Tab to select the Check names button, and then
press Enter. This verifies the email address and adds it to the list of mailboxes.

Tip

Be aware that if you type an external email address and press Enter, this
adds the address to the list and then closes the dialog box. If you're not
finished, use the Check names button to add it instead.

f. When you finish adding mailboxes, tab to the OK button and press Enter. The
Export Mailbox Audit Logs dialog box has the focus again, and the Search
these mailboxes text box lists the selected mailboxes.

10. Tab to the Search for access by combo box. This specifies which types of mailbox
non-owners you want the audit logs to show.

To have the audit logs show all non-owners, you don't need to do anything,
as this is the default.

To specify a certain group of non-owners, like External users (Microsoft
datacenter administrators), Administrators and delegated users, or
Administrators, press the Down Arrow key to move to the user type you
want, and then press Enter.

11. Press the Tab key twice to access the next select users button. You hear "Send the
audit report to picker button." To open the Select Members dialog box, press
Enter. The Search button has the focus.

a. To search for a user within your organization, press Enter, type all or part of the
name of the first audit log recipient, and then press Enter.

b. Press the Tab key several times until you hear the name of the user in the search
results list.

c. To add the user to the list of audit log recipients, press the Down Arrow key
until you hear the user's name, and then press Enter. The list of users retains the
focus, so you can continue to add more recipients by selecting their mailboxes
and pressing Enter.

Tip

To check the recipients you've added, tab to the Add button. To hear the
list of recipients, press the Tab key again. The first name is read. To hear the
second name in the list, press the Tab key one more time. Continue
pressing the Tab key until you hear the names of all the recipients you've
added. To delete a recipient from the list, activate the Remove link by
pressing Enter when you hear the username.

d. To search for another name or set of names from within your organization, tab
several times until you hear "Filter or search edit." Type all or part of the name
of the next user you want to add, and press Enter. Repeat steps b and c. Do this
for all audit report recipients in your organization.

e. To add an external recipient, press the Tab key until you hear "Check names edit,
Type in text." (In Narrator, you hear "Editing.") Type the email address of the
external recipient, press Shift+Tab to select the Check names button, and then
press Enter. This verifies the email address and adds it to the list of recipients.

Tip

Be aware that if you type an external email address and press Enter, this
adds the recipient to the list and then closes the dialog box. If you're not
finished, use the Check names button to add it instead.

f. When you finish adding users, tab to the OK button and press Enter. The Export
Mailbox Audit Logs dialog box has the focus again, and the Send the audit
report to text box lists the audit log recipients.

12. Tab to the export button and press Enter. Exchange retrieves entries in the mailbox
audit log that meet your search criteria, saves them to a file named
SearchResult.xml, and then attaches the XML file to an email message sent within
24 hours to your selected audit log recipients.

Tip

If you hear an error message that says the items you're trying to open
couldn't be found, check that audit logging is enabled for the selected
mailboxes. Also check that the selected dates are within range. The dates
need to be after the date audit logging was enabled, and, by default, within
the past 90 days.

Review a mailbox audit log


1. Open Outlook and sign in to your mailbox (or the mailbox where the audit log was
sent).

2. In the Inbox, find and open the message sent by Exchange or Outlook with a
subject including "Mailbox Audit Log Search" and an XML file attachment named
SearchResult.xml. The body of the email message contains the search criteria for
this exported audit log.

Tip

If Outlook is not configured to allow XML attachments, you might receive the
email message but not be able to open the XML attachment. Also, if you can't
find the message, you might need to wait longer. Recipients typically receive
the exported audit log within 24 hours, but in some cases it might take a few
days.

3. Select the message attachment and specify that you want to download the XML
file.

4. Open the SearchResult.xml file in Excel. Each log entry includes information about
non-owners of the mailbox who accessed the mailbox and the actions performed.
The following fields are included, among others, in the audit log:

| This mailbox audit log field | Gives this information |
| --- | --- |
| Owner | The owner of the mailbox accessed by a non-owner |
| LastAccessed | The date and time of the most recent mailbox access |
| Operation | The action performed by the non-owner |
| OperationResult | Whether the action performed by the non-owner succeeded or failed |
| LogonType | The type of non-owner access, like administrator, delegate, or external Microsoft datacenter administrator |
| ClientIPAddress | The IP address of the computer used by the non-owner to access the mailbox |
| LogonUserDN | The display name of the non-owner |
| Subject | The subject line of the message affected by the non-owner |


Use a screen reader to identify your admin role in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

To complete administrative tasks in the Classic Exchange admin center (Classic EAC) in
Exchange Online, you need the appropriate administrative permissions, which are
grouped and assigned by role. By using a screen reader and keyboard shortcuts, you
can identify your admin role, in addition to the role you must be assigned to complete
particular tasks.

Note

To learn how to open the EAC, refer to Use a screen reader to open the Exchange
admin center. To learn more about admin role groups, go to Manage role groups in
Exchange Online.

1. In the EAC, to move the focus to Dashboard, which is the first link in the navigation
pane, press Ctrl+F6 twice. You hear "Dashboard, Primary navigation link."

2. In the navigation pane, to move the focus to the Permissions link, press the Tab
key until you hear "Permissions, Primary navigation link." Press Enter.

3. To move the focus to the admin roles link on the content area of the page, press
Ctrl+F6. You hear "Admin roles, Secondary navigation link."

4. To move the focus to each of the following three elements of the user interface,
press the Tab key for each element:

a. The main content for admin roles. You hear "Role groups."

b. The Name column. You hear "Name, Column header."

c. The list of admin role groups in the Name column. You hear the name of the
first role group, which is Compliance Management, followed by "Row."

5. In the list of admin role groups, to move between and select the name of a group,
use the Up Arrow and Down Arrow keys. As you select each group, you hear its
name, followed by "Row."

6. Select the admin role group that includes the role you need to complete a task.

Tip

If you don't know the role required for a particular task, select the admin role
group that you think might include roles related to your task, perform step 6,
and pay particular attention to the assigned roles.

7. To move the focus to the details pane for the admin role group, press Ctrl+F6.

If you're using Narrator, you hear all the details for the admin role group,
including a description of the group, assigned roles, members, managed by,
and write scope.

If you're using JAWS, to hear the description of the admin role group, press
the Down Arrow key, and then, to hear the rest of the text in the details pane,
press Alt+Down Arrow.

8. If you do not hear your name among the members, you have not been assigned
the appropriate role to complete your task. Contact your Microsoft 365 or Office
365 administrator.

Use a screen reader to run an audit report in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

You can run audit reports and search for audit information by using your screen reader
in the Classic Exchange admin center (Classic EAC) in Exchange Online. Certain audit
reports can help you troubleshoot configuration issues by tracking specific changes
made by administrators. Other audit reports can help you monitor regulatory,
compliance, and litigation requirements.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role


To run audit reports, use a screen reader to open the Exchange admin center and check
that your global administrator has assigned you to the Organization Management and
Records Management admin role groups. To run In-Place eDiscovery or In-Place Hold
reports, check that you are assigned to the Discovery Management role group. Learn
how to Use a screen reader to identify your admin role in the Exchange admin center.

Find data to troubleshoot configuration and security issues

Troubleshoot configuration issues by examining logged information about mailbox
access by non-owners, Exchange Online configuration changes, and administrator role
group updates. This information is available on the Compliance Management tab and
the Auditing page of the EAC.

Search for non-owner mailbox access


When Exchange mailbox auditing is enabled for a mailbox, information is recorded in
the mailbox audit log whenever a user other than the owner accesses that mailbox. Each
log entry includes information about who accessed the mailbox and what actions were
performed. Search for non-owner mailbox access when you need to troubleshoot
possible security issues.

Note

Before you can search for non-owner mailbox access, you or another Admin must
enable mailbox audit logging, which is done in Exchange Online PowerShell. Learn
more about running a non-owner mailbox access report.
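The note above says mailbox audit logging is enabled in Exchange Online PowerShell but does not show how. The following is an added example, not part of this article, that enables auditing with the 90-day retention the article describes and then runs the same non-owner access search the Classic EAC dialog performs, summarizing the fields that also appear in the exported SearchResult.xml (see "Review a mailbox audit log" above). It assumes an existing Exchange Online PowerShell session and the Get-Mailbox, Set-Mailbox and Search-MailboxAuditLog cmdlets, none of which the article names.

```powershell
# Added example (not from the Microsoft article). Assumes an Exchange Online
# PowerShell session is already connected (Connect-ExchangeOnline) and that the
# Get-Mailbox, Set-Mailbox and Search-MailboxAuditLog cmdlets are available.

# Same default window as the EAC dialog: two weeks before yesterday, up to today.
$endDate   = (Get-Date).Date
$startDate = $endDate.AddDays(-1).AddDays(-14)

# 1. Find user mailboxes that still have auditing switched off. For these, the
#    non-owner access report (and the SearchResult.xml export) would be empty.
$unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }

foreach ($mbx in $unaudited) {
    # Enable auditing and keep entries for the 90 days the article describes.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit 90
    Write-Host "Enabled mailbox auditing for $($mbx.PrimarySmtpAddress)"
}

# 2. Search every audited mailbox for non-owner access in the window. The
#    LogonTypes Admin, Delegate and External correspond to the "Administrators
#    and delegated users" and "External users" choices in the EAC's
#    "Search for access by" box; omitting Owner excludes the owner's own activity.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AuditEnabled }

$entries = foreach ($mbx in $mailboxes) {
    Search-MailboxAuditLog -Identity $mbx.Identity `
        -LogonTypes Admin,Delegate,External `
        -StartDate $startDate -EndDate $endDate `
        -ShowDetails -ResultSize 1000
}

# 3. Show the same information the exported audit log carries: whose mailbox,
#    when, by whom, from which IP address, which operation, and whether it
#    succeeded. Most recent access first.
$entries |
    Select-Object MailboxOwnerUPN, LastAccessed, LogonType, LogonUserDisplayName,
                  ClientIPAddress, Operation, OperationResult, ItemSubject |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize

# 4. Set aside what a reviewer would want to look at first: operations that did
#    not succeed, and access by external (Microsoft datacenter) administrators.
$entries |
    Where-Object { $_.OperationResult -ne 'Succeeded' -or $_.LogonType -eq 'External' } |
    Export-Csv -Path .\NonOwnerAccess-Review.csv -NoTypeInformation
```

Entries recorded before auditing was enabled on a mailbox cannot be recovered, which is the same reason the article's later tip tells you to check that the selected dates fall after the date audit logging was enabled.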

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to compliance management and press Enter.

3. To move to the menu bar, press Ctrl+F6.

4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."

6. Press the Tab key about three times until you hear "Run a non-owner mailbox
access report." Press Enter.

7. In the Search for Mailboxes Accessed by Non-Owners dialog box which opens,
the Start date year combo box has the focus, and you hear "Year of Start date
combo box."

Tip

By default, the start date is set to two weeks before yesterday's date. When
enabled, the mailbox audit log typically stores entries for 90 days.

a. If necessary, type the start date year for your non-owner mailbox access
search. You can also select the start date year by pressing the Up Arrow key or
the Down Arrow key.

b. Tab to the month text box, and type or select the start date month.

c. Tab to the day text box, and type or select the start date day.

8. Tab to the End date year combo box. You hear "Year of End date combo box."

Tip

The default end date is today's date.

a. If necessary, type the end date year for your non-owner mailbox access
search. You can also select the end date year by pressing the Up Arrow key or
the Down Arrow key.

b. Tab to the month text box, and type or select the end date month.

c. Tab to the day text box, and type or select the end date day.

9. Press the Tab key to access the select mailboxes button.

Tip

If you want to search all mailboxes for non-owner access, don't select any
specific mailboxes, and go on to step 10. When the Search these mailboxes
box is blank, the search includes all mailboxes.

a. To open the Select Mailbox dialog box, with the focus on the select mailboxes
button, press Enter. The Search box has the focus, and you hear "Filter or search
edit." Type all or part of the name of the first mailbox you want to include in the
non-owner mailbox access search and then, to search for the name, press Enter.

b. To select a mailbox, press the Tab key about four times until you hear the name
of the mailbox owner in the search results list. If there are multiple mailboxes in
the search results list, press the Down Arrow key or Up Arrow key until you hear
the name of the mailbox owner.

Tip

You can select multiple consecutive mailboxes. To work with all mailboxes,
leave the Search box blank, or enter all or part of the mailbox names you
want to add. Tab to the search results. Press the Down Arrow key to hear
each name. To add them all, press Ctrl+A. To add several mailboxes listed
consecutively, press the Down Arrow key or the Up Arrow key until you
hear the first mailbox name you want to add, hold down the Shift key,
press the Down Arrow key or the Up Arrow key until you hear the last
mailbox name you want to add, and then release the Shift key. All
mailboxes between the first and last mailbox names are selected.

c. To add the selected mailbox(es) to the list to be included in the non-owner
mailbox access search, press Enter. The list of mailboxes retains the focus, so
you can continue to add more mailboxes by selecting them and pressing Enter.

Tip

To check the mailboxes you've added, tab to the Add button. To hear the
list of mailboxes, press the Tab key again. You hear the first mailbox name
in the list. To hear the second mailbox name in the list, press the Tab key
once more. Continue pressing the Tab key until you hear the names of all
the mailboxes you've added. To delete a mailbox from the list, activate the
Remove link by pressing Enter when you hear the mailbox name.

d. To search for another mailbox or set of mailboxes, tab several times until you
hear "Filter or search edit." Type all or part of the name of the next mailboxes
you want to add, and press Enter. Repeat steps b and c. Do this for all mailboxes
you want to add.

e. To add an external mailbox, press the Tab key until you hear "Check names edit,
Type in text." (In Narrator, you hear "Editing.") Type the email address of the
external recipient, press Shift+Tab to select the Check names button, and then
press Enter. This verifies the email address and adds it to the list of mailboxes.

Tip

Be aware that if you type an external email address and press Enter, this
adds the address to the list and then closes the dialog box. If you're not
finished, use the Check names button to add it instead.

f. When you finish adding mailboxes, tab to the OK button and press Enter. The
Search for Mailboxes Accessed by Non-Owners dialog box has the focus again,
and the Search these mailboxes text box lists the selected mailboxes.

10. Tab to the Search for access by combo box. This specifies which types of mailbox
non-owners you want the non-owner mailbox report to show.

To search the audit logs for administrator access, you don't need to do
anything, as this is the default.

To search the audit logs for another group of non-owners, like All non-
owners, External users (Microsoft datacenter administrators), or
Administrators and delegated users, press the Up Arrow key to move to the
user type you want.

11. Press the Tab key to access the Search button, and press Enter.

12. Press the Tab key about four times to access the search results. If any mailboxes
were accessed by a non-owner of the type you specified in the time period you
selected, you hear the name of the mailbox owner and the date the mailbox was
accessed by a non-owner. If none of the mailboxes were accessed by a non-owner,
you hear "There are no items to show in this view." (In Narrator, you hear "Contains
0 items.")

13. For more details about a non-owner mailbox access, with the item selected in the
search results list, press the Tab key to move to the details pane. To print the
contents of the details pane, press Enter. To hear the contents of the details pane,
press Tab again.

14. To close the dialog box, tab to the Close button and press Enter.

Tip

You can also export the log of non-owner access of mailboxes and review it in
an XML file. Learn more in Use a screen reader to export and review audit
logs in the Exchange admin center.

Search for configuration changes on a mailbox


With administrator audit logging, Exchange records specific changes an administrator
makes to the organization's Exchange configuration. Such changes can include adding
users, adding public folders, creating policies or rules, and so on. This can help you
troubleshoot configuration problems or identify the cause of security-related or
compliance-related problems. Learn more about running a non-owner mailbox access
report.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to compliance management and press Enter.

3. To move to the menu bar, press Ctrl+F6.

4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."

6. Press the Tab key about 12 times until you hear "Run the admin audit log report."
Press Enter.

7. In the View the Administrator Audit Log dialog box which opens, the Start date
year combo box has the focus, and you hear "Year of Start date combo box."

Tip

By default, the start date is set to two weeks before yesterday's date. The
administrator audit log typically stores entries for 90 days.

a. If necessary, type the start date year for your administrator configuration
change search. You can also select the start date year by pressing the Up Arrow
key or the Down Arrow key.

b. Tab to the month text box, and type or select the start date month.

c. Tab to the day text box, and type or select the start date day.

8. Tab to the End date year combo box. You hear "Year of End date combo box."

Tip

The default end date is today's date.

a. If necessary, type the end date year for your administrator configuration
change search. You can also select the end date year by pressing the Up Arrow
key or the Down Arrow key.

b. Tab to the month text box, and type or select the end date month.

c. Tab to the day text box, and type or select the end date day.

9. Press the Tab key to access the search button, and press Enter.

10. Press the Tab key about five times to access the search results. Press the Down
Arrow key or the Up Arrow key to hear the list of configuration changes made in
the time period you specified. For each item, you hear the date of the change, the
type of configuration change made, and the name of the Administrator who made
the change. If there were no configuration changes, you hear "There are no items
to show in this view." (In Narrator, you hear "Contains 0 items.")

11. For more details about a configuration change, with the change selected in the
search results list, press the Tab key to move to the details pane. To print the
contents of the details pane, press Enter. To hear the contents of the details pane,
press Tab again.

12. To close the dialog box, tab to the Close button and press Enter.

Tip

You can also export the admin audit log to an XML file and email it to specified
recipients. On the auditing page, press the Tab key until you hear "Export the admin
audit log." Press Enter and work through the Export the Administrator Audit Log
dialog box which appears. For more information, go to Use a screen reader to
export and review audit logs in the Exchange admin center.

Search for administrator role group changes


You can search for administrator role changes, which, like configuration changes, are
recorded in the administrator audit log. With a targeted search, you can examine the
admin audit log for changes made to role groups, which are used to assign
administrative permissions to users. Learn more about running an administrator role
group report.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to compliance management and press Enter.

3. To move to the menu bar, press Ctrl+F6.

4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."

6. Press the Tab key about nine times until you hear "Run an administrator role group
report." Press Enter.

7. In the Search for Changes to Administrative Role Groups dialog box which opens,
the Start date year combo box has the focus, and you hear "Year of Start date
combo box."

Tip

By default, the start date is set to two weeks before yesterday's date. The
administrator audit log typically stores entries for 90 days.

a. If necessary, type the start date year for your administrator role group change
search. You can also select the start date year by pressing the Up Arrow key or
the Down Arrow key.

b. Tab to the month text box, and type or select the start date month.

c. Tab to the day text box, and type or select the start date day.

8. Tab to the End date year combo box. You hear "Year of End date combo box."

Tip

The default end date is today's date.

a. If necessary, type the end date year for your administrator role group change
search. You can also select the end date year by pressing the Up Arrow key or
the Down Arrow key.

b. Tab to the month text box, and type or select the end date month.

c. Tab to the day text box, and type or select the end date day.

9. To access the select role groups button, press the Tab key twice. You hear "Search
these role groups or leave this box blank to find all changed role groups."

Tip

If you want to search all role groups for changes, don't select any specific role
groups, and go on to step 10. When the Search these role groups box is
blank, the search includes all role groups.

a. To open the Select a Role dialog box, with the focus on the select role groups
button, press Enter. The Search box has the focus, and you hear "Filter or search
edit." Type all or part of the name of the first role group you want to include in
the search and then, to search for the role group, press Enter.

b. To select a role group, press the Tab key about three times until you hear the
name of the role group in the search results list. If there are multiple role groups
in the search results list, press the Down Arrow key or Up Arrow key until you
hear the name of the role group.

Tip

You can select multiple consecutive role groups. To work with all role groups,
leave the Search box blank, or enter all or part of the role group names you
want to add. Tab to the search results. Press the Down Arrow key to hear each
name. To add them all, press Ctrl+A. To add several role groups listed
consecutively, press the Down Arrow key or the Up Arrow key until you hear
the first role group name you want to add, hold down the Shift key, press the
Down Arrow key or the Up Arrow key until you hear the last role group name
you want to add, and then release the Shift key. All role groups between the
first and last names are selected.

c. To add the selected role group(s) to the list to be included in the role group
change search, press Enter. The list of role groups retains the focus, so you can
continue to add more role groups by selecting them and pressing Enter.

Tip

To check the role groups you've added, tab to the Add button. To hear the list
of role groups, press the Tab key again. You hear the first role group name in
the list. To hear the second role group name in the list, press the Tab key once
more. Continue pressing the Tab key until you hear the names of all the role
groups you've added. To delete a role group from the list, activate the
Remove link by pressing Enter when you hear the role group name.

d. When you finish adding role groups, tab to the OK button and press Enter. The
Search for Changes to Administrator Role Groups dialog box has the focus
again, and the Search these role groups text box lists your selected role groups.

10. Press the Tab key to access the Search button, and press Enter.

11. Press the Tab key about four times to access the search results. If any of your
selected role groups were changed in the time period you selected, you hear the
name of the role group and the date of the change. If none of the role groups
were changed, you hear "There are no items to show in this view." (In Narrator, you
hear "Contains 0 items.")

12. For more details about a role group change, with the change selected in the search
results list, press the Tab key to move to the details pane. To print the contents of
the details pane, press Enter. To hear the contents of the details pane, press Tab
again.

13. To close the dialog box, tab to the Close button and press Enter.

Find data about changes to compliance status


Monitor regulatory, compliance, and litigation requirements by finding status changes
to In-Place eDiscovery and Hold and the Per-mailbox Litigation Hold. This information is
available on the Compliance Management tab and the Auditing page of the EAC.

Search for changes to In-Place eDiscovery and Hold


status
If your organization adheres to legal discovery requirements (related to organizational
policy, compliance, or lawsuits), In-Place eDiscovery and In-Place Hold in Exchange
Online can help you perform discovery searches for relevant content within mailboxes.
You can search the administrator audit log to find mailboxes that have been put on or
removed from In-Place eDiscovery or In-Place Hold. Learn more about In-Place
eDiscovery & Hold reports.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to compliance management and press Enter.

3. To move to the menu bar, press Ctrl+F6.

4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."

6. Press the Tab key about 15 times until you hear "Run an In-Place eDiscovery and
Hold report." Press Enter.

7. In the Search for changes to In-Place eDiscovery & Hold dialog box which opens,
the Start date year combo box has the focus, and you hear "Year of Start date
combo box."

Tip

By default, the start date is set to two weeks before yesterday's date. The
administrator audit log typically stores entries for 90 days.

a. If necessary, type the start date year for the eDiscovery and Hold change search.
You can also select the start date year by pressing the Up Arrow key or the
Down Arrow key.

b. Tab to the month text box, and type or select the start date month.

c. Tab to the day text box, and type or select the start date day.

8. Tab to the End date year combo box. You hear "Year of End date combo box."

Tip

The default end date is today's date.

a. If necessary, type the end date year for your eDiscovery and Hold change
search. You can also select the end date year by pressing the Up Arrow key or
the Down Arrow key.

b. Tab to the month text box, and type or select the end date month.

c. Tab to the day text box, and type or select the end date day.

9. Press the Tab key to access the Search button, and press Enter.

10. Press the Tab key about three times to access the search results. If any eDiscovery
or Holds were changed in the time period you selected, you hear their names. If
none have been changed, you hear "There are no items to show in this view." (In
Narrator, you hear "Contains 0 items.")

11. For more details about an eDiscovery or Hold change, with the change selected in
the search results list, press the Tab key to move to the details pane. To print the
contents of the details pane, press Enter. To hear the contents of the details pane,
press Tab again.

12. To close the dialog box, tab to the Close button and press Enter.

Search for mailboxes that are enabled or disabled for litigation holds

If your organization is involved in a legal action, you may have to take steps to preserve
email messages that might be used as evidence. You can use the litigation hold feature
to retain all email sent and received by specific people or retain all email sent and
received in your organization for a specific time period. Search the administrator audit
log to monitor the mailboxes that have had a change to their litigation hold status
(enabled or disabled) during a specified time period. Learn more about running a per-
mailbox litigation hold report.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to compliance management and press Enter.

3. To move to the menu bar, press Ctrl+F6.

4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."

6. Press the Tab key about 21 times until you hear "Run a per-mailbox Litigation Hold
report." Press Enter.

7. In the Search for Changes to Per-Mailbox Litigation Hold dialog box which opens,
the Start date year combo box has the focus, and you hear "Year of Start date
combo box."

Tip

By default, the start date is set to two weeks before yesterday's date. The
administrator audit log typically stores entries for 90 days.

a. If necessary, type the start date year for your litigation hold change search. You
can also select the start date year by pressing the Up Arrow key or the Down
Arrow key.

b. Tab to the month text box, and type or select the start date month.

c. Tab to the day text box, and type or select the start date day.

8. Tab to the End date year combo box. You hear "Year of End date combo box."

Tip

The default end date is today's date.

a. If necessary, type the end date year for your litigation hold change search. You
can also select the end date year by pressing the Up Arrow key or the Down
Arrow key.

b. Tab to the month text box, and type or select the end date month.

c. Tab to the day text box, and type or select the end date day.

9. To access the select users button, press the Tab key twice. You hear "Search these
mailboxes or leave blank to find all mailboxes with litigation hold changes."

Tip

If you want to search all mailboxes for litigation hold changes, don't select any
specific mailboxes, and go on to step 10. When the Search these mailboxes
box is blank, the search includes all mailboxes.

a. To open the Select Members dialog box, with the focus on the select users
button, press Enter. The Search button has the focus. To search for a user within
your organization, press the Spacebar, type all or part of the name of the user,
and then press Enter.

b. Press the Tab key about seven times until you hear the name of the user in the
search results list.

c. To add the user to the list of mailboxes in the litigation hold search, press the
Down Arrow key until you hear the user's name, and then press Enter. The list of
users retains the focus, so you can continue to add more users by selecting their
mailboxes and pressing Enter.

Tip

To check the users you've added, tab to the Add button. To hear the list of
users, press the Tab key again. The first name is read. To hear the second
name in the list, press the Tab key once more. Continue pressing the Tab key
until you hear the names of all the users you've added. To delete a user from
the list, activate the Remove link by pressing Enter when you hear the
username.

d. To add an external user, press the Tab key until you hear "Check names edit,
Type in text." (In Narrator, you hear "Editing.") Type the email address of the
external user, press Shift+Tab to select the Check names button, and then press
Enter. This verifies the email address and adds it to the list of users.

Tip

Be aware that if you type an external email address and press Enter, this adds
the user to the list and then closes the dialog box. If you're not finished, use
the Check names button to add it instead.

e. When you finish adding users, tab to the OK button and press Enter. The Search
for Changes to Per-Mailbox Litigation Hold dialog box has the focus again, and
the Search these mailboxes text box lists the mailboxes to be searched for
litigation hold changes.

10. Press the Tab key to access the Search button, and press Enter.

11. Press the Tab key about three times to access the search results. If any mailboxes
had a change to their litigation hold status in the time period you selected, you hear
the name of the mailbox owner. If no mailbox had a litigation hold change, you hear
"There are no items to show in this view." (In Narrator, you hear "Contains 0 items.")

12. For more details about a litigation hold change, with the change selected in the
search results list, press the Tab key to move to the details pane. To print the
contents of the details pane, press Enter. To hear the contents of the details pane,
press Tab again.

13. To close the dialog box, tab to the Close button and press Enter.

Use a screen reader to trace an email message in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

You can trace email messages by using your screen reader in the Classic Exchange
admin center (Classic EAC) in Exchange Online. This is helpful if users are wondering
whether their messages are delayed or possibly lost in delivery. With message tracing,
you can follow messages as they pass through Exchange Online and determine whether
a targeted email message was received, rejected, deferred, or delivered.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to
perform this task. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Office 365 or Microsoft 365 subscription plan

Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Office 365 business product or license do I have? and Exchange Online
Service Description.

Open the EAC, and confirm your admin role


To trace a message, use a screen reader to open the Exchange admin center, and check
that your global administrator has assigned you to the Organization Management,
Compliance Management, and Help Desk admin role groups. Learn how to use a screen
reader to identify your admin role in the Exchange admin center.

Create a new message trace


You might find that you need a message trace when a user contacts you about
messages that are not delivered or are taking longer than usual to be delivered. You can
trace a message using various criteria, including email address, date range, delivery
status, and message ID.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to mail flow, and press Enter.

3. To move to the menu bar, press Ctrl+F6.

4. Tab to message trace. You hear "Message trace, Secondary navigation link." Press
Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Message was sent or
received combo box, Past 48 hours."

6. The Date range combo box has the focus, and the default setting is Past 48 hours.
To cycle through the other choices, including Past 24 hours, Past 7 Days, and
Custom, press the Up Arrow or Down Arrow key.

Tip

If you select Custom, you can tab to and enter the time zone, start date and
time, and end date and time. These fields are not available unless you select
Custom in the Date range combo box. Note that there might not be any data
for messages that are less than four hours old. You cannot run a message
trace on a message more than 90 days old.

7. Tab to the Delivery status combo box. Choices are All (the default setting),
Delivered, Failed, Pending, Expanded, Quarantined, Filtered as spam, and
Unknown. Press the Down Arrow or Up Arrow key until the delivery status you
want is selected.

8. Tab to the Message ID text box. This is an optional field, but it can help narrow the
search results. The Message ID or Client ID is generated by the sending system and
can be found in the header of the message with the Message-ID: token. The
Message ID might include angle brackets (< >).

9. To specify senders (one or more) in the message trace, tab to the add sender
button and press Enter. In the Select Members dialog box, the Search button has
the focus.

a. To search for a user within your organization, press Enter, type all or part of the
name of the user, and then press Enter.

b. Press the Tab key about seven times until you hear the name of the user in the
search results list.

c. To add the user to the list of senders for the message trace, press the Down
Arrow key until you hear the user's name and then press Enter. The list of users
retains the focus, so you can continue to add more users by selecting their
mailboxes and pressing Enter.

Tip

To check the users you've added, tab to the Add button. To hear the list of
users, press the Tab key again. The first name is read. To hear the second
name in the list, press the Tab key one more time. Continue pressing the Tab
key until you hear the names of all the users you've added. To delete a user
from the list, activate the Remove link by pressing Enter when you hear the
username.

d. To specify an external user or an email address with a wildcard (for example,
*@contoso.com), press the Tab key until you hear "Check names edit, Type in
text." (In Narrator, you hear "Editing.") Type the email address of the external
user or the address with a wildcard. To select the Check names button, press
Shift+Tab and then press Enter. This verifies the email address and adds it to the
list of users.

Tip

When you specify a wildcard, you cannot also add full email addresses to the
message trace. Be aware that if you type an external email address and
press Enter, this adds the user to the list and then closes the dialog box. If
you're not finished, use the Check names button to add it instead.

e. When you finish adding users, tab to the OK button and press Enter. The
message trace page has the focus again, and the Sender text box lists the
senders you specified for the message trace.

10. To add a recipient to the message trace instead of or in addition to the senders,
tab to the add recipient button and press Enter. In the Select Members dialog box,
the Search button has the focus. To add one or more recipients to the message
trace, repeat step 9.

11. On the message trace page, tab to the search button and press Enter. The
Message Trace Results page opens and shows the date, sender, recipient, subject,
and status of the message(s) that are a result of the message trace.

Tip

When you run a trace for messages that are less than seven days old, the messages
should appear within 5-30 minutes. When you run a message trace for messages
that are more than seven days old, results may take up to a few hours. So if the
Message Trace Results page appears empty at first, check again later. An easy way
to do this is to keep this page open, and, on the toolbar, periodically tab to the
Refresh button and then press Enter.

12. To close the Message Trace Results page, tab to the Close button and press Enter.

Review the status of pending or completed message traces

It might take a few minutes to a few hours for message trace results to return. You can
check the status of pending or completed message traces.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to mail flow, and press Enter.

3. To move to the menu bar, press Ctrl+F6.


4. Tab to message trace. You hear "Message trace, Secondary navigation link." Press
Enter.

5. To access the main window list view, press Ctrl+F6. You hear "Message was sent or
received combo box."

6. The Date range combo box has the focus. To move to the View pending or
completed traces link, press Shift+Tab. Press Enter. The pending or completed
traces page opens and shows the report title, date submitted, report status, and
messages.

7. To refresh the page, make sure that the Refresh button has the focus (this is the
default setting) and then press Enter.

8. To close the pending or completed traces page, tab to the Close button and press
Enter.

Note

For more information, refer to Trace an email message.


Use a screen reader to work with mobile clients in the Classic Exchange admin center in Exchange Online
Article • 02/22/2023

You can use your screen reader in the Classic Exchange admin center (Classic EAC) to
enable the use of mobile devices for users of Exchange Online, who can then access
information in their Microsoft 365 or Office 365 mailboxes through mobile phones and
tablets. Learn more about clients and mobile in Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have
the appropriate Microsoft 365 or Office 365 subscription plan and admin role to work in
the EAC. Then, open the EAC and get started.

Use your browser and keyboard to navigate in the EAC


Exchange Online, which includes the EAC, is a web-based application, so the keyboard
shortcuts and navigation may be different from those in Exchange 2016. For more
information, see Accessibility in the Exchange admin center.

For best results when working in the EAC in Exchange Online, use Internet Explorer as
your browser. Learn more about Internet Explorer keyboard shortcuts.

Many tasks in the EAC require the use of pop-up windows. In your browser, be sure to
enable pop-up windows for Microsoft 365 or Office 365.

Confirm your Microsoft 365 or Office 365 subscription plan

Exchange Online is included in several different subscription plans, but capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan
might not include it.

For more information about the Exchange Online capabilities in your subscription plan,
go to What Microsoft 365 Apps for business product or license do I have? and
Exchange Online Service Description.

Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange
admin center and check that your global administrator has assigned you to the
Organization Management and Records Management admin role groups. Learn how to use
a screen reader to identify your admin role in the Exchange admin center.

Configure mobile device mailbox policies and access

You can use the EAC to create mobile device mailbox policies that apply a common set
of rules or security settings to a collection of users. If you don't create your own mobile
device mailbox policy, the default policy is applied, which includes the following
settings:

Allow mobile devices that don't fully support policies to synchronize.

Outlook Web App (OWA) for Devices supports all password policies and won't
block any devices.

A password is optional.

Device encryption is not required.

To view, edit, or create a mobile device mailbox policy, on the EAC primary navigation
pane, select the mobile link and then, on the menu bar, select the mobile device
mailbox policies link. Learn more about the options you can set for mobile device
mailbox policies.

You can also specify Exchange ActiveSync access settings, maintain a list of quarantined
mobile devices, and set up device access rules. To do this, on the EAC primary navigation
pane, select the mobile link and then, on the menu bar, select the mobile device access
link.

Enable Exchange ActiveSync and Outlook on the web for users

Exchange ActiveSync is an Exchange synchronization protocol which allows mobile
phones to access your organization's Exchange server. With Exchange ActiveSync,
recipients can use their mobile devices to access their email, calendar, contacts, and
tasks. They can also continue to access this information while working offline. Learn
more about Exchange ActiveSync.

With Outlook on the web (formerly known as Outlook Web App), users can access their
Exchange mailbox from almost any web browser, including from a browser on their
mobile devices. Learn more about Outlook on the web.

Enable Exchange ActiveSync and Outlook on the web for an individual user

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to recipients and press Enter.

3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary
navigation link." To select the mailboxes link, press Enter.

4. To search for the user for whom you want to enable Exchange ActiveSync, press
Ctrl+F6 and then press the Tab key until you hear "Search button." Press Enter.

5. Type all or part of the user's name and press Enter.

6. Press Ctrl+F6 until you hear the name of the user in the search results list. If the
search results list includes multiple names, press the Down Arrow key or the Up
Arrow key until you hear the name you want.

7. To move to the details pane, press Ctrl+F6. You hear "Unified Messaging link,
Enable."

8. Press the Tab key. You hear "Mobile devices link, Enable Exchange ActiveSync."

Tip

If the user is already enabled for Exchange ActiveSync, you hear "Disable
Exchange ActiveSync."

9. Press Enter. You hear "Are you sure you want to enable Exchange ActiveSync?"
With the focus on the Yes button, press Enter.

10. Press the Tab key. You hear "Mobile devices link, Enable OWA for Devices."

Tip

If the user is already enabled for OWA for Devices, you hear "Disable OWA for
Devices."

11. Press Enter. You hear "Are you sure you want to enable OWA for Devices?" With
the focus on the Yes button, press Enter.

Tip

If you want to enable Exchange ActiveSync and Outlook on the web for
additional users, press Ctrl+Shift+F6 to move the focus back to the list of
users. Press the Down Arrow key or the Up Arrow key until you hear the name
you want, and repeat steps 7 through 11.

Enable Exchange ActiveSync and Outlook on the web for multiple users at once

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you
hear "Dashboard, Primary navigation link."

2. Tab to recipients and press Enter.

3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary
navigation link." To select the mailboxes link, press Enter.

4. Press Ctrl+F6 twice to move to the list of users. Press the Down Arrow key or the
Up Arrow key to move to the first adjacent user. Hold down the Shift key and press
the Down Arrow key or the Up Arrow key to select more adjacent users.

Tip

To select all users, press Ctrl+A.

5. Repeatedly press the Tab key until the Bulk Edit details pane has the focus and you
hear "Bulk Edit."

6. Press the Tab key until you hear "Enable link." Press Enter.

7. An alert asks "Are you sure you want to enable Outlook on the web for all the
selected recipients?" With the focus on the OK button, press Enter.

8. Press the Tab key about 10 times until you hear "Show link." Press the Tab key once
more. You hear "Enable link." Press Enter.

9. An alert asks "Are you sure you want to enable Exchange ActiveSync for all the
selected recipients?" With the focus on the OK button, press Enter.

Multi-Geo Capabilities in Exchange Online
Article • 06/20/2023

In a multi-geo environment, you can select the location of Exchange Online mailbox
content (data at rest) on a per-user basis.

You can place mailboxes in satellite geo locations by:

Creating a new Exchange Online mailbox directly in a satellite geo location.

Moving an existing Exchange Online mailbox to a satellite geo location by
changing the user's preferred data location.

Onboarding a mailbox from an on-premises Exchange organization directly into a
satellite geo location.

Note

This feature doesn't guarantee email routing through a dedicated geo-specific
region (data in transit).

Mailbox placement and moves


After Microsoft completes the prerequisite multi-geo configuration steps, Exchange
Online will honor the PreferredDataLocation attribute on user objects in Microsoft
Azure Active Directory (Azure AD).

Exchange Online synchronizes the PreferredDataLocation property from Azure AD into
the MailboxRegion property in the Exchange Online directory service. The value of
MailboxRegion determines the geo location where user mailboxes and any associated
archive mailboxes are placed. It isn't possible to configure a user's primary mailbox and
archive mailboxes to reside in different geo locations. Only one geo location per user
object is allowed.

When PreferredDataLocation is configured on a user with an existing mailbox, the
mailbox is put into a relocation queue and automatically moved to the specified
geo location.

When PreferredDataLocation is configured on a user without an existing mailbox,
the mailbox is provisioned into the specified geo location when you provision the
mailbox.

When PreferredDataLocation isn't specified on a user, the mailbox is provisioned
in the central geo location when you provision the mailbox.

If the PreferredDataLocation code is incorrect (for example, a typo of NAN instead
of NAM), the mailbox is provisioned in the central geo location.

Note

Multi-geo capabilities and Microsoft Teams regionally hosted meetings both use
the PreferredDataLocation property on user objects to locate services. If you
configure PreferredDataLocation values on user objects for regionally hosted
meetings, the mailbox for those users will be automatically moved to the specified
geo location after multi-geo is enabled on the Microsoft 365 tenant.

Feature limitations for multi-geo in Exchange Online

Outlook for Mac users may experience a temporary loss of access to their Online
Archive folder while you move their mailbox to a new geo location. This condition
occurs when the user's primary and archive mailboxes are in different geo
locations, because cross-geo mailbox moves may complete at different times.

Users can't share mailbox folders across geo locations in Outlook on the web
(formerly known as Outlook Web App or OWA). For example, a user in the
European Union can't use Outlook on the web to open a shared folder in a mailbox
that's located in the United States. However, Outlook on the Web users can open
other mailboxes in different geo locations by using a separate browser window as
described in Open another person's mailbox in a separate browser window in
Outlook Web App.

Note: Cross-geo mailbox folder sharing is supported in Outlook on Windows.

Public folders are supported in multi-geo organizations. However, the public
folders must remain in the central geo location. You can't move public folders to
satellite geo locations.

In a multi-geo environment, cross-geo mailbox auditing isn't supported. For
example, if a user is assigned permissions to access a shared mailbox in a different
geo location, mailbox actions performed by that user aren't logged in the mailbox
audit log of the shared mailbox. Exchange admin audit events are available for all
locations via Microsoft Purview and the Search-UnifiedAuditLog cmdlet. For more
information, see Manage mailbox auditing.

Bifurcation
Article • 01/27/2023

Bifurcation (also known as forking) refers to the process of creating multiple copies of a
given message. All these copies will have the same message content, but different
envelopes.

Bifurcation occurs through Microsoft Exchange while messages are in transit.

Why bifurcation?
Bifurcation can occur to a message in transit for different purposes, including but
not limited to recipient-based customization, routing, security, and performance.

Recipient-based customization
Bifurcation enables customization of the message based on the recipient. Specifically,
the need for the occurrence of bifurcation to customize the message is created by the
following scenarios:

When policies apply to a subset of the recipients: For example, if a policy is in
place to add a disclaimer to messages sent to external recipients, Exchange will
bifurcate the message, resulting in:
    One copy for the internal recipients with the original message content, and
    A second copy for the external recipients with the modified content and
    disclaimer.

When recipients require different message settings: Exchange will bifurcate a
message when the read receipts setting is enabled for some recipients and
blocked for others.

When the message sender in MAIL FROM in the message envelope is updated:
For example, a message is sent to a user and a distribution group. In such a case, if
the group has been configured to not report non-delivery reports (NDRs), the
message needs to be bifurcated since the copy sent to the group will have the
envelope sender (MAIL FROM:) set to <> (the null reverse path) to suppress NDRs.

When auto-response messages [for example, delivery status notifications (DSNs),
out of office (OOF) messages, and recall reports] need to be suppressed.

When alternative recipients are expanded.

When a "Resent-From:" header field is added to the message header. Resent
header fields are informational header fields that can be used to determine
whether a message has been forwarded by a user. Resent header fields make the
message appear to the recipient in such a way that it was sent directly by the
original sender. The recipient can view the message header to discover who
forwarded the message. Resent header fields are defined in section 3.6.6 of RFC
5322.

When the expansion history of the group needs to be transmitted.

Routing
Bifurcation enables routing, and the need for the occurrence of bifurcation to route the
message is created by the following scenarios:

When mail flow rules (also known as Transport Rules) are applicable to only a
subset of recipients.

When the recipients have different next hop domains.

Security
Features such as anti-spam and other security-related ones might perform forking for
security and threat protection purposes.

Performance
Bifurcation facilitates good performance, and the need for the occurrence of bifurcation
to optimize performance is created by the following scenario:

To limit the number of envelope recipients in a single message: Expanding large
groups can generate thousands of individual recipients. Instead of creating a single
copy of the message that has thousands of envelope recipients, Exchange creates
multiple copies of the same message, which have a limited number of recipients in
the message envelope.

What are the implications of bifurcation?


Bifurcation can impact the way some of our Exchange features work, and therefore it's
important to understand how this impact can change some of their behavior.

A few implications of the occurrence of bifurcation are described in the following table:

Mail flow rules (also known as Transport Rules): Rule conditions (or exceptions) that
are met/fulfilled by the original message might not be met/fulfilled by some of the
forks. Rule actions will be executed independently for all the forks (for example,
generating a notification or incident report for each copy of the message).

Moderation: Each copy of the message will result in a separate approval request.

Journaling: Multiple copies of a message will be archived, leading to increased
storage costs.

Data Loss Prevention (DLP) policies: Policies that might have applied to the original
message might no longer apply to some of the forks. Rule actions will be executed
independently for all the forks (for example, generating a notification or incident
report for each copy of the message).
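As an added illustration of the fork triggers and the per-fork rule behavior described above (example code written for this page, not Exchange code), the following Python simulation splits one message into envelopes and counts how often a per-fork action such as an incident report would run. The recipient list, the accepted domain contoso.com and the envelope cap of 500 recipients are constructed assumptions; Exchange's actual limit and grouping logic are not specified on this page.

```python
"""Simulate how Exchange bifurcates one message into several envelopes.

Constructed example for this page, not Exchange code. It models the fork
triggers the article lists: a policy that applies only to external recipients
(a disclaimer), different next-hop domains, different read-receipt settings,
NDR suppression for recipients expanded from a group (null reverse path), and
a cap on envelope recipients. It then counts how many times a per-fork rule
action, such as an incident report, would run.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INTERNAL_DOMAINS = {"contoso.com"}  # assumed accepted domain of the tenant


@dataclass(frozen=True)
class Recipient:
    address: str
    next_hop: str                    # next-hop domain chosen by routing
    read_receipts: bool = True       # per-recipient read-receipt setting
    from_group_no_ndr: bool = False  # expanded from a group that suppresses NDRs


@dataclass
class Envelope:
    mail_from: str         # SMTP MAIL FROM; "<>" is the null reverse path
    recipients: List[str]  # RCPT TO list for this fork
    disclaimer: bool       # external-recipient disclaimer policy applied


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def fork_key(r: Recipient, sender: str) -> Tuple[bool, str, bool, str]:
    """Recipients that share a key can travel in the same envelope."""
    mail_from = "<>" if r.from_group_no_ndr else sender
    return (is_external(r.address), r.next_hop.lower(), r.read_receipts, mail_from)


def bifurcate(sender: str, recipients: List[Recipient],
              max_envelope_recipients: int = 500) -> List[Envelope]:
    buckets: Dict[Tuple[bool, str, bool, str], List[str]] = {}
    for r in recipients:
        buckets.setdefault(fork_key(r, sender), []).append(r.address)
    envelopes: List[Envelope] = []
    for (external, _hop, _rr, mail_from), addrs in sorted(buckets.items()):
        # A large group expansion is chunked so no envelope exceeds the cap.
        for i in range(0, len(addrs), max_envelope_recipients):
            envelopes.append(Envelope(mail_from, addrs[i:i + max_envelope_recipients], external))
    return envelopes


def rule_firings(envelopes: List[Envelope], condition: Callable[[Envelope], bool]) -> int:
    """Each fork is evaluated on its own, so one rule action can run several times."""
    return sum(1 for e in envelopes if condition(e))


SENDER = "alice@contoso.com"
# Constructed recipient list: two internal users (one with read receipts off),
# external users behind two next-hop domains, and 1,200 members expanded from a
# distribution group configured not to report NDRs.
SAMPLE_RECIPIENTS = [
    Recipient("bob@contoso.com", "contoso.com"),
    Recipient("carol@contoso.com", "contoso.com", read_receipts=False),
    Recipient("dave@fabrikam.com", "fabrikam.com"),
    Recipient("erin@fabrikam.com", "fabrikam.com"),
    Recipient("frank@tailspintoys.com", "tailspintoys.com"),
] + [Recipient(f"member{i}@contoso.com", "contoso.com", from_group_no_ndr=True)
     for i in range(1200)]

if __name__ == "__main__":
    forks = bifurcate(SENDER, SAMPLE_RECIPIENTS)
    for e in forks:
        print(f"MAIL FROM:{e.mail_from:<20} rcpts={len(e.recipients):<4} disclaimer={e.disclaimer}")
    # A rule conditioned on "recipient is external" fires once per external fork.
    print("incident reports generated:", rule_firings(forks, lambda e: e.disclaimer))
```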

Sender Rewriting Scheme (SRS) in Microsoft 365
Article • 07/19/2023

Note

In August 2023, a change will be rolled out to SMTP or mailbox forwarded
messages. Moving forward, SRS will be used to rewrite these messages instead of
the forwarding mailbox. This will consolidate forwarding methods to all use SRS in
Exchange Online. While SRS is designed to avoid disruptions to forwarded
messages, some special cases could see issues. One case from this change is that
messages being relayed to the internet via on-premises servers will not be rewritten
with SRS. To avoid this behavior change, see the new setting covered here: Sender
Rewriting Scheme Upcoming Changes.

The relay pool feature has been introduced in Microsoft 365 which affects SRS
rewriting behavior. Messages that qualify for this relay pool skip being rewritten by
SRS and are sent out of IPs that aren't part of the Microsoft 365 SPF record. This
mainly affects messages that fail SPF checks when they are entering Exchange
Online so that SRS does not fix these failures. For more information, see the relay
pool documentation here: Outbound delivery pools.

The Sender Rewriting Scheme (SRS) functionality was added to Microsoft 365 to resolve
a problem in which autoforwarding was incompatible with SPF. The SRS feature rewrites
the P1 From address (also known as the Envelope From address) for all applicable
messages that are sent externally from Microsoft 365.

Note

The From header, also known as the Display From address or P2 From address, that
is displayed by email clients remains unchanged.

The SRS functionality improves the delivery of applicable messages that pass Sender
Policy Framework (SPF) checks when they arrive from the original sender but fail SPF
checks at the final external destination after they're forwarded.

SRS rewrites the P1 From address in the following scenarios:

Messages in Microsoft 365 that are autoforwarded (or redirected) to an external
recipient by using any of the following methods:
    SMTP forwarding. Some messages forwarded by using SMTP Forwarding won't be
    rewritten by SRS because they would have already been rewritten. In an upcoming
    change, the SMTP Forwarding method will be covered under SRS as well.
    Mailbox Rule (or Inbox rule) redirection
    Transport Rule redirection
    Groups or DLs that have external members
    Mail Contact forwarding
    Mail User forwarding

Messages that are autoforwarded (or redirected) from a customer's on-premises
environment and relayed through Exchange Online.

It's important to note that SRS rewriting is used to prevent spoofing of unverified
domains. You should send messages only from domains that you own and for which
you've verified your ownership through the Accepted Domains list. For more
information about Accepted Domains in Microsoft 365, see Manage accepted domains
in Exchange Online.

Note

SRS rewriting does not fix the issue of DMARC passing for forwarded messages.
Although an SPF check will now pass by using a rewritten P1 From address, DMARC
also requires an alignment check for the message to pass. For forwarded messages,
DKIM always fails because the signed DKIM domain does not match the From
header domain. If an original sender sets their DMARC policy to reject forwarded
messages, the forwarded messages are rejected by Message Transfer Agents
(MTAs) that honor DMARC policies.

This scenario causes Non-Delivery Reports (NDRs) to be returned to Exchange Online
instead of the original sender, which is the case when SRS isn't used. Therefore, part of
the SRS implementation is to reroute returning NDRs to the original sender if a message
can't be delivered.

The following sections present different autoforwarding scenarios and information on
how SRS handles them.

Autoforwarding emails for a mailbox hosted on Microsoft 365

For a message that is sent to a hosted mailbox and is autoforwarded by using
mechanisms such as SMTP forwarding, Mailbox Rule redirection or Transport Rule
redirection, the P1 From address is rewritten before the message leaves Exchange
Online. The address is rewritten by using the following pattern:

PowerShell

<Forwarding Mailbox Username>+SRS=<Hash>=<Timestamp>=<Original Sender Domain>=<Original Sender Username>@<Forwarding Mailbox Domain>

In the following example, a message is sent from Bob (bob@fabrikam.com) to John's
mailbox in Exchange Online (john.work@contoso.com). John has set up autoforwarding
from this mailbox to his home email address (john.home@example.com). Notice how
the P1 From address is rewritten by SRS.

              Original message         Autoforwarded message
Recipient     john.work@contoso.com    john.home@example.com
P1 From       bob@fabrikam.com         john.work+SRS=44ldt=IX=fabrikam.com=bob@contoso.com
From header   bob@fabrikam.com         bob@fabrikam.com

When SRS rewrites the P1 From address, it lengthens the local part (the username portion) of the email address. RFC 5321 limits the local part to 64 characters, so if the rewritten local part would exceed 64 characters, the address takes the following form instead:

PowerShell

bounces+SRS=<Hash>=<Timestamp>@<Default Accepted Domain>

where <Default Accepted Domain> is the name of the default Accepted Domain set up
for the tenant.

Relaying from a customer's on-premises server


When a message that originates from a non-verified domain is relayed from a
customer's on-premises server, or an application through Exchange Online, the P1 From
address is rewritten before it leaves Exchange Online. The address is rewritten by using
the following pattern:

PowerShell
bounces+SRS=<Hash>=<Timestamp>@<Default Accepted Domain>

In the following example, a message is sent from Bob (bob@fabrikam.com) to John's mailbox (john.onprem@contoso.com), which is on his company's server that is running Exchange Server. John has set up autoforwarding from this mailbox to his home email address (john.home@example.com). Notice how the P1 From address is rewritten by SRS in this scenario.

Type           Original message           Relayed message received by Exchange Online   Relayed message sent from Exchange Online
Recipient      john.onprem@contoso.com    john.home@example.com                         john.home@example.com
P1 From        bob@fabrikam.com           bob@fabrikam.com                              bounces+SRS=44ldt=IX@contoso.com
From header    bob@fabrikam.com           bob@fabrikam.com                              bob@fabrikam.com

In some situations, the relayed messages that are rewritten by SRS might not get
delivered, and a Non Delivery Report (NDR) might be generated.

To receive those NDRs, the tenant administrator must create a mailbox named
"bounces" that is hosted either on Exchange Online or on-premises. The domain for this
mailbox must be set to the default Accepted Domain for the tenant.
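As an added example (not code from the Microsoft article), the following Python models the two rewrite forms described in this section and the previous one: the per-mailbox form, with its fallback to the bounces form when the rewritten local part would exceed 64 characters, and the relay form. It also parses a rewritten P1 From address back to the forwarding domain and, where possible, the original sender, and shows why a rewritten address can't satisfy DMARC's SPF alignment on its own. The hash and timestamp values are fixed placeholders taken from the article's example table: the page doesn't document how Exchange Online computes them, so treating them as constants is an assumption. The alignment check is strict mode only; relaxed mode compares organisational domains and needs a public-suffix list, which is left out.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5321 limits the local part (the part before @) to 64 characters.
LOCAL_PART_MAX = 64

# Assumption: the article doesn't document how Exchange Online derives the
# hash and timestamp, so the values from its example table are reused as
# fixed placeholder strings.
SAMPLE_HASH = "44ldt"
SAMPLE_TIMESTAMP = "IX"


def srs_rewrite_p1(original_sender: str, forwarding_mailbox: Optional[str],
                   default_accepted_domain: str, srs_hash: str = SAMPLE_HASH,
                   timestamp: str = SAMPLE_TIMESTAMP) -> str:
    """Return the P1 (MAIL FROM) address as SRS rewrites it.

    forwarding_mailbox is the hosted mailbox that autoforwards the message.
    Pass None to model relay of a non-verified domain through Exchange Online,
    which always uses the bounces form.
    """
    orig_user, orig_domain = original_sender.rsplit("@", 1)
    if forwarding_mailbox is not None:
        fwd_user, fwd_domain = forwarding_mailbox.rsplit("@", 1)
        local = f"{fwd_user}+SRS={srs_hash}={timestamp}={orig_domain}={orig_user}"
        if len(local) <= LOCAL_PART_MAX:
            return f"{local}@{fwd_domain}"
    # Relay case, or the rewritten local part would exceed 64 characters:
    # fall back to the bounces form on the tenant's default accepted domain.
    return f"bounces+SRS={srs_hash}={timestamp}@{default_accepted_domain}"


# Mailbox form: <fwd user>+SRS=<hash>=<ts>=<orig domain>=<orig user>@<fwd domain>
SRS_MAILBOX = re.compile(
    r"^(?P<fwd_user>[^@]+?)\+SRS=(?P<hash>[^=@]+)=(?P<ts>[^=@]+)="
    r"(?P<orig_domain>[^=@]+)=(?P<orig_user>[^@]+)@(?P<fwd_domain>[^@]+)$")
# Bounces form: bounces+SRS=<hash>=<ts>@<default accepted domain>
SRS_BOUNCES = re.compile(
    r"^bounces\+SRS=(?P<hash>[^=@]+)=(?P<ts>[^=@]+)@(?P<domain>[^@]+)$")


@dataclass
class SrsInfo:
    form: str                        # "mailbox" or "bounces"
    fwd_domain: str                  # domain that performed the rewrite
    original_sender: Optional[str]   # only recoverable from the mailbox form
    srs_hash: str
    timestamp: str


def parse_srs(p1_from: str) -> Optional[SrsInfo]:
    """Recognise an SRS-rewritten P1 From address; return None if it isn't one."""
    m = SRS_BOUNCES.match(p1_from)
    if m:
        return SrsInfo("bounces", m["domain"], None, m["hash"], m["ts"])
    m = SRS_MAILBOX.match(p1_from)
    if m:
        return SrsInfo("mailbox", m["fwd_domain"],
                       f"{m['orig_user']}@{m['orig_domain']}",
                       m["hash"], m["ts"])
    return None


def spf_strictly_aligned(p1_from: str, header_from: str) -> bool:
    """DMARC SPF alignment in strict mode: the MAIL FROM domain must equal the
    From header domain. A rewritten address never aligns, so DMARC can only
    pass on a surviving DKIM signature from the original sender."""
    return (p1_from.rsplit("@", 1)[1].lower()
            == header_from.rsplit("@", 1)[1].lower())


if __name__ == "__main__":
    # Constructed sample matching the article's scenario.
    rewritten = srs_rewrite_p1("bob@fabrikam.com", "john.work@contoso.com", "contoso.com")
    print(rewritten)   # john.work+SRS=44ldt=IX=fabrikam.com=bob@contoso.com
    print(parse_srs(rewritten))
    print(spf_strictly_aligned(rewritten, "bob@fabrikam.com"))   # False
    print(srs_rewrite_p1("bob@fabrikam.com", None, "contoso.com"))
```

When triaging a bounce or a DMARC report, `parse_srs` tells you which form you are looking at: the mailbox form identifies the original sender directly, while the bounces form only identifies the tenant that relayed the message, which is why the page asks for a real "bounces" mailbox on the default accepted domain.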

Forwarded messages sent to a customer's on-premises server

By design, SRS treats on-premises servers as inside the trust boundary and doesn't rewrite forwarded messages that are bound for on-premises. However, in complex routing configurations where the on-premises server is what sends the message on to the Internet, the forwarded message leaves without being rewritten and is rejected by the receiving system because of SPF failure. To solve this issue, administrators can enable SRS rewriting for traffic flowing through an on-premises outbound connector. For more information about this SRS parameter on outbound on-premises connectors, see Sender Rewriting Scheme Upcoming Changes.
Behavior of retention tags and retention labels for items moved to the Deleted Items folder
Article • 07/14/2023

Use this article to understand the behavior of Exchange Online email items when they're
moved to the Deleted Items folder and retention tags from messaging records
management (MRM) or retention labels from Microsoft Purview are used for compliance
requirements.

There was a change of behavior in June 2023 that completes rollout in August 2023 for
items with retention tags or retention labels that are moved to the Deleted Items folder
and either of the following scenarios apply:

A retention tag or retention label was originally inherited from a parent folder
A retention label was autoapplied

These items with a retention tag or retention label applied in the ways listed are affected
when moved to the Deleted Items folder by drag & drop or manual deletion.

Note

This change doesn't affect the behavior for items that are permanently deleted by a
user (for example, using SHIFT+DEL), items that have no retention labels applied, or
items that have a retention label or retention tag manually applied by a user. It also
doesn't affect the behaviors of any other folders within the mailbox.

Before the change for the listed scenarios:

A retention label or retention tag that was inherited from a parent folder isn't
persisted when the item is moved to the Deleted Items folder.
A retention label that was autoapplied is replaced with a retention policy tag (RPT)
if one exists, after the item is moved to the Deleted Items folder.

After the change for the listed scenarios, the Deleted Items folder honors the principles
of retention. This means:

Any retention label, regardless of how it's applied, remains applied to the item and
is enforced if its settings are configured to retain the item when it's moved to the
Deleted Items folder, even if the Deleted Items folder has a retention policy tag
(RPT) applied.

When the Deleted Items folder doesn't have a retention policy tag (RPT) applied,
any retention label or retention tag, regardless of how it's applied, remains applied
to the item and is enforced.

For retention labels or retention tags that are configured for deletion-only rather
than retention-only or retention and then delete, and the Deleted Items folder has
a retention policy tag (RPT) applied:
An autoapplied retention label remains applied to the item and the deletion
settings from the retention label are enforced.
When an inherited retention label or inherited retention tag is applied to an
item, the item is deleted according to the shortest deletion period.
About Exchange Online documentation
Article • 02/22/2023

You're reading a collection of conceptual and procedural topics organized by subject or by technologies used by Exchange Online. You can access each topic directly from the table of contents in the left pane, from a link in another Help topic, from the results of a search, or from your own custom list of favorite topics.

Other information related to Exchange documentation is in Third-party copyright notices.

Where to find Exchange documentation


Exchange documentation is your primary gateway to in-depth technical information
about Exchange Online.

The Exchange Team Blog contains technical articles written by the Exchange Team, as
well as product announcements and updates. The blog is an excellent way to interact
with the Exchange Team. We read and respond to your feedback and comments.

If you're an admin for an Exchange hybrid or Exchange Online deployment, you may
also be interested in Manage Microsoft 365 and Office 365.

Additional resources
Looking for more than just documentation? Check out these other Exchange resources:

Exchange Online Forums: The forum provides a place to discuss Exchange Online
with users and Exchange Team members.

Exchange and Exchange Online development: You'll find Exchange developer documentation here.

Accessibility in Exchange Online: This topic provides important information about features, products, and services that help make Exchange Online more accessible for people with disabilities.
