Recent Discussions
Disabling Calendar Repair Assistant on mailboxes in Exchange Onprem 2019
Hi, We are in Exchange Hybrid setup were some mailboxes are in cloud and onprem. Recently, there were some issues with Calendar events were recipients weren't notified of any updates for the events, sometimes the updated event would have been cancelled by recipient and the recipient didn't even know that they received update and it was automatically cancelled by them.... This was a normal situation for EAs for their executive calendar events When raised a ticket with Microsoft on this issue, Microsoft collected CDL logs and found that CRA was kicking in each time when there was an update and was reverting the updated meeting request to the previous cancellation and as we know this is not a bug, this is just how the CRA works...So, Microsoft is like CRA is a legacy feature with limited applicability and functionality in the current exchange environment and hence has asked to disable-CRA in On-prem exchange as this will not affect normal calendar usage for users. I had disabled for 5 users and they have reverted that they are not seeing any issues post disabling CRA. so before gunning down on all mailboxes I wanted to take a second opinion on whether is it safe to disable CRA for alll mailboxes in Exchange Onprem
Send admin notifications on x number of messages from an email address
Hi, We're having a problem with a repeat spam/phishing offender that recycles email addresses from a particular domain. Because the email address is new it hasn't had a chance to be picked up by blacklists, so it doesn't get picked up as spam. We can't block on content, subject or sender because it all changes so for these campaigns we're relying on user reports to give us the heads up. We also can't block the domain because we receive legitimate email from the domain also. I'd like to change this so we can hit them before users notice and possibly whilst the spam campaign is in flight but I'm unsure as to how to go about it. Is there a rule or other setting I can configure which sends notifications to specific e-mail addresses if, say 100 emails were received from any email address (or from a specific domain?) within an hour, or 5 hours? I don't see how I can configure such a rule in mailflow rules so I'm guessing this might be somewhere else. There's an element of us likely being falsely alerted to marketing campaigns, but hopefully it's configurable enough that we can limit it down to only applying this against a specific sender domain, or adding a new custom mailflow rule which will lower the likelihood of false positives. Many thanks, - LswardWill these commands fix our phantom meetings issue?
I opened a ticket with Microsoft Support for an issue we are facing where "phantom" meetings are appearing in at least two of our meeting room calendars. The subject of the meeting says "Private appointment" and the lock icon appears at the bottom, and when you click on any of them they disappear from the calendar, only to re-appear when you navigate away and come back. They appear in Classic Outlook, New Outlook and Outlook for the web. The support rep is telling me to run these commands on the room mailbox to "reset the room mailbox availability cache": Set-CalendarProcessing -Identity <roommailboxupn> -RemoveOldMeetingMessages $true Set-CalendarProcessing -Identity <roommailboxupn> -AutomateProcessing AutoAccept But if I run Get-CalendarProcessing, it confirms that these are the existing settings already: Get-CalendarProcessing -Identity <roommailboxupn> | fl RemoveOldMeetingMessages,AutomateProcessing RemoveOldMeetingMessages : True AutomateProcessing : AutoAccept This can't possibly do anything, right? I should ask my CSAM to open a GetHelp on this case, right? Does anyone know how to actually fix this issue?High Volume Email is Generally Available and Ready to Charge
On April 1, Microsoft announced the general availability for the High-Volume Email (HVE) solution together with details of the PAYG charges incurred to send email to internal recipients, which is all that HVE can do. Microsoft will enable HVE charging on June 1, 2026, Before then, youโll need to create a billing policy and link it to a valid Azure subscription if you want to continue to use HVE. https://office365itpros.com/2026/04/23/hve-ga-charging/Is the Archive mailbox self-help diagnostic working for anyone?
Just curious: is the archive mailbox self-help diagnostic at https://aka.ms/PillarArchiveMailbox working for anyone? When I run it, instead of getting results about the user whose UPN I entered, I get this: The following issues were found with your archive mailbox. No account was found for [The UPN of my admin account]. Make sure you've entered the correct email address or create a new account with that name. For more information, see Add users to Office 365. I tried opening a ticket with Microsoft Support, but they refused to work on it without requiring me to do all the legwork of gathering logs and HAR traces and who knows what else, despite the fact that the support agent was able to replicate the exact same issue in his lab.
User cannot rename categories even when being the owner
Hi guys, I have a user that cannot rename categories in a mailbox whilst being the owner. As you can her permission level is set on owner. And yet the rename is greyed out: User says she was able to rename just some time ago, but when she tried on 17/04/2026 she couldn't. Anyone has any ideas?Preserving permissions during EXO migration
Hi, Can you help me understand the outcome of preserving the permissions in our scenario. Exchange Server 2016 (soon Exchange SE) in a hybrid with Exchange Online. We are moving 75% of the mailboxes to Exchange Online. What ways will preserve or break the full-access or sendas permissions? I guess best way would be to migrate both the user and the shared mailbox at the same time in the same batch to keep the permission? If we migrate the user in batch 1 and shared mailbox in batch 2 will that preserve/break the full access/send as? If we migrate the shared mailbox in batch 1 and usermailbox in batch 2 will that preserve/break the full access/send as? If the permission is linked directly on the shared mailbox or via a security group is there a difference? Thanks!
Microsoft Exchange Report
I faced a new issue today, don't know if anything breaks at Microsoft or any new thing roll out from there, the things is unable to check usage report properly as well as unable to export the email activity, Mailbox Usage etc report under report- exchange and other tabs as well in customer tenant. I have Global Reader privilege but still facing this issue. Anyone faced this type of issue from today or before? If anyone knows about its pleas update your comment here. Thanks..
Issue with certificate renewal for exchange Edge Transport Server
Hello team, I have come across a very particular problem I deployed 2 exchange server 2019 with one edge transport server When we are renewing the Certificates with wildcard certificate on both mailbox server ,and on edge transport server ,it is impossible for me to renew the edge subscription It says the cerificate is in "doublon" (repetitive) on one of the Exchange servers.I have always been using same certificate on exchange server be it edge or mailbox I tested a bogus different certificate on mailbox and on edge,only then th e edge sync works Did anybody come across this issue. Thanks
Administratively retract a user's email
I was recently asked to retract a message that was sent in-error to staff. I ran a discovery/search, and saved it, but when I ran the powershell script after connecting to Exchange, the script could not find the search, something like name not found. I verfied the name was correct, and I am a global admin so permissions should not have been an issue. Does anyone know of any accurate documentation to run a search and retract? I had to use an old YouTube video and could not find anything in Microsoft's documentation.Email Showing as Quarantined in a Message Trace, but Not Showing up in MS Defender
A customer of ours was waiting on an email to arrive and to help figure out where the email was or if it was sent yet we ran a message trace. The message trace showed that the email was sent to quarantine. With this information in mind, I went to MS Defender > Email & collaboration > Review > Quarantine but could not find the message. I modified some of the filters and could not get the quarantined message to appear. I triple checked the filters I created and made sure the information was correct. I also removed all filters and looked for the time period the email came in, but could not find it. Not sure if this is related, but this email had a significant delay likely coming from the sender. Any thoughts or ideas? Or anything that I am missing?
ARC verification fail (40) on specific Exchange Online frontends - recurring issue
Hello, We are observing recurring arc=fail (40) errors on messages forwarded through Exchange Online, caused by specific frontend servers. The same messages pass ARC verification correctly on other providers (Google, etc.). Affected frontends identified so far: CH2PEPF0000013F.namprd02.prod.outlook.com - build 15.20.9700.17 (March 14, 2026) CH3PEPF0000000B.namprd04.prod.outlook.com - build 15.20.9769.17 (April 6, 2026) Both share the same build suffix .17. The signing implementation on our side has been cryptographically verified as correct and RFC 6376 compliant. The issue has also been reported on the IETF ietf-smtp mailing list with full technical analysis. Cryptographic analysis shows the failing servers append a spurious trailing \r\n to the last header before computing the verification hash, violating RFC 6376 Section 3.7. Is there a pattern with .17 frontend builds and ARC verification? Reagards VittorioMailbox for Service Account (exchange online)
Hi Our organisation isn't ready to move to Exchange Online yet, though we have Office 365 e3 licencing. I need to create a service account that can send emails via Outlook 365 for use In Power Automate. The documentation I have seen for adding a mailbox to an existing AAD user requires assigning an exchange licence to the account via the licence portal. I can't see any such licences though we do have e3 licencing which are visible that I assume covers this? Unfortunately the admin who did the original configuration has moved on and I don't have a global admin role so have to go through a support team that can't help me with my lack of knowledge in the area! Any advice would be very much appreciated as what ( i think) should be a simple task has taken a lot of time to try and get to the bottom of! Thanks, Dale.Cross Tenant Mailbox Migration: NotAcceptedDomainException
This week I'm performing a new cross tenant mailbox migration. I have some experience with this kind of migrations, ( it's the third one I'm in charge of ), and with the new procedure, ( will paste the link with the instructions at the end of this article ), an Azure Key Vault is no longer required, so I was very confident and thought that I would no have any issue. But, as sometimes occurs, I was wrong The setup was quite easy, and the mail users configuration was like always, so no a big deal. But now comes the point... Once I launched the migration batch, half of the users started syncing correctly and the ther ones failed, ( neither a MoveRequest was able to start for them ). Once I checked the errors, I got the same for all the failed ones: " NotAcceptedDomainException: You can't use the domain because it's not an accepted domain for your organization ". Ok. No problem... ( I thought ). I work with Exchange since more than 10 years and this is a common error message. ( Again I was wrong ). I started to check the mail users, looking for some misspelled domain, missing alias, spaces, etc... Basically, the troubleshooting for this kind of errors. But from my perspective all looked good. So, I decided to reconfigure all the mailusers with a script, launch a delta sync, and resume the failed moverequest. But again, same error for all of them. Checked again, with PS, from source and target tenant, checked in AD, all the proxy addresses... Nothing, all was correct! Non sense... Ok. At that point I decid to compare some syncing mail users with some failed ones, looking for anything that could be a pattern. And "voilรก"! The syncing users were all licensed in O365... The failed ones not! After assigning a license to the failed ones and resume the MoveRequest, all started to work smoothly. For sure, I would have saved many hours of work if the error message had been: " The user is not licensed ". But, yeah... It would have been too simple ๐ Summarizing, make sure that the mail users have an O365 license before you start the migration batch. And remember, not always the error messages are what they seems to be ๐ Cross Tenant Mailbox Migration procedure, ( Preview ๐ https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwideM365 tenant emails marked as spam (SCL:5, CAT:PHISH) despite perfect authentication
Hello, Our business emails from our M365 tenant are consistently marked as spam when sent to other M365 tenants, despite perfect email authentication. Technical status: - SPF: Pass โ - DKIM: Pass โ (recently enabled) - DMARC: Pass โ (recently enabled) - Composite Authentication: Pass (reason=100) โ But messages are still marked as: - X-MS-Exchange-Organization-SCL: 5 - X-Forefront-Antispam-Report: CAT:PHISH;SFV:SPM We suspect a tenant reputation issue, possibly because the tenant ran for months without DKIM enabled. Now that all authentication is correct, how can we request a reputation review? Thank you!iOS 26.4 iPhone Contact Sync with Microsoft Exchange Online
For the past 2โ3 weeks, several of our iOS users have been experiencing synchronization issues with Exchange contacts. Contacts intermittently disappear from their devices and then re-sync after some time. In some cases, the re-synchronization process is significantly delayed. Anyone else experiencing the same issue?Can't connect with GDAP using ExchangeOnlineManagement 3.7.0/3.8.0, but 3.6.0 works
Since upgrading to ExchangeOnlineManagement version 3.7.0, I've been unable to connect to any of my clients using GDAP. I thought I'd try upgrading to 3.8.0, but I still get the same error: PS C:\Users\username> connect-exchangeonline -userprincipalname email address removed for privacy reasons -DelegatedOrganization contoso.com ---------------------------------------------------------------------------------------- This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure. Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets. V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently. REST backed EOP and SCC cmdlets are also available in the V3 module. Similar to EXO, the cmdlets can be run without WinRM basic auth enabled. For more information check https://aka.ms/exov3-module Starting with EXO V3.7, use the LoadCmdletHelp parameter alongside Connect-ExchangeOnline to access the Get-Help cmdlet, as it will not be loaded by default ---------------------------------------------------------------------------------------- The role assigned to user email address removed for privacy reasons isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to User. At C:\Users\username\OneDrive - MSP\Documents\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.7.2\netFramework\ ExchangeOnlineManagement.psm1:758 char:21 + throw $_.Exception; + ~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (:) [], SystemException + FullyQualifiedErrorId : The role assigned to user email address removed for privacy reasons isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to User. You'd think there'd be something wrong with my GDAP permissions, but there doesn't appear to be. I can do anything via the Microsoft 365 Admin Center. Plus, most notably, if I manually load ExchangeOnlineManagement 3.6.0, everything works perfectly. I'm running Windows 11, and this behavior is reproducible on Windows PowerShell 5.1 as well as my preferred PowerShell 7.5.2. How can I troubleshoot this?OAB download fails after hybrid mailbox move.
Hi folks, I'm posting this query here as I doubt anyone in the Outlook forums would have the necessary Exchange hybrid knowledge. I run a classic hybrid Exchange environment where Exchange Server 2019 CU15 is the on-premise platform. Authentication is provided by on-premise AD FS, with the accounts being synchronised from on-premise via AAD Connect. I've just moved my on-premise mailbox to Exchange Online via New-MoveRequest and for the most part, everything is fine. One thing that possibly isn't fine - going off the Bits-Client event log is the regular offline address book downloads, where I'm seeing regular failures in the event log and through double-checking with bitsadmin.exe. The initial address book synchronisation worked as the view in Outlook is fully populated, however, I expect that future changes likely won't come through. bitsadmin output Event log output (There's numerous events to choose from - this is the one I'm most curious about.) The BITS service provided job credentials in response to the UNIDENTIFIED authentication challenge from the outlook.office365.com server for the Microsoft Outlook Offline Address Book <guid> transfer job that is associated with the following URL: /OAB/<guid>/oab.xml. The credentials for the <sid> user were rejected. When the mailbox was on-premise, the OAB came from the Exchange Server - no surprise there, where post migration it can be seen from the bitsadmin output it now comes from outlook.office365.com. Perhaps that's also to be expected - I don't know, but it makes sense given the move. What alerted me to there potentially being an issue is the systray icon frequently gets stuck on the "synchronising" icon, and running a manual full OAB sync from within Outlook fails to complete. After an extended "hang" period, the sync window eventually times out with the error shown above (the protracted UI behaviour would appear to be due to the large number of retries). Dropping the BITS job URL into Edge simply returns a HTTP 503, which doesn't necessarily strike me as a problem. After all, I'm unable to provide a BEARER token using this method. I haven't yet tried via PowerShell as it only occurred to me now but perhaps I'll do so after posting this. Searching on this error and scenario has turned up nothing useful. I have also checked and compared event log entries from an Azure AD-native account, where it's a mixed bag of successful OAB BITS downloads and unsuccessful ones that feature the same symptoms as above, which offers up the possibility this might be a transient service-side error (though I'm not leaning heavily towards this). Has anyone else encountered this issue and resolved it? Is it even an issue to begin with, or is this expected behaviour? I'm unsure what to make of the symptoms. Cheers, LainMicrosoft Limits App Access to Sensitive Message Properties
Microsoft has announced details of a change to app permissions to restrict updates to sensitive message properties (like recipients) without consent for a new advanced mail access permission. If tenants have apps that interact with message properties, including apps developed by third parties, they should check whether the apps are updating sensitive properties. If so, the new permission must be assigned or the apps will stop working. https://office365itpros.com/2026/03/26/sensitive-message-properties-graph/HTTP Response Headers Hardening for Exchange 2019 on Windows Server 2022
Category: Security Hardening Issue: Currently, Exchange 2019 running on Windows Server 2022 does not have strict HTTP response headers configured, leaving it potentially vulnerable to security threats such as MIME type sniffing, clickjacking, and cross-site scripting (XSS) attacks. Objective: Harden the security of Exchange 2019 web services by enabling the following HTTP response headers: X-Content-Type-Options: Prevents MIME type sniffing by forcing browsers to respect declared content types. X-Frame-Options: Prevents embedding of Exchange web pages in iframes to mitigate clickjacking attacks. X-XSS-Protection or Content-Security-Policy (CSP): Protects against reflected XSS attacks (X-XSS-Protection is deprecated, CSP is preferred). I have found this article; can anyone tell me if it applies to Exchange 2019 as well? HTTP Security Headers - Icewolf Blog Thank you
Recent Blogs
- We wanted to provide a few updates related to modernizing DNS Security in Exchange Online.Apr 23, 2026
- 2 MIN READWe wanted to tell you about a new Change Optics Report that is now in Public Preview.Apr 20, 2026
