Recent Discussions
Email Showing as Quarantined in a Message Trace, but Not Showing up in MS Defender
A customer of ours was waiting on an email to arrive and to help figure out where the email was or if it was sent yet we ran a message trace. The message trace showed that the email was sent to quarantine. With this information in mind, I went to MS Defender > Email & collaboration > Review > Quarantine but could not find the message. I modified some of the filters and could not get the quarantined message to appear. I triple checked the filters I created and made sure the information was correct. I also removed all filters and looked for the time period the email came in, but could not find it. Not sure if this is related, but this email had a significant delay likely coming from the sender. Any thoughts or ideas? Or anything that I am missing?Administratively retract a user's email
I was recently asked to retract a message that was sent in-error to staff. I ran a discovery/search, and saved it, but when I ran the powershell script after connecting to Exchange, the script could not find the search, something like name not found. I verfied the name was correct, and I am a global admin so permissions should not have been an issue. Does anyone know of any accurate documentation to run a search and retract? I had to use an old YouTube video and could not find anything in Microsoft's documentation.
ARC verification fail (40) on specific Exchange Online frontends - recurring issue
Hello, We are observing recurring arc=fail (40) errors on messages forwarded through Exchange Online, caused by specific frontend servers. The same messages pass ARC verification correctly on other providers (Google, etc.). Affected frontends identified so far: CH2PEPF0000013F.namprd02.prod.outlook.com - build 15.20.9700.17 (March 14, 2026) CH3PEPF0000000B.namprd04.prod.outlook.com - build 15.20.9769.17 (April 6, 2026) Both share the same build suffix .17. The signing implementation on our side has been cryptographically verified as correct and RFC 6376 compliant. The issue has also been reported on the IETF ietf-smtp mailing list with full technical analysis. Cryptographic analysis shows the failing servers append a spurious trailing \r\n to the last header before computing the verification hash, violating RFC 6376 Section 3.7. Is there a pattern with .17 frontend builds and ARC verification? Reagards Vittorio
Microsoft Exchange Report
I faced a new issue today, don't know if anything breaks at Microsoft or any new thing roll out from there, the things is unable to check usage report properly as well as unable to export the email activity, Mailbox Usage etc report under report- exchange and other tabs as well in customer tenant. I have Global Reader privilege but still facing this issue. Anyone faced this type of issue from today or before? If anyone knows about its pleas update your comment here. Thanks..iOS 26.4 iPhone Contact Sync with Microsoft Exchange Online
For the past 2–3 weeks, several of our iOS users have been experiencing synchronization issues with Exchange contacts. Contacts intermittently disappear from their devices and then re-sync after some time. In some cases, the re-synchronization process is significantly delayed. Anyone else experiencing the same issue?
Preserving permissions during EXO migration
Hi, Can you help me understand the outcome of preserving the permissions in our scenario. Exchange Server 2016 (soon Exchange SE) in a hybrid with Exchange Online. We are moving 75% of the mailboxes to Exchange Online. What ways will preserve or break the full-access or sendas permissions? I guess best way would be to migrate both the user and the shared mailbox at the same time in the same batch to keep the permission? If we migrate the user in batch 1 and shared mailbox in batch 2 will that preserve/break the full access/send as? If we migrate the shared mailbox in batch 1 and usermailbox in batch 2 will that preserve/break the full access/send as? If the permission is linked directly on the shared mailbox or via a security group is there a difference? Thanks!Microsoft Limits App Access to Sensitive Message Properties
Microsoft has announced details of a change to app permissions to restrict updates to sensitive message properties (like recipients) without consent for a new advanced mail access permission. If tenants have apps that interact with message properties, including apps developed by third parties, they should check whether the apps are updating sensitive properties. If so, the new permission must be assigned or the apps will stop working. https://office365itpros.com/2026/03/26/sensitive-message-properties-graph/
Can we hide default address lists in Outlook Address Book and show only custom ones?
There are existing Custom Address Lists. When users use the MS Outlook App (Office 2019) and open the Address Book, is it possible to hide the other address lists (including domain-sg-GAL, Global Address List, and domain-sg-Rooms), and only display the Custom Address Lists (domain-HK-AL and domain-sg-AL) — the ones shown in green in the photo?
Issue with certificate renewal for exchange Edge Transport Server
Hello team, I have come across a very particular problem I deployed 2 exchange server 2019 with one edge transport server When we are renewing the Certificates with wildcard certificate on both mailbox server ,and on edge transport server ,it is impossible for me to renew the edge subscription It says the cerificate is in "doublon" (repetitive) on one of the Exchange servers.I have always been using same certificate on exchange server be it edge or mailbox I tested a bogus different certificate on mailbox and on edge,only then th e edge sync works Did anybody come across this issue. ThanksOAB download fails after hybrid mailbox move.
Hi folks, I'm posting this query here as I doubt anyone in the Outlook forums would have the necessary Exchange hybrid knowledge. I run a classic hybrid Exchange environment where Exchange Server 2019 CU15 is the on-premise platform. Authentication is provided by on-premise AD FS, with the accounts being synchronised from on-premise via AAD Connect. I've just moved my on-premise mailbox to Exchange Online via New-MoveRequest and for the most part, everything is fine. One thing that possibly isn't fine - going off the Bits-Client event log is the regular offline address book downloads, where I'm seeing regular failures in the event log and through double-checking with bitsadmin.exe. The initial address book synchronisation worked as the view in Outlook is fully populated, however, I expect that future changes likely won't come through. bitsadmin output Event log output (There's numerous events to choose from - this is the one I'm most curious about.) The BITS service provided job credentials in response to the UNIDENTIFIED authentication challenge from the outlook.office365.com server for the Microsoft Outlook Offline Address Book <guid> transfer job that is associated with the following URL: /OAB/<guid>/oab.xml. The credentials for the <sid> user were rejected. When the mailbox was on-premise, the OAB came from the Exchange Server - no surprise there, where post migration it can be seen from the bitsadmin output it now comes from outlook.office365.com. Perhaps that's also to be expected - I don't know, but it makes sense given the move. What alerted me to there potentially being an issue is the systray icon frequently gets stuck on the "synchronising" icon, and running a manual full OAB sync from within Outlook fails to complete. After an extended "hang" period, the sync window eventually times out with the error shown above (the protracted UI behaviour would appear to be due to the large number of retries). Dropping the BITS job URL into Edge simply returns a HTTP 503, which doesn't necessarily strike me as a problem. After all, I'm unable to provide a BEARER token using this method. I haven't yet tried via PowerShell as it only occurred to me now but perhaps I'll do so after posting this. Searching on this error and scenario has turned up nothing useful. I have also checked and compared event log entries from an Azure AD-native account, where it's a mixed bag of successful OAB BITS downloads and unsuccessful ones that feature the same symptoms as above, which offers up the possibility this might be a transient service-side error (though I'm not leaning heavily towards this). Has anyone else encountered this issue and resolved it? Is it even an issue to begin with, or is this expected behaviour? I'm unsure what to make of the symptoms. Cheers, LainAdd-PublicFolderClientPermission: Object reference not set to an instance of an object.
Running into an issue with adding public folder permissions in Exchange Online. I've used this PowerShell script for a few years without any issues, but suddenly getting this error no matter what I try. I do have Owner permissions and there are Default and Anonymous permissions on the public folder, tried completely removing and reinstalling the ExchangeOnlineManagement module as well. Anyone else having this problem? $PF = Get-MailPublicFolder -Identity "\pf1" $User = Get-User -Anr "User1" $AccessRights = @( "ReadItems", "CreateItems", "EditOwnedItems", "EditAllItems", "FolderVisible" ) Add-PublicFolderClientPermission -Identity "\$($PF.Id)" -User $User.UserPrincipalName -AccessRights $AccessRights -Verbose VERBOSE: Returning precomputed version info: 3.9.2 VERBOSE: Requested HTTP/1.1 POST with 227-byte payload VERBOSE: Received HTTP/1.1 response of content type application/json of unknown size VERBOSE: Query 1 failed. Add-PublicFolderClientPermission: Object reference not set to an instance of an object. Thank you
Emails from Azure Communication Services (ACS) are treated as external emails
When using Azure Communication Services (ACS) Email, messages are delivered to Microsoft 365 as external mail, even if the system sending them belongs to my own organization. This behavior can be expected because ACS sends emails from Microsoft’s cloud infrastructure rather than directly from my tenant. As a result, Distribution Groups (DG), Dynamic Distribution Groups (DDG), or Mail-enabled Security Groups (SG) that are configured to accept messages only from internal senders will reject these emails. The common workaround is to enable “Allow external senders” on the group. However, we don't want to open the group to the entire internet. Does anyone else have the same experience? What is the best solution, exchange transport rules? Thanks!Microsoft Rushes High-Volume Email to General Availability
Almost two years after it first previewed, Microsoft is making the High-Volume Email (HVE) solution generally available in March 2026. HVE runs on a pay-as-you-go basis, but Microsoft won’t start charging tenants for sending email until May 2026. Two months should be enough for people to decide if they want to use HVE for internal communications as it has no ability to send external email. https://office365itpros.com/2026/03/09/hve-ga/Measuring KPIs like Response Times for Shared Mailboxes
Shared mailboxes are not CRM systems. However, many Microsoft 365 tenants use shared mailboxes to handle customer queries and then want to measure KPIs such as agent responsiveness to customer queries or the number of queries handled per agent in a month. As explored in this article, it’s possible to use the Microsoft Graph and PowerShell to extract some KPI-like data from shared mailboxes. https://office365itpros.com/2026/03/05/shared-mailbox-kpi/
Proper whitelisting of microsoft.com on dnswl.org
I keep having the issue that system-generated e-mails, e.g. on Trace Reports get classified as spam by the receiving e-mail provider. The sender address is email address removed for privacy reasons and the e-mails go to my M365 mailbox and are redirected to my external monitoring mailbox with that e-mail provider. The e-mail provider calculates a score that includes checking the sender's IP address 52.101.69.91 with dnswl.org . Unfortunately, that address is only whitelisted for outlook.com and some secondary domains, but not for microsoft.com. Of course, the issue also occurs with mailto:email address removed for privacy reasons and other IP addresses, so this is an example. It started to occur around two weeks ago, not sure if the provider changed policies or Microsoft changed the whitelisting; of course the provider refuses to overrun dnswl.org it, e.g. by own whitelisting. Who at Microsoft could I ask to fix that kind of issues? I don't find any appropriate category in their support menues, M365 support says the cannot help (TrackingID#2603031420001611). Thanks in advance for any hints, this is my first posting here, so please forgive me, if this is a dumb question.Exchange online - track deleted mail
I am 365 admin and see quite often people rapport "all my mails are in deleted post - and I have done nothing" or similar What is the best practice to investigate that. I know in powershell I have made some auditsearches, where it rapports like softdelete, hardelete etc - but is there any more specific way proving that the user actually did in on his own ? - I know with retention policies it is hard delete - but just wondering what the best practice is like to prove to the user that this is the user. Just write that it is soft deleted and means user have done it, often the user think is not understandableRetire last Exchange Server but keep directory sync
Hello all -- I'm looking for guidance on the recommended way to retire our last Exchange 2019 server while maintaining directory synchronization in our environment. We do not have any mail flowing through our exchange server, never have. It was only installed 10 years ago for a hybrid deployment. I believe one supported path is to stand up a member server and install the Exchange Management Tools on it. Given that Exchange 2019 is already out of support, is the the long term path moving forward? I've also read about an attribute "IsExchangeCloudManaged". In this scenario, I can set this on a per-mailbox basis and manage attributes such as proxyaddresses, extension attributes, and other non-AD-managed attributes. Is this the more forward path to take? Thinking about our user provisioning process now, we have a PowerShell script that creates the user in AD and connects to our hybrid Exchange server to Enable-RemoteMailbox. In this scenario, we would still create the user in AD, wait for the sync to happen, then enable the IsExchangeCloudManaged. Would this now provide the ability to manage additional addresses, or even, shared mailboxes without having to migrate from AD --> EXO - all while keeping AD in sync with cloud mailboxes? Am I thinking about this correctly? Thanks for any insight sb
Recent Blogs
- High Volume Email reached GA!Mar 31, 2026
- We are announcing upcoming changes to what message properties can be changed using Graph API.Mar 24, 2026
