Recent Discussions
Checking the Effectiveness of a Transport Rule to Block Spammy Email
Some weeks ago, I wrote about using a transport rule to suppress spammy email by sending the messages to the quarantine. But what’s the best way to check the rule’s effect? One method is to use the transport rule report PowerShell cmdlet to check for the actions you expect the rule to perform. Once information is found, it’s a matter of slicing and dicing the data.
https://office365itpros.com/2025/11/26/transport-rule-effectiveness/
21 Views, 0 likes, 0 Comments

OL client in-app link for getting OL for iOS or Android not working
Hello! Redirected to this forum from here: https://learn.microsoft.com/en-us/answers/questions/5617563/ol-desktop-link-broken-file-get-ol-app-for-ios-and
See error description and attempt to solve it by following the link.
For some reason, Windows clients in our organization cannot follow the Outlook desktop client in-app link for getting Outlook for iOS or Android (hybrid, no mailboxes in MS-cloud, only on prem). The link for getting the Outlook app for iOS and Android under File when logged into Outlook app does not seem to work. Clicking on it seems to send the user to the URL go.microsoft.com/fwlink/?LinkId=2112779 but quickly redirects and ends up with https://w2.outlook.com/l/mobile?WT.mc_id=Backstage**Win32**All**Hyperlink**
https://learn-attachment.microsoft.com/api/attachments/cb7d456f-ac6e-4566-a4ef-ffa912500423?platform=QnA
We haven't been able to figure out why, but since the same two different accounts mentioned in the thread above work on a private device on a private home network, it seems like something in our environment is the cause.
21 Views, 0 likes, 0 Comments

Federation Trust Gateway broken - OrgCertificate cannot be uploaded
Hey guys, last week we did Windows Server updates and this broke some stuff. Some certificates have been unbound and so on. Until then the full classic hybrid worked quite well in our Exchange Server 2016 CU23 environment. We are just in the process of upgrading/migrating. But after this point in time the On-Premises users stopped being able to see the calendars of the cloud users; the other way around still worked. So we started trying to fix the hybrid deployment with several runs of the HCW (which is always fine) and rebuilding the organizational relationship and the trust federation gateway. This was quite exhausting, as we updated a bunch of domains in global DNS several times. Currently, neither direction is functioning. Now it looks like the Federation Trust Gateway is in an inconsistent state. When I try...
    Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
then I get the message that the rollover certificate (OrgNextPrivCertificate) is not set and that I can only publish when this is done. When I try to define a rollover certificate, then I get the message that the rollover certificate cannot be set until the OrgCertificate has been published. So, we have a chicken-and-egg situation here. Thanks for any help.
59 Views, 0 likes, 0 Comments

Stop ASP.NET SMTP Emails from Appearing in Office 365 Sent Items Without Affecting Manual Sends
We are sending emails to our clients through an ASP.NET application using the SMTP protocol and using an O365 Account (email address removed for privacy reasons). The problem is that every time a mail (reset password, otp, campaigns, etc) is sent from the ASP.NET application, a copy of that mail is created in the "Sent Items" of the Support mailbox. This is not needed and it is quickly filling our Support mailbox. How to stop this? Is there any setting in the Exchange Server? Please note that the Support mailbox is also used by our company support representative to send resolutions to customers using O365 Outlook Web Access. The mails sent by the representative are very much needed in the sent items. It's only the ASP.NET-sent mails that we want to prevent in the "Sent Items".
28 Views, 0 likes, 0 Comments

Use PowerShell to Analyze Junk Email and Intercept Traffic from Spammy Domains
Despite the best efforts of anti-spam solutions, some unwanted messages usually get through to user inboxes. This article explains how to analyze messages that end up in Junk Email and use the results to create a transport rule to block future traffic from the spammy domains.
https://practical365.com/analyze-junk-email-block-spammy-domains/
70 Views, 1 like, 0 Comments

Resolved: Hybrid Exchange Duplicate (Ghost) Mailbox Created After Assigning Exchange Online License
Summary
During a hybrid Exchange migration, a user’s mailbox failed to migrate and mail flow broke due to a duplicate (ghost) mailbox automatically created in Exchange Online.

Root Cause
An Exchange Online Plan 2 license was mistakenly assigned to the user before migration. Azure AD sync then provisioned a cloud mailbox, even though the user already had an on-prem mailbox. This caused a hybrid mismatch — the user appeared in both environments, and migration failed with mailbox lookup errors.

Resolution Steps
- Removed the Exchange Online Plan 2 license from the user account.
- Forced a DirSync (AAD Connect) synchronization.
- Verified that the mailbox existed only on-prem via PowerShell:
    Get-Mailbox -Identity email address removed for privacy reasons | fl Name,RecipientTypeDetails,ExchangeGuid
- Confirmed the ghost mailbox was removed from Exchange Online.
- Re-ran migration batch successfully to Exchange Online.

Verification
    Get-MailboxStatistics -Identity email address removed for privacy reasons | fl TotalItemSize,ItemCount,LastLogonTime
Ensure only one mailbox object exists and mail flow routes correctly.

Prevention Tips
- Don’t assign Exchange Online licenses to hybrid mailboxes before migration.
- Always verify mailbox location prior to assigning any license.
- Use PowerShell or EAC to check where the mailbox resides (on-prem vs. cloud).

Environment
- Hybrid Exchange Deployment
- Exchange 2016 On-Premises
- Exchange Online (M365)
- Azure AD Connect

This issue is not caused by connectors or mail flow settings, but by improper licensing before migration. Removing the license and resyncing resolves the ghost mailbox problem.
66 Views, 0 likes, 0 Comments

We have set RejectDirectSend to true
Hello. Please, I need your help on this issue. We have set RejectDirectSend to true, but it is still possible to send mail anonymously through the tenant. Last Friday, 3 Oct 2025, we configured the tenant not to allow DirectSend from anonymous sources by setting the RejectDirectSend value to true using a PowerShell command. When we check the status with the Get-command it looks like it is set but it is not working - it is still possible to spoof emails by sending through the MX record as anonymous.
21 Views, 0 likes, 0 Comments

Exchange 2016 and 2019 End of Life and Some Interesting Exchange Online Developments
On Oct 14, 2025, Exchange 2019 and 2016 reach end-of-life and Exchange SE becomes the only supported on-premises Exchange server. In other news, we discuss Microsoft guidance for moving to cloud first identity, HVE and ECS and the extension of basic authentication support to September 2028, the introduction of auto-archiving for Exchange Online, and why Microsoft is deprecating the Contact object from Exchange Online.
https://office365itpros.com/2025/10/09/exchange-se-news/
101 Views, 0 likes, 0 Comments

I am receiving DMARC errors
Hello. Please, I need your help on this issue. Last night I started receiving DMARC and other errors when trying to send emails. I don't believe my business email is receiving messages either. Please help me 'fix' resolve these bounce back errors. I did try to find the solution on my own, but it's just out of my wheelhouse. Please help as my business is being affected by these errors and bounce backs.
27 Views, 0 likes, 0 Comments

External tag in Cards
After the rollout of the https://www.microsoft.com/en-us/microsoft-365/roadmap?id=498231 our users who are hidden from the GAL have the External tag applied when sending internally, as well as the external tag on their profile cards. Was this an expected behavior with this change?
15 Views, 0 likes, 0 Comments

Change Coming for How Outlook Extracts Events from Email
The Outlook events from email feature changes from January 31, 2026. Events will only be created if notifications support the properties for events defined by schema.org. Seeking consistency is a good idea, especially if it means that Outlook can process notifications sent by airlines, car hire companies, and other event providers in a way that doesn’t happen today. However, some disruption is likely.
https://office365itpros.com/2025/09/30/events-from-email-schema/
54 Views, 0 likes, 0 Comments

Licensing question: Exchange Server SE for CSP M365 E3/E5 customers without Extended Use Rights
Does anyone have any information on licensing the new Exchange Server SE for customers who have M365/O365 E3/E5 purchased via CSP but do not have Extended Use Rights (i.e., no EA/EAS -> no on-prem Office server licenses included)?
Specifically:
- Is it enough to license Exchange Server SE per node only, or
- Do customers also need to purchase Exchange Server CALs per user (even if they already have M365 E3/E5)?
I’ve spoken with multiple licensing distributors and a Microsoft partner contact, but I still haven’t been able to get a definitive answer. According to a comment from Jeremy Carlson and Microsoft’s licensing documentation, certain licenses appear to include "CAL-equivalency rights". Can anyone here confirm whether these CAL-equivalency rights cover access to Exchange Server SE in the CSP E3/E5 (no Extended Use Rights) scenario?
licensing reference: https://www.microsoft.com/licensing/terms/product/CALandMLEquivalencyLicenses/MCA#clause-2165-h3-1103Views0likes0Comments

Microsoft some server IP not in SPF List?
We have added the DNS record v=spf1 include:spf.protection.outlook.com -all, but find that SPF fails: spf:demo.com:2603:1096:301:11b::15. How can we solve this problem? We need to increase the security level and would like to quarantine / send to the Junk mailbox any mail that fails SPF. Thanks
47 Views, 0 likes, 0 Comments

Configure Dedicated Exchange Server Application
Currently our product is running Exchange 2019 CU15 with Exchange hybrid, so what else needs to be configured for the dedicated application for Exchange Server?
HCW8126 - Admin consent was not granted during the configuration of the dedicated application for Exchange Server. The application will be created but will not function until consent is provided. Please re-run the Hybrid Configuration Wizard (HCW) or grant consent via the Entra ID portal before using the application.
49 Views, 0 likes, 0 Comments

Update Federation Trust Certificate
Almost five years ago, I had set this up. I realized the cert is about to expire. I only have one test account on prem, everything else is in the cloud. OAuth is set up and we do have token based auth. I followed the steps to generate a new self signed cert, everything looks good even the text file in DNS. The issue is, when I run
    Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
I get the following error.
    [FailureCategory=Cmdlet-Live DomainServicesException] 2B0D1031,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust + PSComputerName
I have searched and tried several things for TLS 1.2:
- Enforcing TLS 1.2 on Windows 2019 via the reg
- Windows Registry Editor Version 5.00
- enforce SchUseStrongCrypto
- Force PowerShell to run tls1.2
I had to remove some of the verbiage - I think the forum does not like it. Does anyone have any ideas?
Thanks
Paul
43 Views, 0 likes, 0 Comments

Exchange SE and Domain / Forest Functional Level 2025 Support
Does anyone have any general idea on when they may test support for Domain / Forest Functional Level 2025? We're still rocking hybrid with Exchange SE and ExO and as such we're waiting on the supportability matrix (https://learn.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix#supported-active-directory-environments) to get updated so we can raise the DFL/FFL. Currently Exchange SE supports 2025 AD servers so they've verified the schema update from 88 to 91 is good to go but our Exchange team doesn't want us to raise the functional level until this matrix shows that it's supported for our current Exchange version. Thanks for any insight.
Supported Active Directory environments
The following table lists the supported Active Directory environments for Exchange Server.
Version Active Directory servers Forest Functional Levels Exchange Server SE Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2016 Windows S
143 Views, 1 like, 0 Comments

Applying On-Prem EAP with New-Remote Mailbox
BACKGROUND: my org is in a hybrid AD/Exchange environment, and will remain so for some time. All mailboxes, other than a very small number with on-prem dependencies, were migrated to M365 a few years ago; we will continue to have 1-2 Exchange Servers on-premises for both management and some legacy on-prem processes. All user accounts are created on-premises, and synchronized to M365 through Entra Connect Sync. Our on-prem EAP has the exact address syntaxes that we need [applies to "Users with Exchange mailboxes" + "Resource mailboxes" + "Mail-enabled groups"].
I haven't found a clear answer to the question: with an Exchange 2019 (and soon SE) server on-premises - with users initially created on-premises - is there a way to provision new EXO mailboxes [using the 'new-remotemailbox' cmdlet], such that the on-prem EAP applies during creation?
I've been working with these two references, but so far haven't found a way to make the "new-remotemailbox..." cmdlet work to (a) create a new account on-premises and (b) ultimately have an EXO mailbox provisioned with the on-prem EAP addresses in place:
- On provisioning mailboxes in Exchange Online when in Hybrid | Microsoft Community Hub
- https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/new-remotemailbox?view=exchange-ps
Any thoughts or suggestions would be welcomed! (OR - perhaps it just can't be done?)
57 Views, 0 likes, 0 Comments

Use PowerShell to Send Messages from Shared Mailboxes, Groups, and Distribution Lists
Everyone probably knows how to use Exchange's Send As and Send on Behalf of permissions to send email from user mailboxes. Here we venture into the same task, but for Microsoft 365 Groups, shared mailboxes, distribution lists, and mail-enabled security groups. Once your permissions are aligned, everything is pretty simple.
https://practical365.com/sendas-send-on-behalf-of-mail-objects/
76 Views, 0 likes, 0 Comments

Exchange EWS API Error
After migrating from 2016 to 2019 and SE, I was trying to move my script to the new server but came up with many issues. I was using this yesterday and it was working and today it's not. Seems random and no idea why it's happening that Exchange2016 disappears from the selection.

    $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService( [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016 )

    The property 'Exchange2016' cannot be found on this object. Verify that the property exists.
    At line:1 char:1
    + $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeSer ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
        + FullyQualifiedErrorId : PropertyNotFoundStrict

If I run the following, Exchange2016 is no longer in the list (it was when I tried yesterday). This seems random.

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Set-StrictMode -Version Latest
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
    Add-Type -Path 'C:\Setup\ExchangeEWS\Microsoft.Exchange.WebServices.dll'
    # Get the type information for the ExchangeVersion enumeration
    $type = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]
    # Get all declared fields
    $fields = $type.GetFields('DeclaredOnly, Public, Static')
    # Iterate over each field and display its name and value
    foreach ($field in $fields) {
        Write-Output "$($field.Name) = $($field.GetValue($null))"
    }

Output:

    Exchange2007_SP1 = Exchange2007_SP1
    Exchange2010 = Exchange2010
    Exchange2010_SP1 = Exchange2010_SP1
    Exchange2010_SP2 = Exchange2010_SP2
    Exchange2013 = Exchange2013
    Exchange2013_SP1 = Exchange2013_SP1

And if I run in PowerShell ISE, I see more errors (same script in regular PowerShell works).

    Exception calling "FindItems" with "2" argument(s): "The request failed. The underlying connection was closed: An unexpected error occurred on a send."
    At line:87 char:5
    + $Items = $Service.FindItems( 'Inbox', ( New-Object Microsoft.Exch ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : ServiceRequestException

79 Views, 0 likes, 0 Comments
Events
Recent Blogs
- We are announcing the Public Preview of the Exchange Online Admin API. Nov 17, 2025. 5.3K Views, 2 likes, 10 Comments
- We are not releasing any Exchange Server Security Updates for November 2025. Nov 11, 2025. 4.6K Views, 12 likes, 5 Comments