Recent Discussions
Issue with Distribution Groups Members
Hello Please i need your help on this issue. Issue with Distribution Groups Members. I created Manually Dynamic Distribution Group and added Users with Exchange Mailbox option but its added all the active licenced users and shared mailboxes and unlicenced users also. I only want Licenced users only in that group where E3 Licenced are assigned and users are active. But all users are added in that group instead of Licenced active users. I need only automatically add active users who has Office 365 Licence. I do not require any shared mailbox users I do not require non-active users NOTE: I do not want to create the users through PowerShell. So please is there a solution for GUI onlyHow to extract domain of the original link from a SafeLink
I'm trying to extract the original domain from the links that are warped by Microsoft SafeLinks I use the Nager.publicsuffix library in C# to parse domains, but with SafeLink's it only returns the SafeLink domain instead of the real one Example: https://ind01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fstspg.io%2Fn504fyn3g38x... https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fentra.microsoft.com%2Fdemodomain.cf%23blade... I've tried writing custom logic for SafeLink pattern, but Microsoft seems to use different formats, so it's not reliable Question: What's the best way in C# to reliably detect and unwrap these SafeLink's (or other tracking URLs) so I can extract the original domain before passing it to Nager.PublicSuffix
Missing Teams Contacts after Migration
Hello, We are currently migrating mailboxes from exchange 2019 to exchange online. The migration works absolute flawless. Now we have some employees complaining about missing teams contacts that were previously created in Teams only. The MS support told me that this is a teams limitation and the local contacts are gone. I know about unified contacts, thats contacts are synced now between outlook and teams and newly created contacts are stored in exchange online mailbox. But whatabout the old contacts ?? cant believe that theres no workaround to keep this contacts. Do you know something about this ? Rene
Which ExchangeServerApp is the right one? How to tell?
From running HCW multiple times w/ various exceptions, we have a number of separate ExchangeServerApp instances in Entra. How can I definitively tell which one (or more) is the correct instance? I can't find any of the UUIDs in the Entra entries anywhere in the Exchange Server configuration. I can't run the ConfigureHybridExchangeApplication script because (from the error it gives) it doesn't handle the multiple app identifiers. I submitted feedback but haven't heard back from the CSS-Exchange people. Any guidance appreciated.
Licensing question: Exchange Server SE for CSP M365 E3/E5 customers without Extended Use Rights
Does anyone have any information on licensing the new Exchange Server SE for customers who have M365/O365 E3/E5 purchased via CSP but do not have Extended Use Rights (i.e., no EA/EAS -> no on-prem Office server licenses included)? Specifically: Is it enough to license Exchange Server SE per node only, or Do customers also need to purchase Exchange Server CALs per user (even if they already have M365 E3/E5)? I’ve spoken with multiple licensing distributors and a Microsoft partner contact, but I still haven’t been able to get a definitive answer. According to a comment from Jeremy Carlson and Microsoft’s licensing documentation, certain licenses appear to include "CAL-equivalency rights". Can anyone here confirm whether these CAL-equivalency rights cover access to Exchange Server SE in the CSP E3/E5 (no Extended Use Rights) scenario? licensing reference: https://www.microsoft.com/licensing/terms/product/CALandMLEquivalencyLicenses/MCA#clause-2165-h3-1
Microsoft some server IP not in SPF List?
We Have add DNS record v=spf1 include:spf.protection.outlook.com -all , but find to SPF is failed spf:demo.com:2603:1096:301:11b::15 how can we solve this problem , because we need increase the security Level , would like quarantine / set to junk mailbox for SPF Fail mail Thank
Configure Dedicated Exchange Server Application
Currently our product ranning exchange 2019 CU15 with Exchange hybrid, so what else need configure other task for configuration of the dedicated application for Exchange Server. HCW8126 - Admin consent was not granted during the configuration of the dedicated application for Exchange Server. The application will be created but will not function until consent is provided. Please re-run the Hybrid Configuration Wizard (HCW) or grant consent via the Entra ID portal before using the application.
Update Federation Trust Certificate
Almost five years ago, I had set this up. I realized the cert is about to expire. I only have on test account on prem, everything else is in the cloud. Oauth is set up and we do have token based auth. I followed the steps to generate a new self signed cert, everything looks good even the text file in DNS. The issue is, when I run set-federationtrust - identity "Microsoft Federation Gateway -publishfederationcertificate, I get the following error. [FailureCategory=Cmdlet-Live DomainServicesException] 2B0D1031,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust + PSComputerName I have search and and tried several things for TLS 1.2 Enforcing TLS 1.2 on Windows 2019 via the reg Windows Registry Editor Version 5.00 enforce SchUseStrongCrypto Force Powershell to run tls1.2 I had to remove some of the verbage - i think the forum does not like it. Does anyone have any ideas Thanks PaulExchange SE and Domain / Forest Functional Level 2025 Support
Does anyone have any general idea on when they may test support for Domain / Forest Functional Level 2025? We're still rocking hybrid with Exchange SE and ExO and as such we're waiting on the supportability matrix (https://learn.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix#supported-active-directory-environments) to get updated so we can raise the DFL/FFL. Currently Exchange SE supports 2025 AD servers so they've verified the schema update from 88 to 91 is good to go but our Exchange team doesn't want us to raise the functional level until this matrix shows that it's supported for our current Exchange version. Thanks for any insight. Supported Active Directory environments The following table lists the supported Active Directory environments for Exchange Server. Version Active Directory servers Forest Functional Levels Exchange Server SE Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2016 Windows SApplying On-Prem EAP with New-Remote Mailbox
BACKGROUND: my org is in a hybrid AD/Exchange environment, and will remain so for some time. All mailboxes, other than a very small number with on-prem dependencies, were migrated to M365 a few years ago; we will continue to have 1-2 Exchange Servers on-premises for both management and some legacy on-prem processes. All user accounts are created on-premises, and synchronized to M365 through Entra Connect Sync. Our on-prem EAP has the exact address syntaxes that we need [applies to "Users with Exchange mailboxes" + "Resource mailboxes" + "Mail-enabled groups"]. I haven't found a clear answer to the question: with an Exchange 2019 (and soon SE) server on-premises - with users initially created on-premises - is there a way to provision new EXO mailboxes [using the 'new-remotemailbox' cmdlet], such that the on-prem EAP applies during creation? I've been working with these two references, but so far haven't found a way to make the "new-remotemailbox..." cmdlet work to (a) create a new account on-premises and (b) ultimately have an EXO mailbox provisioned with the on-prem EAP addresses in place: On provisioning mailboxes in Exchange Online when in Hybrid | Microsoft Community Hub https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/new-remotemailbox?view=exchange-ps Any thoughts or suggestions would be welcomed! (OR - perhaps it just can't be done?)Use PowerShell to Send Messages from Shared Mailboxes, Groups, and Distribution Lists
Everyone probably knows how to use Exchange's Send As and Send on Behalf of permissions to send email from user mailboxes. Here we venture into the same task, but for Microsoft 365 Groups, shared mailboxes, distribution lists, and mail-enabled security groups. Once your permissions are aligned, everything is pretty simple. https://practical365.com/sendas-send-on-behalf-of-mail-objects/Exchange EWS API Error
After migrating from 2016 to 2019 and SE, I was trying to move my script to the new server but came up with many issues. I was using this yesterday and it was working and today it's not. Seems random and no idea why it's happening that Exchange2016 disappears from the selection. $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService( [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016 ) The property 'Exchange2016' cannot be found on this object. Verify that the property exists. At line:1 char:1 + $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeSer ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException + FullyQualifiedErrorId : PropertyNotFoundStrict If I run the following, Exchange2016 is no longer in the list (it was when I tried yesterday). This seems random, [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-StrictMode -Version Latest Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn Add-Type -Path 'C:\Setup\ExchangeEWS\Microsoft.Exchange.WebServices.dll' # Get the type information for the ExchangeVersion enumeration $type = [Microsoft.Exchange.WebServices.Data.ExchangeVersion] # Get all declared fields $fields = $type.GetFields('DeclaredOnly, Public, Static') # Iterate over each field and display its name and value foreach ($field in $fields) { Write-Output "$($field.Name) = $($field.GetValue($null))" } Output: Exchange2007_SP1 = Exchange2007_SP1 Exchange2010 = Exchange2010 Exchange2010_SP1 = Exchange2010_SP1 Exchange2010_SP2 = Exchange2010_SP2 Exchange2013 = Exchange2013 Exchange2013_SP1 = Exchange2013_SP1 And if I run in Powershell ISE, I see more error (same script in regular powershell works). Exception calling "FindItems" with "2" argument(s): "The request failed. The underlying connection was closed: An unexpected error occurred on a send." At line:87 char:5 + $Items = $Service.FindItems( 'Inbox', ( New-Object Microsoft.Exch ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : ServiceRequestExceptionNot receiving <InReplyTo> tag in EWS GetItem response if mail subject changed in reply
Hello, I have an add-in that I run in Exchange Server 2019. When replying to an email, my add-in requires some information related to the parent email. For this, I use the EWS GetItem API. In the response, I get an <InReplyTo> tag, where I find information about the parent email. See below example for more info: The issue is that if I change the subject in the reply, I do not get that <InReplyTo> tag in the response, and hence cannot access parent email information. This issue is only observed in Outlook on Mac (classic UI). Any information, workaround, or timelines on a potential fix for this issue will be greatly appreciated. Do let me know if any further information is required from my end. Thanks, Raghunandan KumbharMicrosoft 365 Tenants Need Vanity Domains to Send External Email
Microsoft will impose a throttling limit for external recipients for tenants that use MOERA domain addresses to send outbound email. The limit is designed to stop tenants using mailboxes with primary SMTP addresses from MOERA domains from sending email, a technique that’s often used by spammers. This shouldn’t cause a problem for legitimate organizations who already have vanity domains, but it might stop some spam. https://office365itpros.com/2025/08/25/moera-domain-limit/RBAC Role – Trying to restrict available parameters Try to get head around…
The goal is to create a custom role for Exchange administrators with permissions to manage existing users, while restricting access to certain parameters when using commands such as set-mailbox. I created a role, add assign to role assignment “Public Folders – clone“ and „"Transport Rules-clone“ I added the test admin to the role and connected to Exchange Online. When the administrator enters the Set-Mailbox command, a list of parameters appears that are not included in the assigned role. Public folder Management role has command Set-Mailbox with only following parameters : DefaultPublicFolderMailbox,Identity, IsExcludedFromServingHierarchy, PublicFolder But from picture we can see paramaterst hat are not present in Publicv folder menegament role, I run command Get-Command set-mailbox | Select-Object -ExpandProperty Parameters AcceptMessagesOnlyFrom AcceptMessagesOnlyFromDLMembers AcceptMessagesOnlyFromSendersOrMembers DefaultPublicFolderMailbox DeliverToMailboxAndForward DisplayName ExternalOofOptions ForwardingAddress ForwardingSmtpAddress GrantSendOnBehalfTo Identity IsExcludedFromServingHierarchy Languages MailTip MailTipTranslations MessageCopyForSendOnBehalfEnabled MessageCopyForSentAsEnabled MessageCopyForSMTPClientSubmissionEnabled Password PublicFolder RejectMessagesFrom RejectMessagesFromDLMembers RejectMessagesFromSendersOrMembers RequireSenderAuthenticationEnabled SimpleDisplayName UniqueRecipientsCountLimitLevel UniqueUnrestrictedGroupsLimitEnabled UserCertificate UserSMimeCertificate Verbose Debug ErrorAction WarningAction InformationAction ProgressAction ErrorVariable WarningVariable InformationVariable OutVariable OutBuffer PipelineVariable WhatIf ConfirmAllow MessageClass Filtering in Default Folder Retention Tags in Exchange Online
What do other Microsoft 365 Exchange Oline Admins think about this. While implementing online archiving the current filtering of message types is hindering adoption for Online Archiving. Summary:I Exchange Online currently restricts the -MessageClass parameter in default folder retention tags to only * or VoiceMail. This limitation prevents administrators from applying retention policies that target only standard email messages (IPM.Note)—a critical need for organizations that want to archive email while preserving user-facing data like calendar items, tasks, and notes. Problem: This restriction: Forces the archiving of non-email items (e.g., calendar invites, tasks, notes), which are often small in size but essential to users. Breaks user workflows by making these items inaccessible in the archive. Undermines compliance strategies by preventing precise policy enforcement. Renders personal tags ineffective in environments where users are not trained or incentivized to apply them. Impact: Compliance Risk: Organizations cannot enforce retention policies that reflect their actual compliance requirements. User Experience: Critical calendar and task data becomes inaccessible in the archive, leading to confusion and support overhead. Administrative Burden: Workarounds (e.g., mailbox rules) are fragile and inefficient. Reputational Harm: These limitations reduce trust in Microsoft 365 among educational institutions and other sectors. Proposed Change: Allow the -MessageClass parameter in default folder tags to accept: IPM.Note (standard email) Other valid message classes (e.g., IPM.Appointment, IPM.Task) as needed Custom values where applicable Justification: The retention engine already supports MessageClass filtering in personal tags—this is a policy restriction, not a technical one. Granular control enhances compliance, not weakens it. This change would align Exchange Online’s retention capabilities with real-world organizational needs.Enable Outlook and To Do Clients to Surface Archived Items
Description: Exchange Online’s retention architecture currently forces the archiving of calendar items, tasks, and notes when default folder tags are applied with MessageClass = '*'. However, Microsoft Outlook (on the web, Mac, and PC) and the Microsoft To Do app do not surface these archived items, resulting in a broken user experience and loss of access to critical data. Problem: Calendar items, tasks, and notes that are archived via retention policies become invisible to users in Outlook and To Do. Users are unaware that these items have been archived, leading to confusion and support requests. The Microsoft To Do app, which replaces legacy task workflows, does not integrate with the Exchange Online Archive, making archived tasks inaccessible. Outlook clients do not provide visibility or searchability for archived calendar and note items, even though they remain stored in the archive. Impact: User Experience Breakdown: Users lose access to important calendar and task data without warning. Support Overhead: IT teams must explain and troubleshoot why items “disappear” from view. Compliance Confusion: Organizations applying retention policies for email only are forced to archive unrelated item types due to Exchange Online limitations. Feature Inconsistency: Microsoft’s own apps (Outlook, To Do) do not fully support the data lifecycle created by Exchange Online’s retention engine. Proposed Change: Update Microsoft Outlook (Web, Mac, PC, iOS, Android) and Microsoft To Do to: Surface archived calendar, task, and note items from the Exchange Online Archive. Provide clear indicators and search capabilities for archived items. Ensure that retention policies do not result in silent data loss from the user’s perspective. Justification: This change would restore visibility and trust in Microsoft’s compliance and archiving tools. It aligns client behavior with backend retention logic. It reduces support burden and improves usability across Microsoft 36Unexpected Microsoft Defender for Office 365 License Requirement for Shared Mailboxes
A question about shared mailboxes brought up the topic of licensing requirements when a tenant has Microsoft Defender for Office 365 (MDO). The news is not good. Once MDO is active, every shared mailbox needs an MDO license, and every user mailbox must also be licensed for MDO (those with E5 licenses are covered). At $5 per month, those MDO licenses can ramp up to a considerable cost. Ouch! https://office365itpros.com/2025/08/11/microsoft-defender-for-office-365/Microsoft Tells Hybrid Exchange Customers to Get Going with New App
Microsoft says that few customers have installed the dedicated hybrid connectivity app that’s needed to migrate from EWS. It’s time to install that app! If not, rich coexistence between cloud and on-premises components will stop working for several days when Microsoft imposes service time-outs in August, September, and October to prompt customers to take action. It’s time to install the dedicated hybrid connectivity app. https://office365itpros.com/2025/08/07/hybrid-connectivity-app-exo/Question Regarding Exchange Server Usability Test/Development Environments
Hello dear community or Microsoft Teams, I recently posted a message in the general Exchange forum: Request on Exchange Server SE CU1 Codebase and Trial Version Behavior | Microsoft Community Hub I have already received some very helpful feedback – many thanks to the person who responded! However, one question remains unanswered: Is it legally questionable if the server continues to be used in a test environment after the trial version has expired? How is this handled? Now I have a specific question about ‘server usability’ after the trial version expires: ‘The server remains usable after the trial version expires, but is not legally licensed for productive use.’ How would this look in a test or development environment if the server is not used in a productive environment, but only for testing purposes? Are there any legal restrictions that need to be taken into account? I look forward to your answers and thank you in advance!
Recent Blogs
- A reminder that on September 16 2025, we will enforce the first temporary block of shared security principal use for our hybrid customers.Sep 12, 2025
