Recent Discussions
Modern Auth EWS error 50199 when signing from Crestron Touchpanels
Good Afternoon, All I am having a difficult time nailing down this issue. I have a few Crestron TTS-770s that were, up to last week, working correctly by pulling Calendars data with EWS. They were configured with a service account signed into EWS using 'modern authentication'. This week, these panels have disconnected and report that 'Needs to be authorized' as the EWS status. I have verified that CA is not blocking sign in, the account is excluded from MFA policies, and is correctly licensed for Exchange Access. We do not use Intune for device management. When I attempt to re-register the device, I follow the prompts until I am prompted to close the browser window; The device spins, then fails to connect with the status above. I have attempted this with the service account and my own Admin account with MFA, to the same result. Entra Enterprise Apps Sign-in logs show a 'Successful' entry, then immediately after, a 'Failed' entry with an error '50199'. I had not made changes to any of the URIs before initial failure, and any additional entries or changes do not change the results of the error. Initial URI was configured to 'https://app.noop' (no idea, was configured before I got here, and I hadn't needed to change it), I have attempted combinations of our Tenant URI, ' https://login.microsoftonline.com/common/oauth2/nativeclient', and other 'fixes' I had found while GTS-ing. I additionally have set my 'legacy authentication' and 'legacy applications' CA polices to read-only for troubleshooting. I am working to disable OAuth2ClientProfile on Exchange Online temporarily for troubleshooting. Does anyone have any ideas? Please let me know if any additional information is needed, or if needed to post in another location. Thank You
Autoreseed, now what?
Have had a disk failure in a four server Exchange SE DAG with autoreseed enabled. New disk inserted, but now what? What I can google and AI myself to is something like this: Bring the new disk online Remove the broken mount point by deleting the mount point folder that does not lead anywhere Create a New Simple Volume and mount it in an empty NTFS folder Format it as per our standard, ReFS 64K and label to our standard (same as the old one) Does the experts agree that this is all there is to it? Many thanks!
Teams delegation permission issue with Onpremise Exchange Server
we have migrated the exchange server from 2019 to SE Environment and configure the OAuth 2.0 which is working perfectly but there is one issue that one of the user is using Shared calendar but while he create the meeting invite along with Teams meeting option then everytime it shows an error "please login into the meeting" If anyone works on this case please guide or help us. ThanksMicrosoft Cancels Exchange Mailbox External Recipient Rate Limit
After considering customer feedback, Microsoft cancelled the mailbox external recipient rate limit for Exchange Online. The idea behind the new limit was simple – it makes life more difficult for spammers to use Exchange Online as a platform. Unhappily, customers didn’t like losing the ability to send relatively small amounts of external email for different reasons, and Microsoft didn't have a cost-free alternative to offer. C’est la vie. https://office365itpros.com/2026/01/08/mailbox-external-recipient-rate/
MS Bookings
Hi everyone, We’ve been stumped on this for a while and even Microsoft Support couldn't provide a clear solution. Our tenant is cluttered with MS Shared Bookings calendars that are either inactive or were created as one-off tests. Does anyone have a PowerShell script or a specific Graph query that can pull activity for all MS Bookings calendars in the tenant within a 90-day window? As Global Admins, we need to identify which ones are safe to decommission. Any advice would be greatly appreciated!
Linking cloud only shared mailbox with onpremise object
Hi all, We currently have a cloud only shared mailbox in exchange online that we need to exist in onprem exchange for a smtp relay that is setup in a hybrid config. Is it possible to create onprem and match these objects onprem/cloud - or will the mailbox need to be recreated onprem and then it will sync to cloudTop 3 Myths about Exchange Server Subscription Edition
Over the last few months, several myths about Exchange Server Subscription Edition (SE) have been circulating online. From what I have seen, the top 3 myths are: Exchange Server SE RTM includes new features. Exchange Server SE will be updated like the Cloud. Exchange Server 2016 customers must move to Exchange Server 2019 to upgrade to Exchange Server SE. None of these things are true, but unfortunately, they keep being repeated. Let's dive into each of them. Myth #1: Exchange Server SE RTM includes new features The first myth is that Exchange Server SE includes new features. This is not true, and Microsoft's https://learn.microsoft.com/exchange/new-features/new-features makes this clear. In fact, it was always our plan to intentionally not include any features in the RTM release of Exchange Server SE. In my https://www.amazon.com/dp/B0FR5GGL75/ and my talks about it at the https://www.exchange-summit.de/ and https://www.ntk.si/en/schedule/237 last year, I provided insight into the RTM release of Exchange Server SE, so I won't go into that here. But I will explain why Exchange Server SE RTM doesn't include new features (or any other substantive code changes). When we decided to move the release of Exchange Server SE RTM to the second half of 2025, we knew we were significantly reducing the overlap between supported versions to about 106 days. We also knew that even with in-place upgrade capabilities, customers still needed time to validate the release. To help make that validation as quick and easy as possible, our plan was to make the RTM release code equivalent to the last released update for Exchange Server 2019, with only necessary branding and licensing changes. Last released update meant the last Cumulative Update (CU) for Exchange Server 2019 plus any Security Updates (SUs) or Hotfix Updates (HUs) released after the last CU but before the SE RTM release. Internally, we described the SE RTM release as a "soft CU for Exchange Server 2019" to help business, engineering, support, and community stakeholders better understand what we were doing. Eventually, senior leadership approved our plan, which the engineering team then executed flawlessly. As a side note, because Exchange Server and https://aka.ms/sfbb are developed and released by the same engineering team, Skype for Business Server SE took the same approach with their RTM plans and release. In the end, we committed to the SE RTM release being the same exact code as Exchange Server 2019 CU15, plus the two post-CU15 updates released before SE RTM (namely, the April 2025 and May 2025 HUs). This meant that customers running Exchange Server 2019 with the May 2025 HU experienced only: A name change from Exchange Server 2019 to Exchange Server Subscription Edition; A new License Agreement file (License.RTF), which is shown only during the GUI version of Setup; and A new build number that was incremented using the Exchange Server 2019 numbering scheme. Aside from that, when compared to Exchange Server 2019 CU15 plus the May 2025 HU, there are no changes in Exchange Server SE. Despite making this clear in numerous blog posts and documentation, some authors have posted articles that list "new" features in Exchange Server SE, citing support for Windows Server 2025, TLS 1.3, and OAuth 2.0 (aka Modern Auth), and new certificate management capabilities. These "new" features were all available in Exchange Server 2019, and other cited features were available in Exchange Server 2016 and earlier versions. That said, there are only two other changes that apply to Exchange Server SE: Lifecycle Policy and Support Policy. Both are outside the product and they are related. Lifecycle Policy changes Previous versions of Exchange Server were covered under Microsoft's https://learn.microsoft.com/lifecycle/policies/fixed, which has phases such as Mainstream Support and Extended Support as well as published (and fixed) dates for end of support (the Beyond End of Support phase aka End of Life). Exchange Server SE is covered under Microsoft's https://learn.microsoft.com/lifecycle/policies/modern, which does not have any support phases or published end of support dates. Exchange Server SE will have at least a 10½-year lifecycle because Microsoft has https://learn.microsoft.com/lifecycle/additional-support-server-modern-lifecycle-policy to supporting Exchange Server SE (as well as SharePoint Server SE and Skype for Business Server SE) until at least December 31, 2035, a few months shy of the 40th anniversary of Exchange Server! Under the Modern Lifecycle Policy, Microsoft also commits to provide a minimum of 12 months' notice before ending support for Exchange Server SE (and it would not surprise me to see the Office Servers eventually added to list of products on the https://learn.microsoft.com/lifecycle/policies/3-year-subset). Support Policy changes Historically, Microsoft's support stance has been based on where a product is in its lifecycle. For example, when Exchange Server 2013 was in Mainstream Support, Microsoft supported N-1, where N is the latest CU and -1 is the immediately previous CU. When Exchange Server 2013 moved into Extended Support, only the latest CU was supported. Exchange Hybrid environments have always been an exception to this, as Microsoft supports only the current CU in Hybrid environments. The change from the Fixed Lifecycle Policy to the Modern Lifecycle Policy means that Microsoft's support stance is more fluid. The Modern Lifecycle Policy says: "Customers must stay current as per the servicing and system requirements published for the product or service." This means that Microsoft can change the support requirements for Exchange Server SE as needed, but you should not expect them to pull the rug out from under you. Rather, you should expect their changes to be to your benefit, as previously demonstrated by their support for both CU15 and CU14 while Exchange Server 2019 was in Extended Support. So, if Microsoft releases a CU that contains a large payload or other significant changes, they may opt to take an N-1 support stance to give customers plenty of time to test and deploy it. Conversely, it's also possible that Microsoft could require customers to deploy an update immediately to fix a critical security issue or a significant bug (for example, a bug known to cause data loss). Regardless of the changes to Microsoft's support stance, my general advice is to evaluate and deploy all updates (especially SUs) as quickly as possible. Don't skip testing or validation, but do make installing updates, keeping Windows and Exchange current, and monitoring your Exchange servers a top priority. Myth #2: Exchange Server will be updated like the Cloud The second myth has to do with how Exchange Server will be serviced by the engineering team (and updated by customers). The move to the Modern Lifecycle Policy includes some language that may be helping to perpetuate this myth: "The Modern Lifecycle Policy covers products and services that are serviced and supported continuously." Servicing generally means updating the code and providing release packages for customers to install. Serviced and supported continuously refers to the evergreen type of model now used by Exchange Server (and other Microsoft products) which simply means instead of major releases and version upgrades, Microsoft will simply service the product via periodic updates. In the past, Microsoft released a new major version of Exchange Server roughly every 2-4 years. With the release of Exchange Server SE, there are no more major version releases. Instead, Exchange Server will be maintained in an evergreen fashion. Code updates for Exchange Server include the following package types: CU - a full-product package containing a specific build (e.g., RTM, CU1, CU2, etc.). SU - a recommended security-related hotfix package HU - an optional non-security hotfix package IU - a customer-specific fix packaged as an Interim Update CUs, SUs, and HUs, are cumulative, so you need only install the latest package. HUs are optional updates, but I recommend always reviewing HU release articles to see if they might introduce features or fixes that might benefit your organization. When Microsoft releases one of these packages, they will announce it on the https://aka.ms/EHLO and provide download links, and update the https://learn.microsoft.com/exchange/new-features/build-numbers-and-release-dates of build numbers and release dates for Exchange Server. I think the use of the word continuously in Modern Lifecycle Policy is causing confusion. The reality is that Exchange Server SE uses the same servicing model that Exchange Server 2019, Exchange Server 2016, and Exchange Server 2013 have used since April 2022, and no changes to this model have been made (or are expected). Microsoft has already announced the general plan for the first two CUs for Exchange Server SE that will both release in 2026 (in H1 and H2, respectively). Security work always takes precedence over non-security work, and there have been many times when Microsoft has released only one Exchange Server CU per year (including in 2024, 2023, and 2022). So, no, Exchange Server SE won't be updated by Microsoft like the cloud (nor will it get most cloud features). Myth #3: Exchange Server 2016 customers must move to Exchange Server 2019 to upgrade to Exchange Server SE The third myth is about upgrading to Exchange Server SE from Exchange Server 2016. This myth is concerning but understandable. Concerning, because it might cause (and might have caused) some customers to waste time and money. Understandable, because in the past it was guidance from Microsoft; but that guidance is now out-of-date and no longer applies. Some background and detail will help explain why. Exchange Server 2019 reached general availability on October 22, 2018. Despite the many improvements and benefits, Exchange Server 2019 was not well-adopted, likely because at the time Microsoft was leaning heavily into a cloud-first world. In fact, you could make an argument that when Exchange Server 2019 was released, Microsoft did everything it could to make sure no one used it. If you look at the https://web.archive.org/web/20181120140237/https:/products.office.com/en-us/exchange/email?rtc=1, it didn't even mention Exchange Server 2019. This led a lot of customers to think that our goal was to kill Exchange Server, or at the very least, ignore it to death. In the aftermath of the Hafnium attacks against Exchange servers, we learned that there were hundreds of thousands of servers around the world running unsupported builds, or supported but old and vulnerable builds, and that a very small percentage (~5%) were running Exchange Server 2019. Of the supported versions, patching levels were all over the place, with literally every build we had released still in use somewhere, including RTM builds of each major version. After Hafnium, we spent more than a year figuring out what to do with the next version of Exchange Server, and it was during that time that an entirely new plan for Exchange Server SE was developed (along with a new codename: Quantum Lobster). During planning, we intentionally went radio silent on the next version of Exchange Server (aka Quantum Lobster), making https://youtu.be/Q5iwvrrqQpA in September 2020, the last that anyone outside of Microsoft heard about the next version of Exchange Server for almost 2 years. During those 2 years, we continued telling customers that wanted to run Exchange Server to move to Exchange Server 2019. Not because it was the latest version, but because that's where we were still investing in security and features (such as custom configuration backup and support for Windows Server 2025 and TLS 1.3). Eventually, on June 2, 2022, we broke radio silence on the next version of Exchange Server, and among other things, we repeated our multi-year call-to-action to move to Exchange Server 2019, telling customers that once on Exchange Server 2019 they would be able to do a quick and easy in-place upgrade to Exchange Server SE RTM. In other words, Microsoft had been telling customers for years to move to Exchange Server 2019 to enable a quick and low-risk in-place upgrade to Exchange Server SE RTM when it releases. This message was further refined to focus on Exchange Server 2016 customers for two reasons: Exchange Server 2013 reached end of support, and as an Awareness Action, we changed Setup in CU15 to prevent installation if Exchange Server 2013 was present in the organization; and Exchange Server 2016 had a notable (and for a brief time, the largest) percentage of the visible install base. Circling back to the What's New article I mentioned earlier, this https://learn.microsoft.com/exchange/new-features/new-features#whats-new-when-upgrading-from-exchange-2016-to-exchange-se has an Important note about upgrading that says: "In-place upgrades from versions of Exchange Server earlier than Exchange Server 2019 are not supported. You must first perform a legacy upgrade to Exchange Server 2019 CU14 or CU15 before upgrading to Exchange Server Subscription Edition (SE). Alternatively, a legacy upgrade to Exchange Server SE is also supported." It seems that some may have read the first two sentences in the note and ignored the rest, as there are a lot of articles and posts that state that to move from Exchange Server 2016 to Exchange Server SE, you must first do a legacy upgrade from Exchange Server 2016 to Exchange Server 2019, and then do an in-place upgrade to Exchange Server SE. But that guidance was rendered obsolete with the SE RTM release and should no longer be followed. There is absolutely no reason to do two upgrades (legacy + in-place) when a single upgrade (legacy) from Exchange Server 2016 to Exchange Server SE can be done. In fact, the legacy upgrade process from Exchange Server 2016 to Exchange Server 2019 or Exchange Server SE is exactly the same! The https://m365accelerator.microsoft.com/exchange (aka the https://aka.ms/ExDeploy) are helpful when performing a legacy upgrade from Exchange Server 2016 to Exchange Server SE. If you're still running Exchange Server 2019 or earlier, I encourage you to remediate that as quickly as possible (even if you are in the Extended Security Update program) by upgrading to Exchange Server SE or by moving to Exchange Online. Conclusion Hopefully, you now understand the truth behind the top three Exchange Server SE myths discussed in this article and why they are myths. But as I said in the beginning, these aren't the only myths being perpetuated. What else have you seen/read? What other myths would you like busted? Drop a comment and let me know!Outlook Keep prompting Password in Exchange 2019 CU15 environment
Recently, we encountered an issue in our Hybrid Exchange environment where Outlook repeatedly prompted for credentials for users in a child domain (e.g., xx.abc.com). The issue did not occur for users in the root domain (abc.com). The problem was observed only when users connected from outside the corporate network. Outlook worked normally within the office network and over VPN, but external users experienced continuous password prompts. Firewall checks indicated HTTP 401 (Unauthorized) responses. After troubleshooting, a client-side workaround resolved the issue by applying specific settings on the affected machines. However, this fix would require deployment to all impacted users via Active Directory Group Policy. I would like to understand: Why this issue occurs specifically for child-domain users, and Whether there is a server-side or configuration-based workaround to resolve the issue without deploying registry changes on user machines. Solution for each client's machine: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover Create a DWORD (32-bit) Value. Give it the name ExcludeHttpsRootDomain and the value 1. Create a DWORD (32-bit) Value. Give it the name ExcludeExplicitO365EndPoint and the value 1.The Exchange EnforcedTimestamps Mailbox Property
While examining mailbox properties, I noticed that the EnforcedTimeStamps property held some information that I just couldn’t explain. Google search was no help, but Microsoft Copilot told me that the information related to the management of compliance holds. Basically, the data are guardrails to help the Managed Folder Assistant do the right thing, which is nice, even if no documentation exists. https://office365itpros.com/2025/12/30/enforcedtimestamps/
Does Exchange Online have an internal search Index for people ?
Hello everyone, I'm managing users with Office 365 E3 licences. We have an hybrid Exchange Online / Exchange On-Premise architecture. My problem is the following: After I create an user with E3 licence, and after AAD Synchronisation between Azure / AD, the user is created on Azure but also the email mailbox (Exchange Online). But within the "To" input, through the Autocomplete suggestions, this user cannot be found, neither with Outlook Desktop Client nor with OWA Outlook (Web version of Otlook), even several hours later of the creation. I can use the mailbox (can login to OWA Outlook), can send / receive. So the mailbox is created correctly. I can connect to Exchange-Online via PowerShell and get all informations for the target mailbox (like others) with: Get-Recipient -Identity "email address removed for privacy reasons" And also via Get-Recipient -Anr "elon" (this gives me "Elon, Musk" as a suggestion through PowerShell). But why the autocomplete cannot suggest me this user ? Through the GAL (Global Address List) the user is visible (when I click on "To" button within Outlook Desktop Client -> Popup showing the Global Address List). But it's not suggested automatically, like others (old users). I made several hours of searches but I do not found any concluant result. My only question is: does Exchange Online infrastructure have an internal Search Index for People ? And if so, how often it's updated to include newly added users to the tenant? On what is based the autosuggestions within the inputs "To" / "CC" / "CCI". In my case (at least), the search for autosuggestions cannot be based on Global Address List / Offline Address Book from our On-Premise Exchange server, because EVEN the Web based OWA Outlook cannot find the newly created user! Thank you in advance for your precious help! Best Regards, Adam J.
Microsoft Exchange refers to an older certificate that no longer exists, ID 12023.
We have one Microsoft Exchange 2013 server. The Windows Application log periodically displays the ID 12023 entry, which states that Microsoft Exchange could not load the certificate with the thumbprint 3E8XXXXXXXXXXXXXXXXXXXXXXXXXXXX from the local computer's personal certificate store. This certificate was deleted because it expired, and a new self-signed Auth certificate was created. Now, when running the Get-AuthConfig | Format-List CurrentCertificateThumbprint, PreviousCertificateThumbprint, NextCertificateThumbprint command, only the current certificate is displayed. The Microsoft Exchange 2013 server is running. The question is, what should I do to remove the ID 12023 entry from the Windows Application log?Exchange Online Mailbox cannot see Unsynchronized On-Premises mailbox Free/Busy info and vice versa
Hello Everyone! I originally posted an issue on Microsoft Learn https://learn.microsoft.com/en-us/answers/questions/5651848/free-busy-not-viewable-from-on-premises-mailbox-to?comment=answer-12418292&page=1#comment-2404594 regarding Free/Busy issues with our On Premises Exchange Server which is running the latest version of Exchange SE and Exchange Online which is on our Microsoft 365 Tenant. At first, it would fail the Test-OAuthConnectivity, but that now seems to be fixed with renewing the OAuth Certificate and in addition, enabling the Dedicated Exchange Hybrid App as per https://learn.microsoft.com/en-us/exchange/hybrid-deployment/deploy-dedicated-hybrid-app . On initial deployment, we could not see Free/Busy between EXO and On-Prem Exchange but after 2 hours, it started working but only between On-Premises Synchronized to Microsoft 365 Mailboxes and EXO Mailboxes Our final problem is the viewing of Free/Busy information of On-Premises 'NON-Synchronized to Microsoft 365' mailboxes and EXO Mailboxes. Running the Free/Busy Troubleshooter on ExRCA just gives me a warning during the Determining where the target mailbox is hosted. Also using 'Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/EWS/Exchange.asmx -Mailbox<onpremnonsynchedmailbox>@domain.com -verbose | fl ' on our On-Prem EMS leads to the following error System.Net.WebException: The remote server returned an error: (500) Internal Server Error. at System.Net.HttpWebRequest.GetResponse() at Microsoft.Exchange.Monitoring.TestOAuthConnectivityHelper.SendExchangeOAuthRequest(ADUser user, String orgDomain, Uri targetUri, String& diagnosticMessage, Boolean appOnly, Boolean useCachedToken, Boolean reloadConfig) ResultType : Error Identity : Microsoft.Exchange.Security.OAuth.ValidationResultNodeId IsValid : True ObjectState : New Please advise on how we can fix this error.Removing Retention Holds from Exchange Mailboxes
A new Exchange Online feature allows administrators to remove multiple types of holds from mailboxes (usually inactive mailboxes). It’s a great way to release holds that might be keeping inactive mailboxes lingering in a tenant. The feature doesn’t remove holds used to retain items required for eDiscovery or other compliance purposes. Even so, this is definitely a feature that needs to be carefully tested. https://office365itpros.com/2025/12/18/remove-retention-holds/Older Versions of Exchange ActiveSync Clients Get the Bullet
Exchange Online will require email clients to use Exchange ActiveSync (EAS) V16.1 to connect from March 1, 2026. Email clients that use older versions of EAS won’t be able to synchronize with Exchange Online to upload outbound messages or download messages, attachments, and calendar items. There should be relatively few clients using an old version of EAS, but it’s wise to check. https://office365itpros.com/2025/12/16/exchange-activesync-161/Exchange Server SE Licensing, Part II
Since posting my previous article about licensing and product keys in Exchange Server SE, I’ve received a ton of follow-up questions. Many of them were public, and I answered them publicly. Many were sent privately and answered privately, but I wanted to publicly share that information because I think it may generally be helpful. Discrepancies on Microsoft’s web site There were questions were about Microsoft’s https://www.microsoft.com/en-us/microsoft-365/exchange/microsoft-exchange-server-licensing-licensing-overview, which talks about Server licenses and Client Access Licenses (CALs), but doesn’t mention anything about a subscription, or Software Assurance (SA), or cloud subscription licenses. If you look at the https://web.archive.org/web/20250309171415/https:/www.microsoft.com/en-us/microsoft-365/exchange/microsoft-exchange-server-licensing-licensing-overview of that page (before Exchange Server SE was released) you’ll notice that the SE version is simply a copy and paste of Exchange Server 2019 version. I’ve said and written many times that licensing for Exchange Server SE is the same as it was for Exchange Server 2019, and that is a true statement. There were also questions about Microsoft’s https://www.microsoft.com/en-us/microsoft-365/exchange/microsoft-exchange-licensing-faq-email-for-business, which still talks about Exchange Server 2019 licensing, and also fails to mention subscriptions or SA. So, how does my article reconcile with the information on Microsoft’s licensing pages? The answer is that, while Microsoft’s licensing pages are accurate, they are also incomplete because they don’t mention anything about a subscription, SA, or cloud licenses. The good news is that I’m told by Microsoft that they will be updating those pages with complete information (and perhaps consolidating them). I don’t have a timeline to share, but updates to those pages are coming. But I’m not sure those pages actually matter, given that the source of licensing truth is https://www.microsoft.com/licensing/terms/, which has three main areas: Product Terms that describe the license terms and Use Rights of Products and Services for VL programs; Other Documents related legal materials referenced in the Product Terms; and Licensing Resources, which are links to additional information. You can (and should) also review Microsoft’s https://www.microsoft.com/licensing/terms/product/ForallSoftware/all#clause-705-h3-1 (ULTs), which apply to all software products licensed through Microsoft Volume Licensing. Note that these may not be your only rights and the only terms to which you are bound. For example, SA grants additional rights and comes with additional terms. And your VL agreement may include additional rights and terms. One of the “code changes” in Exchange Server SE RTM was the updating of a rich text file that ships with Exchange Server. This file contains the Microsoft Software License Terms (MSLT), to which you must agree in order to install Exchange Server. The MSLT is displayed, however, only when using the GUI version of Setup. But you don’t need to run Setup to view the MSLT; the file—License.rtf—is localized in several languages in the Setup files under \Setup\ServerRoles\Common\Eula\<language>. Using the Trial Edition Beyond 180 days There were several questions about using a Trial Edition beyond 180 days after installing it. Microsoft’s ULTs explicitly https://www.microsoft.com/licensing/terms/product/ForallSoftware/all#clause-723-h3-1 that “An assigned product key is required for licensed use of the software.” It also talks about technical measures that Microsoft may use to enforce these terms, but as I mentioned in my previous article, Exchange Server implements product keys, but it does not implement any activation or validation of the software. The MSLT for Exchange Server SE states “If you do not have a product key, then Section 2 (Trial) applies to you.” Some (but not all) of Section 2 is shown below. Paragraph 2 of Section 2 makes it clear that the software rights are time-sensitive and limited to 180 days after installation (2a), that you may receive periodic reminders about this time limit (2b), and that you may not be able to access data when the license term ends (2c). The language in Section 2 is used in the MSLT for multiple products. In the case of Exchange Server SE, an admin will see a message in the Exchange admin center when the Trial period ends (as described in 2b), but the product remains fully functional, and data is fully accessible, contrary to the statements in 2c. More on License Terms Paragraphs 6 and 7 on Section 2 are also worth noting: Paragraph 6 states that Microsoft is not obligated to provide support for Trial Edition deployments. While Microsoft has no obligation to provide support, they will do so, even for Trial Editions. In fact, they likely won’t ask about licensing or product keys unless its germane to the support case (for example, you can’t mount more than 5 databases on a server because it is a Trial or Standard Edition). Paragraph 7 discusses software updates, which in the case of Exchange Server SE, includes CUs, SUs, HUs, and IUs. Exchange Server SE does not check for updates, does not download updates, and does not install updates. It does include the optional Exchange Emergency Mitigation service, but that applies mitigations and does not download updates. Exchange Server SE also includes Feature Flighting which will be used by Microsoft in the future to enable features or changes present in an update, but it won’t download or install those updates automatically. Windows Server has the ability to check for and install updates, and an Exchange admin can opt into these automatic updates which include Exchange Server SUs; however, it’s a best practice to control updates to Exchange Server by installing them manually or using controlled automation. If you do install an SU manually using the GUI, then you’ll see additional License Terms, as shown below, that state the license requirements for installing the SU. Based on the above License Terms, if you don’t have a valid license for Exchange Server SE, then you don’t have the right to install the SU. Again, though, Exchange Server uses the honor system, and there is nothing that blocks the install. Client Access Licenses and Management Licenses One of the three ways to allow users or devices to legally access Exchange Server SE is by using CAL or ML equivalency licenses (the other two ways are L+SA or Exchange Online licenses). CALs are used by a user or a device, and MLs are licenses that are used by management software. “Licensing software with CALs and MLs can be complicated due to the technical nature of server products and networks.” That’s a direct quote from Microsoft’s https://www.microsoft.com/en-us/licensing/product-licensing/client-access-license#tab-overview, and it’s very true. Microsoft has user CALs, device CALs, External Connector licenses, Server MLs for managing server operating systems (OSEs), OSE client MLs, user client MLs, and core-based licensing. Exchange Server SE (like SharePoint Server SE and Skype for Business Server SE) use the Server+CAL model (which is what the aforementioned Microsoft’s licensing pages are trying to convey). Microsoft also offers what are called CAL Suites, which is a single license that covers multiple products (e.g., one CAL that covers Exchange Server, SharePoint Server, Skype for Business Server, Windows Server, etc.). There is a Core CAL Suite and an Enterprise CAL Suite, and the Enterprise CAL Suite also includes licenses for online services such as Exchange Online Archiving for Exchange Server and Exchange Online Protection. If you have deployed on-premises and you do want to move to the cloud, Microsoft also offers CAL Suite Bridges, which is a subscription-based licensing path that moves you from L+SA to cloud subscription licenses. This is where things can get tricky when comparing licensing costs between on-premises and the cloud. Remember, cloud licensing is deployment-agnostic, so you can purchase cloud licenses and deploy solely on-premises. Ultimately, the most economical approach will depend on what you are buying and how much.Hybrid Configuration Wizard fails to run – manifest download error on all machines
Hello, I am unable to run the Exchange Hybrid Configuration Wizard (HCW) for our Exchange 2016 environment. The issue occurs on multiple machines and networks, so it does not appear to be a local configuration problem. Environment: Exchange Server: 2016 CU23 Windows versions tested: Windows Server 2016, Windows 10 (all fully updated) .NET Framework: 4.8 (Release 528040 / 4.8.03761) TLS: TLS 1.2 enabled, SSL 3.0/TLS 1.0/1.1 disabled Network: No proxy, firewall, or other network restrictions; internet access available Problem: When attempting to run HCW via https://aka.ms/HybridWizard, the wizard fails to start. I have also tried to run HCW offline by downloading Microsoft.Online.CSE.Hybrid.Client.application, but it immediately fails. The error log shows the following repeated messages: Downloading file:///C:/Users/.../Application Files/Microsoft.Online.CSE.Hybrid.Client_17_1_3902_0/Microsoft.Online.CSE.Hybrid.Client.exe.manifest did not succeed. Could not find a part of the path 'C:\Users\...\Application Files\Microsoft.Online.CSE.Hybrid.Client_17_1_3902_0\Microsoft.Online.CSE.Hybrid.Client.exe.manifest' This occurs on all tested machines (three PCs across three different networks). ClickOnce cache has been cleared, root certificates are up-to-date, .NET is 4.8, and TLS 1.2 is active. Attempts to resolve: Ensured TLS 1.2 is enabled and default in .NET and OS Verified .NET 4.8 installation Cleared ClickOnce cache (rundll32 dfshim CleanOnlineAppCache) Updated root certificates Tried multiple machines and networks Tried to run offline using .application file and local copy of Application Files Result: HCW fails immediately with DeploymentDownloadException / DirectoryNotFoundException for the manifest. The issue is reproducible on all tested machines. Request: Please advise if there is an official offline installation method for HCW or a way to obtain a working manifest. If this is a temporary issue with the hosted distribution, please confirm expected resolution or workaround. Thank you for your assistance.TEST-OAuthConnectivity | The remote server returned an error: (403) Forbidden
Hello Exchange Tech Community, I have setup a lab environment of Exchange Server 2016 in Hybrid Configuration. I can successfully onboard and offboard mailboxes. OnPrem Exchange Server is I have a Microsoft 365 Business Basic subscription for Exchange Online. Entra ID Sync is working seamlessly. Email flow between OnPrem and EXO and vice versa work perfectly. When I am testing OAuth functionality from OnPrem to EXO, I am getting this error highlighted in yellow Do I need assign any role to synchronized user in Entra ID ? Currently, they are just MEU in EXO. When OAuth is test from EXO to OnPrem, I am getting this error Please advise.Exchange Server SE Licensing and Product Keys
It seems that there’s a lot of confusion about licensing and product keys for Exchange Server SE; not just here on the Tech Community, but also on LinkedIn, on Reddit, and in the general Exchange community. So, I thought I would write an article to try to clear up that confusion. Licensing Let’s talk about licensing first. Undoubtedly, changing the name of the product to Exchange Server Subscription Edition caused some of the confusion. Some mistakenly believed it meant that cloud connectivity would now be required for the first time in Exchange Server history. Others thought this meant that Microsoft would start updating on-premises Exchange servers the same way they update Exchange Online. Neither of these things are true—as with all previous versions of Exchange Server, cloud (or Internet) connectivity is not required for Exchange Server SE (although there are some features that do require cloud connectivity to be used, such as the Exchange Emergency Mitigation service and Feature Flighting). Despite the name change, though, the reality is that the https://www.microsoft.com/licensing/terms/productoffering/ExchangeServer/all (and distributions channels) for Exchange Server SE are exactly the same as Exchange Server 2019: there are three licensing options: Server licenses and client access licenses (CALs) that have active Software Assurance (SA); Exchange Online licenses; or CAL equivalency licenses. Purchasing server licenses and CALs with SA is the traditional approach and something that can be done with Exchange Server SE; however, some customers have chosen to purchase cloud licenses or equivalency licenses to modernize their license acquisition and to better manage their licenses. Qualifying cloud licenses that satisfy the Exchange Server SE CAL requirement include https://www.microsoft.com/microsoft-365/exchange/exchange-online, which provides a license equivalent to an Exchange Server Standard CAL, and https://www.microsoft.com/microsoft-365/exchange/compare-microsoft-exchange-online-plans, which provides a license equivalent to an Exchange Server Enterprise CAL, which gives you the right to use advanced features, such as In-Place Archive, In-Place Holds, Information Protection and Compliance, Custom Retention Policies, Per User/DL Journaling, Site Mailboxes – Compliance, Data Loss Prevention, Exchange Online Protection, and Cloud Voicemail. At the higher end of cloud licenses are Microsoft 365 E3 (ME3) and Microsoft 365 E5 (ME5), both of which include https://www.microsoft.com/licensing/terms/productoffering/Microsoft365 for on-premises Office servers, namely Exchange Server, SharePoint Server, and Skype for Business Server, depending on the type of agreement you have with Microsoft. For example, customers with an Enterprise Agreement and ME3 or ME5 licenses can “install any number of copies of” Office server software. In this scenario, though, all users and devices accessing the on-premises Office servers must have an ME3 or ME5 license. Note though that you don’t directly assign the license in this case; you simply need to purchase it. In addition, there are similar https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA available with Microsoft 365 A3 and A5 under the Microsoft Customer Agreement (MCA) program. As I mentioned earlier, these are the same requirements as Exchange Server 2019. So, if you are running Exchange Server 2019 and you have active SA, then you likely already satisfy the license requirements for Exchange Server SE, and you can deploy it in your environment without any additional licensing costs. If you are running an earlier version of Exchange Server and you have active SA or qualifying cloud licenses, then you also likely satisfy the license requirements for Exchange Server SE. But if you don’t have SA or cloud licenses (or a Volume License Agreement), then you will need to purchase qualifying licenses and sign the right agreement to be entitled to Exchange Server SE and updates. However, there is one key difference. Downgrade (aka previous version) rights are no longer available. This is simply because there are no other supported versions, so there’s nothing to downgrade to. So, if you don’t maintain a subscription, you lose the right to install updates and run the product. Product Keys Now let’s talk about product keys. As with previous versions of Exchange Server, there is no product key or license activation. You simply purchase the required licenses (or maintain your existing subscription) to get the rights to use the software and install updates. A product key validates that you have purchased a Standard or Enterprise Edition server license for Exchange Server SE. Without a product key, a server is considered a Trial Edition. The Trial edition operates identically to a Standard Edition server and can be used to evaluate Exchange in a non-production setting for up to 180 days. To continue using the server beyond this period, you must enter a product key; otherwise, the Exchange admin center (EAC) will begin displaying reminders to enter a product key on the server, which you can do using the EAC or the Exchange Management Shell. Although the EAC will display a warning when the trial period expires, there’s no loss of functionality, and the software will continue to operate as if it were licensed (except for the warning messages). If you are doing an in-place upgrade of a running Exchange Server 2019 that has an existing valid product key, the RTM version of Exchange Server SE will continue to use that key. This was done on purpose to support a smooth in-place upgrade. If you are doing a fresh install of Exchange Server SE RTM (which includes legacy upgrades from Exchange Server 2016), you can also enter a product key Exchange Server 2019, which you can get from the Volume License page in the Microsoft 365 admin center (after you’ve signed your agreement with Microsoft). Exchange Server SE is available in four Editions: Enterprise, which supports a maximum of 100 mounted databases per server. Standard, which supports a maximum of 5 mounted databases per server. StandardEvaluation, which is a 180-day time-limited Standard Trial Edition. Coexistence (aka Hybrid Deployment), which maintains the hybrid relationship with Exchange Online. As an aside, a mounted database is a database that's in use (an active mailbox database that's mounted for use by clients or a passive mailbox database that's mounted for log replication and replay). While you can create more databases than the described limits, you can only mount the maximum number of databases that are allowed by the Edition of Exchange, as determined by the product key. Note that recovery databases don’t count towards these limits. When you enter a valid product key, the supported edition for the server is established. You can use a valid product key to move from the Trial Edition to either Standard Edition or Enterprise Edition. Again, no loss of functionality occurs after the Trial Edition expires, so you can maintain lab, demo, training, and other non-production environments beyond 180 days without having to reinstall the Trial Edition of Exchange or enter a product key. You can use a valid product key to move from Standard Edition to Enterprise Edition, but you can't use a valid product key to downgrade from Enterprise Edition to Standard Edition or revert to a Trial Edition. You can only do these types of downgrades by uninstalling Exchange, reinstalling Exchange, and entering the correct product key. Product keys also apply to Edge Transport servers. When you create an Edge Subscription, the Edition of Edge Transport server is captured (as determined by the presence or absence of a product key). Edge Transport servers support two Editions: Trial or Standard. Enterprise doesn’t apply because there are no Enterprise features or mailbox databases on Edge Transport servers. Hybrid doesn’t apply because you can’t use an Edge Transport server as a hybrid server. If you create an Edge Subscription for an Edge Transport server that is a Trial Edition, it will appear as unlicensed to the internal organization. If you then enter a product key on a subscribed Edge Transport server, the server will reflect the change to Standard immediately, but the internal organization will not. To update the internal organization information, you must remove and recreate the Edge Subscription. If you don’t, the internal organization will continue to see the Edge Transport server as unlicensed, which is only cosmetic in nature (e.g., no changes in functionality). However, for compliance, auditing, etc., it is considered a best practice to recreate the Edge Subscription. As in previous versions, the Hybrid Configuration Wizard (HCW) provides the license for Hybrid servers, so it is expected that you have not entered a product key on the server. To obtain the Hybrid server license, click license this server now in the HCW and authenticate to your tenant. The HCW will update the product key on the server and refresh the page, and depending on replication latency, it might not update the Version from StandardEvaluation Edition to Coexistence Edition (Hybrid Deployment). However, you can verify the license using Get-ExchangeServer or simply toggle between the two on-premises server options in the HCW, which triggers detection and should choose the same server with updated properties. Final Note Although the Exchange Server 2019 product keys work with Exchange Server SE RTM, it is expected that new product keys specific to Exchange Server SE will be made available with Exchange Server SE CU1, which is expected in H1 of 2026. When the new keys are issues, they will be available from the Volume License area of the Microsoft 365 admin center, along with the CU1 download. I hope this clears up any confusion regarding licensing and product keys for Exchange Server SE.
Recent Blogs
- We are not releasing any Exchange Server Security Updates for January 2026.Jan 13, 2026
- We wanted to explain why using Local Move Requests in Exchange Online is not a good idea as a general practice.Jan 08, 2026
