Forum Widgets
Latest Discussions
Microsoft Limits App Access to Sensitive Message Properties
Microsoft has announced details of a change to app permissions to restrict updates to sensitive message properties (like recipients) without consent for a new advanced mail access permission. If tenants have apps that interact with message properties, including apps developed by third parties, they should check whether the apps are updating sensitive properties. If so, the new permission must be assigned or the apps will stop working. https://office365itpros.com/2026/03/26/sensitive-message-properties-graph/HTTP Response Headers Hardening for Exchange 2019 on Windows Server 2022
Category: Security Hardening Issue: Currently, Exchange 2019 running on Windows Server 2022 does not have strict HTTP response headers configured, leaving it potentially vulnerable to security threats such as MIME type sniffing, clickjacking, and cross-site scripting (XSS) attacks. Objective: Harden the security of Exchange 2019 web services by enabling the following HTTP response headers: X-Content-Type-Options: Prevents MIME type sniffing by forcing browsers to respect declared content types. X-Frame-Options: Prevents embedding of Exchange web pages in iframes to mitigate clickjacking attacks. X-XSS-Protection or Content-Security-Policy (CSP): Protects against reflected XSS attacks (X-XSS-Protection is deprecated, CSP is preferred). I have found this article; can anyone tell me if it applies to Exchange 2019 as well? HTTP Security Headers - Icewolf Blog Thank you
Can we hide default address lists in Outlook Address Book and show only custom ones?
There are existing Custom Address Lists. When users use the MS Outlook App (Office 2019) and open the Address Book, is it possible to hide the other address lists (including domain-sg-GAL, Global Address List, and domain-sg-Rooms), and only display the Custom Address Lists (domain-HK-AL and domain-sg-AL) — the ones shown in green in the photo?
Issue with certificate renewal for exchange Edge Transport Server
Hello team, I have come across a very particular problem I deployed 2 exchange server 2019 with one edge transport server When we are renewing the Certificates with wildcard certificate on both mailbox server ,and on edge transport server ,it is impossible for me to renew the edge subscription It says the cerificate is in "doublon" (repetitive) on one of the Exchange servers.I have always been using same certificate on exchange server be it edge or mailbox I tested a bogus different certificate on mailbox and on edge,only then th e edge sync works Did anybody come across this issue. ThanksOAB download fails after hybrid mailbox move.
Hi folks, I'm posting this query here as I doubt anyone in the Outlook forums would have the necessary Exchange hybrid knowledge. I run a classic hybrid Exchange environment where Exchange Server 2019 CU15 is the on-premise platform. Authentication is provided by on-premise AD FS, with the accounts being synchronised from on-premise via AAD Connect. I've just moved my on-premise mailbox to Exchange Online via New-MoveRequest and for the most part, everything is fine. One thing that possibly isn't fine - going off the Bits-Client event log is the regular offline address book downloads, where I'm seeing regular failures in the event log and through double-checking with bitsadmin.exe. The initial address book synchronisation worked as the view in Outlook is fully populated, however, I expect that future changes likely won't come through. bitsadmin output Event log output (There's numerous events to choose from - this is the one I'm most curious about.) The BITS service provided job credentials in response to the UNIDENTIFIED authentication challenge from the outlook.office365.com server for the Microsoft Outlook Offline Address Book <guid> transfer job that is associated with the following URL: /OAB/<guid>/oab.xml. The credentials for the <sid> user were rejected. When the mailbox was on-premise, the OAB came from the Exchange Server - no surprise there, where post migration it can be seen from the bitsadmin output it now comes from outlook.office365.com. Perhaps that's also to be expected - I don't know, but it makes sense given the move. What alerted me to there potentially being an issue is the systray icon frequently gets stuck on the "synchronising" icon, and running a manual full OAB sync from within Outlook fails to complete. After an extended "hang" period, the sync window eventually times out with the error shown above (the protracted UI behaviour would appear to be due to the large number of retries). Dropping the BITS job URL into Edge simply returns a HTTP 503, which doesn't necessarily strike me as a problem. After all, I'm unable to provide a BEARER token using this method. I haven't yet tried via PowerShell as it only occurred to me now but perhaps I'll do so after posting this. Searching on this error and scenario has turned up nothing useful. I have also checked and compared event log entries from an Azure AD-native account, where it's a mixed bag of successful OAB BITS downloads and unsuccessful ones that feature the same symptoms as above, which offers up the possibility this might be a transient service-side error (though I'm not leaning heavily towards this). Has anyone else encountered this issue and resolved it? Is it even an issue to begin with, or is this expected behaviour? I'm unsure what to make of the symptoms. Cheers, Lain
Add-PublicFolderClientPermission: Object reference not set to an instance of an object.
Running into an issue with adding public folder permissions in Exchange Online. I've used this PowerShell script for a few years without any issues, but suddenly getting this error no matter what I try. I do have Owner permissions and there are Default and Anonymous permissions on the public folder, tried completely removing and reinstalling the ExchangeOnlineManagement module as well. Anyone else having this problem? $PF = Get-MailPublicFolder -Identity "\pf1" $User = Get-User -Anr "User1" $AccessRights = @( "ReadItems", "CreateItems", "EditOwnedItems", "EditAllItems", "FolderVisible" ) Add-PublicFolderClientPermission -Identity "\$($PF.Id)" -User $User.UserPrincipalName -AccessRights $AccessRights -Verbose VERBOSE: Returning precomputed version info: 3.9.2 VERBOSE: Requested HTTP/1.1 POST with 227-byte payload VERBOSE: Received HTTP/1.1 response of content type application/json of unknown size VERBOSE: Query 1 failed. Add-PublicFolderClientPermission: Object reference not set to an instance of an object. Thank you
Emails from Azure Communication Services (ACS) are treated as external emails
When using Azure Communication Services (ACS) Email, messages are delivered to Microsoft 365 as external mail, even if the system sending them belongs to my own organization. This behavior can be expected because ACS sends emails from Microsoft’s cloud infrastructure rather than directly from my tenant. As a result, Distribution Groups (DG), Dynamic Distribution Groups (DDG), or Mail-enabled Security Groups (SG) that are configured to accept messages only from internal senders will reject these emails. The common workaround is to enable “Allow external senders” on the group. However, we don't want to open the group to the entire internet. Does anyone else have the same experience? What is the best solution, exchange transport rules? Thanks!TEST-OAuthConnectivity | The remote server returned an error: (403) Forbidden
Hello Exchange Tech Community, I have setup a lab environment of Exchange Server 2016 in Hybrid Configuration. I can successfully onboard and offboard mailboxes. OnPrem Exchange Server is I have a Microsoft 365 Business Basic subscription for Exchange Online. Entra ID Sync is working seamlessly. Email flow between OnPrem and EXO and vice versa work perfectly. When I am testing OAuth functionality from OnPrem to EXO, I am getting this error highlighted in yellow Do I need assign any role to synchronized user in Entra ID ? Currently, they are just MEU in EXO. When OAuth is test from EXO to OnPrem, I am getting this error Please advise.Microsoft Rushes High-Volume Email to General Availability
Almost two years after it first previewed, Microsoft is making the High-Volume Email (HVE) solution generally available in March 2026. HVE runs on a pay-as-you-go basis, but Microsoft won’t start charging tenants for sending email until May 2026. Two months should be enough for people to decide if they want to use HVE for internal communications as it has no ability to send external email. https://office365itpros.com/2026/03/09/hve-ga/
