Recent Discussions
Microsoft Delays Retirement of Basic Authentication for SMTP AUTH
Microsoft has delayed the retirement of basic authentication for the SMTP AUTH client submissions protocol to 2027 or beyond. New tenants will be the first to be blocked and Microsoft will disable basic authentication for SMTP AUTH in a way that existing tenants can reenable the protocol. Eventually, we’ll get a date for final retirement sometime in 2027. These things take time! https://office365itpros.com/2026/01/29/smtp-auth-basic-retirement/
M365 tenant emails marked as spam (SCL:5, CAT:PHISH) despite perfect authentication
Hello, Our business emails from our M365 tenant are consistently marked as spam when sent to other M365 tenants, despite perfect email authentication. Technical status: - SPF: Pass ✓ - DKIM: Pass ✓ (recently enabled) - DMARC: Pass ✓ (recently enabled) - Composite Authentication: Pass (reason=100) ✓ But messages are still marked as: - X-MS-Exchange-Organization-SCL: 5 - X-Forefront-Antispam-Report: CAT:PHISH;SFV:SPM We suspect a tenant reputation issue, possibly because the tenant ran for months without DKIM enabled. Now that all authentication is correct, how can we request a reputation review? Thank you!Using the Exchange Online Message Trace API
January 22 saw the announcement of the beta version of an Exchange Online Graph-based message trace API. The API can retrieve message trace records and their details and offers equivalent functionality to the message trace cmdlets in the Exchange Online management PowerShell module. However, sometimes applications simply want to access data without going through a module, and that’s what this API delivers. The article includes a complete PowerShell script to demonstrate how to use the API. https://office365itpros.com/2026/01/27/message-trace-api/
some sent emails are missing and moving to "recover deleted items"
hello , we are using on-premises exchange server 2016 in my environment. and we are using microsoft outlook 2019 & 2021 . i have one question : i notice that the sent emails for all users are appear in "recover deleted items" , however these emails are not deleted and still exist in sent items folder . so it is appear the same emails in "sent item" folder and in "recover deleted items" , which i think very weird . i have one incident : one of my user is encounter a weird problem , that some sent emails are weirdly disappear from "sent item" folder but he never delete them , and we can found these items in "recover deleted items" , but the restore option in "recover deleted items" didn't restore the email to the user mailbox . however i don't have any problem mention in healthreport for my exchange server , all in good condition . what may be the problem ?
Teams calendar for exchange on prem users not working
Hello I am having issues to make Exchange On prem users use Calendar on teams. Initially Client autodiscover was blocked externally but they added a cname and open flows but I am still having issues to makecalendar on teams work HCW as passed and new hybrid dedicated app was used any help is welcomeFeedback to users who report phishing
Hi, is it possible to create a power automate flow to find submissions from users and as soon as MS has added a verdict to a submission as real phish send a notification back to the user who has reported it? Trying to figure out what is needed for such integration and build a flow but I am stuck. Anyone who has built that and like to share learning?
Microsoft Exchange refers to an older certificate that no longer exists, ID 12023.
We have one Microsoft Exchange 2013 server. The Windows Application log periodically displays the ID 12023 entry, which states that Microsoft Exchange could not load the certificate with the thumbprint 3E8XXXXXXXXXXXXXXXXXXXXXXXXXXXX from the local computer's personal certificate store. This certificate was deleted because it expired, and a new self-signed Auth certificate was created. Now, when running the Get-AuthConfig | Format-List CurrentCertificateThumbprint, PreviousCertificateThumbprint, NextCertificateThumbprint command, only the current certificate is displayed. The Microsoft Exchange 2013 server is running. The question is, what should I do to remove the ID 12023 entry from the Windows Application log?
Keep user account but provision new empty mailbox
i did ask in another forum but thought i would ask here as it seems impossible... we are hybrid exchange. We have litigation hold and purview retention policies in place. We have a scenario where an existing user is moving to a new role and her existing mailbox needs to be dissociated from her AD account and a new clean mailbox provisioned. The original mailbox needs to stay as inactive and searchable via ediscovery. Is it possible? I have asked AI and its said: Make sure all the holds and retention policies are in place Move the AD account to a non-syncing OU and run a delta sync The mailbox should show as inactive in exchange online Then it tells me to run Set-User <UserUPN> -PermanentlyClearPreviousMailboxInfo but ONLY if the recipient type shows as MailUser or User This is where i am stuck as it is still UserMailbox. It told me to restore the cloud only object which i did. But it still shows as RecipientType = UserMailbox when i check. Its now just a cloud only account, it has no license. The mailbox is inactive but its still a UserMailbox Is what i am trying to do possible? Would now just changing the cloud only account to have a new email address be the only way to retain it and then sync back the on-prem account?
DMARC rejection after Exchange upgrade
I'm having problems with inbound emails getting bounced as Undeliverable due to DMARC rejection. For many years I've had my email come through Fasthosts / Livemail to my own domain (qts.org.uk) with catch-all forwarding set to forward everything to my GMail account. Just recently Fasthosts have upgraded their servers to Exchange and I've started getting DMARC rejections from GMail which start Diagnostic information for administrators: Generating server: exchange2019.livemail.co.uk Total retry attempts: 1 (my gmail email address) t1-hex-xprelay.gem.livemail.co.uk Remote Server returned '550 5.7.26 Message rejected by DMARC policy by gmail.com. Please use your own email address as the sender, instead of (sender's email address). [MSG0009]' Which bounce from Fasthosts / Livemail back to my GMail address. My own domain has SPF, DMARC, and DKIM configured I've done a little digging and it appears to only affect senders from originating domains with DMARC set to reject. So either GMail has coincidentally become much more strict (possible) or Fasthosts are somehow failing to forward emails fully transparently. I have spoken to Fasthosts and logged the issue with them and was not impressed so I hope the experts here can offer a solution I can forward to them.Modern Auth EWS error 50199 when signing from Crestron Touchpanels
Good Afternoon, All I am having a difficult time nailing down this issue. I have a few Crestron TTS-770s that were, up to last week, working correctly by pulling Calendars data with EWS. They were configured with a service account signed into EWS using 'modern authentication'. This week, these panels have disconnected and report that 'Needs to be authorized' as the EWS status. I have verified that CA is not blocking sign in, the account is excluded from MFA policies, and is correctly licensed for Exchange Access. We do not use Intune for device management. When I attempt to re-register the device, I follow the prompts until I am prompted to close the browser window; The device spins, then fails to connect with the status above. I have attempted this with the service account and my own Admin account with MFA, to the same result. Entra Enterprise Apps Sign-in logs show a 'Successful' entry, then immediately after, a 'Failed' entry with an error '50199'. I had not made changes to any of the URIs before initial failure, and any additional entries or changes do not change the results of the error. Initial URI was configured to 'https://app.noop' (no idea, was configured before I got here, and I hadn't needed to change it), I have attempted combinations of our Tenant URI, ' https://login.microsoftonline.com/common/oauth2/nativeclient', and other 'fixes' I had found while GTS-ing. I additionally have set my 'legacy authentication' and 'legacy applications' CA polices to read-only for troubleshooting. I am working to disable OAuth2ClientProfile on Exchange Online temporarily for troubleshooting. Does anyone have any ideas? Please let me know if any additional information is needed, or if needed to post in another location. Thank You
MS Bookings
Hi everyone, We’ve been stumped on this for a while and even Microsoft Support couldn't provide a clear solution. Our tenant is cluttered with MS Shared Bookings calendars that are either inactive or were created as one-off tests. Does anyone have a PowerShell script or a specific Graph query that can pull activity for all MS Bookings calendars in the tenant within a 90-day window? As Global Admins, we need to identify which ones are safe to decommission. Any advice would be greatly appreciated!Teams delegation permission issue with Onpremise Exchange Server
we have migrated the exchange server from 2019 to SE Environment and configure the OAuth 2.0 which is working perfectly but there is one issue that one of the user is using Shared calendar but while he create the meeting invite along with Teams meeting option then everytime it shows an error "please login into the meeting" If anyone works on this case please guide or help us. ThanksMicrosoft Cancels Exchange Mailbox External Recipient Rate Limit
After considering customer feedback, Microsoft cancelled the mailbox external recipient rate limit for Exchange Online. The idea behind the new limit was simple – it makes life more difficult for spammers to use Exchange Online as a platform. Unhappily, customers didn’t like losing the ability to send relatively small amounts of external email for different reasons, and Microsoft didn't have a cost-free alternative to offer. C’est la vie. https://office365itpros.com/2026/01/08/mailbox-external-recipient-rate/
Linking cloud only shared mailbox with onpremise object
Hi all, We currently have a cloud only shared mailbox in exchange online that we need to exist in onprem exchange for a smtp relay that is setup in a hybrid config. Is it possible to create onprem and match these objects onprem/cloud - or will the mailbox need to be recreated onprem and then it will sync to cloudTop 3 Myths about Exchange Server Subscription Edition
Over the last few months, several myths about Exchange Server Subscription Edition (SE) have been circulating online. From what I have seen, the top 3 myths are: Exchange Server SE RTM includes new features. Exchange Server SE will be updated like the Cloud. Exchange Server 2016 customers must move to Exchange Server 2019 to upgrade to Exchange Server SE. None of these things are true, but unfortunately, they keep being repeated. Let's dive into each of them. Myth #1: Exchange Server SE RTM includes new features The first myth is that Exchange Server SE includes new features. This is not true, and Microsoft's https://learn.microsoft.com/exchange/new-features/new-features makes this clear. In fact, it was always our plan to intentionally not include any features in the RTM release of Exchange Server SE. In my https://www.amazon.com/dp/B0FR5GGL75/ and my talks about it at the https://www.exchange-summit.de/ and https://www.ntk.si/en/schedule/237 last year, I provided insight into the RTM release of Exchange Server SE, so I won't go into that here. But I will explain why Exchange Server SE RTM doesn't include new features (or any other substantive code changes). When we decided to move the release of Exchange Server SE RTM to the second half of 2025, we knew we were significantly reducing the overlap between supported versions to about 106 days. We also knew that even with in-place upgrade capabilities, customers still needed time to validate the release. To help make that validation as quick and easy as possible, our plan was to make the RTM release code equivalent to the last released update for Exchange Server 2019, with only necessary branding and licensing changes. Last released update meant the last Cumulative Update (CU) for Exchange Server 2019 plus any Security Updates (SUs) or Hotfix Updates (HUs) released after the last CU but before the SE RTM release. Internally, we described the SE RTM release as a "soft CU for Exchange Server 2019" to help business, engineering, support, and community stakeholders better understand what we were doing. Eventually, senior leadership approved our plan, which the engineering team then executed flawlessly. As a side note, because Exchange Server and https://aka.ms/sfbb are developed and released by the same engineering team, Skype for Business Server SE took the same approach with their RTM plans and release. In the end, we committed to the SE RTM release being the same exact code as Exchange Server 2019 CU15, plus the two post-CU15 updates released before SE RTM (namely, the April 2025 and May 2025 HUs). This meant that customers running Exchange Server 2019 with the May 2025 HU experienced only: A name change from Exchange Server 2019 to Exchange Server Subscription Edition; A new License Agreement file (License.RTF), which is shown only during the GUI version of Setup; and A new build number that was incremented using the Exchange Server 2019 numbering scheme. Aside from that, when compared to Exchange Server 2019 CU15 plus the May 2025 HU, there are no changes in Exchange Server SE. Despite making this clear in numerous blog posts and documentation, some authors have posted articles that list "new" features in Exchange Server SE, citing support for Windows Server 2025, TLS 1.3, and OAuth 2.0 (aka Modern Auth), and new certificate management capabilities. These "new" features were all available in Exchange Server 2019, and other cited features were available in Exchange Server 2016 and earlier versions. That said, there are only two other changes that apply to Exchange Server SE: Lifecycle Policy and Support Policy. Both are outside the product and they are related. Lifecycle Policy changes Previous versions of Exchange Server were covered under Microsoft's https://learn.microsoft.com/lifecycle/policies/fixed, which has phases such as Mainstream Support and Extended Support as well as published (and fixed) dates for end of support (the Beyond End of Support phase aka End of Life). Exchange Server SE is covered under Microsoft's https://learn.microsoft.com/lifecycle/policies/modern, which does not have any support phases or published end of support dates. Exchange Server SE will have at least a 10½-year lifecycle because Microsoft has https://learn.microsoft.com/lifecycle/additional-support-server-modern-lifecycle-policy to supporting Exchange Server SE (as well as SharePoint Server SE and Skype for Business Server SE) until at least December 31, 2035, a few months shy of the 40th anniversary of Exchange Server! Under the Modern Lifecycle Policy, Microsoft also commits to provide a minimum of 12 months' notice before ending support for Exchange Server SE (and it would not surprise me to see the Office Servers eventually added to list of products on the https://learn.microsoft.com/lifecycle/policies/3-year-subset). Support Policy changes Historically, Microsoft's support stance has been based on where a product is in its lifecycle. For example, when Exchange Server 2013 was in Mainstream Support, Microsoft supported N-1, where N is the latest CU and -1 is the immediately previous CU. When Exchange Server 2013 moved into Extended Support, only the latest CU was supported. Exchange Hybrid environments have always been an exception to this, as Microsoft supports only the current CU in Hybrid environments. The change from the Fixed Lifecycle Policy to the Modern Lifecycle Policy means that Microsoft's support stance is more fluid. The Modern Lifecycle Policy says: "Customers must stay current as per the servicing and system requirements published for the product or service." This means that Microsoft can change the support requirements for Exchange Server SE as needed, but you should not expect them to pull the rug out from under you. Rather, you should expect their changes to be to your benefit, as previously demonstrated by their support for both CU15 and CU14 while Exchange Server 2019 was in Extended Support. So, if Microsoft releases a CU that contains a large payload or other significant changes, they may opt to take an N-1 support stance to give customers plenty of time to test and deploy it. Conversely, it's also possible that Microsoft could require customers to deploy an update immediately to fix a critical security issue or a significant bug (for example, a bug known to cause data loss). Regardless of the changes to Microsoft's support stance, my general advice is to evaluate and deploy all updates (especially SUs) as quickly as possible. Don't skip testing or validation, but do make installing updates, keeping Windows and Exchange current, and monitoring your Exchange servers a top priority. Myth #2: Exchange Server will be updated like the Cloud The second myth has to do with how Exchange Server will be serviced by the engineering team (and updated by customers). The move to the Modern Lifecycle Policy includes some language that may be helping to perpetuate this myth: "The Modern Lifecycle Policy covers products and services that are serviced and supported continuously." Servicing generally means updating the code and providing release packages for customers to install. Serviced and supported continuously refers to the evergreen type of model now used by Exchange Server (and other Microsoft products) which simply means instead of major releases and version upgrades, Microsoft will simply service the product via periodic updates. In the past, Microsoft released a new major version of Exchange Server roughly every 2-4 years. With the release of Exchange Server SE, there are no more major version releases. Instead, Exchange Server will be maintained in an evergreen fashion. Code updates for Exchange Server include the following package types: CU - a full-product package containing a specific build (e.g., RTM, CU1, CU2, etc.). SU - a recommended security-related hotfix package HU - an optional non-security hotfix package IU - a customer-specific fix packaged as an Interim Update CUs, SUs, and HUs, are cumulative, so you need only install the latest package. HUs are optional updates, but I recommend always reviewing HU release articles to see if they might introduce features or fixes that might benefit your organization. When Microsoft releases one of these packages, they will announce it on the https://aka.ms/EHLO and provide download links, and update the https://learn.microsoft.com/exchange/new-features/build-numbers-and-release-dates of build numbers and release dates for Exchange Server. I think the use of the word continuously in Modern Lifecycle Policy is causing confusion. The reality is that Exchange Server SE uses the same servicing model that Exchange Server 2019, Exchange Server 2016, and Exchange Server 2013 have used since April 2022, and no changes to this model have been made (or are expected). Microsoft has already announced the general plan for the first two CUs for Exchange Server SE that will both release in 2026 (in H1 and H2, respectively). Security work always takes precedence over non-security work, and there have been many times when Microsoft has released only one Exchange Server CU per year (including in 2024, 2023, and 2022). So, no, Exchange Server SE won't be updated by Microsoft like the cloud (nor will it get most cloud features). Myth #3: Exchange Server 2016 customers must move to Exchange Server 2019 to upgrade to Exchange Server SE The third myth is about upgrading to Exchange Server SE from Exchange Server 2016. This myth is concerning but understandable. Concerning, because it might cause (and might have caused) some customers to waste time and money. Understandable, because in the past it was guidance from Microsoft; but that guidance is now out-of-date and no longer applies. Some background and detail will help explain why. Exchange Server 2019 reached general availability on October 22, 2018. Despite the many improvements and benefits, Exchange Server 2019 was not well-adopted, likely because at the time Microsoft was leaning heavily into a cloud-first world. In fact, you could make an argument that when Exchange Server 2019 was released, Microsoft did everything it could to make sure no one used it. If you look at the https://web.archive.org/web/20181120140237/https:/products.office.com/en-us/exchange/email?rtc=1, it didn't even mention Exchange Server 2019. This led a lot of customers to think that our goal was to kill Exchange Server, or at the very least, ignore it to death. In the aftermath of the Hafnium attacks against Exchange servers, we learned that there were hundreds of thousands of servers around the world running unsupported builds, or supported but old and vulnerable builds, and that a very small percentage (~5%) were running Exchange Server 2019. Of the supported versions, patching levels were all over the place, with literally every build we had released still in use somewhere, including RTM builds of each major version. After Hafnium, we spent more than a year figuring out what to do with the next version of Exchange Server, and it was during that time that an entirely new plan for Exchange Server SE was developed (along with a new codename: Quantum Lobster). During planning, we intentionally went radio silent on the next version of Exchange Server (aka Quantum Lobster), making https://youtu.be/Q5iwvrrqQpA in September 2020, the last that anyone outside of Microsoft heard about the next version of Exchange Server for almost 2 years. During those 2 years, we continued telling customers that wanted to run Exchange Server to move to Exchange Server 2019. Not because it was the latest version, but because that's where we were still investing in security and features (such as custom configuration backup and support for Windows Server 2025 and TLS 1.3). Eventually, on June 2, 2022, we broke radio silence on the next version of Exchange Server, and among other things, we repeated our multi-year call-to-action to move to Exchange Server 2019, telling customers that once on Exchange Server 2019 they would be able to do a quick and easy in-place upgrade to Exchange Server SE RTM. In other words, Microsoft had been telling customers for years to move to Exchange Server 2019 to enable a quick and low-risk in-place upgrade to Exchange Server SE RTM when it releases. This message was further refined to focus on Exchange Server 2016 customers for two reasons: Exchange Server 2013 reached end of support, and as an Awareness Action, we changed Setup in CU15 to prevent installation if Exchange Server 2013 was present in the organization; and Exchange Server 2016 had a notable (and for a brief time, the largest) percentage of the visible install base. Circling back to the What's New article I mentioned earlier, this https://learn.microsoft.com/exchange/new-features/new-features#whats-new-when-upgrading-from-exchange-2016-to-exchange-se has an Important note about upgrading that says: "In-place upgrades from versions of Exchange Server earlier than Exchange Server 2019 are not supported. You must first perform a legacy upgrade to Exchange Server 2019 CU14 or CU15 before upgrading to Exchange Server Subscription Edition (SE). Alternatively, a legacy upgrade to Exchange Server SE is also supported." It seems that some may have read the first two sentences in the note and ignored the rest, as there are a lot of articles and posts that state that to move from Exchange Server 2016 to Exchange Server SE, you must first do a legacy upgrade from Exchange Server 2016 to Exchange Server 2019, and then do an in-place upgrade to Exchange Server SE. But that guidance was rendered obsolete with the SE RTM release and should no longer be followed. There is absolutely no reason to do two upgrades (legacy + in-place) when a single upgrade (legacy) from Exchange Server 2016 to Exchange Server SE can be done. In fact, the legacy upgrade process from Exchange Server 2016 to Exchange Server 2019 or Exchange Server SE is exactly the same! The https://m365accelerator.microsoft.com/exchange (aka the https://aka.ms/ExDeploy) are helpful when performing a legacy upgrade from Exchange Server 2016 to Exchange Server SE. If you're still running Exchange Server 2019 or earlier, I encourage you to remediate that as quickly as possible (even if you are in the Extended Security Update program) by upgrading to Exchange Server SE or by moving to Exchange Online. Conclusion Hopefully, you now understand the truth behind the top three Exchange Server SE myths discussed in this article and why they are myths. But as I said in the beginning, these aren't the only myths being perpetuated. What else have you seen/read? What other myths would you like busted? Drop a comment and let me know!Hybrid Configuration Wizard fails to run – manifest download error on all machines
Hello, I am unable to run the Exchange Hybrid Configuration Wizard (HCW) for our Exchange 2016 environment. The issue occurs on multiple machines and networks, so it does not appear to be a local configuration problem. Environment: Exchange Server: 2016 CU23 Windows versions tested: Windows Server 2016, Windows 10 (all fully updated) .NET Framework: 4.8 (Release 528040 / 4.8.03761) TLS: TLS 1.2 enabled, SSL 3.0/TLS 1.0/1.1 disabled Network: No proxy, firewall, or other network restrictions; internet access available Problem: When attempting to run HCW via https://aka.ms/HybridWizard, the wizard fails to start. I have also tried to run HCW offline by downloading Microsoft.Online.CSE.Hybrid.Client.application, but it immediately fails. The error log shows the following repeated messages: Downloading file:///C:/Users/.../Application Files/Microsoft.Online.CSE.Hybrid.Client_17_1_3902_0/Microsoft.Online.CSE.Hybrid.Client.exe.manifest did not succeed. Could not find a part of the path 'C:\Users\...\Application Files\Microsoft.Online.CSE.Hybrid.Client_17_1_3902_0\Microsoft.Online.CSE.Hybrid.Client.exe.manifest' This occurs on all tested machines (three PCs across three different networks). ClickOnce cache has been cleared, root certificates are up-to-date, .NET is 4.8, and TLS 1.2 is active. Attempts to resolve: Ensured TLS 1.2 is enabled and default in .NET and OS Verified .NET 4.8 installation Cleared ClickOnce cache (rundll32 dfshim CleanOnlineAppCache) Updated root certificates Tried multiple machines and networks Tried to run offline using .application file and local copy of Application Files Result: HCW fails immediately with DeploymentDownloadException / DirectoryNotFoundException for the manifest. The issue is reproducible on all tested machines. Request: Please advise if there is an official offline installation method for HCW or a way to obtain a working manifest. If this is a temporary issue with the hosted distribution, please confirm expected resolution or workaround. Thank you for your assistance.Outlook Keep prompting Password in Exchange 2019 CU15 environment
Recently, we encountered an issue in our Hybrid Exchange environment where Outlook repeatedly prompted for credentials for users in a child domain (e.g., xx.abc.com). The issue did not occur for users in the root domain (abc.com). The problem was observed only when users connected from outside the corporate network. Outlook worked normally within the office network and over VPN, but external users experienced continuous password prompts. Firewall checks indicated HTTP 401 (Unauthorized) responses. After troubleshooting, a client-side workaround resolved the issue by applying specific settings on the affected machines. However, this fix would require deployment to all impacted users via Active Directory Group Policy. I would like to understand: Why this issue occurs specifically for child-domain users, and Whether there is a server-side or configuration-based workaround to resolve the issue without deploying registry changes on user machines. Solution for each client's machine: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover Create a DWORD (32-bit) Value. Give it the name ExcludeHttpsRootDomain and the value 1. Create a DWORD (32-bit) Value. Give it the name ExcludeExplicitO365EndPoint and the value 1.
Recent Blogs
- Introducing the Microsoft Graph User Configuration API (preview)Jan 29, 2026
- 5 MIN READWe wanted to let you know of an upcoming change in certificates trusted by Exchange Online.Jan 28, 2026
