admin
647 Topics

Shared Mailbox can have a password and login enabled without license
I'm very much aware of the license requirements for Shared Mailboxes in Exchange Online and for all Shared Mailboxes we always give licensed users access to them. If we need to log in to the actual shared mailbox, we assign them a license. This could be necessary if you also have some 3rd party application that actually needs to log in to the mailbox and fetch e-mail for some reason.

I have recently realized that you CAN actually set a password to a Shared Mailbox. Just go to admin.microsoft.com > Users > Active Users > select the Shared Mailbox > Reset password. After this, you can log in with the username/password. Of course, if you access it via portal.office.com you won't see Outlook but if you go directly to outlook.office365.com you will get access to the mailbox.

Anyone know anything more about this feature? Limitations? I'm not looking to break the licensing terms, all our physical users for all our customers have their own personal accounts but there are scenarios where you have a 3rd party application accessing the mailbox for some reason.

Solved | 708K Views | 3 likes | 24 Comments

Copy contents of one mailbox to another
Good afternoon,

I have a bit of an interesting issue. I have a department that has split into two departments. The "new" department, department1 is keeping the name of the old department, and therefore wants the shared mailbox associated with department1 (department1@domain.com). The new department, department2, has a new mailbox, department2@domain.com. Great. However, the new department wants all of the contents of the old mailbox, including all of the folders from department1@domain.com, copied/moved to the new mailbox, department2@domain.com, and department1@domain.com to essentially start fresh and blank.

I was thinking I could just rename department1@domain.com to department2@domain.com, and create a new mailbox called department1@domain.com - however that won't work because Exchange Online will keep the previous alias assigned to the original mailbox, and that isn't able to be deleted.

So I thought I'd use Search-Mailbox to move all of the mail:

    Search-Mailbox -identity department1@domain.com -TargetMailbox department2@domain.com

However, this requires a TargetFolder to be specified. If I try to specify Inbox, it creates a subfolder under Inbox, with all of the folders/messages. If I specify / for root, the messages disappear, because the root isn't visible (they show up in a search).

My question is, is there any way to copy these messages, and folders, intact, from the one shared mailbox, over to the other shared mailbox so all of the folders etc. show up under root, and the messages that are in the inbox go into inbox, and sent items go into sent items, etc.

Any ideas? I was hoping not to have to export to PST and import the PST.

Thanks,
Craig

94K Views | 0 likes | 6 Comments

Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online
We have noted a drastic increase in the number of failed log on attempts coming from countries outside the US within ADFS, obviously attempting to log in through Exchange Online. (When reviewing event id 411 specifically within the security logs of the ADFS servers you will note two IP addresses "OriginIPAddress,MicrosoftExchangeOnlineIP".)

We are running a hybrid environment with ADFS 3.0 on 2012 r2 and O365, AD domain is on 2008 r2. We have a user base of approximately 700 users.

This presents a couple of obvious issues.

Enabled advanced event logging for ADFS and processes, so I can see the IP addresses of logins through ADFS.

Every day, I am processing through all of the 411 events within the security event logs and consolidating it into a spreadsheet for easier consumption. (not a pretty process as I haven't completely fine tuned it yet)

Here's some of the things I am seeing for all of the foreign IP addresses:

- They are making attempts at approximately 400 account names.
- The majority of attempts are performed in alphabetical order with occasional deviations.
- They are rate limiting what they are trying for the most part to only 4 or 5 attempts per account per day with occasional deviations which wind up triggering the extranet lockout for a given user.
- Microsoft's online logging and monitoring of failures such as these is pretty much worthless or outright non-existent.

Limitations of my environment:

We can't enable MFA across the board as the company won't supply mobile devices across the board and they find the cost for tokens too prohibitive.

Have contemplated blocking regional IP addresses but this presents its own problems.

One, I can't block it at the firewall fronting the ADFS WAP as they are utilizing basic auth through Exchange Online so all we would see at the firewall is the Exchange Online IP addresses.

Two, can't enable conditional access due to its design to be inclusive not exclusive, where the IPs specified are for known networks good networks. We have too many remote locations that are on some form of dynamic connection.

Three, I can't really block non-US ips as we routinely have execs traveling.

Sorry for the long winded description. Here is where the questions come in. I am hunting for ideas.

First, any ideas on how to mitigate this other than what was already provided?

Second, anyone found a way to determine which protocols these authentication attempts are being made against Exchange Online? It logs client type for successes which allows you to do some tracking of client type but it does not provide any form of reporting or logging that I have found for failed attempts and there doesn't appear to be anything I can extract from AD FS logs.

Three, anyone found a way to fully monitor the Azure AD sign-ins? MS has their reporting and the online logging but I would like to have something monitor the Azure AD sign-ins for successful failures from foreign IP addresses and notify on these events. We don't have that many people that travel outside the country so it's easy to correlate to a given known user traveling.

Four, anyone else seeing something along these lines?

Thanks for your time,
-G

Solved | 78K Views | 0 likes | 20 Comments

Connect to Exchange Online PowerShell using MFA
Hi,

I'm trying to follow the instructions on this page: https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx which all seem pretty easy to follow. I'm on a brand new install of Windows 10 Pro, and when I try to run the file I download from Exchange Admin I get the error in the image attached. I've tried this on a few Win 10 Pro PCs, some brand new some a few months old, I get the same issue. What's the correct way to overcome this so I can install?

This is the error that's in the log file:

    ERROR SUMMARY
    Below is a summary of the errors, details of these errors are listed later in the log.
    * Activation of E:\Microsoft.Online.CSE.PSModule.Client.application resulted in exception. Following failure messages were detected:
    + Deployment and application do not have matching security zones.

Solved | 75K Views | 0 likes | 10 Comments

How to Troubleshoot EWS Connection Issues Using EWS Editor
Problem: You get errors when you use any application to connect to (or execute a specific action upon) a mailbox or public folder via the Exchange Web Services (EWS) protocol.

Solution: To verify if an error is related to the application or to your environment, you can use a tool called EWS Editor to connect to the mailbox or public folder that causes errors and check if the error appears. This can be very useful in scenarios when:

- An application cannot establish connection to a mailbox or upload/download required data
- An application cannot access public folders
- An application cannot impersonate a mailbox

Connecting to a mailbox via EWSEditor

1. Go to the EWSEditor page on GitHub and download the bin package.

2. Copy the downloaded file to the machine where the application is installed and extract it.

3. Open the program and click File > New Exchange Service (Fig. 1.).

Fig. 1. Creating a new EWS connection to a mailbox in EWSEditor.

4. Use the Autodiscover Email option or manually provide the Service URL by using the FQDN of the machine you are connecting to (CAS server). If you use Office 365, click the 365 Default button (Fig. 2.).

Note: The Service URL for EWS should be as follows:
https://<your machine FQDN>/EWS/Exchange.asmx
for example:
https://exchange.example.com/EWS/Exchange.asmx

Fig. 2. Configuring the EWS connection.

5. Configure the authentication options:

- Direct access: If you want to access your mailbox directly, select Use the following credentials instead of the default Windows credentials and provide the user name and password for that mailbox account (Fig. 3.).
- Mailbox impersonation: If you want to connect to another mailbox by using the admin's credentials, click Use the following credentials instead of the default Windows credentials and provide the administrator's credentials. After that, select the Check if using EWS Impersonation checkbox and provide the primary SMTP address of the mailbox you want to access.

Fig. 4. Configuring a connection to a mailbox as an administrator, by using impersonation.

6. When the configuration is complete, click OK.

If the connection is successful, you will see a confirmation in the program. If the connection is not successful, the software will throw an error. The appearance of any errors means that the mailbox connection problem is not related to your application and the problem relates to your environment.

If you are getting Error 500, then probably your XML configuration file for web services (including EWS) is corrupted. Please consider reverting any recent changes made to that file.

Browsing a mailbox

Directly after you finish configuring the connection, you get a prompt asking if you want to add the mailbox root to the tree view. Please confirm by clicking Yes (Fig. 5.).

Fig. 5. The prompt that allows you to browse the mailbox content in EWSEditor.

After the addition is complete, you can browse the content of your mailbox under Root\Top of Information Store (Fig. 6.). If you are getting any errors while accessing any of the folders within that container, it means that the mailbox is corrupted.

Fig. 6. Browsing the content of a mailbox.

Browsing public folders

To browse public folders of a mailbox account that you added to the EWSEditor's tree view, right-click the name (email address) of the mailbox at the very top of the tree, and select Add Root Folder. After selecting Identify folder by well known name, choose PublicFoldersRoot (Fig. 7.) and click OK.

Fig. 7. Adding public folders to the mailbox tree view.

If you are getting any errors when accessing public folders, this might mean that public folders are not yet created or their creation is still pending. However, if you are having trouble accessing some particular public folders, it means that you are missing some of the required permissions.

Reference: http://jasparrow.info/2020/08/how-to-troubleshoot-ews-connection-by-using-ews-editor/

Regards
Jason

57K Views | 1 like | 0 Comments

Global Administrator as Shared Mailbox
I am new to Microsoft 365. Have recently subscribed to Microsoft 365 Business Standard. The global administrator account does not have a license attached to it. But we want to add a shared mailbox to the global administrator. When we do, we get the following error:

    Error executing request. The proxy address "SMTP:<email address removed for privacy reasons>" is already being used by the proxy addresses or LegacyExchangeDN. Please choose another proxy address.

Is this possible at all? If yes, how to go about it?

Thanks,
Ramkumar.

Solved | 49K Views | 0 likes | 2 Comments

How to clear the Discovery Holds folder
To find whether this discovery holds folder is completely full, use the below-mentioned command.

Step 1:

    Connect-ExchangeOnline

and then, Step 2:

    Get-MailboxFolderStatistics -Identity user | select name,foldersize

Note: This DiscoveryHolds folder has a limit of 100 GB. If it is full, we will get issues like "Unable to clear deleted items folder", "deleted items are getting auto-restored" etc.

One of the reasons this folder is full: if Organization Hold is turned on (All Exchange mailboxes are selected in Compliance Retention Policy) or the Individual ID is selected on Compliance Retention Policy.

Solution: Please try the below-mentioned steps to overcome this issue.

Step 1: Exclude the DiscoveryHolds full ID in the Compliance Retention policy or run the below-mentioned commands in PowerShell.

    Connect-IPPSSession

and then,

    Set-RetentionCompliancePolicy -Identity "Compliance Retention Policy Name" -AddExchangeLocationException user

for multiple users,

    Set-RetentionCompliancePolicy -Identity "Compliance Retention Policy Name" -AddExchangeLocationException user1, user2, user3

Now on PowerShell,

    Connect-ExchangeOnline

and then,

    Set-Mailbox -Identity user -RetainDeletedItemsFor 0

and then run the below-mentioned command two times.

    Start-ManagedFolderAssistant -Identity user
    Start-ManagedFolderAssistant -Identity user

After 2-3 minutes, run the below-mentioned commands.

    Get-Mailbox "user" | FL DelayHoldApplied,DelayReleaseHoldApplied

If the output is received as true for any above-mentioned holds, then run the below-mentioned commands.

    Set-Mailbox user -RemoveDelayHoldApplied
    Set-Mailbox user -RemoveDelayReleaseHoldApplied

and then run the below-mentioned command two times.

    Start-ManagedFolderAssistant -Identity user
    Start-ManagedFolderAssistant -Identity user

After 2-3 minutes, this DiscoveryHolds folder will become zero as per the below-mentioned screenshot.

This process helped me a lot. If you have any doubts/concerns/suggestions about this post, please comment below.

Best Regards,
Venkat Kiran Kona.

Solved | 39K Views | 6 likes | 9 Comments

Inviting a group calendar without sending invites to the distribution group
Hi,

I'm struggling with finding a good way to have a shared calendar with our Microsoft Teams team of 100+ members. We'd like to have a shared calendar where things like all the teams standups, demos, testing with users etc are added. This is meant to be for general information so that everyone can decide themselves what they should be part of, or just know that it is happening, rather than the meeting host needs to invite "the right" people. Thus, we don't want everyone in the team to get e-mail invites to each of these events.

We have the Office 365 Group shared calendar automatically showing up (after a lot of work), but find it cumbersome to add events to it without disturbing everyone. The suggested approach seems to be to go into the calendar and create the event there. However, there are a few user experience issues with that:

1. Adding an event behaves differently on Outlook desktop app vs Outlook 365 - on desktop the distribution group is added automatically as a recipient and on the web version it is not. This makes it difficult for us to write clear instructions for users.
2. If anyone opens an event on the desktop app, it seems as if the distribution group is added as a recipient automatically, meaning everyone will have to remember to take away the distribution group as a recipient.
3. Point 1 and 2 means that very often there will be e-mail invites sent to everyone unintentionally.
4. It is annoying to have to go into another calendar to add events.

I really need there to be an easy way of having a shared calendar with events that everyone can see and join in to, but not get an e-mail invite to. I've thought of two possible solutions based on the current functionality of Outlook:

Solution A

Preferably, I'd like this to be achieved through adding that group as an "attendee" (just as I do with room bookings). The way I thought of to solve this was to create another shared calendar that everyone can edit, but whose team no one is a member of. Unfortunately, it seems like I'm not allowed to set permissions of the shared group calendar in the same way I can do with my own calendars. Thus, I can't give edit access to people that aren't a member of the team.

Solution B

Another way I thought of would be to disable the calendar invites being sent to the team members. If I understand the documentation of Set-UnifiedGroup correctly, that would be possible through setting -AlwaysSubscribeMembersToCalendarEvents:$false. It says that means "ReplyOnly". However, I don't know for sure what that value means, because it's not really explained. Also, I'm not sure how to set this for existing members, as this setting is only for new members.

Any help on how to achieve either of my two solutions is greatly appreciated. And of course, if you can think of any other solution to achieve my goal of an easily administered shared calendar that doesn't disturb everyone, I'm all ears.

Oh, and of course...being a former G Suite user, I'd really like there to be a way for the user to set if they wish the event to be modifiable by others or not. But I guess that's just not possible with Microsoft's solution?

Thanks,
Jonatan

39K Views | 3 likes | 18 Comments

Restrict mobile access to email for specific users
I would like to block mobile access to emails for specific users in my organization. This includes the native mail app on the phone, any other mail app on the phone (including Outlook), as well as any browser on the phone. This is because these users have access to sensitive information about the company. All other users should be able to access mobile emails. I tried using the quarantine policy, from the exchange admin, however, that does not prevent the users from using the web browser to access the emails via outlook.com on their mobile.

39K Views | 0 likes | 6 Comments