Exchange 2016 and 2019 End of Life and Some Interesting Exchange Online Developments

Exchange SE and Exchange Online News October 2025

On Oct 14, 2025, Exchange 2019 and 2016 reach end-of-life and Exchange SE becomes the only supported on-premises Exchange server. In other news, we discuss Microsoft guidance for moving to cloud first identity, HVE and ECS and the extension of basic authentication support to September 2028, the introduction of auto-archiving for Exchange Online, and why Microsoft is deprecating the Contact object from Exchange Online.

Microsoft 365 Tenants Need Vanity Domains to Send External Email

MOERA domains and threshold for outbound email

Microsoft will impose a throttling limit for external recipients for tenants that use MOERA domain addresses to send outbound email. The limit is designed to stop tenants using mailboxes with primary SMTP addresses from MOERA domains from sending email, a technique that’s often used by spammers. This shouldn’t cause a problem for legitimate organizations who already have vanity domains, but it might stop some spam.

Removing Obsolete Mobile Device Partnerships from Exchange Online

Cleaning up obsolete mobile devices from Exchange Online

This article discusses how to use PowerShell to find obsolete mobile device partnerships in Exchange Online (or Exchange Server) and remove the obsolete devices. Users won’t be able to remove obsolete mobile devices after the settings to manage mobile devices are removed from OWA and the New Outlook, so cleaning up the mess is the responsibility of administrators (as it usually is).

Unverified Sender Messages Highlighted By Outlook Mobile

Outlook mobile clients highlight unverified senders

Outlook Mobile clients have started to highlight messages received from unverified senders. But what does “unverified” mean and what can be done to fix the problem? The issue lies at the sender’s end, so the administrators of the sending system must verify their email configuration to make sure that Exchange Online can validate inbound messages from their domain. The same visual markers are available in Outlook classic, OWA, and the new Outlook.

Mobile Device Management Options Disappear from OWA and the New Outlook

Mobile device management options lost by OWA and the New Outlook

Microsoft plans to remove the ability of users to perform mobile device management (for their devices) from the OWA and new Outlook for Windows clients. It’s unclear how much use these options receive, but following the update, users will only be able to disable or wipe a device remotely using features provided by O/S vendors. Administrators can still act to block or wipe lost or stolen devices.

Maintaining a Microsoft 365 Retention Policy with PowerShell

Connect-IPPSSession with Azure Automation

The Connect-IPPSSession cmdlet is needed to connect to the Security and Compliance endpoint to update a Microsoft 365 retention policy. Unhappily, the Security and Compliance module doesn’t support managed identities, which makes it harder to run Connect-IPPSSession securely in an Azure Automation runbook. In the end, we use a credential stored in the automation account. And then we had to disable WAM. All explained here.

Unexpected Microsoft Defender for Office 365 License Requirement for Shared Mailboxes

Microsoft Defender for Office 365 Requires Licenses for Shared Mailboxes

A question about shared mailboxes brought up the topic of licensing requirements when a tenant has Microsoft Defender for Office 365 (MDO). The news is not good. Once MDO is active, every shared mailbox needs an MDO license, and every user mailbox must also be licensed for MDO (those with E5 licenses are covered). At $5 per month, those MDO licenses can ramp up to a considerable cost. Ouch!

Microsoft Tells Hybrid Exchange Customers to Get Going with Dedicated Hybrid Connectivity App

dedicated hybrid connectivity app for Exchange Online

Microsoft says that few customers have installed the dedicated hybrid connectivity app that’s needed to migrate from EWS. It’s time to install that app! If not, rich coexistence between cloud and on-premises components will stop working for several days when Microsoft imposes service time-outs in August, September, and October to prompt customers to take action. It’s time to install the dedicated hybrid connectivity app.

Creating a Microsoft 365 Retention Policy for Shared Mailboxes

Shared mailboxes and Microsoft 365 retention policies

After being asked whether licenses are needed to include shared mailboxes in Microsoft 365 retention policies, I investigated and found that licenses are not. This led to a consideration of the steps needed to create a special retention policy for shared mailboxes (with PowerShell, naturally) and how to avoid retention setting collisions with other policies. All explained in detail here.

New Outlook for Windows Enables S/MIME Inheritance Control

NoSignOnReply control for S/MIME signature inheritance in the new Outlook for Windows

The new Outlook for Windows now supports the NoSignOnReply control for inheritance of S/MIME signatures from messages to replies. It’s an update to match the feature that’s been in Outlook (classic) for a long time. The new setting is only available for Exchange Online and isn’t supported by OWA.

Microsoft Introduces Exchange 2016/2019 Extended Security Program

Exchange Extended Security Update program

The Exchange Extended Security Update program is a 6-month lifeline for organizations struggling to upgrade servers to Exchange Server SE. Although it’s easy to upgrade a server to , many things might get in the way before the Setup program can run. Small things like vacations, buying new hardware, or deploying a new O/S. From August 1, organizations can sign up to receive security updates from October 2025 to April 2026.

Exchange Online Reduces Delicensing Resiliency Threshold to 5,000 Mailboxes

Delicensing resiliency

A July 15 announcement says that Exchange Online is reducing the Delicensing Resiliency threshold from 10,000 to 5,000 mailboxes. That’s fine, but this feature should be available for all Exchange Online tenants. It’s a sticking plaster for how group-based licensing works and is inconsistent with how OneDrive for Business deals with unlicensed personal user data.

Exchange Server Subscription Edition Now Generally Available

Exchange Server SE General Availability

July 1 marked the general availability of Exchange Server SE (subscription edition), the latest in a long line of server releases going back to Exchange 4.0 (1996). Exchange Server SE will soon be the only game in town after Exchange 2016 and 2019 reach end of support in October 2025. In other news, Defender for Office 365 now boasts protection against email bombs.

Exchange Online Upgrades Its Message Tracing Capabilities

Message Tracing Revamp

Microsoft announced the GA for the new message tracing feature on June 3. The old code will be deprecated in September 2025, so it’s time to update any PowerShell scripts that use the Get-MessageTrace or Get-MessageTraceDetail cmdlets. Upgrading is easy and shouldn’t take too long, once you find the time to do the work.

Mailbox Import-Export Graph APIs Leave No Audit Trail

Mailbox Import-Export Graph API

A recent post revealed that the Mailbox Import-Export Graph API doesn’t capture audit events for its operations. The API is in beta, but this is disappointing. Auditing any mailbox is important, but it becomes a critical requirement when the possibility exists that attackers could use the API to exfiltrate mailbox data outside of the tenant. This is a hole that Microsoft needs to close.

New Outlook and OWA Control for Viewing Protected Email

Two-click confirmation for Outlook to read protected email

The new TwoClickMailPreviewEnabled setting in the Exchange organization configuration controls if OWA and the new Outlook for Windows use two-click confirmation to open protected email. The new feature could be useful for people who commonly open confidential and protected email in situations where someone else could see what they’re reading. In other situations, it will irritate people.

Replacing Litigation Holds with Microsoft 365 Retention Policies

Replace litigation holds with a Microsoft 365 retention policy

Litigation holds can retain mailbox data, but that’s it. You can swap litigation holds out for a Microsoft 365 retention policy and gain extra functionality, such as retaining OneDrive for Business content for the mailbox owners. It’s easy to script the transition from litigation holds to retention policy using PowerShell and to show how, we include a fully working script.

Use an OWA Mailbox Policy to Block Attachment Download for the New Outlook for Windows

Use an OWA mailbox policy to stop the new Outlook downloading attachments

The ConditionalAccessPolicy setting in an OWA mailbox policy can be configured to work with Entra ID conditional access so that OWA blocks access to attachments on unmanaged devices. Microsoft originally introduced the feature in 2018 and as it turns out, the combination of OWA mailbox policy and CA policy also blocks attachment access for the new Outlook for Windows client.

The Downside of Losing the Exchange Mailbox Audit Search Cmdlets

Searching Exchange Mailbox audit data isn't so easy

Microsoft recently announced the deprecation of the Exchange cmdlets to search for mailbox audit data. The audit data is ingested into the Microsoft 365 unified audit log, but it’s more difficult to find and retrieve Exchange mailbox audit events. Methods are available to find mailbox audit data, but interpreting what comes back is different. Any script that depends on the old cmdlets must be updated to interact with the unified audit log.

How to Permanently Remove Mailbox Items with the Graph API

Permanent deletion of mailbox items

Some new Graph APIs were announced on April 1 to close a feature gap with EWS. The new APIs permanently remove mailbox items and other objects, including folders, calendars, and calendar items. Permanent deletion means that items cannot be recovered through clients because they end up in the Purges folder in Recoverable Items. This article explains how the new APIs work, including a practical example.

Microsoft Introduces Control for Direct Send in Exchange Online

Reject Send for Direct Send in Exchange Online

The Direct Send feature allows apps and devices to send unauthenticated email via Exchange Online to internal recipients. Microsoft doesn’t want unauthenticated connections to send email because these connections could be hijacked by spammers. Enter the Reject Send feature to block Direct Send. Reject Send is in preview now but Microsoft wants it to be the default setting in the future.

How to Find Active EWS-Based Apps in a Microsoft 365 Tenant

Exchange Web Services usage report

Microsoft will retire Exchange Web Services (EWS) from Exchange Online on October 1, 2026. A new usage report helps tenants understand what apps use EWS. Many of the apps are likely to be first-party (Microsoft) apps, but some might be third-party apps developed externally or internally. Those apps need to be retired or upgraded to use Graph APIs. Time is slipping away to do the work.

Replacing Litigation Holds with an eDiscovery Case

Litigation Holds and eDiscovery

Litigation holds were great when introduced with Exchange 2010. Fifteen years on, better methods exist to preserve user information, like eDiscovery holds. It might seem unnatural to move from litigation holds to eDiscovery cases, but this approach allows the preservation of both mailbox and OneDrive content for as long as necessary. Retention policies can serve the same purpose, so choice exists for modern preservation.

Microsoft Retires Exchange Server OWA Access to Online Archives

Online archives and Exchange Server OWA

Microsoft’s April 17 announcement that OWA in Exchange Server will not support access to online archives after May 12, 2025, surprised quite a few people. However, the decision is entirely logical and is driven by falling mailbox numbers on-premises and the need to match engineering and support costs with revenue. Outlook classic continues to support access to online archives. Maybe Outlook will be the Exchange on-premises client for the future.

Exchange Online Moves Closer to Dumping EWS

dedicated exchange hybrid app

Microsoft is introducing a Dedicated Exchange Hybrid App to facilitate the transition away from EWS to use Graph API requests for rich hybrid coexistence (free/busy, Mail Tips, and user photos). The plan involves the creation of an Entra ID app to hold EWS permissions (stage 1) followed by Graph permissions (stage 2). Everything has to be complete by October 1, 2026, because that’s when EWS goes away.

Transferring Meeting Ownership From an Ex-Employee Can Be Hard Work

Transfer meeting ownership

Neither Outlook nor Teams includes a transfer meeting ownership feature for user calendars. Moving meetings owned by an ex-employee to give someone else the ownership requires manual intervention to find and reschedule meetings. Administrators can cancel future meetings for a user. In this article, we explore how to generate a report of meetings that might need to be rescheduled.

Duplicate Mail User Objects Created for Guest Accounts

EX1015484 duplicate mail users

The February 2025 EX1015484 incident explains why mail user objects with duplicate SMTP addresses are created for guest accounts. That’s a problem because Exchange Online can’t route messages to objects with duplicate email addresses. Fortunately, you can find out if any duplicates exist in your tenant with some PowerShell. Problems happen!

Updating Email Addresses After Removing Domains

Remove domain from a Microsoft 365 tenant

Microsoft 365 makes it easy to remove domains. However, if you remove a domain and don’t adjust email proxy addresses, some fix-up might be needed to make sure that mail-enabled objects don’t have primary SMTP addresses or proxy addresses that use the removed domains. This article explains how to fix up mail-enabled objects with PowerShell to remove traces of any removed domains.

Why Only Web-Based Outlook Clients Can Recall Encrypted Email

message recall for protected messages

The new message recall facility has been around since 2022. Even after Microsoft revamped the feature in 2023, it’s still only possible to recall protected messages with OWA and the new Outlook. As it turns out, the reason is that a premium license is needed and Outlook classic might need some new code to check for that license. In other news, Outlook mobile now supports message recall.

Exchange Online Restricts the Number of Dynamic Distribution Groups

Limit for dynamic distribution groups

Exchange Online is imposing a new tenant-wide limit of 3,000 Dynamic Distribution Groups. Few tenants might be affected, but the question might be asked why Microsoft is limiting DDGs at this point. Is it a cunning plan to prompt people to use dynamic Microsoft 365 groups instead? Or are some tenants abusing DDGs in weird and wonderful ways? Who knows, but the limit applies from early April 2025.

Using iOS Build Numbers in Exchange ActiveSync Device Access Rules

Exchange ActiveSync device access rules and iOS devices.

A change made in late 2024 allows Microsoft 365 tenants to use iOS build numbers in Exchange ActiveSync device access rules. Apparently, the idea is that tenants can insist that people use iOS devices with very specific build numbers (like iOS 18.3.1 22D72) before the devices can synchronize with Exchange Online mailboxes. You never know when you might need the feature (or so they say).

Another Nail in the Exchange Web Services Coffin

EWSEnabled flag must be set in EXO organization configuration

Exchange Web Services (EWS) will retire in October 2026. Tenants that still need to use EWS must explicitly set EWSEnabled to true in the organization configuration. If they don’t, the previous rule that allows mailboxes enabled for EWS to function won’t work. The change is part of the preparation for the phase-out of EWS. To help, we’ve written a script to send email to administrators listing accounts still enabled for EWS.

Primer: Using Exchange Online PowerShell in Azure Automation Runbooks

Using Azure Automation to process Exchange Online data

In this primer, we cover how to create and execute Azure Automation Exchange Online runbooks (scripts) using cmdlets from the Exchange Online management module. Some setup is necessary before runbooks can process Exchange cmdlets, but once the necessary resources and permissions are in place, it’s all plain sailing. The next challenge is how to output data created in a runbook…

Primer: Using Exchange High Volume Email with Azure Automation

Use HVE with Azure Automation

This article covers how to use HVE with Azure Automation to send email. HVE is Exchange Online’s High Volume Email solution for internal communications. In the discussion, we cover how to retrieve credentials from Azure Key Vault, how to retrieve data from a web page, and how to bring everything together in a message submitted to HVE.

February Deadline Looms for Legacy Exchange Tokens Used by Outlook Add-Ins

A February 2025 deadline looms for Outlook classic add-ins that use legacy Exchange tokens for authentication. Add-ins must switch to nested app authentication (NAA) to have continued access to Exchange mailboxes and other objects. The upgrade is easy enough if the ISV that developed the original add-in is still in business. Things get a lot more complicated when they’re not, or you have no idea who developed an add-in.

Finding Inactive Mailboxes Based on Message Trace Data

This article covers how to use Exchange Online message trace data to find inactive mailboxes based on their message send activity. The script processes user mailboxes but can easily be adapted to process shared mailboxes too. This is only one of the available methods to find inactive mailboxes. The other methods mentioned in the article might be better suited to your purpose.

Microsoft Details Progress Towards a More Secure Exchange Online

In a November 18 post, Microsoft describes some Exchange Online security updates that are due to land between now and 2026. Some of the news is a restatement of previously announced information, like the deprecation of EWS in October 2026. New information includes some details about feature gaps that the Graph APIs cannot close when EWS goes away. And then there’s a hint about the demise of public folders (again!)

Exchange Online Adds Delicensing Resiliency

Microsoft announced Delicensing Resiliency, a new feature for tenants with over 10,000 paid seats, to avoid inadvertent data loss due to licensing errors. Essentially, the feature adds an extra 30-day grace period post license removal during which mailboxes work as normal. The idea is that administrators will have extra time to detect and fix licensing errors that lead to mailbox removal. Overall, the new feature seems like a great idea (for large tenants).

No Reason to “Upgrade” Distribution Lists to Microsoft 365 Groups

The Exchange admin center feature to allow administrators to initiate an upgrade distribution list process to request group owners to migrate distribution groups to Microsoft 365 groups is terrible. In my experience, the request goes into a black hole and never emerges, or the process fails immediately. But you shouldn’t be upgrading distribution lists to Microsoft 365 groups anyway because groups are often overkill when all that’s needed is a way to distribute email to multiple recipients.

How to Add Contacts to User Mailboxes From a CSV File

Import contacts from a CSV File

A recent script demonstrated how to import contacts into user mailboxes using a list in a SharePoint site as the source. With a quick change, a CSV file becomes the source. This is a great example of how adaptable PowerShell is and how to update code found in articles to meet your needs. If you do ask an author to change their code, remember to try to make the change yourself first, and if you fail, explain to the author why the change should be made.