Exchange Online
Exchange admin center
Permissions
Feature permissions
Role groups
Role assignment policies
Security and compliance
Modify archive policies
In-Place and Litigation Holds
Create or remove In-Place Holds
In-Place eDiscovery
Assign eDiscovery permissions
Create In-Place eDiscovery search
Export search results
Message properties and search operators
Search limits
Create a discovery mailbox
Create custom management scope
Reduce discovery mailbox size
Delete and re-create default discovery mailbox
Data loss prevention
DLP rule application
Integrate sensitive information rules
DLP policy templates
Create DLP policy from template
Create custom DLP policy
Policy Tips
Manage policy tips
Exchange auditing reports
Export mailbox audit logs
Non-owner mailbox access report
Per-mailbox litigation hold report
Search role group changes
View administrator audit log
View external admin audit log
Messaging records management
Retention tags and policies
Default Retention Policy
Default folders
Retention age
Create a Retention Policy
Add or remove retention tags
Apply retention policy
Mailbox retention hold
Journaling
Manage journaling
Configure Journaling
Mail flow rules
Conditions and exceptions
Mail flow rule actions
Configuration best practices
Inspect message attachments
Enable encryption and decryption
Common attachment blocking scenarios
Disclaimers, signatures, footers, or headers
Mail flow rule procedures
Manage mail flow rules
Test mail flow rules
Use rules to bypass Clutter
Use rules to route email
Use rules to add meetings
Manage message approval
Common message approval scenarios
Recoverable Items folder in Exchange Online
Clean up or delete items from the Recoverable Items folder in Exchange Online
Mail flow best practices
Test mail flow
Troubleshoot mail flow
Use connectors to configure mail flow
Do I need to create a connector?
Set up connectors to route mail
Set up connectors for secure mail flow with a partner
Validate connectors
Conditional mail routing
Integrate Office 365 with an email add-on service
Use Directory Based Edge Blocking
Manage accepted domains
Enable mail flow for subdomains
Remote domains
Manage remote domains
Supported character sets
Message format and transmission
Configure external postmaster address
Manage mailboxes with Office 365
Manage mail flow using third-party cloud
Manage mail flow for multiple locations
Manage mail flow on Office 365 and on-prem
How to set up a multifunction device or application to send email using Office 365
How to configure IIS for relay with Office 365
Fix issues with printers, scanners, and LOB applications that send email using Office 365
Recipients in Exchange Online
Message and recipient limits
Create user mailboxes
Delete or restore mailboxes
Manage user mailboxes
Add or remove email addresses
Change deleted item retention
Configure email forwarding
Configure message delivery restrictions
Convert a mailbox
Enable or disable Exchange ActiveSync
Enable or disable MAPI
Enable or disable Outlook on the web
Mailbox plans
Automatically save sent items in delegator's mailbox
Clutter notifications in Outlook
Change Clutter notification branding
Enable or disable single item recovery
Recover deleted messages
Use PowerShell to display mailbox information
Manage distribution groups
Create group naming policy
Override group naming policy
Manage dynamic distribution groups
View group members
Manage mail-enabled security groups
Manage group access to Office 365 groups
Manage mail contacts
Manage mail users
Manage room mailboxes
Manage equipment mailboxes
Manage permissions for recipients
Manage Facebook contact sync
Manage LinkedIn contact sync
Configure a moderated recipient
Migrate multiple email accounts
Decide on a migration path
Use Minimal Hybrid to quickly migrate
What to know about a cutover migration
Cutover migration to Office 365
What to know about a staged migration
Perform a staged migration
Convert Exchange 2007 mailboxes
Convert Exchange 2003 mailboxes
Migrating IMAP mailboxes
Migrate G Suite mailboxes
Migrate other types of IMAP mailboxes
IMAP migration in the admin center
Setting up your IMAP server connection
Optimizing IMAP migrations
CSV files for IMAP migrations
Prepare Gmail or G Suite accounts
Migrating your Outlook.com account
Enable 2-step verification for Google apps
Migrate mailboxes across tenants
Migrate from Lotus Notes
Add an SSL certificate to Exchange 2013
Add an SSL certificate to Exchange 2010
Add an SSL certificate to Exchange 2007
Enable Gmail accounts for IMAP
Office 365 migration best practices
Assign permissions for migration
Manage migration batches
Migration users status report
CSV files for migration
Collaboration
Public folders
Public folder procedures
Batch migration of legacy public folders
Batch migration of Exchange 2013 public folders
Roll back Exchange 2013 public folder migration
Migrate your public folders to Office 365 Groups
Batch migration of Exchange Online public folders
Set up legacy hybrid public folders
Set up modern hybrid public folders
Set up EXO hybrid public folders
Set up public folders
Access public folders with Outlook 2016 for Mac
Create public folder mailbox
Create public folder
Recover deleted public folder mailbox
Use favorite public folders
Enable or disable mail for public folder
Update public folder hierarchy
Remove public folder
View public folder statistics
Shared mailboxes
Address books
Address book policies
Address book policy procedures
Turn on address book policy routing
Create an address book policy
Assign an address book policy to users
Change the settings of an address book policy
Remove an address book policy
Address lists
Address list procedures
Manage address lists
Use recipient filters to create an address list
Remove a global address list
Configure global address list properties
Create global address list
Hierarchical address books
Enable or disable hierarchical address books
Offline address books
Offline address book procedures
Create offline address book
Add or remove an address list
Change default offline address book
Provision recipients
Remove offline address book
Sharing
Organization relationships
Create an organization relationship
Modify an organization relationship
Remove an organization relationship
Sharing policies
Create a sharing policy
Apply a sharing policy
Modify a sharing policy
Voice mail: Unified Messaging
Greetings, announcements, menus, and prompts
Set dial plan default language
Select auto attendant language
Enable custom prompt recording
Telephone system integration with UM
Telephony advisor for Exchange 2013
Configuration notes for VoIP gateways
Configuration notes for session border controllers
Connect voice mail system
UM dial plans
UM dial plan procedures
Create UM dial plan
Manage UM dial plan
Change audio codec
Configure maximum call duration
Configure maximum recording duration
Configure recording idle time-out
Configure VoIP security setting
Configure dial plan for users with similar names
Delete UM dial plan
UM IP gateways
UM IP gateway procedures
Create UM IP gateway
Manage UM IP gateway
Enable UM IP gateway
Disable UM IP gateway
Configure fully qualified domain name
Configure IP address
Configure listening port
Delete UM IP gateway
UM hunt groups
UM hunt group procedures
Create UM hunt group
View UM hunt group
Delete UM hunt group
Automatically answer and route calls
DTMF interface
UM auto attendant procedures
Set up UM auto attendant
Create a UM auto attendant
Add an auto attendant extension number
Configure business hours
Create a holiday schedule
Enter a business name
Set a business location
Configure the time zone
Enable a customized business hours greeting
Enable a customized business hours menu prompt
Enable a customized non-business hours greeting
Enable a customized non-business hours menu prompt
Enable an informational announcement
Create menu navigation
Create business hours navigation menus
Create non-business hours navigation menus
Manage UM auto attendant
Configure DTMF fallback auto attendant
Enable UM auto attendant
Disable UM auto attendant
Delete UM auto attendant
Enable or disable speech recognition
Enable or prevent transferring calls
Enable or disable sending voice messages
Enable or disable directory lookups
Configure users that can be contacted
Configure auto attendant for users with similar names
Set up voice mail
UM mailbox policies
UM mailbox policy procedures
Create UM mailbox policy
Manage UM mailbox policy
Delete UM mailbox policy
Voice mail for users
Voice mail-enabled user procedures
Enable a user for voice mail
Include text with email sent when voicemail is enabled
Manage voice mail settings
Assign UM mailbox policy
Change UM dial plan
Enable calls from users who aren't UM-enabled
Disable calls from users who aren't UM-enabled
Allow callers without caller ID to leave voice message
Include text with email sent when voice message Is received
Prevent callers without caller ID from leaving voice message
Disable voice mail
Change SIP address
Change extension number
Add SIP address
Remove SIP address
Add extension number
Remove extension number
Change E.164 number
Add E.164 number
Remove E.164 number
Set up client voice mail features
Set up Outlook Voice Access
Outlook Voice Access commands
Navigating menus with Outlook Voice Access
Play on Phone
Outlook Voice Access procedures
Enable or disable Outlook Voice Access
Configure Outlook Voice Access number
Disable selected features
Set mailbox features for users
Set mailbox features for a user
Enable or disable automatic speech recognition
Enable an informational announcement
Enable a customized greeting
Enable or disable Play on Phone
Enable or disable sending voice messages
Enable or prevent transferring calls
Configure the group of users that Outlook Voice Access users can contact
Configure primary search method
Configure secondary search method
Configure number of sign-in failures
Configure number of input failures
Configure personal greetings limit
Protect voice mail
Protected Voice Mail procedures
Configure Protected Voice Mail from authenticated callers
Configure Protected Voice Mail from unauthenticated callers
Enable or disable multimedia playback
Specify text to display for clients that don't support Windows Rights Management
Allow voice mail users to forward calls
Forwarding calls procedures
Call answering rules
Call answering rules in the same mailbox policy
Create a call answering rule
View and manage a call answering rule
Enable or disable a call answering rule for a user
Remove a call answering rule for a user
Allow users to see a voice mail transcript
Voice Mail Preview advisor
Voice Mail Preview procedures
Configure Voice Mail Preview partner services
Enable Voice Mail Preview
Disable Voice Mail Preview
MWI in Exchange Online
Allow MWI procedures
Allow MWI on UM IP gateway
Prevent MWI on UM IP gateway
Enable MWI for users
Disable MWI for users
Enable missed call notifications
Disable missed call notifications
Allow users to make calls
Dial codes, number prefixes, number formats
Allow users to make calls procedures
Enable outgoing calls on UM IP gateways
Disable outgoing calls on UM IP gateways
Configure dial codes
Create dialing rules
Authorize calls using dialing rules
Set up incoming faxing
Fax advisor for Exchange UM
Faxing procedures
Set the partner fax server URI to allow faxing
Include text with the email sent when a fax message is received
Allow users in the same dial plan to receive faxes
Prevent users in the same dial plan from receiving faxes
Enable faxing for a group of users
Disable faxing for a group of users
Enable a user to receive faxes
Prevent a user from receiving faxes
Set Outlook Voice Access PIN security
PIN security procedures
Set PIN policies
Reset a voice mail PIN
Retrieve voice mail PIN information
Include text in email sent when PIN Is reset
Set minimum PIN length
Set PIN lifetime
Set number of previous PINs to recycle
Disable common PIN patterns
Enable common PIN patterns
Set number of sign-in failures before PIN reset
Set number of sign-in failures before lock out
Run voice mail call reports
UM reports procedures
Review voice mail calls for organization
Review voice mail calls for user
Audio quality of voice calls in organization
Audio quality of voice calls for user
Interpret voice mail call records
UM and voice mail terminology
Clients and mobile in Exchange Online
Exchange ActiveSync
Mobile device mailbox policies
POP3 and IMAP4
Enable or disable POP3 or IMAP4 access
POP3 or IMAP4 settings
Outlook for iOS and Android
Outlook for iOS and Android FAQ
Setup with modern authentication
Manage Outlook for iOS and Android
Secure Outlook for iOS and Android
Deploy app config settings
Outlook for iOS and Android in the Government Cloud
Mobile access
Configure email on mobile phone
Remote wipe on mobile phone
Outlook on the web
Outlook Web App mailbox policies
Outlook Web App mailbox policy procedures
Create Outlook Web App mailbox policy
Apply or remove Outlook Web App mailbox policy
Remove Outlook Web App mailbox policy
Configure Outlook Web App mailbox policy properties
OWA for Devices contact sync
Public attachment handling
Increase the space used by Inbox rules
MailTips
Configure large audience size
Configure custom MailTips
MailTips over organization relationships
Manage MailTips for organization relationships
Add-ins for Outlook
Remote Connectivity Analyzer tests
Client Access Rules
Procedures for Client Access Rules
Disable Basic authentication in Exchange Online
Enable or disable modern authentication in Exchange Online
Monitoring
Use mail protection reports
Customize and schedule mail protection reports
What happened to delivery reports in Office 365?
Trace an email message
Run a Message Trace and View Results
Message Trace FAQ
Back up email
Fix Outlook connection problems in Office 365 and Exchange Online
Fix Outlook and Office 365 issues
Diagnostic log collection in Support and Recovery Assistant
Find and fix email delivery issues as an Office 365 for business admin
About Exchange documentation
Accessibility
Accessibility in Exchange admin center
Get started using screen reader
Keyboard shortcuts in admin center
Use screen reader to add equipment mailbox in Exchange admin center
Use screen reader to add mail contact in Exchange admin center
Use screen reader to add room mailbox in Exchange admin center
Use screen reader to add shared mailbox in Exchange admin center 2016
Use screen reader to add members to a distribution group in Exchange admin center
Use screen reader to archive mailbox items in Exchange admin center
Use screen reader to configure collaboration in Exchange admin center
Use screen reader to create distribution group in Exchange admin center
Use screen reader to configure mail flow rules in Exchange admin center
Use screen reader to define rules that encrypt or decrypt email in Exchange admin center 2016
Use screen reader to edit mailbox display name in Exchange admin center
Use screen reader to export and review audit logs in Exchange admin center
Use screen reader to identify admin role in Exchange admin center
Use screen reader to manage anti-malware protection in Exchange admin center
Use a screen reader to manage anti-spam protection
Use screen reader to open Exchange admin center
Use screen reader to run audit report in Exchange admin center
Use screen reader to trace an email message in Exchange admin center
Use screen reader to work with mobile clients in Exchange admin center
Exchange Online Multi-Geo
Exchange Online is part of the Office 365 suite of products.
You use the Exchange admin center to manage email settings for your organization.
You can also get to the Exchange admin center directly by using a URL. To do this, go to
https://outlook.office365.com/ecp and sign in using your credentials.
NOTE
Be sure to use a private browsing session (not a regular session) to access the Exchange admin center using the direct
URL. This will prevent the credential that you are currently logged on with from being used. To open an InPrivate
Browsing session in Microsoft Edge or Internet Explorer or a Private Browsing session in Mozilla Firefox, press
CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press
CTRL+SHIFT+N.
Compliance management: Manage In-Place eDiscovery & Hold, auditing, data loss prevention (DLP), retention
policies, retention tags, and journal rules.
Tabs
The tabs are your second level of navigation. Each of the feature areas contains various tabs, each representing
a complete feature.
Toolbar
When you click most tabs, you'll see a toolbar. The toolbar has icons that perform a specific action. The
following table describes the most common icons and their actions. To display the action associated with an
icon, simply hover over the icon.
List view
When you select a tab, in most cases you'll see a list view. The list view in Exchange admin center is designed to
remove limitations that existed in Exchange Control Panel.
In Exchange Online, the viewable limit from within the Exchange admin center list view is approximately 10,000
objects. In addition, paging is included so you can page through the results. In the Recipients list view, you can also
configure page size and export the data to a CSV file.
Details pane
When you select an item from the list view, information about that object is displayed in the details pane.
To bulk edit several items: press the CTRL key, select the objects you want to bulk edit, and use the options in
the details pane.
Centers, Me tile, and Help
The Centers tile allows you to change from one admin center to another. The Me tile allows you to sign out of
the EAC and sign in as a different user. From the Help drop-down menu, you can perform the following
actions:
Help: Click to view the online help content.
Disable Help bubble: The Help bubble displays contextual help for fields when you create or edit an
object. You can turn off the Help bubble or turn it on if it has been disabled.
Supported browsers
See the following articles:
Office 365 System Requirements: lists supported browsers for Office 365 and the Exchange admin
center.
Supported Browsers for Outlook on the web.
Related articles
Are you using Exchange Server? See Exchange admin center in Exchange Server.
Are you using Exchange Online Protection? See Exchange admin center in Exchange Online Protection.
Permissions in Exchange Online
3/4/2019
Exchange Online in Office 365 includes a large set of predefined permissions, based on the Role Based Access
Control (RBAC) permissions model, which you can use right away to easily grant permissions to your
administrators and users. You can use the permissions features in Exchange Online so that you can get your new
organization up and running quickly.
RBAC is also the permissions model that's used in Microsoft Exchange Server. Most of the links in this topic refer
to topics that reference Exchange Server. The concepts in those topics also apply to Exchange Online.
For information about permissions across Office 365, see Permissions in Office 365.
NOTE
Several RBAC features and concepts aren't discussed in this topic because they're advanced features. If the functionality
discussed in this topic doesn't meet your needs, and you want to further customize your permissions model, see
Understanding Role Based Access Control.
Role-based permissions
In Exchange Online, the permissions that you grant to administrators and users are based on management roles.
A management role defines the set of tasks that an administrator or user can perform. For example, a
management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes,
contacts, and distribution groups. When a management role is assigned to an administrator or user, that person is
granted the permissions provided by the management role.
Administrative roles and end-user roles are the two types of management roles. Following is a brief description of
each type:
Administrative roles: These roles contain permissions that can be assigned to administrators or specialist
users using role groups that manage a part of the Exchange Online organization, such as recipients,
compliance management, or Unified Messaging.
End-user roles: These roles, which are assigned using role assignment policies, enable users to manage
aspects of their own mailbox and distribution groups that they own. End-user roles begin with the prefix My.
Management roles give permissions to perform tasks to administrators and users by making cmdlets available to
those who are assigned the roles. Because the Exchange admin center (EAC) and Exchange Online PowerShell use
cmdlets to manage Exchange Online, granting access to a cmdlet gives the administrator or user permission to
perform the task in each of the Exchange Online management interfaces.
Exchange Online includes approximately 45 roles that you can use to grant permissions. For a list of roles, see
Built-in Management Roles.
NOTE
Some management roles may be available only to on-premises Exchange Server installations and won't be available in
Exchange Online.
Role groups and role assignment policies
Management roles grant permissions to perform tasks in Exchange Online, but you need an easy way to assign
them to administrators and users. Exchange Online provides you with the following to help you make
assignments:
Role groups: Role groups enable you to grant permissions to administrators and specialist users.
Role assignment policies: Role assignment policies enable you to grant permissions to end users to
change settings on their own mailbox or distribution groups that they own.
The following sections provide more information about role groups and role assignment policies.
Role groups
Every administrator who manages Exchange Online must be assigned one or more roles. Administrators
might have more than one role because they may perform job functions that span multiple areas in Exchange
Online. For example, one administrator might manage both recipients and Unified Messaging features in the
Exchange Online organization. In this case, that administrator might be assigned both the Mail Recipients and
Unified Messaging roles.
To make it easier to assign multiple roles to an administrator, Exchange Online includes role groups. When a role
is assigned to a role group, the permissions granted by the role are granted to all the members of the role group.
This enables you to assign many roles to many role group members at once. Role groups typically encompass
broader management areas, such as recipient management. They're used only with administrative roles, and not
end-user roles. Role group members can be Exchange Online users and other role groups.
NOTE
It's possible to assign a role directly to a user without using a role group. However, that method of role assignment is an
advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions.
The following figure shows the relationship between users, role groups, and roles.
Roles, role groups, and role group members
Exchange Online includes several built-in role groups, each one providing permissions to manage specific areas in
Exchange Online. Some role groups may overlap with other role groups. The following table lists each role group
with a description of its use.
Built-in role groups
ROLE GROUP: DESCRIPTION
Help Desk: The Help Desk role group, by default, enables members to view and modify the Microsoft Outlook
Web App options of any user in the organization. These options might include modifying the user's display
name, address, and phone number. They don't include options that aren't available in Outlook Web App
options, such as modifying the size of a mailbox or configuring the mailbox database on which a mailbox is
located.
Help Desk Administrators (HelpdeskAdmins_<unique value>): The Help Desk Administrators role group doesn't
have any roles assigned to it. However, it's a member of the View-Only Organization Management role group
and inherits the permissions provided by that role group. This role group can't be managed in Exchange
Online. You can add members to this role group by adding users to the Password administrator Office 365
role.
Records Management: Users who are members of the Records Management role group can configure
compliance features, such as retention policy tags, message classifications, and mail flow rules (also known
as transport rules).
View-Only Organization Management: Administrators who are members of the View-Only Organization
Management role group can view the properties of any object in the Exchange Online organization.
Compliance Management: Users who are members of the Compliance Management role group are responsible
for compliance, to properly configure and manage compliance settings within Exchange in accordance with
their policy.
If you work in a small organization that has only a few administrators, you might need to add those administrators
to the Organization Management role group only, and you may never need to use the other role groups. If you
work in a larger organization, you might have administrators who perform specific tasks administering Exchange
Online, such as recipient or organization-wide Unified Messaging configuration. In those cases, you might add
one administrator to the Recipient Management role group, and another administrator to the UM Management
role group. Those administrators can then manage their specific areas of Exchange Online, but they won't have
permissions to manage areas they're not responsible for.
If the built-in role groups in Exchange Online don't match the job function of your administrators, you can create
role groups and add roles to them. For more information, see the Work with role groups section later in this topic.
Role assignment policies
Exchange Online provides role assignment policies so that you can control what settings your users can configure
on their own mailboxes and on distribution groups they own. These settings include their display name, contact
information, voice mail settings, and distribution group membership.
Your Exchange Online organization can have multiple role assignment policies that provide different levels of
permissions for the different types of users in your organizations. Some users can be allowed to change their
address or create distribution groups, while others can't, depending on the role assignment policy associated with
their mailbox. Role assignment policies are added directly to mailboxes, and each mailbox can only be associated
with one role assignment policy at a time.
Of the role assignment policies in your organization, one is marked as default. The default role assignment policy
is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're
created. The default role assignment policy should contain the permissions that should be applied to the majority
of your mailboxes.
Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant
permissions for users to manage only their mailbox or distribution groups they own. They can't be used to
manage any other mailbox. Only end-user roles can be assigned to role assignment policies.
When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role
assignment policy receive the permissions granted by the role. This enables you to add or remove permissions to
sets of users without having to configure individual mailboxes. The following figure shows:
End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-
user roles. For details about the end-user roles that are available in Exchange Online, see Role assignment
policies in Exchange Online.
Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role
assignment policy.
After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox.
The permissions granted by the roles are granted to the user of the mailbox.
Roles, role assignment policies, and mailboxes
The Default Role Assignment Policy role assignment policy is included with Exchange Online. As the name
implies, it's the default role assignment policy. If you want to change the permissions provided by this role
assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in
this topic.
NOTE
The user that was used to create your Office 365 tenant is automatically assigned to the Global administrator Office 365
role.
The following table lists the Office 365 roles and the Exchange Online role group they correspond to.
For a description of the Exchange Online role groups, see the table "Built-in role groups" in Role groups.
When you add a user to either the Global administrator or Password administrator Office 365 roles, the user is
granted the rights provided by the respective Exchange Online role group. Other Office 365 roles don't have a
corresponding Exchange Online role group and won't grant administrative permissions in Exchange Online. For
more information about assigning an Office 365 role to a user, see Assigning admin roles.
Users can be granted administrative rights in Exchange Online without adding them to Office 365 roles. This is
done by adding the user as a member of an Exchange Online role group. When a user is added directly to an
Exchange Online role group, they'll receive the permissions granted by that role group in Exchange Online.
However, they won't be granted any permissions to other Office 365 components. They'll have administrative
permissions only in Exchange Online. Users can be added to any of the role groups listed in the "Built-in role
groups" table in Role groups with the exception of the Company Administrator and Help Desk Administrators role
groups. For more information about adding a user directly to an Exchange Online role group, see Work with role
groups.
Exchange Online includes several role groups that separate permissions into specific administrative areas. If these
existing role groups provide the permissions your administrators need to manage your Exchange Online
organization, you need only add your administrators as members of the appropriate role groups. After you add
administrators to a role group, they can administer the features that relate to that role group. To add or remove
members to or from a role group, open the role group in the EAC, and then add or remove members from the
membership list. For a list of built-in role groups, see the table "Built-in role groups" in Role groups.
IMPORTANT
If an administrator is a member of more than one role group, Exchange Online grants the administrator all of the
permissions provided by the role groups he or she is a member of.
If none of the role groups included with Exchange Online have the permissions you need, you can use the EAC to
create a role group and add the roles that have the permissions you need. For your new role group, you will:
1. Choose a name for your role group.
2. Select the roles you want to add to the role group.
3. Add members to the role group.
4. Save the role group.
After you create the role group, you manage it like any other role group.
If there's an existing role group that has some, but not all, of the permissions you need, you can copy it and then
make changes to create a role group. You can copy an existing role group and make changes to it, without
affecting the original role group. As part of copying the role group, you can add a new name and description, add
and remove roles to and from the new role group, and add new members. When you create or copy a role group,
you use the same dialog box that's shown in the preceding figure.
Existing role groups can also be modified. You can add and remove roles from existing role groups, and add and
remove members from them at the same time, using an EAC dialog box similar to the one in the preceding figure. By
adding and removing roles to and from role groups, you turn on and off administrative features for members of
that role group.
NOTE
Although you can change which roles are assigned to built-in role groups, we recommend that you copy built-in role
groups, modify the role group copy, and then add members to the role group copy. The Company Administrator and Help
Desk Administrators role groups can't be copied or changed.
NOTE
If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If you clear the
check box for a role with child roles, the check boxes for the child roles are also cleared.
For detailed role assignment policy procedures, see Role assignment policies in Exchange Online.
Permissions documentation
The following table contains links to topics that will help you learn about and manage permissions in Exchange
Online.
| TOPIC | DESCRIPTION |
| --- | --- |
| Understanding Role Based Access Control | Learn about each of the components that make up RBAC and how you can create advanced permissions models if role groups and management roles aren't enough. |
| Manage role groups in Exchange Online | Configure permissions for Exchange Online administrators and specialist users using role groups, including adding and removing members to and from role groups. |
| Role assignment policies in Exchange Online | Configure which features end-users have access to on their mailboxes using role assignment policies, view, create, modify, and remove role assignment policies, specify the default role assignment policy, and apply role assignment policies to mailboxes. |
| View Effective Permissions | View who has permissions to administer Exchange Online features. |
| Feature permissions in Exchange Online | Learn more about the permissions required to manage Exchange Online features and services. |
Feature permissions in Exchange Online
3/4/2019 • 2 minutes to read
The permissions required to perform tasks to manage Microsoft Exchange Online vary depending on the
procedure being performed or the cmdlet you want to run.
For information about Exchange Online Protection (EOP) permissions, see Feature Permissions in EOP.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to
see its management roles. If a feature lists more than one role group, you only need to be assigned one of
the role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
A role group is a special kind of universal security group (USG) that's used in the Role Based Access Control
(RBAC) permissions model in Exchange Online. Management role groups simplify the assignment and
maintenance of permissions to users in Exchange Online. The members of the role group are assigned the same
set of roles, and you add and remove permissions from users by adding them to or removing them from the role
group. For more information about role groups in Exchange Online, see Permissions in Exchange Online.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.
Get-RoleGroup
This example returns detailed information for the role group named Recipient Administrators.
This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName
(DN) value for Julia, which you can find by running the command
Get-User -Identity Julia | Format-List DistinguishedName.
```
New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"
```
The Roles parameter specifies the management roles to assign to the role group by using the following
syntax: "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole
cmdlet.
The Members parameter specifies the members of the role group by using the following syntax:
"Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role
groups (security principals).
The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the
following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to
the role group. You can see the available custom recipient write scopes by using the
Get-ManagementScope cmdlet.
This example creates a new role group named "Limited Recipient Management" with the following settings:
The Mail Recipients and Mail Enabled Public Folders roles are assigned to the role group.
The users Kim and Martin are added as members. Because no custom recipient write scope was specified,
Kim and Martin can manage any recipient in the organization.
```
New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin"
```
This is the same example with a custom recipient write scope, which means Kim and Martin can only manage
recipients that are included in the Seattle Recipients scope (recipients who have their City property set to the value
Seattle).
```
New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"
```
The Members parameter specifies the members of the role group by using the following syntax:
"Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role
groups (security principals).
The ManagedBy parameter specifies the delegates who can modify and remove the role group by using
the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the
EAC.
The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply
to the role group. You can see the available custom recipient write scopes by using the
Get-ManagementScope cmdlet.
This example copies the Organization Management role group to the new role group named "Limited
Organization Management". The role group members are Isabelle, Carter, and Lukas and the role group delegates
are Jenny and Katie.
This example copies the Organization Management role group to the new role group called Vancouver
Organization Management with the Vancouver Users recipient custom recipient write scope.
```
New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]
```
The role assignment name is created automatically if you don't specify one.
If you don't use the RecipientRelativeWriteScope parameter, the implicit read scope and implicit write scope
of the role is applied to the role assignment.
If a predefined scope meets your business requirements, you can use the RecipientRelativeWriteScope
parameter to apply the scope to the role assignment.
To apply a custom recipient write scope, use the CustomRecipientWriteScope parameter.
This example assigns the Transport Rules management role to the Seattle Compliance role group.
This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization
predefined scope.
This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle
Recipients scope.
```
Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment
```
To remove regular role assignments that grant permissions to users, use the value $false for the
Delegating parameter.
To remove delegating role assignments that allow the role to be assigned to others, use the value $true for
the Delegating parameter.
This example removes the Distribution Groups role from the Seattle Recipient Administrators role group.
This example changes the recipient scope for all role assignments on the Sales Recipient Management role group
to Direct Sales Employees.
To change the scope on an individual role assignment between a role group and a management role, do the
following steps:
1. Replace <Role Group Name> with the name of the role group and run the following command to find the
names of all the role assignments on the role group:
2. Find the name of the role assignment you want to change. Use the name of the role assignment in the next
step.
3. To set the scope on the individual role assignment, use the following syntax:
This example changes the recipient scope for the role assignment named Mail Recipients_Sales Recipient
Management to All Sales Employees.
```
Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"
```
To replace the existing list of delegates with the values you specify, use the following syntax:
"Delegate1","Delegate2",..."DelegateN" .
To selectively modify the existing list of delegates, use the following syntax:
@{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...} .
This example replaces all current delegates of the Help Desk role group with the specified users.
This example adds Daigoro Akai and removes Valeria Barrio from the list of delegates on the Help Desk role
group.
To replace the existing list of members with the values you specify, use the following syntax:
"Member1","Member2",..."MemberN" .
To selectively modify the existing list of members, use the following syntax:
@{Add="Member1","Member2"...; Remove="Member3","Member4"...} .
This example replaces all current members of the Help Desk role group with the specified users.
This example adds Daigoro Akai and removes Valeria Barrio from the list of members on the Help Desk role
group.
In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the
following command to verify the settings:
This example removes the Vancouver Recipient Administrators role group. Because the user running the
command isn't defined in the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck
switch is required in the command. The user that's running the command is assigned the Role Management role,
which enables the user to bypass the security group manager check.
Get-RoleGroup
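Two points from the role group guidance above lend themselves to a routine review: members of more than one role group receive the combined permissions, and a role group created without a custom recipient write scope can manage any recipient in the organization. The following is an added example, not part of the original documentation; Get-RoleGroupExposure is a hypothetical helper name, the sample records are constructed, and the property names are those returned by Get-ManagementRoleAssignment.

```powershell
# Added example: least-privilege review of role group assignments.
# Get-RoleGroupExposure is a hypothetical helper, not an Exchange cmdlet.
function Get-RoleGroupExposure {
    param(
        [Parameter(Mandatory)] [object[]]  $Assignments,  # role assignments held by role groups
        [Parameter(Mandatory)] [hashtable] $Membership    # role group name -> member names
    )

    # 1. Regular (non-delegating) assignments with no custom recipient write
    #    scope: members can act on any recipient in the organization.
    $unscoped = @($Assignments | Where-Object {
        $_.RoleAssignmentDelegationType -eq 'Regular' -and
        [string]::IsNullOrEmpty($_.CustomRecipientWriteScope)
    })

    # 2. Invert the membership map so each user lists the role groups they are in.
    $byUser = @{}
    foreach ($group in $Membership.Keys) {
        foreach ($member in $Membership[$group]) {
            if (-not $byUser.ContainsKey($member)) { $byUser[$member] = @() }
            $byUser[$member] += $group
        }
    }

    # 3. Users in more than one role group hold the union of all roles.
    $cumulative = @(foreach ($user in ($byUser.Keys | Sort-Object)) {
        $groups = @($byUser[$user] | Sort-Object -Unique)
        if ($groups.Count -gt 1) {
            [pscustomobject]@{
                User       = $user
                RoleGroups = $groups
                Roles      = @($Assignments |
                    Where-Object { $groups -contains $_.RoleAssigneeName } |
                    Select-Object -ExpandProperty Role | Sort-Object -Unique)
            }
        }
    })

    [pscustomobject]@{ Unscoped = $unscoped; Cumulative = $cumulative }
}

# Constructed sample data. In a connected Exchange Online PowerShell session,
# build the same inputs from live data instead, for example:
#   $Assignments = Get-ManagementRoleAssignment -RoleAssigneeType RoleGroup
#   $Membership  = @{}
#   Get-RoleGroup | ForEach-Object { $Membership[$_.Name] = @((Get-RoleGroupMember -Identity $_.Name).Name) }
$Assignments = @(
    [pscustomobject]@{ RoleAssigneeName = 'Limited Recipient Management'; Role = 'Mail Recipients'
                       CustomRecipientWriteScope = $null; RoleAssignmentDelegationType = 'Regular' }
    [pscustomobject]@{ RoleAssigneeName = 'Limited Recipient Management'; Role = 'Mail Enabled Public Folders'
                       CustomRecipientWriteScope = $null; RoleAssignmentDelegationType = 'Regular' }
    [pscustomobject]@{ RoleAssigneeName = 'Seattle Recipient Admins'; Role = 'Message Tracking'
                       CustomRecipientWriteScope = 'Seattle Recipients'; RoleAssignmentDelegationType = 'Regular' }
    [pscustomobject]@{ RoleAssigneeName = 'Seattle Compliance'; Role = 'Transport Rules'
                       CustomRecipientWriteScope = $null; RoleAssignmentDelegationType = 'Regular' }
)
$Membership = @{
    'Limited Recipient Management' = 'Kim', 'Martin'
    'Seattle Recipient Admins'     = 'Isabelle'
    'Seattle Compliance'           = 'Kim', 'Carter'
}

$report = Get-RoleGroupExposure -Assignments $Assignments -Membership $Membership

# Assignments that reach every recipient because no custom write scope is set.
$report.Unscoped | Format-Table RoleAssigneeName, Role

# Users whose effective permissions span several role groups.
$report.Cumulative | Format-List User, RoleGroups, Roles
```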
Role assignment policies in Exchange Online
3/29/2019 • 13 minutes to read
A role assignment policy is a collection of one or more end-user roles that enable users to manage their mailbox
settings and distribution groups in Exchange Online. End-user roles are part of the role based access control
(RBAC) permissions model in Exchange Online. You can assign different role assignment policies to different users
to allow or prevent specific self-management features in Exchange Online. For more information, see Role
assignment policies.
In Exchange Online, a default role assignment policy named Default Role Assignment Policy is specified by the
mailbox plan that's assigned to users when their account is licensed. For more information about mailbox plans,
see Mailbox plans in Exchange Online.
Role assignment policies are how end-user roles (as opposed to management roles) are assigned to users in
Exchange Online. There are several ways you can use role assignment policies to assign permissions to users:
New users:
Change the end-user roles that are assigned to the default role assignment policy.
Create a custom role assignment policy and set it as the default. Note that this method only affects
mailboxes that you create without specifying a role assignment policy or assigning a license (the
license specifies the mailbox plan, which specifies the role assignment policy).
Specify a custom role assignment policy in the mailbox plan. For more information, see Use
Exchange Online PowerShell to modify mailbox plans.
Existing users:
Assign a different license to the user. This will apply the settings of the different mailbox plan, which
specifies the role assignment policy to apply.
Manually assign a custom role assignment policy to mailboxes.
The available end-user roles that you can assign to mailbox plans are described in the following table:
This example returns the roles that are assigned to the policy named Default Role Assignment Policy.
This example adds the role MyMailboxDelegation to the role assignment policy named Default Role Assignment
Policy.
This example removes the MyDistributionGroups role from the role assignment policy named Default Role
Assignment Policy.
This example creates a new role assignment policy named Contoso Contractors that includes the specified end-
user roles.
This example configures Contoso Users as the default role assignment policy.
This example removes the role assignment policy named Contoso Managers.
This example returns the role assignment policy for the mailbox named Pedro Pizarro.
To return all mailboxes that have a specific role assignment policy assigned, use the following syntax:
$<VariableName> = Get-Mailbox -ResultSize unlimited
This example returns all mailboxes that have the role assignment policy named Contoso Managers assigned.
This example applies the role assignment policy named Contoso Managers to the mailbox named Pedro Pizarro.
To change the assignment for all mailboxes that have a specific role assignment policy assigned, use the following
syntax:
This example changes the role assignment policy from Default Role Assignment Policy to Contoso Staff for all
mailboxes that currently have Default Role Assignment Policy assigned.
$Users = Get-Mailbox -ResultSize unlimited
In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following commands to verify the mailboxes that have the policy assigned:
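Before moving every mailbox from one role assignment policy to another, as described above, it helps to see which mailboxes are affected and which end-user roles they gain or lose. The following is an added example, not part of the original documentation; Get-PolicyChangeImpact is a hypothetical helper name, the sample policies and mailboxes are constructed, and the property names (RoleAssignmentPolicy, AssignedRoles) are those returned by Get-Mailbox and Get-RoleAssignmentPolicy.

```powershell
# Added example: preview the effect of moving mailboxes between role assignment policies.
# Get-PolicyChangeImpact is a hypothetical helper, not an Exchange cmdlet.
function Get-PolicyChangeImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Mailboxes,  # objects with Name, RoleAssignmentPolicy
        [Parameter(Mandatory)] [object[]] $Policies,   # objects with Name, AssignedRoles
        [Parameter(Mandatory)] [string]   $From,
        [Parameter(Mandatory)] [string]   $To
    )

    $old = $Policies | Where-Object { $_.Name -eq $From }
    $new = $Policies | Where-Object { $_.Name -eq $To }
    if (-not $old -or -not $new) {
        throw "Both policies must exist: '$From' and '$To'."
    }

    # Mailboxes that currently have the source policy assigned.
    $affected = @($Mailboxes | Where-Object { $_.RoleAssignmentPolicy -eq $From })

    [pscustomobject]@{
        Mailboxes   = @($affected | ForEach-Object { $_.Name })
        # Self-management features the users will newly be able to use.
        RolesGained = @($new.AssignedRoles | Where-Object { $old.AssignedRoles -notcontains $_ })
        # Self-management features the users will no longer have.
        RolesLost   = @($old.AssignedRoles | Where-Object { $new.AssignedRoles -notcontains $_ })
    }
}

# Constructed sample data. In a connected Exchange Online PowerShell session:
#   $Users    = Get-Mailbox -ResultSize unlimited
#   $Policies = Get-RoleAssignmentPolicy
$Policies = @(
    [pscustomobject]@{ Name = 'Default Role Assignment Policy'
                       AssignedRoles = 'MyBaseOptions', 'MyContactInformation', 'MyDistributionGroups' }
    [pscustomobject]@{ Name = 'Contoso Staff'
                       AssignedRoles = 'MyBaseOptions', 'MyContactInformation', 'MyMailboxDelegation' }
)
$Users = @(
    [pscustomobject]@{ Name = 'Pedro Pizarro'; RoleAssignmentPolicy = 'Default Role Assignment Policy' }
    [pscustomobject]@{ Name = 'Kim';           RoleAssignmentPolicy = 'Default Role Assignment Policy' }
    [pscustomobject]@{ Name = 'Martin';        RoleAssignmentPolicy = 'Contoso Managers' }
)

$impact = Get-PolicyChangeImpact -Mailboxes $Users -Policies $Policies `
    -From 'Default Role Assignment Policy' -To 'Contoso Staff'
$impact | Format-List Mailboxes, RolesGained, RolesLost

# Applying the change in a connected session. -WhatIf reports what would be
# changed without changing it; remove it once the preview above is acceptable.
#   $Users | Where-Object { $_.RoleAssignmentPolicy -eq 'Default Role Assignment Policy' } |
#       Set-Mailbox -RoleAssignmentPolicy 'Contoso Staff' -WhatIf
```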
Email has become a reliable and ubiquitous communication medium for information workers in organizations of
all sizes. Messaging stores and mailboxes have become repositories of valuable data. It's important for
organizations to formulate messaging policies that dictate the fair use of their messaging systems, provide user
guidelines for how to act on the policies, and where required, provide details about the types of communication
that may not be allowed.
Organizations must also create policies to manage email lifecycle, retain messages for the length of time based on
business, legal, and regulatory requirements, preserve email records for litigation and investigation purposes, and
be prepared to search and provide the required email records to fulfill eDiscovery requests.
Sensitive information such as intellectual property, trade secrets, business plans, and personally
identifiable information (PII) collected or handled by your organization must also be protected against leakage.
| FEATURE | DESCRIPTION |
| --- | --- |
| Archive mailboxes in Exchange Online | Archive mailboxes (called In-Place Archiving) let people in your Office 365 organization take control of messaging data by providing additional email storage. People can use Outlook or Outlook Web App to view messages in their archive mailbox and move or copy messages between their primary and archive mailboxes. |
| In-Place Hold and Litigation Hold | In-Place Hold and Litigation Hold allow you to preserve or archive mailbox content for compliance and eDiscovery. |
| Inactive mailboxes in Exchange Online | You can preserve the contents of deleted mailboxes indefinitely by using inactive mailboxes. You can make an inactive mailbox by placing an In-Place Hold or a Litigation Hold on the mailbox, and then deleting the corresponding Office 365 user account. In addition to preserving mailbox contents, administrators or compliance officers can use In-Place eDiscovery in Exchange Online or Content Search in the Office 365 Security & Compliance Center to search the contents of an inactive mailbox. |
| Data loss prevention (DLP) | Data loss prevention (DLP) helps you identify and monitor sensitive information, such as private identification numbers, credit card numbers, or standard forms used in your organization. You can set up DLP policies to notify users that they are sending sensitive information or block the transmission of sensitive information. |
| Exchange auditing reports | You can use the auditing functionality in Exchange Online to track changes made to your Exchange Online configuration by Microsoft and by your organization's administrators, and to audit mailbox access by persons other than the mailbox owner. In Exchange Online, audited actions are recorded and available to view in an online report or export to a file. |
| Messaging records management (MRM) | Messaging records management (MRM) helps your organization manage email lifecycle to meet business and regulatory requirements and reduce the legal risks associated with email. In Exchange Online, you can use In-Place Hold or Litigation Hold to preserve email and Retention tags and retention policies to archive and delete email. |
| Information Rights Management in Exchange Online | Information Rights Management (IRM) helps you and your users control who can access, forward, print, or copy sensitive data within an email. IRM can use your on-premises Active Directory Rights Management Services (AD RMS) server. |
| Office 365 Message Encryption | Office 365 Message Encryption allows you to send encrypted messages to people inside or outside your organization, regardless of the destination email service—whether it's Outlook.com, Yahoo, Gmail, or another service. Designated recipients can send encrypted replies. Office 365 Message Encryption combines email encryption and rights management capabilities. Rights management capabilities are powered by Azure Information Protection. |
| S/MIME for Message Signing and Encryption | Secure/Multipurpose Internet Mail Extensions (S/MIME) allows email users to help protect sensitive information by sending signed and encrypted email within their organization. As an administrator, you can enable S/MIME-based security for your organization if you have mailboxes in either Exchange Server or Exchange Online. |
| Journaling in Exchange Online | Journaling can help you meet legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. In Exchange Online, you can create journal rules to deliver journal reports to your on-premises mailbox or archiving system, or to an external archiving service. |
| Mail flow rules (transport rules) in Exchange Online | You can use mail flow rules (also known as transport rules) to inspect messages sent or received by your users and take actions such as blocking or bouncing a message, holding it for review by a manager or an administrator or delivering a copy to another recipient if the message matches specified conditions. |
Modify archive policies
3/4/2019 • 4 minutes to read
In Exchange Online, you can use archive policies to automatically move mailbox items to personal (on-premises) or
cloud-based archives. Archive policies are retention tags that use the Move to Archive retention action.
Exchange Setup creates a retention policy called Default MRM Policy. This policy has a default policy tag (DPT)
assigned that moves items to the archive mailbox after two years. The policy also includes a number of personal
tags that users can apply to folders or mailbox items to automatically move or delete messages. If a mailbox
doesn't have a retention policy assigned when it's archive-enabled, the Default MRM Policy is automatically
applied to it by Exchange. You can also create your own archive and retention policies and apply them to mailbox
users. To learn more, see Retention tags and retention policies.
You can modify retention tags included in the default policy to meet your business requirements. For example, you
can modify the archive DPT to move items to the archive after three years instead of two. You can also create
additional personal tags and either add them to a retention policy, including the Default MRM Policy, or allow
users to add personal tags to their mailboxes from Outlook Web App Options.
For additional management tasks related to archives, see Enable or disable an archive mailbox in Exchange Online.
NOTE
In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If you
assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved to the
archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold, an archive
policy will still move items to the cloud-based archive mailbox where they are preserved for the duration specified by the
hold.
3. In Retention Tag, view or modify the following settings, and then click Save:
Name: Use this box at the top of the page to view or change the tag name.
Retention tag type: This read-only field displays the tag type.
Retention action: Don't modify this field for archive policies.
Retention period: Select one of the following options:
Never: Click this button to disable the tag. If the DPT is disabled, the tag is no longer applied to the mailbox.
IMPORTANT
Items that have a disabled retention tag applied aren't processed by the Mailbox Assistant. If you want to prevent a
tag from being applied to items, we recommend disabling the tag rather than deleting it. When you delete a tag, the
tag configuration is deleted from Active Directory, and the Mailbox Assistant processes all messages to remove the
deleted tag.
NOTE
If a user applies a tag to an item believing the item will never be moved, enabling the tag later may move items the
user wanted to retain in the primary mailbox.
When the item reaches the following age (in days): Click this button to specify that items be moved to
archive after a certain period. By default, this setting is configured to move items to the archive after two
years (730 days). To modify this setting, in the corresponding text box, type the number of days in the
retention period. The range of values is from 1 through 24,855 days.
Comment: Use this box to type a comment that will be displayed to Outlook and Outlook Web App users.
```
Set-RetentionPolicyTag "Default 2 year move to archive" -Name "Default 3 year move to archive" -AgeLimitForRetention 1095
```
This example retrieves all archive DPTs and personal tags and disables them.
For detailed syntax and parameter information, see Set-RetentionPolicyTag and Get-RetentionPolicyTag.
How do you know this worked?
Use the Get-RetentionPolicyTag cmdlet to retrieve settings of the retention tag.
This command retrieves properties of the Default 2 year move to archive retention tag and pipes the output to the
Format-List cmdlet to display all properties in a list format.
NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place Holds in Exchange Online (in Office 365 and Exchange
Online standalone plans). But later this year or early next year, you won't be able to create new In-Place Holds in Exchange
Online. As an alternative to using In-Place Holds, you can use eDiscovery cases or Office 365 retention policies in the Office
365 Security & Compliance Center. After we decommission new In-Place Holds, you'll still be able to modify existing In-
Place Holds, and creating new In-Place Holds in an Exchange hybrid deployment will still be supported. And, you'll still be
able to place mailboxes on Litigation Hold.
When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored
information (ESI), including email that's relevant to the case. This expectation often exists before the specifics of
the case are known, and preservation is often broad. Organizations may need to preserve all email related to a
specific topic or all email for certain individuals. Depending on the organization's electronic discovery
(eDiscovery) practices, the following measures can be adopted to preserve email:
End users may be asked to preserve email by not deleting any messages. However, users can still delete
email knowingly or inadvertently.
Automated deletion mechanisms such as messaging records management (MRM) may be suspended.
This could result in large volumes of email cluttering the user mailbox, and thus impacting user
productivity. Suspending automated deletion also doesn't prevent users from manually deleting email.
Some organizations copy or move email to an archive to make sure it isn't deleted, altered, or tampered
with. This increases costs due to the manual efforts required to copy or move messages to an archive, or
third-party products used to collect and store email outside Exchange.
Failure to preserve email can expose an organization to legal and financial risks such as scrutiny of the
organization's records retention and discovery processes, adverse legal judgments, sanctions, or fines.
You can use In-Place Hold or Litigation Hold to accomplish the following goals:
Place user mailboxes on hold and preserve mailbox items immutably.
Preserve mailbox items deleted by users or automatic deletion processes such as MRM.
Use query-based In-Place Hold to search for and retain items matching specified criteria.
Preserve items indefinitely or for a specific duration.
Place a user on multiple holds for different cases or investigations.
Keep holds transparent from the user by not having to suspend MRM.
Enable In-Place eDiscovery searches of items placed on hold.
IMPORTANT
Items that are marked as unsearchable, generally because of failure to index an attachment, are also preserved
because it can't be determined whether they match query parameters. For more details about partially indexed
items, see Partially indexed items in Content Search in Office 365.
Time-based hold: Both In-Place Hold and Litigation Hold allow you to specify a duration of time for
which to hold items. The duration is calculated from the date a mailbox item is received or created.
If your organization requires that all mailbox items be preserved for a specific period, for example 7 years,
you can create a time-based hold so that items on hold are retained for a specific period of time. For
example, consider a mailbox that's placed on a time-based In-Place Hold and has a retention period set to
365 days. If an item in that mailbox is deleted after 300 days from the date it was received, it's held for an
additional 65 days before being permanently deleted. You can use a time-based In-Place Hold in
conjunction with a retention policy to make sure items are preserved for the specified duration and
permanently removed after that period.
You can use In-Place Hold to place a user on multiple holds. When a user is placed on multiple holds, the search
queries from any query-based hold are combined (with OR operators). In this case, the maximum number of
keywords in all query-based holds placed on a mailbox is 500. If there are more than 500 keywords, then all
content in the mailbox is placed on hold (not just that content that matches the search criteria). All content is held
until the total number of keywords is reduced to 500 or less.
NOTE
When you place a mailbox on In-Place Hold or Litigation Hold, the hold is placed on both the primary and the archive
mailbox. If you place an on-premises primary mailbox on hold in an Exchange hybrid deployment, the cloud-based archive
mailbox (if enabled) is also placed on hold.
NOT(subject:HierarchySync*)
The result is that any message (related to the synchronization of the public folder hierarchy) that contains the
phrase "HierarchySync" in the subject line is not placed on hold.
Items other than messages and posts Any change to a visible property, except the following:
Item location (when an item is moved between folders)
Item status change (read or unread)
Changes to retention tag applied to an item
Items in the default folder Drafts None (items in the Drafts folder are exempt from copy on
write)
IMPORTANT
Copy-on-write is disabled for calendar items in the organizer's mailbox when meeting responses are received from
attendees and the tracking information for the meeting is updated. For calendar items and items that have a reminder set,
copy-on-write is disabled for the ReminderTime and ReminderSignalTime properties. Changes to these properties are not
captured by copy-on-write. Changes to RSS feeds aren't captured by copy-on-write.
Although the DiscoveryHold, Purges, and Versions folders aren't visible to the user, all items in the Recoverable
Items folder are indexed by Exchange Search and are discoverable using In-Place eDiscovery. After a mailbox
user is removed from In-Place Hold or Litigation Hold, items in the DiscoveryHold, Purges, and Versions folders
are purged by the Managed Folder Assistant.
NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place Holds in Exchange Online (in Office 365 and Exchange
Online standalone plans). But later this year or early next year, you won't be able to create new In-Place Holds in Exchange
Online. As an alternative to using In-Place Holds, you can use eDiscovery cases or retention policies in the Office 365
Security & Compliance Center. After we decommission new In-Place Holds, you'll still be able to modify existing In-Place
Holds, and creating new In-Place Holds in Exchange Server and Exchange hybrid deployments will still be supported. And,
you'll still be able to place mailboxes on Litigation Hold.
An In-Place Hold preserves all mailbox content, including deleted items and original versions of modified items.
All such mailbox items are returned in an In-Place eDiscovery search. When you place an In-Place Hold on a user's
mailbox, the contents in the corresponding archive mailbox (if it's enabled) are also placed on hold, and
returned in an eDiscovery search.
Search all mailboxes: You can't select this option to create an In-Place Hold. You can select this option for
In-Place eDiscovery searches, but to create an In-Place Hold, you must select the specific mailboxes that
you want to place on hold.
Don't search any mailboxes: Select this option when you're creating an In-Place Hold exclusively for
public folders.
Specify mailboxes to search: Select this option and then click Add to select the mailboxes or
distribution groups that you want to place on hold. In Exchange Online, you can also select Office 365
groups to place on hold.
Search all public folders: In Exchange Online, you can select this checkbox to place all public folders in
your organization on hold. As previously explained, to create an In-Place Hold only for public folders, be
sure to select the Don't search any mailboxes option.
5. On the Search query page, complete the following fields, and then click Next:
Include all user mailbox content: Click this button to place all content in selected mailboxes on hold.
Filter based on criteria: Click this button to specify search criteria, including keywords, start and end
dates, sender and recipient addresses, and message types. When you create a query-based hold, only items
that match the search criteria are preserved.
TIP
When you place public folders on In-Place Hold, email messages related to the public folder hierarchy
synchronization process are also preserved. This might result in thousands of hierarchy synchronization-related email
items being preserved. These messages can fill up the storage quota for the Recoverable Items folder on public folder
mailboxes. To prevent this, you can create a query-based In-Place Hold and add the following property:value pair
to the search query: NOT(subject:HierarchySync*)
The result is that any message (related to the synchronization of the public folder hierarchy) that contains the
phrase "HierarchySync" in the subject line is not placed on hold.
6. On the In-Place Hold settings page, select the Place content matching the search query in selected
mailboxes on hold check box and then select one of the following options:
Hold indefinitely: Click this button to place items returned by the search on an indefinite hold. Items on
hold will be preserved until you remove the mailbox from the search or remove the search.
Specify number of days to hold items relative to their received date: Click this button to hold items
for a specific period. For example, you can use this option if your organization requires that all messages be
retained for at least seven years. You can use a time-based In-Place Hold along with a retention policy to
make sure items are deleted in seven years. To learn more about retention policies, see Retention tags and
retention policies.
Use Exchange Online PowerShell to create an In-Place Hold
This example creates an In-Place Hold named Hold-CaseId012 and adds the mailbox joe@contoso.com to the
hold.
IMPORTANT
If you don't specify additional search parameters for an In-Place Hold, all items in the specified source mailboxes are placed
on hold. If you don't specify the ItemHoldPeriod parameter, items are placed on hold indefinitely or until the mailbox is
either removed from hold or the hold is deleted.
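The hold described above, together with a narrower variant that shows the effect of the IMPORTANT note, as an added example (not the page's own code block). The hold name and mailbox come from the page; the second hold's name, query, and dates are constructed, and a connected Exchange PowerShell session with rights to create In-Place Holds is assumed.

```powershell
# 1. The hold as described on the page. No -SearchQuery and no -ItemHoldPeriod are given,
#    so every item in the mailbox is preserved, indefinitely.
New-MailboxSearch -Name 'Hold-CaseId012' `
    -SourceMailboxes 'joe@contoso.com' `
    -InPlaceHoldEnabled $true

# 2. Alternative (constructed): a query-based, time-based hold on the same mailbox.
#    Only items matching the query are preserved, each for 2555 days (about seven years)
#    from its received date. Operators are capitalized and grouped with explicit parentheses.
New-MailboxSearch -Name 'Hold-CaseId012-Scoped' `
    -SourceMailboxes 'joe@contoso.com' `
    -SearchQuery '(merger OR acquisition) AND (contract OR agreement)' `
    -StartDate ([datetime]'2018-01-01') `
    -ItemHoldPeriod 2555 `
    -InPlaceHoldEnabled $true

# 3. Review what each hold actually covers before relying on it.
Get-MailboxSearch |
    Where-Object { $_.InPlaceHoldEnabled } |
    Format-List Name, InPlaceHoldEnabled, ItemHoldPeriod, SearchQuery, SourceMailboxes, InPlaceHoldIdentity

# 4. Confirm the hold is recorded on the mailbox itself. This returns True once the
#    hold identity has been stamped on the mailbox.
$hold = Get-MailboxSearch -Identity 'Hold-CaseId012'
(Get-Mailbox -Identity 'joe@contoso.com').InPlaceHolds -contains $hold.InPlaceHoldIdentity
```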
NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place eDiscovery searches in Exchange Online (in Office 365
and Exchange Online standalone plans). But later this year or early next year, you won't be able to create new searches in
Exchange Online. To create eDiscovery searches, please start using Content Search in the Office 365 Security & Compliance
Center. After we decommission new In-Place eDiscovery searches, you'll still be able to modify existing In-Place eDiscovery
searches, and creating new In-Place eDiscovery searches in Exchange Server and Exchange hybrid deployments will still be
supported.
If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or
lawsuits), In-Place eDiscovery in Microsoft Exchange Server and Exchange Online can help you perform
discovery searches for relevant content within mailboxes. Exchange Server and Exchange Online also offer
federated search capability and integration with Microsoft SharePoint 2013 and Microsoft SharePoint Online.
Using the eDiscovery Center in SharePoint, you can search for and hold all content related to a case, including
SharePoint 2013 and SharePoint Online websites, documents, file shares indexed by SharePoint (SharePoint
2013 only), mailbox content in Exchange, and archived Lync 2013 content. You can also use In-Place eDiscovery
in an Exchange hybrid environment to search on-premises and cloud-based mailboxes in the same search.
IMPORTANT
In-Place eDiscovery is a powerful feature that allows a user with the correct permissions to potentially gain access to all
messaging records stored throughout the Exchange Server or Exchange Online organization. It's important to control and
monitor discovery activities, including addition of members to the Discovery Management role group, assignment of the
Mailbox Search management role, and assignment of mailbox access permission to discovery mailboxes.
Auditing of RBAC role changes, which is enabled by default, makes sure that adequate records are kept to track
assignment of the Discovery Management role group. You can use the administrator role group report to search
for changes made to administrator role groups. For more information, see Search the role group changes or
administrator audit logs.
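One way to monitor the three discovery-related changes named in the IMPORTANT note above, as an added example that is not part of the original page. The function names are hypothetical, the entry shape follows Search-AdminAuditLog output, and the sample entries and addresses are constructed so the block runs without a connection.

```powershell
function Get-AuditParameter {
    param($Entry, [string]$Name)
    # Value of one named cmdlet parameter in an audit entry, or $null if it was not supplied.
    ($Entry.CmdletParameters | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).Value
}

function Find-DiscoveryAccessChange {
    param(
        [Parameter(Mandatory)][object[]]$AuditEntry,
        # Names of the organization's discovery mailboxes (assumption: supplied by the caller).
        [string[]]$DiscoveryMailbox = @('Discovery Search Mailbox')
    )
    foreach ($entry in $AuditEntry) {
        $reason = $null
        switch ($entry.CmdletName) {
            { $_ -in 'Add-RoleGroupMember', 'Update-RoleGroupMember' } {
                if ($entry.ObjectModified -like '*Discovery Management*') {
                    $reason = 'Discovery Management membership changed'
                }
            }
            'New-ManagementRoleAssignment' {
                if ((Get-AuditParameter $entry 'Role') -eq 'Mailbox Search') {
                    $reason = 'Mailbox Search role assigned'
                }
            }
            'Add-MailboxPermission' {
                $target = [string]$entry.ObjectModified
                $isDiscovery = $DiscoveryMailbox | Where-Object {
                    $target -like ('*' + [System.Management.Automation.WildcardPattern]::Escape($_) + '*')
                }
                if ($isDiscovery -and ((Get-AuditParameter $entry 'AccessRights') -match 'FullAccess')) {
                    $reason = 'Full Access granted on a discovery mailbox'
                }
            }
        }
        if ($reason) {
            # The account that received the access, whichever parameter carried it.
            $grantee = foreach ($p in 'Member', 'Members', 'User', 'SecurityGroup') {
                $v = Get-AuditParameter $entry $p
                if ($v) { $v; break }
            }
            [pscustomobject]@{
                RunDate = $entry.RunDate
                Caller  = $entry.Caller
                Cmdlet  = $entry.CmdletName
                Target  = $entry.ObjectModified
                Grantee = $grantee
                Reason  = $reason
            }
        }
    }
}

# Constructed sample entries (not real audit data).
function New-SampleAuditEntry {
    param([string]$Cmdlet, [string]$Object, [string]$Caller, [hashtable]$Parameters)
    [pscustomobject]@{
        RunDate          = [datetime]'2019-03-04T10:00:00'
        Caller           = $Caller
        CmdletName       = $Cmdlet
        ObjectModified   = $Object
        CmdletParameters = @($Parameters.GetEnumerator() | ForEach-Object {
            [pscustomobject]@{ Name = $_.Key; Value = $_.Value }
        })
    }
}

$sample = @(
    New-SampleAuditEntry 'Add-RoleGroupMember' 'Discovery Management' 'admin1@contoso.com' @{ Member = 'user7@contoso.com' }
    New-SampleAuditEntry 'Add-RoleGroupMember' 'Help Desk' 'admin1@contoso.com' @{ Member = 'user8@contoso.com' }
    New-SampleAuditEntry 'New-ManagementRoleAssignment' 'Mailbox Search-user9' 'admin2@contoso.com' @{ Role = 'Mailbox Search'; User = 'user9@contoso.com' }
    New-SampleAuditEntry 'Add-MailboxPermission' 'Discovery Search Mailbox' 'admin2@contoso.com' @{ User = 'user9@contoso.com'; AccessRights = 'FullAccess' }
    New-SampleAuditEntry 'Add-MailboxPermission' 'joe@contoso.com' 'admin2@contoso.com' @{ User = 'user9@contoso.com'; AccessRights = 'FullAccess' }
)

# The Help Desk change and the grant on an ordinary mailbox are not reported.
Find-DiscoveryAccessChange -AuditEntry $sample | Format-Table -AutoSize

# Live use, where Search-AdminAuditLog is available to the caller:
# $entries = Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Cmdlets Add-RoleGroupMember, Update-RoleGroupMember, New-ManagementRoleAssignment, Add-MailboxPermission
# Find-DiscoveryAccessChange -AuditEntry $entries `
#     -DiscoveryMailbox (Get-Mailbox -RecipientTypeDetails DiscoveryMailbox).Name
```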
Discovery mailboxes
After you create an In-Place eDiscovery search, you can copy the search results to a target mailbox. The EAC
allows you to select a discovery mailbox as the target mailbox. A discovery mailbox is a special type of mailbox
that provides the following functionality:
Easier and secure target mailbox selection: When you use the EAC to copy In-Place eDiscovery search
results, only discovery mailboxes are made available as a repository in which to store search results. You
don't need to sort through a potentially long list of mailboxes available in the organization. This also
eliminates the possibility of a discovery manager accidentally selecting another user's mailbox or an
unsecured mailbox in which to store potentially sensitive messages.
Large mailbox storage quota: The target mailbox should be able to store a large amount of message
data that may be returned by an In-Place eDiscovery search. By default, discovery mailboxes have a
mailbox storage quota of 50 gigabytes (GB). This storage quota can't be increased.
More secure by default: Like all mailbox types, a discovery mailbox has an associated Active Directory
user account. However, this account is disabled by default. Only users explicitly authorized to access a
discovery mailbox have access to it. Members of the Discovery Management role group are assigned Full
Access permissions to the default discovery mailbox. Any additional discovery mailboxes you create don't
have mailbox access permissions assigned to any user.
Email delivery disabled: Although visible in Exchange address lists, users can't send email to a discovery
mailbox. Email delivery to discovery mailboxes is prohibited by using delivery restrictions. This preserves
the integrity of search results copied to a discovery mailbox.
Exchange Setup creates one discovery mailbox with the display name Discovery Search Mailbox. You can use
Exchange Online PowerShell to create additional discovery mailboxes. By default, the discovery mailboxes you
create won't have any mailbox access permissions assigned. You can assign Full Access permissions for a
discovery manager to access messages copied to a discovery mailbox. For details, see Create a discovery mailbox.
In-Place eDiscovery also uses a system mailbox with the display name
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} to hold In-Place eDiscovery metadata. System mailboxes aren't visible in the EAC or in
Exchange address lists. In on-premises organizations, before removing a mailbox database where the In-Place
eDiscovery system mailbox is located, you must move the mailbox to another mailbox database. If the mailbox is
removed or corrupted, your discovery managers are unable to perform eDiscovery searches until you re-create
the mailbox. For details, see Re-Create the Discovery System Mailbox.
NOTE
In on-premises organizations, you can use In-Place eDiscovery to search mailboxes located on Exchange Server Mailbox
servers. To search mailboxes located on Exchange 2010 Mailbox servers, use Multi-Mailbox Search on an Exchange 2010
server.
In a hybrid deployment, which is an environment where some mailboxes exist on your on-premises Mailbox
servers and some mailboxes exist in a cloud-based organization, you can perform In-Place eDiscovery searches of your
cloud-based mailboxes using the EAC in your on-premises organization. If you intend to copy messages to a discovery
mailbox, you must select an on-premises discovery mailbox. Messages from cloud-based mailboxes that are returned in
search results are copied to the specified on-premises discovery mailbox. To learn more about hybrid deployments, see
Exchange Server Hybrid Deployments.
The In-Place eDiscovery & Hold wizard in the EAC allows you to create an In-Place eDiscovery search and
also use In-Place Hold to place search results on hold. When you create an In-Place eDiscovery search, a search
object is created in the In-Place eDiscovery system mailbox. This object can be manipulated to start, stop, modify,
and remove the search. After you create the search, you can choose to get an estimate of search results, which
includes keyword statistics that help you determine query effectiveness. You can also do a live preview of items
returned in the search, allowing you to view message content, the number of messages returned from each
source mailbox and the total number of messages. You can use this information to further fine-tune your query if
required.
When satisfied with the search results, you can copy them to a discovery mailbox. You can also use the EAC or
Outlook to export a discovery mailbox or some of its content to a PST file.
When creating an In-Place eDiscovery search, you must specify the following parameters:
Name: The search name is used to identify the search. When you copy search results to a discovery
mailbox, a folder is created in the discovery mailbox using the search name and the timestamp to uniquely
identify search results in a discovery mailbox.
Mailboxes: You can choose to search all mailboxes in your Exchange Server or Exchange Online
organization or specify the mailboxes to search. A user's primary and archive mailboxes are included in the
search. If you also want to use the same search to place items on hold, you must specify the mailboxes. You
can specify a distribution group to include mailbox users who are members of that group. Membership of
the group is calculated once when creating the search and subsequent changes to group membership are
not automatically reflected in the search.
In Exchange Online, you can also specify Office 365 groups as a content source so that the group mailbox
is searched (or placed on hold). When you add an Office 365 group to an In-Place eDiscovery search, only
the group mailbox is searched; the mailboxes of the group members aren't searched.
Search query: You can either include all mailbox content from the specified mailboxes or use a search
query to return items that are more relevant to the case or investigation. You can specify the following
parameters in a search query:
Keywords: You can specify keywords and phrases to search message content. You can also use the
logical operators AND, OR, and NOT. Additionally, Exchange Server also supports the NEAR
operator, allowing you to search for a word or phrase that's in proximity to another word or phrase.
To search for an exact match of a multiple word phrase, you must enclose the phrase in quotation
marks. For example, searching for the phrase "plan and competition" returns messages that contain
an exact match of the phrase, whereas specifying plan AND competition returns messages that
contain the words plan and competition anywhere in the message.
Exchange Server also supports the Keyword Query Language (KQL) syntax for In-Place eDiscovery
searches.
NOTE
In-Place eDiscovery does not support regular expressions.
You must capitalize logical operators such as AND and OR for them to be treated as operators
instead of keywords. We recommend that you use explicit parentheses for any query that mixes
multiple logical operators to avoid mistakes or misinterpretations. For example, if you want to
search for messages that contain either WordA or WordB AND either WordC or WordD, you must
use (WordA OR WordB) AND (WordC OR WordD).
Start and End dates: By default, In-Place eDiscovery doesn't limit searches by a date range. To
search messages sent during a specific date range, you can narrow the search by specifying the start
and end dates. If you don't specify an end date, the search will return the latest results every time
you restart it.
Senders and recipients: To narrow down the search, you can specify the senders or recipients of
messages. You can use email addresses, display names, or the name of a domain to search for items
sent to or from everyone in the domain. For example, to find email sent by or sent to anyone at
Contoso, Ltd, specify @contoso.com in the From or the To/cc field in the EAC. You can also
specify @contoso.com in the Senders or Recipients parameters in Exchange Online PowerShell.
Message types: By default, all message types are searched. You can restrict the search by selecting
specific message types such as email, contacts, documents, journal, meetings, notes and Lync
content.
The following screenshot shows an example of a search query in the EAC.
When using In-Place eDiscovery, also consider the following:
Attachments: In-Place eDiscovery searches attachments supported by Exchange Search. For details, see
Default Filters for Exchange Search. In on-premises deployments, you can add support for additional file
types by installing search filters (also known as an iFilter) for the file type on Mailbox servers.
Unsearchable items: Unsearchable items are mailbox items that can't be indexed by Exchange Search.
Reasons they can't be indexed include the lack of an installed search filter for an attached file, a filter error,
and encrypted messages. For a successful eDiscovery search, your organization may be required to include
such items for review. When copying search results to a discovery mailbox or exporting them to a PST file,
you can include unsearchable items. For more information, see Unsearchable Items in Exchange
eDiscovery.
Encrypted items: Because messages encrypted using S/MIME aren't indexed by Exchange Search,
In-Place eDiscovery doesn't search these messages. If you select the option to include unsearchable items in
search results, these S/MIME encrypted messages are copied to the discovery mailbox.
IRM-protected items: Messages protected using Information Rights Management (IRM) are indexed by
Exchange Search and therefore included in the search results if they match query parameters. Messages
must be protected by using an Active Directory Rights Management Services (AD RMS) cluster in the
same Active Directory forest as the Mailbox server. For more information, see Information Rights
Management.
IMPORTANT
When Exchange Search fails to index an IRM-protected message, either due to a decryption failure or because IRM
is disabled, the protected message isn't added to the list of failed items. If you select the option to include
unsearchable items in search results, the results may not include IRM-protected messages that could not be
decrypted.
To include IRM-protected messages in a search, you can create another search to include messages
with .rpmsg attachments. You can use the query string attachment:rpmsg to search all IRM-protected messages
in the specified mailboxes, whether successfully indexed or not. This may result in some duplication of search results
in scenarios where one search returns messages that match the search criteria, including IRM-protected messages
that have been indexed successfully. The search doesn't return IRM-protected messages that couldn't be indexed.
Performing a second search for all IRM-protected messages also includes the IRM-protected messages that were
successfully indexed and returned in the first search. Additionally, the IRM-protected messages returned by the
second search may not match the search criteria such as keywords used for the first search.
De-duplication: When copying search results to a discovery mailbox, you can enable de-duplication of
search results to copy only one instance of a unique message to the discovery mailbox. De-duplication has
the following benefits:
Lower storage requirement and smaller discovery mailbox size due to reduced number of messages
copied.
Reduced workload for discovery managers, legal counsel, or others involved in reviewing search
results.
Reduced cost of eDiscovery, depending on the number of duplicate items excluded from search
results.
NOTE
In Exchange Server and Exchange Online, keyword statistics also include statistics for non-keyword properties such as dates,
message types, and senders/recipients specified in a search query.
You can also preview the search results to further ensure that messages returned contain the content you're
searching for and further fine-tune the query if required. eDiscovery Search Preview displays the number of
messages returned from each mailbox searched and the total number of messages returned by the search. The
preview is generated quickly without requiring you to copy messages to a discovery mailbox.
After you're satisfied with the quantity and quality of search results, you can copy them to a discovery mailbox.
When copying messages, you have the following options:
Include unsearchable items: For details about the types of items that are considered unsearchable, see
the eDiscovery search considerations in the previous section.
Enable de-duplication: De-duplication reduces the dataset by only including a single instance of a
unique record if multiple instances are found in one or more mailboxes searched.
Enable full logging: By default, only basic logging is enabled when copying items. You can select full
logging to include information about all records returned by the search.
Send me mail when the copy is completed: An In-Place eDiscovery search can potentially return a
large number of records. Copying the messages returned to a discovery mailbox can take a long time. Use
this option to get an email notification when the copying process is completed. For easier access using
Outlook Web App, the notification includes a link to the location in a discovery mailbox where the
messages are copied.
For more information, see Copy eDiscovery Search Results to a Discovery Mailbox.
After search results are exported to a PST file, you or other users can open them in Outlook to review or print
messages returned in the search results. For more information, see Export eDiscovery search results to a PST file.
NOTE
When using Exchange Online PowerShell to create or modify an In-Place eDiscovery search, you can also disable logging.
Besides the search log included when copying search results to a discovery mailbox, Exchange also logs cmdlets
used by the EAC or Exchange Online PowerShell to create, modify or remove In-Place eDiscovery searches. This
information is logged in the admin audit log entries. For details, see Administrator Audit Logging.
IMPORTANT
In Exchange Online, In-Place eDiscovery can search content in inactive mailboxes. Inactive mailboxes are mailboxes that are
placed on In-Place Hold or litigation hold and then removed. Inactive mailboxes are preserved as long as they're placed on
hold. When an inactive mailbox is removed from In-Place Hold or when litigation hold is disabled, it is permanently deleted.
For details, see Manage Inactive Mailboxes in Exchange Online.
In on-premises deployments, if your organization requires that retention settings be applied to messages of
employees who are no longer in the organization or if you may need to retain an ex-employee's mailbox for an
ongoing or future eDiscovery search, do not disable or remove the mailbox. You can take the following steps to
ensure the mailbox can't be accessed and no new messages are delivered to it.
1. Disable the Active Directory user account using Active Directory Users & Computers or other Active
Directory or account provisioning tools or scripts. This prevents mailbox logon using the associated user
account.
IMPORTANT
Users with Full Access mailbox permission will still be able to access the mailbox. To prevent access by others, you
must remove their Full Access permission from the mailbox. For information about how to remove Full Access
mailbox permissions on a mailbox, see Manage permissions for recipients.
2. Set the message size limit for messages that can be sent from or received by the mailbox user to a very
low value, 1 KB for example. This prevents delivery of new mail to and from the mailbox. For details, see
Configure Message Size Limits for a Mailbox.
3. Configure delivery restrictions for the mailbox so nobody can send messages to it. For details, see
Configure message delivery restrictions for a mailbox.
IMPORTANT
You must take the above steps along with any other account management processes required by your organization, but
without disabling or removing the mailbox or removing the associated user account.
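The three lock-down steps above as an Exchange Management Shell sequence for an on-premises organization; this is an added example, not the page's own code. The mailbox address is a constructed placeholder, the ActiveDirectory module is assumed to be installed, and restricting accepted senders to the mailbox itself is one assumed way to implement step 3.

```powershell
Import-Module ActiveDirectory

# Constructed placeholder for the departed user's mailbox.
$mbx = Get-Mailbox -Identity 'former.employee@contoso.com'

# Step 1: disable the Active Directory account so nobody can log on to the mailbox with it.
# The account and the mailbox themselves are kept.
Disable-ADAccount -Identity $mbx.SamAccountName

# Step 1 (IMPORTANT note): remove explicit Full Access grants held by other users.
# Inherited entries and the mailbox's own SELF entry are left alone.
Get-MailboxPermission -Identity $mbx.DistinguishedName |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        ($_.AccessRights -match 'FullAccess')
    } |
    ForEach-Object {
        Remove-MailboxPermission -Identity $mbx.DistinguishedName `
            -User $_.User.ToString() -AccessRights FullAccess -Confirm:$false
    }

# Step 2: very low size limits for messages sent from or received by the mailbox.
Set-Mailbox -Identity $mbx.DistinguishedName -MaxSendSize 1KB -MaxReceiveSize 1KB

# Step 3: delivery restriction. Only the (now disabled) mailbox itself is an accepted sender,
# and unauthenticated senders are rejected.
Set-Mailbox -Identity $mbx.DistinguishedName `
    -AcceptMessagesOnlyFrom $mbx.DistinguishedName `
    -RequireSenderAuthenticationEnabled $true

# Verify the end state.
Get-ADUser -Identity $mbx.SamAccountName | Select-Object SamAccountName, Enabled
Get-Mailbox -Identity $mbx.DistinguishedName |
    Format-List Name, MaxSendSize, MaxReceiveSize, AcceptMessagesOnlyFrom, RequireSenderAuthenticationEnabled
Get-MailboxPermission -Identity $mbx.DistinguishedName |
    Where-Object { -not $_.IsInherited } |
    Format-Table User, AccessRights, Deny -AutoSize
```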
When planning to implement mailbox retention for messaging retention management (MRM) or In-Place
eDiscovery, you must take employee turnover into consideration. Long-term retention of ex-employee mailboxes
will require additional storage on Mailbox servers and also result in an increase in the size of the Active Directory
database because it requires that the associated user account be retained for the same duration. Additionally, it may also
require changes to your organization's account provisioning and management processes.
NOTE
1 If you initiate an eDiscovery search from the eDiscovery Center in SharePoint Online in an Office 365 organization, you
can search a maximum of 1,500 mailboxes in a single search.
In Exchange Server, you can change the default values for these parameters to suit your requirements or create
additional throttling policies and assign them to users with delegated Discovery Management permission. In
Exchange Online, the default values for these throttling parameters can't be changed.
| TOPIC | DESCRIPTION |
| --- | --- |
| Assign eDiscovery permissions in Exchange | Learn how to give a user access to use In-Place eDiscovery in the EAC to search Exchange mailboxes. Adding a user to the Discovery Management role group also allows the person to use the eDiscovery Center in SharePoint 2013 and SharePoint Online to search Exchange mailboxes. |
| Create a discovery mailbox | Learn how to use Exchange Online PowerShell to create a discovery mailbox and assign access permissions. |
| Create an In-Place eDiscovery search | Learn how to create an In-Place eDiscovery search, and how to estimate and preview eDiscovery search results. |
| Message properties and search operators for In-Place eDiscovery | Learn which email message properties can be searched using In-Place eDiscovery. The topic provides syntax examples for each property, information about search operators such as AND and OR, and information about other search query techniques such as using double quotation marks (" ") and prefix wildcards. |
| Search limits for In-Place eDiscovery in Exchange Online | Learn In-Place eDiscovery limits in Exchange Online that help maintain the health and quality of eDiscovery services for Office 365 organizations. |
| Start or Stop an In-Place eDiscovery Search | Learn how to start, stop, and restart eDiscovery searches. |
| Modify an In-Place eDiscovery Search | Learn how to modify an existing eDiscovery search. |
| Copy eDiscovery Search Results to a Discovery Mailbox | Learn how to copy the results of an eDiscovery search to a discovery mailbox. |
| Export eDiscovery search results to a PST file | Learn how to export the results of an eDiscovery search to a PST file. |
| Create a custom management scope for In-Place eDiscovery searches | Learn how to use custom management scopes to limit the mailboxes that a discovery manager can search. |
| Search and Delete Messages | Learn how to use the Search-Mailbox cmdlet to search for and then delete email messages. |
| Reduce the size of a discovery mailbox in Exchange | Use this process to reduce the size of a discovery mailbox that's larger than 50 GB. |
| Delete and re-create the default discovery mailbox in Exchange | Learn how to delete the default discovery mailbox, re-create it, and then reassign permissions to it. Use this procedure if this mailbox has exceeded the 50 GB limit and you don't need the search results. |
| Re-Create the Discovery System Mailbox | Learn how to recreate the discovery system mailbox. This task is applicable only to Exchange Server organizations. |
| Using Oauth Authentication to Support eDiscovery in an Exchange Hybrid Deployment | Learn about the eDiscovery scenarios in an Exchange hybrid deployment that require you to configure OAuth authentication. |
| Configure Exchange for SharePoint eDiscovery Center | Learn how to configure Exchange Server so that you can use the eDiscovery Center in SharePoint 2013 to search Exchange mailboxes. |
| Unsearchable Items in Exchange eDiscovery | Learn about mailbox items that can't be indexed by Exchange Search and are returned in eDiscovery search results as unsearchable items. |
For more information about eDiscovery in Office 365, Exchange Server, SharePoint 2013, and Lync 2013, see the
eDiscovery FAQ.
Assign eDiscovery permissions in Exchange
3/4/2019 • 2 minutes to read
If you want users to be able to use Microsoft Exchange Server In-Place eDiscovery, you must first authorize them
by adding them to the Discovery Management role group. Members of the Discovery Management role group
have Full Access mailbox permissions for the Discovery mailbox that's created by Exchange Setup.
CAUTION
Members of the Discovery Management role group can access sensitive message content. Specifically, these
members can use In-Place eDiscovery to search all mailboxes in your Exchange organization, preview messages
(and other mailbox items), copy them to a Discovery mailbox and export the copied messages to a .pst file. In most
organizations, this permission is granted to legal, compliance, or Human Resources personnel.
To learn more about the Discovery Management role group, see Discovery Management. To learn more about
Role Based Access Control (RBAC), see Understanding Role Based Access Control.
Interested in scenarios where this procedure is used? See the following topics:
Create an In-Place eDiscovery search
Create or remove an In-Place Hold
Use the EAC to add a user to the Discovery Management role group
1. Go to Permissions > Admin roles.
2. In the list view, select Discovery Management and then click Edit.
3. In Role Group, under Members, click Add.
4. In Select Members, select one or more users, click Add, and then click OK.
5. In Role Group, click Save.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Create an In-Place eDiscovery search
3/29/2019 • 9 minutes to read
NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place eDiscovery searches in Exchange Online (in Office 365
and Exchange Online standalone plans). But later this year or early next year, you won't be able to create new searches in
Exchange Online. To create eDiscovery searches, please start using Content Search in the Office 365 Security & Compliance
Center. After we decommission new In-Place eDiscovery searches, you'll still be able to modify existing In-Place eDiscovery
searches, and creating new In-Place eDiscovery searches in Exchange Server and Exchange hybrid deployments will still be
supported.
Use In-Place eDiscovery to search across all mailbox content, including deleted items and original versions of
modified items for users placed on In-Place Hold and Litigation Hold.
IMPORTANT
You can't use the Search all mailboxes option to place all mailboxes on hold. To create an In-Place Hold, you must
select Specify mailboxes to search. For more details, see Create or remove an In-Place Hold.
NOTE
The From: and To/Cc/Bcc: fields are connected by an OR operator in the search query that's created when you run
the search. That means any message that was sent or received by any of the specified users (and that matches the
other search criteria) is included in the search results.
The dates are connected by an AND operator.
6. On the In-place hold settings page, you can select the Place content matching the search query in
selected mailboxes on hold check box, and then select one of the following options to place items on
In-Place Hold:
Hold indefinitely: Select this option to place the returned items on an indefinite hold. Items on hold will
be preserved until you remove the mailbox from the search or remove the search.
Specify number of days to hold items relative to their received date: Use this option to hold items
for a specific period. For example, you can use this option if your organization requires that all messages be
retained for at least seven years. You can use a time-based In-Place Hold along with a retention policy to
make sure items are deleted in seven years.
IMPORTANT
When placing mailboxes or items on In-Place Hold for legal purposes, it is generally recommended to hold items
indefinitely and remove the hold when the case or investigation is completed.
7. Click Finish to save the search and return an estimate of the total size and number of items that will be
returned by the search based on the criteria you specified. Estimates are displayed in the details pane. Click
Refresh to update the information displayed in the details pane.
IMPORTANT
If you don't specify additional search parameters when running an In-Place eDiscovery search, all items in the specified
source mailboxes are returned in the results. If you don't specify mailboxes to search, all mailboxes in your Exchange or
Exchange Online organization are searched.
This example creates an In-Place eDiscovery search named HRCase090116 that searches for email messages sent
by Alex Darrow to Sara Davis in 2015.
After using Exchange Online PowerShell to create an In-Place eDiscovery search, you have to start the search by
using the Start-MailboxSearch cmdlet to copy messages to the discovery mailbox specified in the TargetMailbox
parameter. For details, see Copy eDiscovery Search Results to a Discovery Mailbox.
For detailed syntax and parameter information, see New-MailboxSearch.
NOTE
The mailboxes that were searched are listed in the right pane in the eDiscovery search preview window. For each
mailbox, the number of items returned and the total size of these items is also displayed. All items returned by the
search are listed in the right pane, and can be sorted by newest or oldest date. Items from each mailbox can't be
displayed in the right pane by clicking a mailbox in the left pane. To view the items returned from a specific mailbox,
you can copy the search results and view the items in the discovery mailbox.
Use Exchange Online PowerShell to estimate search results
You can use the EstimateOnly switch to get only an estimate of the search results and not copy the results
to a discovery mailbox. You have to start an estimate-only search with the Start-MailboxSearch cmdlet. Then
you can retrieve the estimated search results by using the Get-MailboxSearch cmdlet.
For example, you would run the following commands to create a new eDiscovery search and then display an
estimate of the search results:
To display specific information about the estimated search results from the previous example, you could run the
following command:
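An estimate-only run of the HRCase090116 search described earlier (messages sent by Alex Darrow to Sara Davis in 2015), followed by the estimate details; this is an added example, not the page's original commands. The two email addresses are constructed placeholders, and a connected Exchange PowerShell session with Discovery Management rights is assumed. The sender and recipient are joined with an explicit AND in the query so that only messages from one to the other match.

```powershell
$name = 'HRCase090116'

# Create the search as estimate-only: nothing is copied to a discovery mailbox,
# so no -TargetMailbox is supplied at this stage.
New-MailboxSearch -Name $name `
    -SourceMailboxes 'alexd@contoso.com', 'sarad@contoso.com' `
    -SearchQuery 'from:"alexd@contoso.com" AND to:"sarad@contoso.com"' `
    -StartDate ([datetime]'2015-01-01') -EndDate ([datetime]'2015-12-31') `
    -MessageTypes Email `
    -EstimateOnly -IncludeKeywordStatistics

# An estimate-only search still has to be started explicitly.
Start-MailboxSearch -Identity $name

# Poll until the estimate leaves the queued/in-progress states, or give up after 15 minutes.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 15
    $search = Get-MailboxSearch -Identity $name
} while (($search.Status -match 'InProgress|Queued') -and ((Get-Date) -lt $deadline))

# Review the size of the result set, any errors, and per-keyword hits before deciding to copy.
$search | Format-List Name, Status, LastRunBy, LastStartTime, LastEndTime, SearchQuery,
    ResultNumberEstimate, ResultSizeEstimate, Errors, KeywordHits

# To copy the results afterwards, set -EstimateOnly $false and a -TargetMailbox with
# Set-MailboxSearch, then run Start-MailboxSearch again.
```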
You can use the eDiscovery Export tool in the Exchange admin center (EAC) to export the results of an In-Place
eDiscovery search to an Outlook Data File, which is also called a PST file. Administrators can distribute the results
of the search to other people within your organization, such as a human resources manager or records manager,
or to opposing counsel in a legal case. After search results are exported to a PST file, you or other users can open
them in Outlook to review or print messages returned in the search results. PST files can also be opened in
third-party eDiscovery and reporting applications. This topic shows you how to do this, as well as troubleshoot any
issues you might have.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the Exchange admin center to export In-Place eDiscovery search
results to a PST
1. Go to Compliance management > In-place eDiscovery & hold.
2. In the list view, select the In-Place eDiscovery search you want to export the results of, and then click
Export to a PST file.
IMPORTANT
Including unsearchable items when you export eDiscovery search results takes longer when mailboxes contain a lot
of unsearchable items. To reduce the time it takes to export search results and prevent large PST export files,
consider the following recommendations:
Create multiple eDiscovery searches that each search a smaller number of source mailboxes.
If you're exporting all mailbox content within a specific date range (by not specifying any keywords in the
search criteria), then all unsearchable items within that date range will be automatically included in the
search results. Therefore, don't select the Include unsearchable items checkbox.
More information
You can reduce the size of the PST export file by exporting only the unsearchable items. To do this, create or
edit a search, specify a start date in the future, and then remove any keywords from the Keywords box.
This will result in no search results being returned. When you copy or export the search results and select
the Include unsearchable items checkbox, only the unsearchable items will be copied to the discovery
mailbox or exported to a PST file.
If you enable de-duplication, all search results are exported in a single PST file. If you don't enable de-
duplication, a separate PST file is exported for each mailbox included in the search. And as previously
stated, unsearchable items are exported to a separate PST file.
In addition to the PST files that contain the search results, two other files are also exported:
A configuration file (.txt file format) that contains information about the PST export request, such as
the name of the eDiscovery search that was exported, the date and time of the export, whether de-
duplication and unsearchable items were enabled, the search query, and the source mailboxes that
were searched.
A search results log (.csv file format) that contains an entry for each message returned in the search
results. Each entry identifies the source mailbox where the message is located. If you've enabled de-
duplication, this helps you identify all mailboxes that contain a duplicate message.
The name of the search is the first part of the filename for each file that is exported. Also, the date and time
of the export request is appended to the filename of each PST file and the results log.
For more information about de-duplication and unsearchable items, see:
Estimate, preview, and copy search results
Unsearchable Items in Exchange eDiscovery
To export eDiscovery search results from the eDiscovery Center in SharePoint or SharePoint Online, see
Export eDiscovery content and create reports.
Troubleshooting
Symptom: Cannot export to a PST file.
Possible causes:
There is no active mailbox attached to the account. To export the PST, you must have an active account.
Your version of Internet Explorer is out of date. Try updating IE to version 10 or later. Or try a different browser.
Search criteria entered in the Filter based on criteria query is incorrect. For example, a username is entered
instead of an email address. For more information about how to filter based on criteria, see Modify an In-Place
eDiscovery search.

Symptom: Unable to export search results on a specific machine. Export works as expected on a different machine.
Possible cause: The wrong Windows credentials were saved in the Credential Manager. Clear your credentials and log
in again.

Symptom: eDiscovery PST Export Tool won't start.
Possible cause: Local intranet zone settings aren't set up correctly in Internet Explorer. Make sure that
*.outlook.com, *.office365.com, *.sharepoint.com and *.onmicrosoft.com are added to the Local intranet zone
trusted sites. To add these sites to the Trusted zone in IE, see Security zones: adding or removing websites.
Message properties and search operators for In-Place
eDiscovery
3/29/2019
This topic describes the properties of Exchange email messages that you can search by using In-Place eDiscovery
& Hold in Exchange Server and Exchange Online. The topic also describes Boolean search operators and other
search query techniques that you can use to refine eDiscovery search results.
In-Place eDiscovery uses Keyword Query Language (KQL). For more details, see Keyword Query Language syntax
reference.
Property: Category
Description: The categories to search. Categories can be defined by users by using Outlook or Outlook Web App. The
possible values are: blue, green, orange, purple, red, yellow.
Example: category:"Red Category"
Search results returned: Messages that have been assigned the red category in the source mailboxes.

Property: Kind
Description: The message type to search. Possible values: contacts, docs, email, faxes, im, journals, meetings,
notes, posts, rssfeeds, tasks, voicemail.
Examples: kind:email
kind:email OR kind:im OR kind:voicemail
Search results returned: Email messages that meet the search criteria. The second example returns email messages,
instant messaging conversations, and voice messages that meet the search criteria.

Property: Received
Description: The date that an email message was received by a recipient.
Examples: received:04/15/2014
received>=01/01/2014 AND received<=03/31/2014
Search results returned: Messages that were received on April 15, 2014. The second example returns all messages
received between January 1, 2014 and March 31, 2014.

Property: Sent
Description: The date that an email message was sent by the sender.
Examples: sent:07/01/2014
sent>=06/01/2014 AND sent<=07/01/2014
Search results returned: Messages that were sent on the specified date or sent within the specified date range.

Property: Subject
Description: The text in the subject line of an email message.
Examples: subject:"Quarterly Financials"
subject:northwind
Search results returned: Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the
subject line. The second example returns all messages that contain the word northwind in the subject line.
NOTE
1 For the value of a recipient property, you can use the SMTP address, display name, or alias to specify a user. For example,
you can use annb@contoso.com, annb, or "Ann Beebe" to specify the user Ann Beebe.
IMPORTANT
You must use uppercase Boolean operators in a search query. For example, use AND; don't use and. Using lowercase
operators in search queries will return an error.
Operator: AND
Usage: keyword1 AND keyword2
Description: Returns messages that include all of the specified keywords or property:value expressions.

Operator: NEAR
Usage: keyword1 NEAR(n) keyword2
Description: Returns messages with words that are near each other, where n equals the number of words apart. For
example, best NEAR(5) worst returns messages where the word "worst" is within five words of "best". If no number
is specified, the default distance is eight words.
NOTE
1 Use this operator for properties that have date or numeric values.
How to prevent unsupported characters in your search queries?
The best way to prevent unsupported characters is to just type the query in the keyword box. Alternatively, you
can copy a query from Word or Excel and then paste it to a file in a plain text editor, such as Microsoft Notepad.
Then save the text file and select ANSI in the Encoding drop-down list. This will remove any formatting and
unsupported characters. Then you can copy and paste the query from the text file to the keyword query box.
Search tips and tricks
Keyword searches are not case sensitive. For example, cat and CAT return the same results.
A space between two keywords or two property:value expressions is the same as using AND. For example,
from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain the word
reorganization in the subject line.
Use syntax that matches the property:value format. Values are not case-sensitive, and they can't have a
space after the operator. If there is a space, your intended value will just be full-text searched. For example
to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.
When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address,
alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar
Pinilla".
You can use only prefix wildcard searches—for example, cat* or set*. Suffix wildcard searches (*cat) or
substring wildcard searches (*cat*) aren't supported.
When searching a property, use double quotation marks (" ") if the search value consists of multiple words.
For example, subject:budget Q1 returns messages that contain budget in the subject line and that
contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1"
returns all messages that contain budget Q1 anywhere in the subject line.
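A pre-flight check for the query rules listed above (uppercase operators, no space after the colon, prefix-only wildcards, no pasted formatting characters), as an added example that is not part of the original documentation. Test-EDiscoveryQuery is a hypothetical helper name, the sample queries are constructed, and treating any non-ASCII character as "unsupported" is an assumption.

```powershell
# Added example, not Microsoft code. Test-EDiscoveryQuery is a hypothetical name.
function Test-EDiscoveryQuery {
    param([Parameter(Mandatory)][string]$Query)

    $findings = New-Object System.Collections.Generic.List[string]

    # Assumption: characters outside printable ASCII (curly quotes, long dashes)
    # are what arrives with text pasted from Word or Excel.
    if ($Query -match '[^\x20-\x7E]') {
        $findings.Add('Non-ASCII character found; retype the query or paste it through a plain-text editor.')
    }

    # Blank out quoted phrases so their contents are not read as operators or wildcards.
    $unquoted = [regex]::Replace($Query, '"[^"]*"', '"PHRASE"')

    # "to: pilarp" - a space after the colon turns the value into a plain keyword.
    foreach ($m in [regex]::Matches($unquoted, '(\w+):\s+(\S+)')) {
        $findings.Add("Space after '$($m.Groups[1].Value):' - '$($m.Groups[2].Value)' is searched as a keyword, not as the property value.")
    }

    foreach ($token in ($unquoted -split '\s+' | Where-Object { $_ })) {
        # NEAR and NEAR(n): -match ignores case, -cnotmatch does not.
        if ($token -match '^near(\(\d+\))?$') {
            if ($token -cnotmatch '^NEAR') { $findings.Add("Operator '$token' must be uppercase.") }
            continue
        }

        # Strip grouping parentheses, then look for AND / OR / NOT in the wrong case.
        $bare = $token -replace '^\(+|\)+$', ''
        if ($bare -match '^(and|or|not)$') {
            if ($bare -cne $bare.ToUpper()) { $findings.Add("Operator '$bare' must be uppercase.") }
            continue
        }

        # Only prefix wildcards (cat*) are supported; *cat and *cat* are not.
        $value = ($bare -split ':', 2)[-1]
        if ($value.StartsWith('*')) {
            $findings.Add("'$bare' uses a suffix or substring wildcard; only prefix wildcards such as cat* are supported.")
        }
    }

    $findings
}

# Constructed sample queries: the first follows the rules, the others each break one.
$samples = @(
    'from:"Sara Davis" AND subject:reorganization',
    'from:pilarp and subject:budget',
    'to: pilarp',
    'subject:*cat',
    'best near(5) worst'
)
foreach ($q in $samples) {
    $result = @(Test-EDiscoveryQuery -Query $q)
    if ($result.Count -eq 0) { "OK    $q" }
    else { $result | ForEach-Object { "WARN  $q  ->  $_" } }
}
```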
Search limits for In-Place eDiscovery in Exchange Online
3/29/2019
Various types of limits are applied to In-Place eDiscovery searches in Exchange Online and Office 365. These limits help to maintain the
health and quality of services provided to Office 365 organizations. In most cases, you can't modify these limits, but you should be aware of
them so that you can take these limits into consideration when planning, running, and troubleshooting eDiscovery searches.
Description of limit: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search.
Limit: 10,000
More information and suggested workarounds: If you have more than 10,000 mailboxes in your organization, you won't be
able to use the Search all mailboxes option on the Mailboxes page in the EAC. To search large numbers of mailboxes (up
to 10,000 mailboxes total), you can organize users into distribution groups or dynamic distribution groups and then
specify a group on the Mailboxes page in the EAC (see note 1).
One workaround for this limit is to use the Compliance Search feature in the Office 365 Compliance Center, which
doesn't have a limit for the number of mailboxes that can be searched in a single search. You run a search in the
Compliance Center to search all mailboxes in your organization to identify those that contain search results. Then you
can use that list of mailboxes as the source mailboxes for an In-Place eDiscovery search in the EAC. For details, see
Use Compliance Search in your eDiscovery workflow.

Description of limit: The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search that
still allows you to view keyword statistics.
Limit: 100
More information and suggested workarounds: After you run an eDiscovery search estimate, you can view keyword
statistics. These statistics show details about the number of items returned for each keyword used in the search query.
If more than 100 source mailboxes are included in the search, an error will be returned if you try to view keyword
statistics.
To view keyword statistics, reduce the number of source mailboxes to 100 or fewer, and then rerun the search estimate.
When you're satisfied with the search query, you can add additional source mailboxes to the search and then copy or
export the search results.

Description of limit: The maximum number of mailboxes that can be placed on In-Place Hold in a single In-Place
eDiscovery search.
Limit: 10,000
More information and suggested workarounds: You can place up to 10,000 mailboxes on In-Place Hold by using a single
eDiscovery search. However, if you select the Search all mailboxes option on the Sources page, you won't be able to
enable an In-Place Hold for that search. To place a large number of mailboxes on hold using a single In-Place Hold, use
distribution groups or dynamic distribution groups to group mailboxes together, and then specify one of those groups on
the Mailboxes page in the EAC (see note 1).
A better option for placing a hold on a large number of mailboxes is to use a Litigation Hold. Using lots of single
In-Place eDiscovery searches to place mailboxes on hold isn't recommended. For more information, see Place all
mailboxes on hold.
NOTE
1 Group membership is calculated only when the search or a hold is created. If a user gets added to the group after the search is created, the user's
mailbox won't be added automatically as a source mailbox. You'll have to edit the search and add the mailbox. The same thing applies when a user is
removed from a group that is used to create a search or hold. You'll have to edit the search to remove the mailbox.
Description of limit: The maximum number of mailboxes that are displayed in the mailbox picker for selecting source
mailboxes when creating a new In-Place eDiscovery or In-Place Hold search.
Limit: 500
More information and suggested workarounds: Only 500 mailboxes, distribution groups, and dynamic distribution groups are
listed in the mailbox picker to select source mailboxes from when you create a new search. A message is displayed
saying that there are more recipients than the ones displayed. Here are some workarounds for this limit:
Use the search box to find a mailbox that isn't listed in the mailbox picker.
Use distribution groups or dynamic distribution groups to group large numbers of mailboxes together. Then pick the
group from the mailbox list or search for it using the search box. Groups are expanded into source mailboxes when you
create an eDiscovery search.
Select Search all mailboxes on the Mailbox page if your organization has less than 10,000 mailboxes and you're not
going to place mailboxes on hold.
Use distribution groups or dynamic distribution groups to group users if you want to place more than 500 mailboxes on
In-Place Hold.

Description of limit: The maximum number of mailboxes that are displayed when editing an In-Place eDiscovery or
In-Place Hold search.
Limit: 3,000
More information and suggested workarounds: Up to 3,000 mailboxes are displayed on the Sources page in the EAC when you
edit an In-Place eDiscovery search or hold. To add a mailbox to the list of sources, you can use the search box to find
a mailbox that isn't listed in the mailbox picker (a maximum of 500 recipients are listed in the mailbox picker). To
remove a mailbox that's listed, you can select it and then click Remove.
To remove a mailbox that isn't listed, you have to use Exchange Online PowerShell to remove it. For example, the
following commands are run to remove the user Ann Beebe from an In-Place Hold named ContosoHold.
$SourceMailboxes = Get-MailboxSearch "ContosoHold"
$SourceMailboxes.Sources.Remove("/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=28e3edb87e29422998ec8f3a9annb")
Set-MailboxSearch "ContosoHold" -SourceMailboxes $SourceMailboxes.Sources
The first command creates a variable that contains the properties of ContosoHold. The second command removes the user
Ann Beebe (by specifying the value of the LegacyExchangeDN property) from the list of source mailboxes. The third
command edits ContosoHold with the updated list of source mailboxes.
To add a user to an In-Place Hold, use the following syntax in the second command in the previous example.
$SourceMailboxes.Sources.Add("<LegacyExchangeDN of the user>")
Note: The Sources property of an In-Place eDiscovery search or an In-Place Hold identifies the source mailboxes by
their LegacyExchangeDN property. Because this property uniquely identifies a user mailbox, using the Sources property
helps prevent adding or removing the wrong mailbox. This also helps to avoid issues if two mailboxes have the same
alias or primary SMTP address.
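Because group membership is calculated only when a search or hold is created (note 1 above), a hold built from a group can silently fall out of step with that group. The following added example, which is not part of the original documentation, compares the hold's Sources with the group's current mailboxes by LegacyExchangeDN; the group name is an assumed placeholder, and nested groups are not expanded.

```powershell
# Added example. 'ContosoHold' is the hold named above; the group name is assumed.
$holdName  = 'ContosoHold'
$groupName = 'Contoso Hold Users'   # assumed: the group chosen when the hold was created

# LegacyExchangeDN values the hold covers right now.
$held = @((Get-MailboxSearch -Identity $holdName).Sources | Where-Object { $_ })

# Collect the members first, then resolve each one. Calling a second cmdlet
# inside a running pipeline can fail in a remote Exchange session.
$members = @(Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' })
$current = @(foreach ($m in $members) {
    (Get-Mailbox -Identity $m.DistinguishedName).LegacyExchangeDN
})

# -notcontains compares strings without regard to case.
$notHeld  = @($current | Where-Object { $held -notcontains $_ })
$leftOver = @($held | Where-Object { $current -notcontains $_ })

# Joined the group after the hold was created: not on hold until the hold is edited.
$notHeld | ForEach-Object {
    [pscustomobject]@{ Drift = 'In group, not in Sources'; LegacyExchangeDN = $_ }
}
# Left the group after the hold was created: still on hold until the hold is edited.
$leftOver | ForEach-Object {
    [pscustomobject]@{ Drift = 'In Sources, not in group'; LegacyExchangeDN = $_ }
}
```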
Other limits
The following table describes other limits that affect In-Place eDiscovery searches.
Description of limit: The maximum number of In-Place eDiscovery searches that can run at the same time in your
organization.
Limit: 2
More information: If an eDiscovery search is started while two previous searches are still running, the third search
won't be queued and will instead fail. You have to wait until one of the running searches is completed before you can
successfully start a new search.
Also, estimate-only and copy searches are both considered In-Place eDiscovery searches. So, if you are running an
estimate-only search and a copy search at the same time, you can't start another search until one of the running
searches is completed. However, you can preview or export the search results from another search while two searches
are running.

Description of limit: The maximum number of keywords that can be specified in a single In-Place eDiscovery search
query.
Limit: 500
More information: Boolean operators, such as AND and OR, aren't counted against the total number of keywords. For
example, the keyword query cat AND dog AND bird AND fish consists of four keywords.

Description of limit: The maximum number of items displayed on the search preview page when previewing In-Place
eDiscovery search results.
Limit: 200
More information: When you preview search results, the mailboxes that were searched are listed in the right pane on the
eDiscovery search preview page. For each mailbox, the number of items returned and the total size of these items are
also displayed. Items returned by the search are listed in the right pane. Up to 200 items are displayed on the
preview page.
Note: Items from each mailbox can't be displayed in the right pane by clicking a mailbox in the left pane. To view the
items returned from a specific mailbox, you can copy the search results and view the items in the discovery mailbox.

Description of limit: The maximum number of keywords that can be specified in all In-Place Holds placed on a single
mailbox.
Limit: 500
More information: If multiple In-Place Holds are placed on a user's mailbox, the maximum number of keywords in all
search queries is 500. That's because Exchange Online combines all the keyword search parameters from all In-Place
Holds by using the OR operator. If there are more than 500 keywords in the hold queries, then all content in the
mailbox is placed on hold (and not just that content that matches the search criteria of any query-based hold). All
content is held until the total number of keywords in all In-Place Holds is reduced to 500 or less. Holding all
mailbox content is similar in functionality to a Litigation Hold.

Description of limit: Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in
a keyword search query or when using a prefix wildcard and the NEAR operator.
Limit: 10,000
More information: For non-phrase queries we use a special prefix index. This only tells us that a word occurs in a
document, not where in the document it occurs. To do a phrase query we need to compare the position within the
document for the words in the phrase. This means that we cannot use the prefix index for phrase queries. In this case
we are internally expanding the query with all possible words that the prefix expands to (i.e. "time*" can expand to
"time OR timer OR times OR timex OR timeboxed OR ..."). 10,000 is the maximum number of variants the word can expand
to, not the number of documents matching the query. For non-phrase terms there is no upper limit.
Create a discovery mailbox
3/4/2019
Microsoft Exchange Server Setup creates a discovery mailbox by default. In Exchange Online, a discovery mailbox
is also created by default. Discovery mailboxes are used as target mailboxes for In-Place eDiscovery searches in
the Exchange admin center (EAC). You can create additional discovery mailboxes as required. After you create a
new discovery mailbox, you will have to assign Full Access permissions to the appropriate users so they can
access eDiscovery search results that are copied to the discovery mailbox.
Caution
After a discovery manager copies the results of an eDiscovery search to a discovery mailbox, the mailbox can
potentially contain sensitive information. You should control access to discovery mailboxes and make sure only
authorized users can access them.
For more information, see Discovery mailboxes.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type username and password for an Office 365
global admin account, and then click OK.
2. Run the following command.
Import-PSSession $Session
4. To verify that you're connected to your Exchange Online organization, run the following command to get a list
of all the mailboxes in your organization.
Get-Mailbox
For more information or if you have problems connecting to your Exchange Online organization, see Connect to
Exchange Online using remote PowerShell.
Add-MailboxPermission <Name of the discovery mailbox> -User <Name of user or group> -AccessRights FullAccess -InheritanceType all
For example, the following command assigns the Full Access permission to the Litigation Managers group, so
members of the group can open the Fabrikam Litigation discovery mailbox.
More information
By default, members of the Discovery Management role group only have Full Access permission to the
default Discovery Search Mailbox. You will have to explicitly assign the Full Access permission to the
Discovery Management role group if you want members to open a discovery mailbox that you've created.
Although visible in Exchange address lists, users can't send email to a discovery mailbox. Email delivery to
discovery mailboxes is prohibited with delivery restrictions. This preserves the integrity of search results
copied to a discovery mailbox.
A discovery mailbox can't be repurposed or converted to another type of mailbox.
You can remove a discovery mailbox as you would any other type of mailbox.
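The grant described above, followed by a review of who can open each discovery mailbox, as an added example that is not part of the original documentation. "Fabrikam Litigation" and "Litigation Managers" are the names used in the text; excluding NT AUTHORITY entries from the report is an assumption about what a reviewer wants to see.

```powershell
# Added example. Mailbox and group names are the ones used in the text above.
Add-MailboxPermission "Fabrikam Litigation" -User "Litigation Managers" -AccessRights FullAccess -InheritanceType all

# Review: list every explicit Full Access grant on every discovery mailbox.
# The mailboxes are collected first because calling a second cmdlet inside a
# running pipeline can fail in a remote Exchange session.
$discoveryMailboxes = @(Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited)

$grants = foreach ($mbx in $discoveryMailboxes) {
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.AccessRights -match 'FullAccess' -and   # right is present in the entry
            -not $_.IsInherited -and                   # granted on this mailbox directly
            -not $_.Deny -and                          # an allow entry, not a deny entry
            $_.User -notlike 'NT AUTHORITY\*'          # assumption: skip built-in system entries
        } |
        Select-Object @{ n = 'DiscoveryMailbox'; e = { $mbx.DisplayName } }, User, AccessRights
}

# Anything listed here that is not an approved discovery manager or group can
# read copied search results and should be removed.
$grants | Sort-Object DiscoveryMailbox, User | Format-Table -AutoSize
```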
Create a custom management scope for In-Place
eDiscovery searches
3/29/2019
You can use a custom management scope to let specific people or groups use In-Place eDiscovery to search a
subset of mailboxes in your Exchange Online organization. For example, you might want to let a discovery
manager search only the mailboxes of users in a specific location or department. You can do this by creating a
custom management scope. This custom management scope uses a recipient filter to control which mailboxes can
be searched. Recipient filter scopes use filters to target specific recipients based on recipient type or other recipient
properties.
For In-Place eDiscovery, the only property on a user mailbox that you can use to create a recipient filter for a
custom scope is distribution group membership (the actual property name is MemberOfGroup). If you use other
properties, such as CustomAttributeN, Department, or PostalCode, the search fails when it's run by a member of
the role group that's assigned the custom scope.
To learn more about management scopes, see:
Understanding management role scopes
Understanding management role scope filters
2. Run this command to create a custom management scope based on the membership of the Ottawa Users
distribution group.
The distinguished name of the distribution group, which is contained in the variable $DG, is used to
create the recipient filter for the new management scope.
You can also use the EAC to add members to a distribution group. For more information, see Create and manage
distribution groups.
(Optional) Step 5: Add a discovery mailbox as a member of the
distribution group used to create the custom management scope
You only need to perform this step if you want to let a discovery manager copy eDiscovery search results.
Run this command to add a discovery mailbox named Ottawa Discovery Mailbox as a member of the Ottawa
Users distribution group.
NOTE
To open a discovery mailbox and view the search results, discovery managers must be assigned Full Access permissions for
the discovery mailbox. For more information, see Create a discovery mailbox.
More information
Because distribution groups are used in this scenario to scope eDiscovery searches and not for message
delivery, consider the following when you create and configure distribution groups for eDiscovery:
Create distribution groups with a closed membership so that members can be added to or removed
from the group only by the group owners. If you're creating the group in Exchange Online
PowerShell, use the syntax MemberJoinRestriction closed and MemberDepartRestriction closed.
Enable group moderation so that any message sent to the group is first sent to the group
moderators who can approve or reject the message accordingly. If you're creating the group in
Exchange Online PowerShell, use the syntax ModerationEnabled $true. If you're using the EAC, you
can enable moderation after the group is created.
Hide the distribution group from the organization's shared address book. Use the EAC or the Set-
DistributionGroup cmdlet after the group is created. If you're using Exchange Online PowerShell,
use the syntax HiddenFromAddressListsEnabled $true.
In the following example, the first command creates a distribution group with closed membership
and moderation enabled. The second command hides the group from the shared address book.
For more information about creating and managing distribution groups, see Create and manage
distribution groups.
Though you can use only distribution group membership as the recipient filter for a custom management
scope used for eDiscovery, you can use other recipient properties to add users to that distribution group.
Here are some examples of using the Get-Mailbox and Get-Recipient cmdlets to return a specific group
of users based on common user or mailbox attributes.
You can then use the examples from the previous bullet to create a variable that can be used with the Add-
DistributionGroupMember cmdlet to add a group of users to a distribution group. In the following
example, the first command creates a variable that contains all user mailboxes that have the value
Vancouver for the Department property in their user account. The second command adds these users to
the Vancouver Users distribution group.
You can use the Add-RoleGroupMember cmdlet to add a member to an existing role group that's used to
scope eDiscovery searches. For example, the following command adds the user
admin@ottawa.contoso.com to the Ottawa Discovery Management role group.
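The whole scoping procedure from this topic in one pass, as an added example that is not part of the original documentation: a closed, moderated, hidden distribution group, a management scope filtered on MemberOfGroup, and a role group bound to that scope. The group, role group, discovery mailbox and user names come from the text; the alias, the scope name, the Department value and the choice of the Mailbox Search and Legal Hold roles are assumptions.

```powershell
# Added example. Names marked "assumed" do not appear on the page.
$groupName = 'Ottawa Users'
$scopeName = 'Ottawa Users eDiscovery Scope'   # assumed scope name
$roleGroup = 'Ottawa Discovery Management'

# 1. Scoping group: closed membership, moderated, hidden from the address book,
#    because membership in it decides which mailboxes can be searched.
New-DistributionGroup -Name $groupName -Alias OttawaUsers `
    -MemberJoinRestriction Closed -MemberDepartRestriction Closed -ModerationEnabled $true
Set-DistributionGroup $groupName -HiddenFromAddressListsEnabled $true

# 2. Populate the group from a user attribute. Department can't be used in the
#    scope filter itself, but it can be used to choose the members.
$members = @(Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
    -Filter "Department -eq 'Ottawa'")          # assumed Department value
foreach ($m in $members) {
    Add-DistributionGroupMember -Identity $groupName -Member $m.DistinguishedName
}

# 3. Management scope: MemberOfGroup is the only supported filter property here.
$DG = Get-DistributionGroup -Identity $groupName
New-ManagementScope $scopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

# 4. Role group limited to that scope (assumed roles: Mailbox Search, Legal Hold).
New-RoleGroup $roleGroup -Roles 'Mailbox Search', 'Legal Hold' `
    -CustomRecipientWriteScope $scopeName
Add-RoleGroupMember $roleGroup -Member admin@ottawa.contoso.com

# 5. Optional: lets the scoped discovery managers copy results to this mailbox.
Add-DistributionGroupMember -Identity $groupName -Member 'Ottawa Discovery Mailbox'

# 6. Verify that the filter and the scope binding are what was intended.
Get-ManagementScope $scopeName | Format-List Name, RecipientFilter
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, CustomRecipientWriteScope -AutoSize
```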
Have a discovery mailbox that's exceeded the 50 GB limit? You can fix this issue by creating new discovery
mailboxes and copying the search results from the large discovery mailbox to the new ones.
Determine if you need to keep some or all of the search results from the discovery mailbox that's exceeded
the 50 GB limit. Follow the steps in this topic to retain search results by copying them to a different
discovery mailbox. If you don't need to keep the results of a specific eDiscovery search, you can delete the
search, as explained in step 3. Deleting a search will delete the search results from the discovery mailbox.
If you don't need any of the search results from a discovery mailbox that's exceeded the 50 GB limit, you
can delete it. If this is the default discovery mailbox that was created when your Exchange organization was
provisioned, you can re-create it. For more information, see Delete and re-create the default discovery
mailbox in Exchange.
For current legal cases, you might want to export the results of selected eDiscovery searches to .pst files.
Doing this keeps the results from a specific search intact. In addition to the .pst files that contain the search
results, a search results log (.csv file format) that contains an entry for each message returned in the search
results is also exported. Each entry in this file identifies the source mailbox where the message is located.
For more information, see Export eDiscovery search results to a PST file.
After you export search results to .pst files, you'll need to use Outlook if you want to import them to a new
discovery mailbox.
2. Run the following command to assign a user or group permissions to open the discovery mailbox and view
search results.
Add-MailboxPermission <discovery mailbox name> -User <name of user or group> -AccessRights FullAccess -InheritanceType all
New-MailboxSearch -Name "Search results from 2010" -SourceMailboxes "Discovery Search Mailbox" -StartDate "01/01/2010" -EndDate "12/31/2010" -TargetMailbox "Discovery Mailbox Backup 01" -EstimateOnly -StatusMailRecipients admin@contoso.com
Name: This parameter specifies the name of the new eDiscovery search. Because the search is scoped by
sent and received dates, it's useful that the name of the search includes the date range.
SourceMailboxes: This parameter specifies the default discovery mailbox. You can also specify the name of
another discovery mailbox that's exceeded the size limit.
StartDate and EndDate: These parameters specify the date range of the search results in the default
discovery mailbox to include in the search results.
NOTE
For dates, use the short date format, mm/dd/yyyy, even if the Regional Options settings on the local computer are
configured with a different format, such as dd/mm/yyyy. For example, use 03/01/2014 to specify March 1, 2014.
TargetMailbox: This parameter specifies that search results should be copied to the discovery mailbox
named "Discovery Mailbox Backup 01".
EstimateOnly: This switch specifies that only an estimate of the number of items that will be returned is
provided when the search is started. If you don't include this switch, messages are copied to the target
mailbox when the search is started. Using this switch lets you adjust the date ranges if necessary to increase
or decrease the number of search results.
StatusMailRecipients: This parameter specifies that the status message should be sent to the specified
recipient.
2. After the search is created, start it by using Exchange Online PowerShell or the Exchange admin center (EAC).
Using Exchange Online PowerShell: Run the following command to start the search created in the previous
step. Because the EstimateOnly switch was included when the search was created, the search results won't be
copied to the target discovery mailbox.
Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search created
in the previous step, click Search, and then click Estimate search results.
3. If necessary, adjust the date range to increase or decrease the amount of search results that are returned. If
you change the date range, run the search again to get a new estimate of the results. Consider changing the
name of the search to reflect the new date range.
4. When you're finished testing the search, use Exchange Online PowerShell or the EAC to copy the search
results to the target discovery mailbox.
Using Exchange Online PowerShell: Run the following commands to copy the search results. You have to
remove the EstimateOnly switch before you can copy the search results.
Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search,
click Search, and then click Copy search results.
For more information, see Copy eDiscovery Search Results to a Discovery Mailbox.
5. Repeat steps 1 through 4 to create new searches for additional date ranges. Include the date range in the name
of the new search to indicate the range of the results. To make sure none of the discovery mailboxes exceeds
the 50 GB limit, use different discovery mailboxes as the target mailbox.
You can use Exchange Online PowerShell or the EAC to delete an eDiscovery search.
Using Exchange Online PowerShell: Run the following command.
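Steps 2 through 4 above for the "Search results from 2010" search, as an added example that is not part of the original documentation: estimate first, copy only if the estimate fits under the 50 GB limit, then switch the search from estimate to copy. Wait-MailboxSearch is a hypothetical helper, and the text form of ResultSizeEstimate that the size check parses is an assumption about how a remote session displays it.

```powershell
# Added example. Wait-MailboxSearch is a hypothetical helper, not a cmdlet.
$name = 'Search results from 2010'   # search created in step 1

function Wait-MailboxSearch {
    param([string]$Identity, [int]$TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $s = Get-MailboxSearch -Identity $Identity
    } while ($s.Status -match 'Queued|InProgress' -and (Get-Date) -lt $deadline)
    $s
}

# Step 2: run the estimate. Only two searches can run at once in the
# organization, so each search is finished before the next one is started.
Start-MailboxSearch -Identity $name
$estimate = Wait-MailboxSearch -Identity $name

# Assumption: the size is displayed as text such as "1.5 GB (1,610,612,736 bytes)".
$bytes = [int64]0
if ("$($estimate.ResultSizeEstimate)" -match '\(([\d,]+) bytes\)') {
    $bytes = [int64]($Matches[1] -replace ',', '')
}
'{0}: status {1}, {2} items, {3:N1} GB estimated' -f `
    $name, $estimate.Status, $estimate.ResultNumberEstimate, ($bytes / 1GB)

# Steps 3 and 4: copy only when the estimate succeeded and fits in the target.
if ($estimate.Status -like 'Estimate*Succeeded' -and $bytes -gt 0 -and $bytes -lt 50GB) {
    Set-MailboxSearch -Identity $name -EstimateOnly $false
    Start-MailboxSearch -Identity $name
    Wait-MailboxSearch -Identity $name | Format-List Name, Status, ResultNumber, ResultSize
}
else {
    Write-Warning "Not copied: narrow -StartDate/-EndDate with Set-MailboxSearch and estimate again."
}

# Deleting a search also deletes its results from the discovery mailbox, so
# remove the old search only after the copy has been checked:
# Remove-MailboxSearch -Identity "<name of the search to delete>"
```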
You can use Exchange Online PowerShell to delete the default discovery mailbox, re-create it, and then assign
permissions to it.
No Follow the steps in this topic to delete, and then re-create the
default discovery mailbox.
Remove-Mailbox "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"
2. In the message asking you to confirm that you want to delete the mailbox and the corresponding Active
Directory user object, type Y, and then press Enter.
A new user object is created in Active Directory when you create the discovery mailbox in the next step.
3. Run the following command to re-create the default discovery mailbox.
New-Mailbox -Name "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -Alias "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -DisplayName "Discovery Search Mailbox" -Discovery
4. Run the following command to assign the Discovery Management role group permissions to open the default
discovery mailbox and view search results.
Learn about DLP policies in Exchange Server and Exchange Online, including what they contain and how to test
them. You'll also learn about a new feature in Exchange DLP.
Data loss prevention (DLP) is an important issue for enterprise message systems because of the extensive use of
email for business critical communication that includes sensitive data. In order to enforce compliance
requirements for such data, and manage its use in email, without hindering the productivity of workers, DLP
features make managing sensitive data easier than ever before. For a conceptual overview of DLP, watch the
following video.
DLP policies are simple packages that contain sets of conditions, which are made up of mail flow rule (also
known as transport rule) conditions, exceptions, and actions that you create in the Exchange admin center (EAC)
and then activate to filter email messages and attachments. You can create a DLP policy, but choose to not
activate it. This allows you to test your policies without affecting mail flow. DLP policies can use the full power of
existing mail flow rules. In fact, a number of new types of mail flow rules have been created in Microsoft
Exchange Server and Exchange Online in order to accomplish new DLP capability. One important new feature of
mail flow rules is a new approach to classifying sensitive information that can be incorporated into mail flow
processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches,
regular expression evaluation, and other content examination to detect content that violates organizational DLP
policies. For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online, and
Integrating sensitive information rules with mail flow rules in Exchange Online. You can also manage your DLP
policies by using Exchange Online PowerShell cmdlets. For more information about policy and compliance
cmdlets, see Messaging Policy and Compliance Cmdlets.
In addition to the customizable DLP policies themselves, you can also inform email senders that they may be
about to violate one of your policies—even before they send an offending message. You can accomplish this by
configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the
Microsoft Outlook 2013 client that provides information about possible policy violations to a person creating a
message. In Exchange Online and in Exchange Server, Policy Tips are also displayed in Outlook Web App and
OWA for Devices. For more information, see Policy Tips.
NOTE
DLP is a premium feature that requires an Exchange Online Plan 2 subscription. For more information, see Exchange Online
Licensing.
Messages sent between on-premises users in a hybrid deployment do not have Exchange Online DLP policies
applied, because the message doesn't leave the on-premises infrastructure.
Looking for management tasks related to Data Loss Prevention? See DLP Procedures (Exchange Server) or DLP
Procedures (Exchange Online).
Installation prerequisites
In order to make use of DLP features, you must have Exchange Server or Exchange Online configured with at
least one sender mailbox. Data Loss Prevention is a premium feature that requires an Enterprise Client Access
License (CAL). For more information about getting started with Exchange Server, see Planning and Deployment.
For more information about getting started with Exchange Online, see Exchange Online.
You can set up sensitive information rules within your Microsoft Exchange data loss prevention (DLP) policies to
detect very specific data in email messages. This topic will help you understand how these rules are applied and
how messages are evaluated. You can avoid workflow disruptions for your email users and achieve a high degree
of accuracy with your DLP detections if you know how your rules are enforced. Let's use the Microsoft-supplied
credit card information rule as an example. When you activate a mail flow rule (also known as a transport rule) or
DLP policy, all messages that your users send are compared with the rule sets that you create.
Margie's Travel,
Spencer Badillo
Expires: 2/2012
Let's also make it clear that the following information should not be classified as a credit card.
Hi Alex,
I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I'll be there on 3/2018.
Regards, Lisa
The following XML snippet shows how the needs expressed earlier are currently defined in a sensitive information
rule that is provided with Exchange and embedded within one of the supplied DLP policy templates.
<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
    <Any minMatches="1">
      <Match idRef="Keyword_cc_verification" />
      <Match idRef="Keyword_cc_name" />
      <Match idRef="Func_expiration_date" />
    </Any>
  </Pattern>
</Entity>
<Match idRef="Keyword_cc_name">
<Match idRef="Func_expiration_date">
These three simply mean a list of keywords for credit cards, the names of the credit cards, or an expiration
date is required. The expiration date is defined and evaluated internally as another function.
STEP ACTION
2. Regular Expression Analysis 4111 1111 1111 1111 -> a 16-digit number is detected
4. Additional Evidence
5. Verdict
The way this rule is set up by Microsoft makes it mandatory that corroborating evidence such as keywords are a
part of the email message content in order to match the rule. So the following email content would not be detected
as containing a credit card:
Margie's Travel,
Spencer Badillo
You can use a custom rule that defines a pattern without extra evidence, as shown in the next example. This would
detect messages that contain only a credit card number and no corroborating evidence.
<Pattern confidenceLevel="85">
<IdMatch idRef="Func_credit_card" />
</Pattern>
</Entity>
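The evaluation described above can be reproduced offline to see why each sample message is or is not detected. The following is an added example, not code from Exchange or from the original page: the Luhn checksum standing in for Func_credit_card, the keyword lists, the expiration-date regular expression, and the symmetric proximity window are all simplifying assumptions, and the sample messages other than the booking-code email are constructed.

```python
import re

# Taken from the Entity definition shown on this page.
PATTERNS_PROXIMITY = 300   # patternsProximity, in characters
CONFIDENCE_LEVEL = 85      # confidenceLevel of the Pattern

# Assumption: simplified stand-ins for Exchange's internal functions and
# keyword lists; the real definitions are not reproduced on this page.
CANDIDATE = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)")
EVIDENCE = {
    "Keyword_cc_verification": re.compile(
        r"\b(?:cvv|cvc|security code|card verification)\b", re.I),
    "Keyword_cc_name": re.compile(
        r"\b(?:visa|mastercard|amex|american express|discover)\b", re.I),
    "Func_expiration_date": re.compile(
        r"(?<![\d/])(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})(?![\d/])"),
}


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def evidence_near(text, start, end):
    """Names of the evidence elements found inside the proximity window."""
    before = text[max(0, start - PATTERNS_PROXIMITY):start]
    after = text[end:end + PATTERNS_PROXIMITY]
    window = before + "\n" + after  # the candidate number itself is excluded
    return [name for name, rx in EVIDENCE.items() if rx.search(window)]


def evaluate(text, require_evidence=True):
    """Evaluate every 16-digit candidate in text.

    require_evidence=True models the supplied rule (IdMatch plus Any
    minMatches="1"); False models the custom pattern with IdMatch only.
    """
    findings = []
    for m in CANDIDATE.finditer(text):
        checksum = luhn_ok(re.sub(r"\D", "", m.group()))
        evidence = evidence_near(text, m.start(), m.end())
        matched = checksum and (bool(evidence) or not require_evidence)
        findings.append({
            "candidate": m.group(),
            "checksum": checksum,
            "evidence": evidence,
            "confidence": CONFIDENCE_LEVEL if matched else 0,
        })
    return findings


# Constructed sample: card number with a card name and an expiration date.
TRAVEL = ("Margie's Travel,\nSpencer Badillo\n"
          "Visa: 4111 1111 1111 1111\nExpires: 2/2012\n")
# The booking-code message from this page: 16 digits and a date, no card.
BOOKING = ("Hi Alex,\nI expect to be in Hawaii too. My booking code is "
           "1234 1234 1234 1234 and I'll be there on 3/2018.\nRegards, Lisa")
# Constructed sample: valid number, no corroborating evidence.
NUMBER_ONLY = "Margie's Travel,\nSpencer Badillo\n4111 1111 1111 1111\n"
# Constructed sample: evidence exists but lies outside the 300-character window.
FAR_EVIDENCE = "4111 1111 1111 1111 " + "lorem " * 70 + "Expires: 2/2012"

if __name__ == "__main__":
    for label, body in [("travel", TRAVEL), ("booking", BOOKING),
                        ("number only", NUMBER_ONLY), ("far", FAR_EVIDENCE)]:
        print(label, evaluate(body))
    print("number only, custom rule", evaluate(NUMBER_ONLY, False))
```

The booking-code message is the instructive case: its date counts as corroborating evidence, so only the checksum on the number keeps it from matching, while the number-only message matches only under the evidence-free custom pattern.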
The illustration of credit cards in this article can be extended to other sensitive information rules as well. To see the
complete list of the Microsoft-supplied rules in Exchange, use the Get-ClassificationRuleCollection cmdlet in
Exchange Online PowerShell in the following manner:
$rule_collection = Get-ClassificationRuleCollection
In Exchange Online, you can create DLP policies that contain rules for not only traditional message classifications
and existing mail flow rules (also known as transport rules) but also combine these with rules for sensitive
information found within messages. The existing mail flow rules framework offers rich capabilities to define
messaging policies, covering the entire spectrum of soft to hard controls. Examples include:
Limiting the interaction between recipients and senders, including interactions between departmental
groups inside an organization.
Applying separate policies for communications within and outside of an organization.
Preventing inappropriate content from entering or leaving an organization.
Filtering confidential information.
Tracking or archiving messages that are sent to or received from specific individuals.
Redirecting inbound and outbound messages for inspection before delivery.
Applying disclaimers to messages as they pass through the organization.
Mail flow rules allow you to apply messaging policies to email messages that flow through the mail flow pipeline
in the Transport service on Mailbox servers and on Edge Transport servers. These rules allow system
administrators to enforce messaging policies, help keep messages more secure, help to protect messaging
systems, and help prevent accidental information loss. For more information about mail flow rules, see Mail flow
rules (transport rules) in Exchange Online.
In Microsoft Exchange Server and Exchange Online, you can use data loss prevention (DLP) policy templates as a
starting point for building DLP policies that help you meet your specific regulatory and business policy needs. You
can modify the templates to meet the specific needs of your organization.
Caution
You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results.
Use of these policies does not ensure compliance with any
regulation. After your testing is complete, make the necessary configuration changes in Exchange so the
transmission of information complies with your organization's policies. For example, you might need to configure
TLS with known business partners or add more restrictive mail flow rule (also known as transport rule) actions,
such as adding rights protection to messages that contain a certain type of data.
TEMPLATE | DESCRIPTION
Australia Health Records Act (HRIP Act) | Helps detect the presence of information commonly considered to be subject to the Health Records and Information Privacy (HRIP) act in Australia, like medical account number and tax file number.
Australia Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Australia, like tax file number and driver's license.
Canada Health Information Act (HIA) | Helps detect the presence of information subject to Canada Health Information Act (HIA) for Alberta, including data like passport numbers and health information.
Canada Personal Health Act (PHIPA) - Ontario | Helps detect the presence of information subject to Canada Personal Health Information Protection Act (PHIPA) for Ontario, including data like passport numbers and health information.
Canada Personal Health Information Act (PHIA) - Manitoba | Helps detect the presence of information subject to Canada Personal Health Information Act (PHIA) for Manitoba, including data like health information.
Canada Personal Information Protection Act (PIPA) | Helps detect the presence of information subject to Canada Personal Information Protection Act (PIPA) for British Columbia, including data like passport numbers and health information.
Canada Personal Information Protection Act (PIPEDA) | Helps detect the presence of information subject to Canada Personal Information Protection and Electronic Documents Act (PIPEDA), including data like passport numbers and health information.
Canada Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Canada, like health ID number and social insurance number.
France Data Protection Act | Helps detect the presence of information commonly considered to be subject to the Data Protection Act in France, like the health insurance card number.
France Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in France, including information like passport numbers.
Germany Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Germany, including information like driver's license and passport numbers.
Israel Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Israel, like national ID number.
Japan Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Japan, including information like driver's license and passport numbers.
Japan Protection of Personal Information | Helps detect the presence of information subject to Japan Protection of Personal Information, including data like resident registration numbers.
PCI Data Security Standard (PCI DSS) | Helps detect the presence of information subject to PCI Data Security Standard (PCI DSS), including information like credit card or debit card numbers.
Saudi Arabia - Anti-Cyber Crime Law | Helps detect the presence of information commonly considered to be subject to the Anti-Cyber Crime Law in Saudi Arabia, including international bank account numbers and SWIFT codes.
Saudi Arabia Financial Data | Helps detect the presence of information commonly considered to be financial data in Saudi Arabia, including international bank account numbers and SWIFT codes.
Saudi Arabia Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Saudi Arabia, like national ID number.
U.K. Access to Medical Reports Act | Helps detect the presence of information subject to United Kingdom Access to Medical Reports Act, including data like National Health Service numbers.
U.K. Data Protection Act | Helps detect the presence of information subject to United Kingdom Data Protection Act, including data like national insurance numbers.
U.K. Personal Information Online Code of Practice (PIOCP) | Helps detect the presence of information subject to United Kingdom Personal Information Online Code of Practice, including data like health information.
U.K. Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in United Kingdom, including information like driver's license and passport numbers.
U.K. Privacy and Electronic Communications Regulations | Helps detect the presence of information subject to United Kingdom Privacy and Electronic Communications Regulations, including data like financial information.
U.S. Federal Trade Commission (FTC) Consumer Rules | Helps detect the presence of information subject to U.S. Federal Trade Commission (FTC) Consumer Rules, including data like credit card numbers.
U.S. Gramm-Leach-Bliley Act (GLBA) | Helps detect the presence of information subject to Gramm-Leach-Bliley Act (GLBA), including information like social security numbers or credit card numbers.
U.S. Health Insurance Act (HIPAA) | Helps detect the presence of information subject to United States Health Insurance Portability and Accountability Act (HIPAA), including data like social security numbers and health information.
U.S. Patriot Act | Helps detect the presence of information commonly subject to U.S. Patriot Act, including information like credit card numbers or tax identification numbers.
U.S. Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in the United States, including information like social security numbers or driver's license numbers.
U.S. State Breach Notification Laws | Helps detect the presence of information subject to U.S. State Breach Notification Laws, including data like social security and credit card numbers.
U.S. State Social Security Number Confidentiality Laws | Helps detect the presence of information subject to U.S. State Social Security Number Confidentiality Laws, including data like social security numbers.
In Microsoft Exchange, you can use data loss prevention (DLP) policy templates to help meet the messaging policy
and compliance needs of your organization. These templates contain pre-built sets of rules that can help you
manage message data that is associated with several common legal and regulatory requirements. To see a list of
all the templates supplied by Microsoft, see DLP policy templates supplied in Exchange. Example DLP templates
that are supplied can help you manage:
Gramm-Leach-Bliley Act (GLBA) data
Payment Card Industry Data Security Standard (PCI-DSS)
United States Personally Identifiable Information (U.S. PII)
You can customize any of these DLP templates or use them as-is. DLP policy templates are built on top of mail
flow rules (also known as transport rules) that include new conditions or predicates and actions. DLP policies
support the full range of traditional mail flow rules, and you can add the additional rules after a DLP policy has
been established. For more information about policy templates, see What the DLP policy templates include. To
learn more about mail flow rule capabilities, see Mail flow rules (transport rules) in Exchange Online. Once you
have started enforcing a policy, you can learn about how to observe the results by reviewing the Exchange Online:
DLP policy detection reports
Caution
You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
2. On the Create a new DLP policy from a template page, complete the following fields:
3. Name: Add a name that will distinguish this policy from others.
4. Description: Add an optional description that summarizes this policy.
5. Choose a template: Select the appropriate template to begin creating a new policy.
6. More options: Select the mode or state. The new policy is not fully enabled until you specify that it should
be. The default mode for a policy is test without notifications.
7. Click Save to finish creating the policy.
NOTE
In addition to the rules within a specific template, your organization may have additional expectations or company policies
that apply to regulated data within your messaging environment. Exchange Server makes it easy for you to change the basic
template in order to add actions so that your Exchange messaging environment complies with your own requirements.
You can modify policies by editing the rules within them once the policy has been saved in your Exchange Server
environment. An example rule change might include making specific people exempt from a policy or sending a
notice and blocking message delivery if a message is found to have sensitive content. For more information about
editing policies and rules, see Manage DLP Policies.
You have to navigate to the specific policy's rule set on the Edit DLP policy page and use the tools available on
that page in order to change a DLP policy you have already created in Exchange Server.
Some policies allow the addition of rules that invoke RMS for messages. You must have RMS configured on the
Exchange server before adding the actions to make use of these types of rules.
For any of the DLP policies, you can change the rules, actions, exceptions, enforcement time period or whether
other rules within the policy are enforced and you can add your own custom conditions for each.
A custom data loss prevention (DLP) policy allows you to establish conditions, rules, and actions that can help
meet the specific needs of your organization, and which may not be covered in one of the pre-existing DLP
templates.
The rule conditions that are available to you in a single policy include all the traditional mail flow rules (also
known as transport rules) in addition to the sensitive information types presented in Sensitive Information Types
Inventory. For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.
Caution
You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results. For more information about testing, see Test a mail flow rule.
For additional management tasks related to creating a custom DLP policy, see DLP Procedures (Exchange Server)
or DLP Procedures (Exchange Online).
NOTE
Due to the variances in customer environments and content match requirements, Microsoft Support cannot assist in
providing custom content matching definitions; e.g., defining Custom Classifications and/or Regular Expression patterns
("RegEx"). For custom content matching development, testing, and debugging, Office 365 customers will need to rely upon
internal IT resources, or use an external consulting resource such as Microsoft Consulting Services (MCS). Support engineers
can provide limited support for the feature, but cannot provide assurances that any custom content matching development
will fulfill the customer's requirements or obligations. As an example of the type of support which can be provided, sample
regular expression patterns may be provided for testing purposes. Or support can assist with troubleshooting an existing
RegEx pattern which is not triggering as expected with a single specific content example.
For additional information on the .NET regex engine which is used for processing the text, see
https://docs.microsoft.com/dotnet/standard/base-types/regular-expressions.
Use the EAC to create a custom DLP policy without any existing rules
1. In the EAC, navigate to Compliance management > Data loss prevention. Any existing policies that
you have configured are shown in a list.
2. Click the arrow that is beside the Add icon, and select New custom policy.
IMPORTANT
If you click the Add icon instead of the arrow, you will create a new policy based on a template. For more information
about using templates, see Create a DLP policy from a template.
You can help to prevent your organization's Outlook, Outlook on the web (formerly known as Outlook Web App),
and OWA for Devices email users from inappropriately sending sensitive information by creating data loss
prevention (DLP) policies that include Policy Tip notification messages. Similar to MailTips that were introduced
in Exchange Server 2010, Policy Tip notification messages are displayed to users in Outlook while they are
composing an email message. Policy Tip notification messages only show up if something about the sender's
email message seems to violate a DLP policy that you have in place and that policy includes a rule to notify the
sender when the conditions that you establish are met. Watch this video to learn more.
In order to show Policy Tips to your email senders, your rules must include the Notify the sender with a Policy
Tip action. You can add this in the rules editor from the Exchange admin center. For more information, see
Manage policy tips.
DLP policies do not differentiate between email message attachments, body text, or subject lines while evaluating
messages and the conditions within your policies. For example, if a user creates an email message that includes a
credit card number in the body of the message and then attempts to address the message to a recipient outside
your organization, then a Policy Tip notification message can be shown to that user in Outlook or Outlook Web
App reminding them of your enterprise's expectations for such information. However, this type of notification will
only show up if you have configured a DLP policy that restricts the example actions described; in this case adding
an external email alias to the header of a message with credit card data. There is a great variety of conditions,
actions, and exceptions you can choose from while creating DLP policies. This variety allows you to tailor your
data loss prevention efforts in a way that meets your specific organization's needs.
Any time you use either the notify sender action or an override action within a rule, we recommend that you also
include the condition that the message was sent from within your organization. You can do this by using the
policy rules editor to add the following condition: The sender is located... > inside the organization. Learn
more about changing existing DLP policies at Manage DLP Policies. This is a best practice recommendation
because the notify sender action is applied as part of your company's message creation experience. The senders
referred to by the action are the authors of messages within your company. The user interaction presented by
Policy Tips cannot be acted upon by your users for incoming messages and will be ignored when the sender is
located outside your organization. You can apply DLP policies to scan incoming messages and take a variety of
actions, but when you do this, don't add the notify sender action.
If email senders in your organization who are in the act of composing a message are made aware of your
organizational expectations and standards in real time through Policy Tip notifications, then they are less likely to
violate standards that your organization wants to enforce.
NOTE
Exchange Online: DLP is a premium feature that requires an Exchange Online Plan 2 subscription. For more information,
see Exchange Online Licensing.
Exchange Server: DLP is a premium feature that requires an Exchange Enterprise Client Access License (CAL). For more
information about CALs and server licensing, see Exchange Server Licensing.
If your organization is using Exchange Server 2013 SP1 (or above) or Exchange Online, Policy Tips are available to people
sending mail from Outlook 2013, Outlook Web App, or OWA for Devices. However, if your organization is currently
using Exchange Server 2013 before SP1, Policy Tips are only available to people sending email from Outlook 2013.
Default text for Policy Tips and rule options
You have a range of possible options when you add sender notification rules to DLP policies. When you add a
rule to notify the sender by using the Notify the sender with a Policy Tip action within a DLP policy, you can
choose how restrictive to be. The notification options in the following table are available. For general information
about editing policies, see Manage DLP Policies. For specific information about creating Policy Tips, see Manage
policy tips.
NOTIFICATION RULE | MEANING | DEFAULT POLICY TIP NOTIFICATION MESSAGE THAT OUTLOOK USERS WILL SEE
Notify only | Similar to MailTips, this causes an informative Policy Tip notification message about a policy violation. A sender can prevent this type of tip from showing up by using a Policy Tip options dialog box that can be accessed in Outlook. | This message may contain sensitive content. All recipients must be authorized to receive this content.
Reject message | The message will not be delivered until the condition is no longer present. The sender is provided with an option to indicate that their email message does not contain sensitive content. This is also known as a false-positive override. If the sender indicates this, then Outlook will allow the message to leave the outbox so that the user's report may be audited, but Exchange will block the message from being sent. | This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed.
Reject unless false positive override | The result with this notification rule is similar to the Reject message notification rule. However, if you select this then Exchange will allow the message to be sent to the intended recipient, instead of blocking the message. | Before the sender selects an option to override: This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed. After the sender selects an option override: Your feedback will be submitted to your administrator when the message is sent.
Reject unless silent override | The message will not be delivered until the condition is no longer present or the sender indicates an override. The sender is provided with an option to indicate that they wish to override the policy. | Before the sender selects an option to override: This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed. After the sender selects an option override: You have overridden your organization's policy for sensitive content in this message. Your action will be audited by your organization.
Reject unless explicit override | The result with this notification rule is similar to the Reject unless silent override notification rule, except that in this case when the sender attempts to override the policy, they are required to provide a justification for overriding the policy. | Before the sender selects an option to override: This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed. After the sender selects an option override: You have overridden your organization's policy for sensitive content in this message. Your action will be audited by your organization.

Notify the sender | Your text only appears when a Notify the sender, but allow them to send action is initiated.
Allow the sender to override | Your text only appears when the following actions are initiated: Block the message unless it's a false positive, Block the message, but allow the sender to override and send.
Block the message | Your text only appears when a Block the message action is initiated.
Link to compliance URL | The compliance URL is a link to a web page where you can explain your compliance and override policies. This link is displayed in the Policy Tip when a user clicks the More details link.
Policy Tips are informative notices that are displayed to email senders while they're composing a message. The
purpose of the Policy Tip is to educate users that they might be violating the business practices or policies that you
are enforcing with the data loss prevention (DLP) policies that you have established. The following procedures will
help you begin using Policy Tips. Watch this video to learn more.
NOTE
Only the following conditions can be used:
SentTo (The recipient is)
SentToScope (The recipient is located)
From (The sender is)
FromMemberOf (The sender is a member of)
FromScope (The sender is located)
The following actions can't be used:
RejectMessageReasonText (Reject the message and include an explanation)
RejectMessageEnhancedStatusCode (Reject the message with the enhanced status code of)
DeletedMessage (Delete the message without notifying anyone)
9. In the Choose a mode for this rule list, select whether you want the rule to be enforced. We recommend
testing the rule first.
10. Select Save to finish modifying the rule and save your changes.
How do you know this worked?
To verify that you have successfully created a Policy Tip that will only notify a sender, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select the policy that you expect to contain a notification message.
3. Select Edit and then select Rules.
4. Select the specific rule that you expect to contain a notification message.
5. Confirm that your Notify the sender action appears in the lower portion of the rule summary.
New-PolicyTipConfig -Name en\Reject -Value "This message appears to contain restricted content and will not be delivered."
For more information about DLP cmdlets, see Messaging Policy and Compliance Cmdlets.
Use Exchange Online PowerShell to modify custom Policy Tip notification text
The following example modifies an existing English-language, notify-only Policy Tip. The text of this custom Policy
Tip is changed to "Sending bank account numbers in email is not recommended."
For more information about DLP cmdlets, see Messaging Policy and Compliance Cmdlets.
How do you know this worked?
To verify that you have successfully created custom Policy Tip text, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select Policy Tip settings.
3. Select Refresh.
4. Confirm that your action, locale and text for that locale appear in the list.
Use audit logging to troubleshoot configuration issues by tracking specific changes made by administrators and to
help you meet regulatory, compliance, and litigation requirements. Exchange Online provides two types of audit
logging:
Administrator audit logging records any action, based on an Exchange Online PowerShell cmdlet,
performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of
security-related or compliance-related problems. In Exchange Online, actions performed by Microsoft
administrators and delegated administrators are also recorded.
Mailbox audit logging records when a mailbox is accessed by an administrator, a delegated user, or the
person who owns the mailbox. This can help you determine who has accessed a mailbox and what they've
done.
NOTE
By default, admin audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted. This
setting can't be changed in a cloud-based organization. However, it can be changed in an on-premises
Exchange organization by using the Set-AdminAuditLog cmdlet.
Export mailbox audit logs: When mailbox audit logging is enabled for a mailbox, Microsoft Exchange
stores a record of actions performed on mailbox data by non-owners in the mailbox audit log, which is
stored in a hidden folder in the mailbox being audited. Mailbox audit logging can also be configured to log
owner actions. Entries in this log indicate who accessed the mailbox and when, the actions performed, and
whether the action was successful. When you search for entries in the mailbox audit log and export them,
Microsoft Exchange saves the search results in an XML file and attaches it to an email message. For more
information, see Export mailbox audit logs.
To enable mailbox auditing for all user mailboxes in your organization, run the following commands.
For more information about configuring which actions are logged, see:
Exchange Server: Enable or disable mailbox audit logging for a mailbox
Exchange Online: Enable mailbox auditing in Office 365
Give users access to Auditing reports
By default, administrators can access and run any of the reports on the Auditing page in the EAC. However, other
users, such as a records manager or legal staff, have to be assigned the necessary permissions.
The easiest way to give users access is to add them to the Records Management role group. You can also use
Exchange Online PowerShell to give a user access to the Auditing page in the EAC by assigning the Audit Logs
role to the user.
Add a user to the Records Management role group
1. Go to Permissions > Admin Roles.
2. In the list of role groups, click Records Management, and then click Edit.
3. Under Members, click Add.
4. In the Select Members dialog box, select the user. You can search for a user by typing all or part of a
display name, and then clicking Search. You can also sort the list by clicking the Name or Display
Name column headings.
5. Click Add and then click OK to return to the role group page.
6. Click Save to save the change to the role group.
In the details pane, the user is listed under Members and can access the Auditing page in the EAC, run auditing
reports, and export audit logs.
Assign the Audit Logs role to a user
Run the following command to assign the Audit Logs role to a user.
This enables the user to select Compliance Management > Auditing in the EAC to run any of the reports. The
user can also export the mailbox audit log, and export and view the administrator audit log.
NOTE
To allow a user to run auditing reports but not to export audit logs, use the preceding command to assign the View-Only
Audit Logs role.
When mailbox auditing is enabled for a mailbox, Microsoft Exchange logs information in the mailbox audit log
whenever a user other than the owner accesses the mailbox. Each log entry includes information about who
accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful.
Entries in the mailbox audit log are retained for 90 days by default. You can use the mailbox audit log to determine
if a user other than the owner has accessed a mailbox.
When you export entries from mailbox audit logs, Microsoft Exchange saves the entries in an XML file and
attaches it to an email message sent to the specified recipients.
To enable mailbox audit logging for all user mailboxes in your organization, run the following commands.
$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
2. Run the following command to remove XML from the list of blocked file types in Outlook Web App.
A value of True for the AuditEnabled property verifies that audit logging is enabled.
2. Run the following command to verify that XML attachments are allowed in Outlook Web App.
3. Run the following command to verify that XML attachments are removed from the blocked file list in Outlook
Web App.
Verify that .xml isn't included in the list of blocked file types.
Export the mailbox audit log
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure
Permissions topic.
1. In the Exchange admin center (EAC), go to Compliance Management > Auditing.
2. Click Export mailbox audit logs.
3. Configure the following search criteria for exporting the entries from the mailbox audit log:
Start and end dates: Select the date range for the entries to include in the exported file.
Mailboxes to search audit log for: Select the mailboxes to retrieve audit log entries for.
Type of non-owner access: Select one of the following options to define the type of non-owner access to
retrieve entries for:
All non-owners: Search for access by administrators and delegated users inside your organization, and by
Microsoft datacenter administrators in Exchange Online.
External users: Search for access by Microsoft datacenter administrators.
Administrators and delegated users: Search for access by administrators and delegated users inside
your organization.
Administrators: Search for access by administrators in your organization.
Recipients: Select the users to send the mailbox audit log to.
4. Click Export.
Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a
file named SearchResult.xml, and then attaches the XML file to an email message sent to the recipients that
you specified.
How do you know this worked?
Sign in to the mailbox where the mailbox audit log was sent. If you've successfully exported the audit log, you'll
receive a message sent from Exchange. In Exchange Online, it may take a few days to receive this message. The
mailbox audit log (named SearchResult.xml) will be attached to this message. If you've correctly configured
Outlook Web App to allow XML attachments, you can download the attached XML file.
<Event MailboxGuid="6d4fbdae-e3ae-4530-8d0b-f62a14687939"
Owner="PPLNSL-dom\david50001-1363917750"
LastAccessed="2010-04-30T11:01:55.140625-07:00"
Operation="HardDelete"
OperationResult="Succeeded"
LogonType="Admin"
FolderId="0000000073098C3277988F4CB882F5B82EBF64610100A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000"
FolderPathName="\Recoverable Items\Deletions"
ClientInfoString="Client=OWA;Action=ViaProxy"
ClientIPAddress="10.196.241.168"
InternalLogonType="Owner"
MailboxOwnerUPN="david@contoso.com"
MailboxOwnerSid="S-1-5-21-290112810-296651436-1966561949-1151"
CrossMailboxOperation="false"
LogonUserDN="Administrator"
LogonUserSid="S-1-5-21-290112810-296651436-1966561949-1149">
<SourceItems>
<ItemId="0000000073098C3277988F4CB882F5B82EBF64610700A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000A7C
317F68C24304BBD18ABE1F185E79B00000026BD540"
Subject="Notification of litigation hold"
FolderPathName="\Recoverable Items\Deletions" />
</SourceItems>
</Event>
Useful fields in the mailbox audit log: Here's a description of useful fields in the mailbox audit log. They
can help you identify specific information about each instance of non-owner access of a mailbox.
Field: Description
LastAccessed: The date and time when the mailbox was accessed.
Operation: The action that was performed by the non-owner. For more information, see the "What gets logged in the mailbox audit log?" section in Run a Non-Owner Mailbox Access Report.
FolderPathName: The name of the folder that contained the message that was affected by the non-owner.
Subject: The subject line of the email message that was affected by the non-owner.
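To show how the fields described above can be used for triage, the following added example (not part of the original documentation) parses an exported SearchResult.xml and ranks non-owner actions, treating deletions inside the Recoverable Items folder as the highest priority. The function name Get-MailboxAuditFinding, the severity labels, the `<SearchResults>` root element, and the `<Item Id="...">` child form in the constructed sample are assumptions.

```powershell
# Added example. CONSTRUCTED sample data modeled on the entry shown above; the
# <SearchResults> root and the <Item Id="..."> child element are assumptions.
$sampleXml = @'
<SearchResults>
  <Event LastAccessed="2010-04-30T11:01:55.140625-07:00" Operation="HardDelete"
         OperationResult="Succeeded" LogonType="Admin"
         FolderPathName="\Recoverable Items\Deletions"
         ClientInfoString="Client=OWA;Action=ViaProxy" ClientIPAddress="10.0.0.10"
         MailboxOwnerUPN="david@contoso.com" LogonUserDN="Administrator">
    <SourceItems>
      <Item Id="CONSTRUCTED-ID-1" Subject="Notification of litigation hold"
            FolderPathName="\Recoverable Items\Deletions" />
    </SourceItems>
  </Event>
  <Event LastAccessed="2010-04-30T11:05:12-07:00" Operation="SoftDelete"
         OperationResult="Succeeded" LogonType="Delegate" FolderPathName="\Inbox"
         ClientInfoString="Client=OWA" ClientIPAddress="10.0.0.11"
         MailboxOwnerUPN="david@contoso.com" LogonUserDN="kima">
    <SourceItems>
      <Item Id="CONSTRUCTED-ID-2" Subject="Q3 forecast" FolderPathName="\Inbox" />
    </SourceItems>
  </Event>
  <Event LastAccessed="2010-04-30T11:09:40-07:00" Operation="FolderBind"
         OperationResult="Succeeded" LogonType="Delegate" FolderPathName="\Calendar"
         ClientInfoString="Client=MSExchangeRPC" ClientIPAddress="10.0.0.11"
         MailboxOwnerUPN="david@contoso.com" LogonUserDN="kima" />
</SearchResults>
'@

function Get-MailboxAuditFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [xml] $AuditXml,
        # Operations treated as destructive for triage (adjust to your policy).
        [string[]] $DestructiveOperations = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems'),
        # Also emit entries that did not match a destructive operation.
        [switch] $IncludeAll
    )
    foreach ($entry in $AuditXml.SelectNodes('//Event')) {
        $operation     = $entry.GetAttribute('Operation')
        $folder        = $entry.GetAttribute('FolderPathName')
        $destructive   = $DestructiveOperations -contains $operation
        $inRecoverable = $folder -like '\Recoverable Items*'

        # Deleting from Recoverable Items removes the copy kept for recovery and
        # eDiscovery, so it ranks above an ordinary delete.
        if ($destructive -and $inRecoverable) { $severity = 'High' }
        elseif ($destructive)                 { $severity = 'Medium' }
        else                                  { $severity = 'Info' }
        if ($severity -eq 'Info' -and -not $IncludeAll) { continue }

        # Tolerate a missing or malformed timestamp instead of aborting the run.
        $when = [DateTimeOffset]::MinValue
        [void][DateTimeOffset]::TryParse($entry.GetAttribute('LastAccessed'), [ref]$when)

        # Child element names are not relied on; every child of SourceItems is read.
        $subjects = @($entry.SelectNodes('SourceItems/*') |
            ForEach-Object { $_.GetAttribute('Subject') })

        [pscustomobject]@{
            Severity  = $severity
            WhenUtc   = $when.UtcDateTime
            Mailbox   = $entry.GetAttribute('MailboxOwnerUPN')
            Actor     = $entry.GetAttribute('LogonUserDN')
            LogonType = $entry.GetAttribute('LogonType')
            Operation = $operation
            Result    = $entry.GetAttribute('OperationResult')
            Folder    = $folder
            Subjects  = $subjects -join '; '
            ClientIP  = $entry.GetAttribute('ClientIPAddress')
            Client    = $entry.GetAttribute('ClientInfoString')
        }
    }
}

# For a real export: Get-MailboxAuditFinding -AuditXml (Get-Content -Raw .\SearchResult.xml)
Get-MailboxAuditFinding -AuditXml $sampleXml |
    Sort-Object Severity, WhenUtc |
    Format-Table Severity, WhenUtc, Mailbox, Actor, LogonType, Operation, Folder, Subjects -AutoSize
```

With the constructed sample, the Admin HardDelete in \Recoverable Items\Deletions is reported as High, the delegate SoftDelete in \Inbox as Medium, and the FolderBind entry is omitted unless -IncludeAll is specified.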
Run a non-owner mailbox access report
3/4/2019 • 5 minutes to read
The Non-Owner Mailbox Access Report in the Exchange admin center (EAC) lists the mailboxes that have been
accessed by someone other than the person who owns the mailbox. When a mailbox is accessed by a non-owner,
Microsoft Exchange logs information about this action in a mailbox audit log that's stored as an email message in a
hidden folder in the mailbox being audited. Entries from this log are displayed as search results and include a list of
mailboxes accessed by a non-owner, who accessed the mailbox and when, the actions performed by the non-owner,
and whether the action was successful. By default, entries in the mailbox audit log are retained for 90 days.
When you enable mailbox audit logging for a mailbox, Microsoft Exchange logs specific actions by non-owners,
including both administrators and users, called delegated users, who have been assigned permissions to a mailbox.
You can also narrow the search to users inside or outside your organization.
For example, to enable mailbox auditing for a user named Florence Flipo, run the following command.
To enable mailbox auditing for all user mailboxes in your organization, run the following commands.
A value of True for the AuditEnabled property verifies that audit logging is enabled.
TIP
Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click
Search to re-run the report.
NOTE
An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegated user.
NOTE
* Audited by default if auditing is enabled for a mailbox.
Run a per-mailbox litigation hold report
3/4/2019 • 2 minutes to read
If your organization is involved in a legal action, you may have to take steps to preserve relevant data, such as
email messages, that may be used as evidence. In situations like this, you can use litigation hold to retain all email
sent and received by specific people or retain all email sent and received in your organization for a specific time
period. For more information about what happens when a mailbox is on litigation hold and how to enable and
disable it, see the "Mailbox Features" section in Manage user mailboxes.
Use the litigation hold report to keep track of the following types of changes made to a mailbox in a given time
period:
Litigation hold was enabled.
Litigation hold was disabled.
For each of these change types, the report includes the user who made the change and the time and date the
change was made.
TIP
Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click
Search to re-run the report.
NOTE
When a mailbox is put on litigation hold, it can take up to 60 minutes for the hold to take effect.
Search the role group changes or administrator audit logs in Exchange Online
3/4/2019 • 7 minutes to read
You can search the administrator audit logs to discover who made changes to the organization and recipient
configuration. This can be helpful when you're trying to track the cause of unexpected behavior, to identify a
malicious administrator, or to verify that compliance requirements are being met. For more information about
administrator audit logging, see Administrator audit logging.
If you want to search the mailbox audit log, see Mailbox Audit Logging.
TIP
In Exchange Online, you can use the EAC to view entries in the administrator audit log. For more information, see View the
administrator audit log.
Use the EAC to run the management role group changes report
If you want to know what changes have been made to the membership of management role groups in
your organization, you can use the Administrator Role Group report in the Exchange admin center (EAC). Using
the Administrator Role Group report, you can view a list of role groups that have changed during a specified date
range. You can also select the specific role groups you want to view changes for.
1. In the EAC, select Compliance management > Auditing, and then click Run an administrator role
group report.
2. Select a date range using the Start date and End date fields.
3. Click Select role groups, and then select the role groups you want to show changes for or leave this field
blank to search for changes in all role groups.
4. Click Search.
If any changes are found using the criteria you specified, a list of changes will be displayed in the results pane.
Clicking a role group displays the changes to the role group in the details pane.
NOTE
By default, Outlook on the web (formerly known as Outlook Web App) doesn't allow you to open XML attachments. You can
either configure Outlook on the web to allow XML attachments to be viewed, or you can use another email client to view
the attachment (for example, Microsoft Outlook). For information about how to configure Outlook on the web to allow you
to view XML attachments, see View or configure Outlook on the web mailbox policy properties in Exchange Online.
1. In the EAC, select Compliance management > Auditing, and then click Export the administrator
audit log.
2. Select a date range using the Start date and End date fields.
3. In the Send the auditing report to field, click Select users and then select the recipient you want to send
the report to.
4. Click Export.
If any log entries are found using the criteria you specified, an XML file will be created and sent as an email
attachment to the recipient you specified.
NOTE
The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to
specify up to 250,000 log entries. Or, use the value Unlimited to return all entries.
This example performs a search for all audit log entries with the following criteria:
Start date: 08/04/2018
End date: 10/03/2018
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize,
MaxReceiveSize
This example searches for changes made to a specific mailbox. This is useful if you're troubleshooting or you need
to provide information for an investigation. The following criteria are used:
Start date: 05/01/2018
End date: 10/03/2018
Object ID: contoso.com/Users/DavidS
If your searches return many log entries, we recommend that you use the procedure provided in Use Exchange
Online PowerShell to search for audit log entries and send results to a recipient later in this topic. The
procedure in that section sends an XML file as an email attachment to the recipients you specify, enabling you to
more easily extract the data you're interested in.
For detailed syntax and parameter information, see Search-AdminAuditLog.
View details of audit log entries
The Search-AdminAuditLog cmdlet returns the fields described in the "Audit log contents" section of
Administrator audit logging. Of the fields returned by the cmdlet, two fields, CmdletParameters and
ModifiedProperties, contain additional information that isn't viewable by default.
To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps. Or, you
can use the procedure in Use Exchange Online PowerShell to search for audit log entries and send results
to a recipient later in this topic to create an XML file.
This procedure uses the following concepts:
Arrays
User-Defined Variables
1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in
a variable using the following command.
2. Each audit log entry is stored as an array element in the variable $Results . You can select an array element
by specifying its array element index. Array element indexes start at zero (0) for the first array element. For
example, to retrieve the 5th array element, which has an index of 4, use the following command.
$Results[4]
3. The previous command returns the log entry stored in array element 4. To see the contents of the
CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.
$Results[4].CmdletParameters
$Results[4].ModifiedProperties
4. To view the contents of the CmdletParameters or ModifiedProperties fields in another log entry,
change the array element index.
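The procedure above inspects one array element at a time. The following added example (not part of the original documentation) flattens CmdletParameters and ModifiedProperties for every entry in $Results into one row per parameter, so quota changes such as those in the earlier search can be reviewed together. The function name Expand-AdminAuditEntry is hypothetical, and the $Results objects are constructed stand-ins shaped like Search-AdminAuditLog output.

```powershell
# Added example. CONSTRUCTED stand-ins for Search-AdminAuditLog output so the
# block runs without a tenant connection. In a connected Exchange Online
# PowerShell session, fill $Results from the search described above instead:
#   $Results = Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate 08/04/2018 `
#       -EndDate 10/03/2018 -UserIds davids,chrisd,kima
$Results = @(
    [pscustomobject]@{
        RunDate = [datetime]'2018-09-12 14:03'; Caller = 'davids'
        CmdletName = 'Set-Mailbox'; ObjectModified = 'contoso.com/Users/KimA'
        Succeeded = $true
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Identity';          Value = 'kima' }
            [pscustomobject]@{ Name = 'ProhibitSendQuota'; Value = '10 GB' }
        )
        ModifiedProperties = @(
            [pscustomobject]@{ Name = 'ProhibitSendQuota'; OldValue = '2 GB'; NewValue = '10 GB' }
        )
    }
    [pscustomobject]@{
        RunDate = [datetime]'2018-09-20 09:41'; Caller = 'chrisd'
        CmdletName = 'Set-Mailbox'; ObjectModified = 'contoso.com/Users/DavidS'
        Succeeded = $true
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Identity';    Value = 'davids' }
            [pscustomobject]@{ Name = 'MaxSendSize'; Value = '150 MB' }
        )
        ModifiedProperties = $null   # not every entry carries old/new values
    }
)

function Expand-AdminAuditEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        # Optional: only emit rows for these parameter names.
        [string[]] $Parameter = @()
    )
    process {
        # Index ModifiedProperties by name so old and new values sit beside
        # the parameter that produced them.
        $changes = @{}
        foreach ($prop in @($Entry.ModifiedProperties)) {
            if ($null -ne $prop) { $changes[$prop.Name] = $prop }
        }

        foreach ($param in @($Entry.CmdletParameters)) {
            if ($null -eq $param) { continue }
            if ($Parameter.Count -gt 0 -and $Parameter -notcontains $param.Name) { continue }

            $oldValue = $null
            $newValue = $null
            if ($changes.ContainsKey($param.Name)) {
                $oldValue = $changes[$param.Name].OldValue
                $newValue = $changes[$param.Name].NewValue
            }

            [pscustomobject]@{
                RunDate        = $Entry.RunDate
                Caller         = $Entry.Caller
                CmdletName     = $Entry.CmdletName
                ObjectModified = $Entry.ObjectModified
                Succeeded      = $Entry.Succeeded
                Parameter      = $param.Name
                Value          = $param.Value
                OldValue       = $oldValue
                NewValue       = $newValue
            }
        }
    }
}

# The quota-related parameters from the search criteria listed earlier.
$quotaParameters = 'ProhibitSendQuota', 'ProhibitSendReceiveQuota',
                   'IssueWarningQuota', 'MaxSendSize', 'MaxReceiveSize'

$Results | Expand-AdminAuditEntry -Parameter $quotaParameters |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, ObjectModified, Parameter, Value, OldValue, NewValue -AutoSize
```

Against live data, keep in mind that Search-AdminAuditLog returns 1,000 entries by default, so set ResultSize when the date range is wide.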
Use Exchange Online PowerShell to search for audit log entries and send results to a recipient
You can use Exchange Online PowerShell to search for audit log entries that meet the criteria you specify, and then
send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within
15 minutes. For a list of search criteria, see Administrator audit logging.
NOTE
By default, Outlook on the web (formerly known as Outlook Web App) doesn't allow you to open XML attachments. You can
either configure Outlook on the web to allow XML attachments to be viewed, or you can use another email client to view
the attachment (for example, Microsoft Outlook). For information about how to configure Outlook on the web to allow you
to view XML attachments, see View or configure Outlook on the web mailbox policy properties in Exchange Online.
To search the audit log for criteria you specify, use the following syntax.
New-AdminAuditLogSearch -Cmdlets <cmdlet1, cmdlet2, ...> -Parameters <parameter1, parameter2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$true | $false> -StatusMailRecipients <recipient1, recipient2, ...> -Name <string to include in subject>
This example performs a search for all audit log entries with the following criteria:
Start date: 08/04/2018
End date: 10/03/2018
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize,
MaxReceiveSize
The command sends the results to the davids@contoso.com SMTP address with "Mailbox limit changes" included
in the subject line of the message.
For more information about the format of the XML file, see Administrator Audit Log Structure.
For detailed syntax and parameter information, see New-AdminAuditLogSearch.
View the administrator audit log
3/4/2019 • 2 minutes to read
In Exchange Online, you can use the Exchange admin center (EAC) to search for and view entries in the
administrator audit log. The administrator audit log records specific actions, based on Exchange Online PowerShell
cmdlets, performed by administrators and users who have been assigned administrative privileges. Entries in the
administrator audit log provide you with information about what cmdlet was run, which parameters were used,
who ran the cmdlet, and what objects were affected.
NOTE
Administrator audit logging is enabled by default.
The administrator audit log doesn't record any action that's based on an Exchange Online PowerShell cmdlet that begins with the verbs Get, Search, or Test.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.
In Exchange Server, you can enable administrator audit logging if it's disabled by running the following
command.
In Exchange Online Protection and Exchange Online, administrator audit logging is always enabled. It can't
be disabled.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
NOTE
When a change is made in your organization, it may take up to 15 minutes to appear in audit log search results. If a change
doesn't appear in the administrator audit log, wait a few minutes and run the search again.
View and export the external admin audit log
3/4/2019 • 5 minutes to read
In Exchange Online, actions performed by Microsoft and delegated administrators are logged in the administrator
audit log. You can use the EAC or Exchange Online PowerShell to search for and view audit log entries to
determine if external administrators performed any actions on or changed the configuration of your Exchange
Online organization. You can also use Exchange Online PowerShell to export these audit log entries.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
Use the EAC to view the external admin audit log report
Estimated time to complete: 3 minutes
1. Go to Compliance management > Auditing and click View the external admin audit log report. All
configuration changes made by Microsoft datacenter administrators and delegated administrators during the
specified time period are displayed, and can be sorted, using the following information:
Date: The date and time that the configuration change was made. The date and time are stored in
Coordinated Universal Time (UTC) format.
Cmdlet: The name of the cmdlet that was used to make the configuration change.
If you select an individual search result, the following information is displayed in the details pane:
The date and time that the cmdlet was run.
The user who ran the cmdlet. For all entries in the external admin audit log report, the user is identified as
Administrator, which indicates a Microsoft datacenter administrator or an external administrator.
The cmdlet parameters that were used, and any value specified with the parameter, in the format
Parameter:Value.
2. If you want to print a specific audit log entry, select it in the search results pane and then click Print in the
details pane.
3. To narrow the search, choose dates in the Start date and End date drop-down menus, and then click
Search.
This command returns entries in the administrator audit log for cmdlets run by external administrators between
September 17, 2013 and October 2, 2013.
To verify that the command to export the admin audit log entries performed by external administrators was
successful, and to display information about current administrator audit log searches, run the following command:
Get-AuditLogSearch | Format-List
More information
In Office 365, you can delegate the ability to perform certain administrative tasks to an authorized partner
of Microsoft. These admin tasks include creating or editing users, resetting user passwords, managing user
licenses, managing domains, and assigning admin permissions to other users in your organization. When
you authorize a partner to take on this role, the partner is referred to as a delegated admin. The tasks
performed by a delegated admin are logged in the admin audit log. As previously described, actions
performed by delegated admins can be viewed by running the external admin audit log report or exported
by using the New-AdminAuditLogSearch cmdlet with the ExternalAccess parameter.
The administrator audit log records specific actions, based on Exchange Online PowerShell cmdlets,
performed by administrators and users who have been assigned administrative privileges. Actions
performed by external administrators are also logged. Entries in the admin audit log provide you with
information about the cmdlet that was run, which parameters were used, and what objects were affected.
The administrator audit log doesn't record any action that is based on an Exchange Online PowerShell
cmdlet that begins with the verbs Get, Search, or Test.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.
Messaging records management
3/4/2019 • 7 minutes to read
Users send and receive email every day. If left unmanaged, the volume of email generated and received each day
can inundate users, impact user productivity, and expose your organization to risks. As a result, email lifecycle
management is a critical component for most organizations.
Messaging records management (MRM) is the records management technology in Exchange Server and Exchange
Online that helps organizations manage email lifecycle and reduce the legal risks associated with email. Deploying
MRM can help your organization in several ways:
Meet business requirements: Depending on your organization's messaging policies, you may need to
retain important email messages for a certain period. For example, a user's mailbox may contain critical
messages related to business strategy, transactions, product development, or customer interactions.
Meet legal and regulatory requirements: Many organizations have a legal or regulatory requirement to
store messages for a designated period and remove messages older than that period. Storing messages
longer than necessary may increase your organization's legal or financial risks.
Increase user productivity: If left unmanaged, the ever-increasing volume of email in your users'
mailboxes can also impact their productivity. For example, although newsletter subscriptions and automated
notifications may have informational value when they're received, users may not remove them after reading
(often they're never read). Many of these types of messages don't have a retention value beyond a few days.
Using MRM to remove such messages can help reduce information clutter in users' mailboxes, thereby
increasing productivity.
Improve storage management: Due to expectations driven by free consumer email services, many users
keep old messages for a long period or never remove them. Maintaining large mailboxes is increasingly
becoming a standard practice, and users shouldn't be forced to change their work habits based on restrictive
mailbox quotas. However, retaining messages beyond the period that's necessary for business, legal, or
regulatory reasons also increases storage costs.
MRM provides the flexibility to implement the records management policy that best meets your organization's
requirements. With a good understanding of MRM, In-Place Archiving, and In-Place Hold, you can help meet your
goals of managing mailbox storage and meeting regulatory retention requirements.
Looking for management tasks related to MRM? See Messaging Records Management Procedures.
NOTE
In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If you
assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved to the
archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold, an
archive policy will still move items to the cloud-based archive mailbox where they are preserved for the duration specified by
the hold.
Remove messages based on folder location: In this strategy, you implement MRM policies based on email
location. For example, you can specify that messages in the Inbox are retained for one year and messages in the
Junk Email folder are retained for 60 days. You can implement this policy by using a combination of retention
policy tags (RPTs) for each default folder you want to configure and a DPT for the entire mailbox. The DPT applies
to all custom folders and all default folders that don't have an RPT applied.
NOTE
In Exchange Server, you can create RPTs for the Calendar and Tasks folders. If you don't want items in these folders or other
default folders to expire, you can create a disabled retention tag for that default folder.
Allow users to classify messages: In this strategy, you implement MRM policies that include a baseline retention
setting for all messages but allow users to classify messages based on business or regulatory requirements. In this
case, users become an important part of your records management strategy - often they have the best
understanding of a message's retention value.
Users can apply different retention settings to messages that need to be retained for a longer or shorter period.
You can implement this policy using a combination of the following:
A DPT for the mailbox
Personal tags that users can apply to custom folders or individual messages
(Optional) Additional RPTs to expire items in specific default folders
For example, you can use a retention policy with personal tags that have a shorter retention period (such as two
days, one week, or one month), as well as personal tags that have a longer retention period (such as one, two, or
five years). Users can apply personal tags with the shorter retention periods for items such as newsletter
subscriptions that may lose their value within days of receiving them, and apply the tags with longer periods to
preserve items that have a high business value. They can also automate the process by using Inbox rules in
Outlook to apply a personal tag to messages that match rule conditions.
Retain messages for eDiscovery purposes: In this strategy, you implement MRM policies that remove
messages from mailboxes after a specified period but also retain them in the Recoverable Items folder for In-Place
eDiscovery purposes, even if the messages were deleted by the user or another process.
You can meet this requirement by using a combination of retention policies and In-Place Hold and Litigation Hold
or Litigation Hold. Retention policies remove messages from the mailbox after the specified period. A time-based
In-Place Hold or Litigation Hold preserves messages that were deleted or modified before that period. For
example, to retain messages for seven years, you can create a retention policy with a DPT that deletes messages in
seven years and Litigation Hold to hold messages for seven years. Messages that aren't removed by users will be
deleted after seven years; messages deleted by users before the seven year period will be retained in the
Recoverable Items folder for seven years. To learn more about this folder, see Recoverable Items Folder.
Optionally, you can use RPTs and personal tags to allow users to clean up their mailboxes. However, In-Place Hold
and Litigation Hold continue to retain the deleted messages until the hold period expires.
NOTE
A time-based In-Place Hold or Litigation Hold is similar to what was informally referred to as a rolling legal hold in Exchange
2010. Rolling legal hold was implemented by configuring the deleted item retention period for a mailbox database or
individual mailbox. However, deleted item retention retains deleted and modified items based on the date deleted. In-Place
Hold and Litigation Hold preserve items based on the date they're received or created. This ensures that messages are
preserved for at least the specified period.
In Microsoft Exchange Server and Exchange Online, Messaging records management (MRM) helps
organizations to manage email lifecycle and reduce legal risks associated with e-mail and other communications.
MRM makes it easier to keep messages needed to comply with company policy, government regulations, or legal
needs, and to remove content that has no legal or business value.
| Type of retention tag | Applied... | Applied by... | Available actions... | Details |
|---|---|---|---|---|
| Default policy tag (DPT) | Automatically to entire mailbox. A DPT applies to untagged items, which are mailbox items that don't have a retention tag applied directly or by inheritance from the folder. | Administrator | Move to archive; Delete and allow recovery; Permanently delete | Users can't change DPTs applied to a mailbox. |
| Retention policy tag (RPT) | Automatically to a default folder. Default folders are folders created automatically in all mailboxes, for example: Inbox, Deleted Items, and Sent Items. See the list of supported default folders in Default folders that support Retention Policy Tags. | Administrator | Delete and allow recovery; Permanently delete | Users can't change the RPT applied to a default folder. |
| Personal tag | Manually to items and folders. Users can automate tagging by using Inbox rules to either move a message to a folder that has a particular tag or to apply a personal tag to the message. | Users | Move to archive; Delete and allow recovery; Permanently delete | Personal tags allow your users to determine how long an item should be retained. For example, the mailbox can have a DPT to delete items in seven years, but a user can create an exception for items such as newsletters and automated notifications by applying a personal tag to delete them in three days. |
NOTE
Users can apply archive policies to default folders, user-created folders or subfolders, and individual items. Users can apply
a retention policy to user-created folders or subfolders and individual items (including subfolders and items in a default
folder), but not to default folders.
Users can also use the Exchange admin center (EAC) to select additional personal tags that aren't linked to their
retention policy. The selected tags then become available in Outlook 2010 and Outlook Web App. To enable
users to select additional tags from the EAC, you must add the MyRetentionPolicies Role to the user's role
assignment policy. To learn more about role assignment policies for users, see Understanding Management Role
Assignment Policies. If you allow users to select additional personal tags, all personal tags in your Exchange
organization become available to them.
NOTE
Personal tags are a premium feature. Mailboxes with policies that contain these tags (or as a result of users adding the tags
to their mailbox) require an Exchange Enterprise client access license (CAL).
Retention age
When you enable a retention tag, you must specify a retention age for the tag. This age indicates the number of
days to retain a message after it arrives in the user's mailbox.
The retention age for non-recurring items (such as email messages) is calculated differently than items that have
an end date or recurring items (such as meetings and tasks). To learn how retention age is calculated for different
types of items, see How retention age is calculated.
You can also create retention tags with retention disabled or disable tags after they're created. Because messages
that have a disabled tag applied aren't processed, no retention action is taken. As a result, users can use a
disabled personal tag as a Never Move tag or a Never Delete tag to override a DPT or RPT that would
otherwise apply to the message.
Retention actions
When creating or configuring a retention tag, you can select one of the following retention actions to be taken
when an item reaches its retention age:
| Retention action | Action taken | Except... |
|---|---|---|
| Move to Archive¹ | Moves the message to the user's archive mailbox. Only available for DPTs and personal tags. For details about archiving, see: In-Place Archiving; Archive Mailboxes in Exchange Online. | If the user doesn't have an archive mailbox, no action is taken. |
| Delete and Allow Recovery | Emulates the behavior when the user empties the Deleted Items folder. Items are moved to the Recoverable Items Folder in the mailbox and preserved until the deleted item retention period. Provides the user a second chance to recover the item using the Recover Deleted Items dialog box in Outlook or Outlook Web App. | If you've set the deleted item retention period to zero days, items are permanently deleted. For details, see Change how long permanently deleted items are kept for an Exchange Online mailbox. |
NOTE
1 In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If
you assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved
to the archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold,
an archive policy will still move items to the cloud-based archive mailbox where they are preserved for the duration
specified by the hold.
For details about how to create retention tags, see Create a Retention Policy.
Retention policies
To apply one or more retention tags to a mailbox, you must add them to a retention policy and then apply the
policy to mailboxes. A mailbox can't have more than one retention policy. Retention tags can be linked to or
unlinked from a retention policy at any time, and the changes automatically take effect for all mailboxes that have
the policy applied.
A retention policy can have the following retention tags:
| Retention tag type | Tags in a policy |
|---|---|
| Default policy tag (DPT) | One DPT with the Move to Archive action; one DPT with the Delete and Allow Recovery or Permanently Delete actions; one DPT for voice mail messages with the Delete and Allow Recovery or Permanently Delete action |
| Retention policy tags (RPTs) | One RPT for each supported default folder. Note: You can't link more than one RPT for a particular default folder (such as Deleted Items) to the same retention policy. |
NOTE
Although a retention policy doesn't need to have any retention tags linked to it, we don't recommend using this scenario. If
mailboxes with retention policies don't have retention tags linked to them, this may cause mailbox items to never expire.
A retention policy can contain both archive tags (tags that move items to the personal archive mailbox) and
deletion tags (tags that delete items). A mailbox item can also have both types of tags applied. Archive mailboxes
don't have a separate retention policy. The same retention policy is applied to the primary and archive mailbox.
When planning to create retention policies, you must consider whether they'll include both archive and deletion
tags. As mentioned earlier, a retention policy can have one DPT that uses the Move to Archive action and one
DPT that uses either the Delete and Allow Recovery or Permanently Delete action. The DPT with the Move
to Archive action must have a lower retention age than the DPT with a deletion action. For example, you can use
a DPT with the Move to Archive action to move items to the archive mailbox in two years, and a DPT with a
deletion action to remove items from the mailbox in seven years. Items in both primary and archive mailboxes
will be deleted after seven years.
For a list of management tasks related to retention policies, see Messaging Records Management Procedures.
Default retention policy
Exchange Setup creates the retention policy Default MRM Policy. The Default MRM Policy is applied
automatically to new mailboxes in Exchange Online. In Exchange Server, the policy is applied automatically if you
create an archive for the new user and don't specify a retention policy.
You can modify tags included in the Default MRM Policy, for example by changing the retention age or retention
action, disable a tag or modify the policy by adding or removing tags from it. The updated policy is applied to
mailboxes the next time they're processed by the Managed Folder Assistant.
For more details, including a list of retention tags linked to the policy, see Default Retention Policy in Exchange
Online and Exchange Server.
NOTE
The Managed Folder Assistant doesn't take any action on messages that aren't subject to retention, specified by disabling
the retention tag. You can also disable a retention tag to temporarily suspend items with that tag from being processed.
NOTE
The retention period for a disabled retention tag is displayed to the user as Never. If a user tags an item believing it will
never be deleted, enabling the tag later may result in unintentional deletion of items the user didn't want to delete. The
same is true for tags with the Move to Archive action.
Retention hold
When users are temporarily away from work and don't have access to their e-mail, retention settings can be
applied to new messages before they return to work or access their e-mail. Depending on the retention policy,
messages may be deleted or moved to the user's personal archive. You can temporarily suspend retention
policies from processing a mailbox for a specified period by placing the mailbox on retention hold. When you
place a mailbox on retention hold, you can also specify a retention comment that informs the mailbox user (or
another user authorized to access the mailbox) about the retention hold, including when the hold is scheduled to
begin and end. Retention comments are displayed in supported Outlook clients. You can also localize the
retention hold comment in the user's preferred language.
NOTE
Placing a mailbox on retention hold doesn't affect how mailbox storage quotas are processed. Depending on the mailbox
usage and applicable mailbox quotas, consider temporarily increasing the mailbox storage quota for users when they're on
vacation or don't have access to e-mail for an extended period. For more information about mailbox storage quotas, see
Configure Storage Quotas for a Mailbox.
During long absences from work, users may accrue a large amount of e-mail. Depending on the volume of
e-mail and the length of absence, it may take these users several weeks to sort through their messages. In these
cases, consider the additional time it may take the users to catch up on their mail before removing them from
retention hold.
If your organization has never implemented MRM, and your users aren't familiar with its features, you can also
use retention holds during the initial warm up and training phase of your MRM deployment. You can create and
deploy retention policies and educate users about the policies without the risk of having items moved or deleted
before users can tag them. A few days before the warm up and training period ends, you should remind users of
the warm-up deadline. After the deadline, you can remove the retention hold from user mailboxes, allowing the
Managed Folder Assistant to process mailbox items and take the specified retention action.
For details about how to place a mailbox on retention hold, see Place a mailbox on retention hold.
Default Retention Policy in Exchange Online and
Exchange Server
3/29/2019 • 2 minutes to read
Exchange creates the retention policy Default MRM Policy in your Exchange Online and on-premises Exchange
organization. The policy is automatically applied to new users in Exchange Online. In on-premises organizations,
the policy is applied when you create an archive for the mailbox. You can change the retention policy applied to a
user at any time.
You can modify tags included in the Default MRM Policy, for example by changing the retention age or retention
actions, disable a tag, or modify the policy by adding or removing tags from it. The updated policy is applied to
mailboxes the next time they're processed by the Managed Folder Assistant.

| Name | Type | Retention age (in days) | Retention action |
|---|---|---|---|
| Default 2 years move to archive | Default Policy Tag (DPT) | 730 | Move to Archive |
| Never Delete | Personal tag | Not applicable | Delete and Allow Recovery |

| You can... | In Exchange Online | In on-premises Exchange |
|---|---|---|
| Apply the Default MRM Policy automatically to new users | Yes, applied by default. No action is required. | Yes, applied by default if you also create an archive for the new user. If you create an archive for the user later, the policy is applied automatically only if the user doesn't have an existing Retention Policy. |
More information
- A Retention Tag can be linked to more than one Retention Policy. For details about managing Retention tags and retention policies, see Messaging Records Management Procedures.
- The Default MRM Policy doesn't include a DPT to automatically delete items (but it does contain personal tags with the delete retention action that users can apply to mailbox items). If you want to automatically delete items after a specified period, you can create a DPT with the required delete action and add it to the policy. For details, see Create a Retention Policy and Add retention tags to or remove retention tags from a retention policy.
- Retention policies are applied to mailbox users. The same policy applies to the user's mailbox and archive.
Default folders that support Retention Policy Tags
3/29/2019 • 4 minutes to read
You can use Retention tags and retention policies to manage email lifecycle. Retention Policies contain Retention
Tags, which are settings you can use to specify when a message should be automatically moved to the archive or
when it should be deleted.
A Retention Policy Tag (RPT) is a type of retention tag that you can apply to default folders in a mailbox, such as
Inbox and Deleted Items.
| Folder name | Details |
|---|---|
| Clutter | This folder contains email messages that are low priority. Clutter looks at what you've done in the past to determine the messages you're most likely to ignore. It then moves those messages to the Clutter folder. |
| Deleted Items | This default folder is used to store items deleted from other folders in the mailbox. Outlook and Outlook Web App users can manually empty this folder. Users can also configure Outlook to empty the folder upon closing Outlook. |
| Drafts | This default folder is used to store draft messages that haven't been sent by the user. Outlook Web App also uses this folder to save messages that were sent by the user but not submitted to the Hub Transport server. |
| Journal | This default folder contains actions selected by the user. These actions are automatically recorded by Outlook and placed in a timeline view. |
| Junk E-mail | This default folder is used to save messages marked as junk e-mail by the content filter on an Exchange server or by the anti-spam filter in Outlook. |
| Sent Items | This default folder is used to store messages that have been submitted to a Hub Transport server. |
| Sync Issues | This folder contains synchronization logs. To learn more, see Synchronization error folders. |
| Tasks | This default folder is used to store tasks. To create an RPT for the Tasks folder, you have to use Exchange Online PowerShell. For more information, see New-RetentionPolicyTag. After the RPT for the Tasks folder is created, you can manage it by using the Exchange admin center. |
More Info
- RPTs are retention tags for default folders. You can only select a delete action for RPTs - either delete and allow recovery or permanently delete.
- You can't create an RPT to move messages to the archive. To move old items to archive, you can create a Default Policy Tag (DPT), which applies to the entire mailbox, or Personal Tags, which are displayed in Outlook and Outlook Web App (OWA) as Archive Policies. Your users can apply them to folders or individual messages.
- You can't apply RPTs to the Contacts folder.
- You can only add one RPT for a particular default folder to a Retention Policy. For example, if a retention policy has an Inbox tag, you can't add another RPT of type Inbox to that retention policy.
- To learn how to create RPTs or other types of retention tags and add them to a retention policy, see Create a Retention Policy.
- In Exchange Server and Exchange Online, a DPT also applies to the Calendar and Tasks default folders. This may result in items being deleted or moved to the archive based on the DPT settings. To prevent the DPT settings from deleting items in these folders, create RPTs with retention disabled. To prevent the DPT settings from moving items in a default folder, you can create a disabled Personal Tag with the move to archive action, add it to the retention policy, and then have users apply it to the default folder. For details, see Prevent archiving of items in a default folder in Exchange 2010.
How retention age is calculated
3/29/2019 • 4 minutes to read
The Managed Folder Assistant (MFA) is one of many mailbox assistant processes that runs on mailbox servers. Its
job is to process mailboxes that have a Retention Policy applied, add the Retention Tags included in the policy to
the mailbox, and process items in the mailbox. If the items have a retention tag, the assistant tests the age of those
items. If an item has exceeded its retention age, it takes the specified retention action. Retention actions include
moving an item to the user's archive, deleting the item and allowing recovery, or deleting the item permanently.
See Retention tags and retention policies for more information.
| If the item type is... | And the item is... | The retention age is calculated based on... |
|---|---|---|
| Email message; Document; Fax; Journal item; Meeting request, response, or cancellation; Missed call | Not in the Deleted Items folder | Delivery date or date of creation |
| Email message; Document; Fax; Journal item; Meeting request, response, or cancellation; Missed call | In the Deleted Items folder | Date of delivery or creation unless the item was deleted from a folder that does not have an inherited or implicit retention tag. If an item is in a folder that doesn't have an inherited or implicit retention tag applied, the item isn't processed by the MFA and therefore doesn't have a start date stamped by it. When the user deletes such an item, and the MFA processes it for the first time in the Deleted Items folder, it stamps the current date as the start date. |
| Calendar | Not in the Deleted Items folder | Non-recurring calendar items expire according to their end date. Recurring calendar items expire according to the end date of their last occurrence. Recurring calendar items with no end date don't expire. |
| Calendar | In the Deleted Items folder | A calendar item expires according to its message-received date, if one exists. If a calendar item doesn't have a message-received date, it expires according to its message-creation date. If a calendar item has neither a message-received date nor a message-creation date, it doesn't expire. |
| Task | In the Deleted Items folder | A task expires according to its message-received date, if one exists. If a task doesn't have a message-received date, it expires according to its message-creation date. If a task has neither a message-received date nor a message-creation date, it doesn't expire. |
Examples
| If the user... | The retention tags on folder... | The Managed Folder Assistant... |
|---|---|---|
| Receives a message in the Inbox on 01/26/2013. Deletes the message on 2/27/2013. | Inbox: Delete in 365 days. Deleted Items: Delete in 30 days. | Processes the message in the Inbox on 1/26/2013, stamps it with a start date of 01/26/2013 and an expiration date of 01/26/2014. Processes the message again in the Deleted Items folder on 2/27/2013. It recalculates the expiration date based on the same start date (01/26/2013). Because the item is older than 30 days, it is expired immediately. |
| Receives a message in the Inbox on 01/26/2013. Deletes the message on 2/27/2013. | Inbox: None (inherited or implicit). Deleted Items: Delete in 30 days. | Processes the message in the Deleted Items folder on 02/27/2013 and determines the item doesn't have a start date. It stamps the current date as the start date, and 03/27/2013 as the expiration date. The item is expired on 3/27/2013, which is 30 days after the user deleted or moved it to the Deleted Items folder. |
More Info
- In Exchange Online, the Managed Folder Assistant processes a mailbox once in seven days. This might result in items being expired up to seven days after the expiration date stamped on the item.
- Items in mailboxes placed on Retention Hold aren't processed by the Managed Folder Assistant until the Retention Hold is removed.
- If a mailbox is placed on In-Place Hold or Litigation Hold, expiring items are removed from the Inbox but preserved in the Recoverable Items folder until the mailbox is removed from In-Place Hold and Litigation Hold.
- In hybrid deployments, the same retention tags and retention policies must exist in your on-premises and Exchange Online organizations in order to consistently move and expire items across both organizations. See Export and Import Retention Tags for more information.
Create a Retention Policy
3/4/2019 • 6 minutes to read
In Exchange Online, you can use retention policies to manage email lifecycle. Retention policies are applied by
creating retention tags, adding them to a retention policy, and applying the policy to mailbox users.
For additional management tasks related to retention policies, see Messaging Records Management Procedures.
NOTE
You can't use the EAC to create a DPT to delete voice mail items. For details about how to create a DPT to delete
voice mail items, see Exchange Online PowerShell example below.
Applied automatically to a specific folder: Select this option to create a retention policy tag (RPT) for a
default folder such as Inbox or Deleted Items.
NOTE
You can only create RPTs with the Delete and allow recovery or Permanently delete actions.
Applied by users to items and folders (Personal): Select this option to create personal tags. These tags
allow Outlook and Outlook Web App users to apply archive or deletion settings to a message or folders
that are different from the settings applied to the parent folder or the entire mailbox.
3. The New retention tag page title and options will vary depending on the type of tag you selected. Complete
the following fields:
- Name: Enter a name for the retention tag. The tag name is for display purposes and doesn't have any impact on the folder or item a tag is applied to. Consider that the personal tags you provision for users are available in Outlook and Outlook Web App.
- Apply this tag to the following default folder: This option is available only if you selected Applied automatically to a specific folder.
- Retention action: Select one of the following actions to be taken after the item reaches its retention period:
  - Delete and Allow Recovery: Select this action to delete items but allow users to recover them using the Recover Deleted Items option in Outlook or Outlook Web App. Items are retained until the deleted item retention period configured for the mailbox database or the mailbox user is reached.
  - Permanently Delete: Select this option to permanently delete the item from the mailbox database.
    IMPORTANT
    Mailboxes or items subject to In-Place Hold or litigation hold will be retained and returned in In-Place eDiscovery searches. To learn more, see In-Place Hold and Litigation Hold.
  - Move to Archive: This action is available only if you're creating a DPT or a personal tag. Select this action to move items to the user's In-Place Archive.
- Retention period: Select one of the following options:
  - Never: Select this option to specify that items should never be deleted or moved to the archive.
  - When the item reaches the following age (in days): Select this option and specify the number of days to retain items before they're moved or deleted. The retention age for all supported items except Calendar and Tasks is calculated from the date an item is received or created. Retention age for Calendar and Tasks items is calculated from the end date.
- Comment: Use this optional field to enter any administrative notes or comments. The field isn't displayed to users.
Use Exchange Online PowerShell to create a retention tag
Use the New-RetentionPolicyTag cmdlet to create a retention tag. Different options available in the cmdlet
allow you to create different types of retention tags. Use the Type parameter to create a DPT (All), RPT (specify a
default folder type, such as Inbox) or a personal tag (Personal).
This example creates a DPT to delete all messages in the mailbox after 7 years (2,556 days).
This example creates a DPT to move all messages to the In-Place Archive in 2 years (730 days).
This example creates a DPT to delete voice mail messages after 20 days.
New-RetentionPolicyTag -Name "DPT-Corp-Voicemail" -Type All -MessageClass Voicemail -AgeLimitForRetention 20 -RetentionAction DeleteAndAllowRecovery
This example creates an RPT to permanently delete messages in the Junk EMail folder after 30 days.
NOTE
Although you can add any number of personal tags to a retention policy, having many personal tags with different
retention settings can confuse users. We recommend linking no more than ten personal tags to a retention policy.
You can create a retention policy without adding any retention tags to it, but items in the mailbox to which the
policy is applied won't be moved or deleted. You can also add and remove retention tags from a retention policy
after it's created.
Use Exchange Online PowerShell to create a retention policy
This example creates the retention policy RetentionPolicy-Corp and uses the RetentionPolicyTagLinks parameter
to associate five tags to the policy.
New-RetentionPolicy "RetentionPolicy-Corp" -RetentionPolicyTagLinks "DPT-Corp-Delete","DPT-Corp-Move","DPT-Corp-Voicemail","RPT-Corp-JunkMail","Never Delete"
2. Log on to the mailbox using Outlook or Outlook on the web (formerly known as Outlook Web App) and verify
that messages are deleted or moved to an archive in accordance with the policy configuration.
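The tag and policy steps of this procedure as one script, added here as an example (it is not Microsoft's code). It checks the two linking rules stated earlier (archive DPT age below deletion DPT age, one RPT per default folder) before creating anything, then applies the policy to a single pilot mailbox for review. It assumes a connected Exchange Online PowerShell session; the DeleteAndAllowRecovery action for DPT-Corp-Delete and the pilot mailbox address are assumptions, because the page gives only the tag names and ages.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Tag names and ages come from this page. The action for DPT-Corp-Delete and the
# pilot mailbox address are assumptions.
$PilotMailbox = 'pilot.user@contoso.com'   # placeholder address
$PolicyName   = 'RetentionPolicy-Corp'

$tags = @(
    @{ Name = 'DPT-Corp-Delete';    Type = 'All';       AgeLimitForRetention = 2556; RetentionAction = 'DeleteAndAllowRecovery' }
    @{ Name = 'DPT-Corp-Move';      Type = 'All';       AgeLimitForRetention = 730;  RetentionAction = 'MoveToArchive' }
    @{ Name = 'DPT-Corp-Voicemail'; Type = 'All';       AgeLimitForRetention = 20;   RetentionAction = 'DeleteAndAllowRecovery'; MessageClass = 'Voicemail' }
    @{ Name = 'RPT-Corp-JunkMail';  Type = 'JunkEmail'; AgeLimitForRetention = 30;   RetentionAction = 'PermanentlyDelete' }
)

# Rule 1: at most one archive DPT and one deletion DPT for the whole mailbox,
# and the archive DPT must have the lower retention age.
$mailboxDpts = $tags | Where-Object { $_.Type -eq 'All' -and -not $_.MessageClass }
$archiveDpt  = $mailboxDpts | Where-Object { $_.RetentionAction -eq 'MoveToArchive' }
$deleteDpt   = $mailboxDpts | Where-Object { $_.RetentionAction -ne 'MoveToArchive' }
if (@($archiveDpt).Count -gt 1 -or @($deleteDpt).Count -gt 1) {
    throw 'A policy can hold only one Move to Archive DPT and one deletion DPT.'
}
if ($archiveDpt -and $deleteDpt -and
    $archiveDpt.AgeLimitForRetention -ge $deleteDpt.AgeLimitForRetention) {
    throw 'The Move to Archive DPT must have a lower retention age than the deletion DPT.'
}

# Rule 2: no more than one RPT per default folder.
$dupFolders = $tags |
    Where-Object { $_.Type -notin @('All', 'Personal') } |
    Group-Object -Property { $_.Type } |
    Where-Object { $_.Count -gt 1 }
if ($dupFolders) {
    throw "More than one RPT defined for: $($dupFolders.Name -join ', ')"
}

# Create only the tags that don't exist yet, so the script can be re-run.
foreach ($tag in $tags) {
    if (Get-RetentionPolicyTag -Identity $tag.Name -ErrorAction SilentlyContinue) {
        Write-Host "Tag '$($tag.Name)' already exists, skipping."
    } else {
        New-RetentionPolicyTag @tag | Out-Null
    }
}

# Link the new tags plus the existing 'Never Delete' personal tag.
$links = @($tags | ForEach-Object { $_.Name }) + 'Never Delete'
if (-not (Get-RetentionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy $PolicyName -RetentionPolicyTagLinks $links | Out-Null
}

# Apply to one pilot mailbox first and ask the Managed Folder Assistant to process it.
Set-Mailbox -Identity $PilotMailbox -RetentionPolicy $PolicyName
Start-ManagedFolderAssistant -Identity $PilotMailbox

# Review what is now in effect before rolling the policy out further.
Get-RetentionPolicyTag |
    Where-Object { $_.Name -in $links } |
    Format-Table Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled -AutoSize
Get-Mailbox -Identity $PilotMailbox |
    Format-List Name, RetentionPolicy, RetentionHoldEnabled
```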
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Add retention tags to or remove retention tags from
a retention policy
3/4/2019 • 2 minutes to read
You can add retention tags to a retention policy when the policy is created or any time thereafter. For details about
how to create a retention policy, including how to simultaneously add retention tags, see Create a Retention Policy.
A retention policy can contain the following retention tags:
One or more retention policy tags (RPTs) for supported default folders
One default policy tag (DPT) with the Move to Archive action
One DPT with the Delete and Allow Recovery or the Permanently Delete action
One DPT for voice mail
Any number of personal tags
For more information about retention tags, see Retention tags and retention policies.
If the policy has retention tags linked to it, this command replaces the existing tags.
This example adds the retention tag VPs-DeletedItems to the retention policy RetPolicy-VPs, which already has
other retention tags linked to it.
This example removes the retention tag VPs-Inbox from the retention policy RetPolicy-VPs.
For detailed syntax and parameter information, see Set-RetentionPolicy and Get-RetentionPolicy.
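Because Set-RetentionPolicy replaces the linked tags rather than appending to them, adding or removing a single tag means reading the current list first and writing the full list back. The following is an added example, not code from the original page. The three function names are hypothetical helpers, and it assumes an Exchange Online session in which RetentionPolicyTagLinks is returned as tag names.

```powershell
# Added example. The function names below are hypothetical helpers, not Exchange cmdlets.
# Pitfall being avoided: this call would leave the policy with ONLY VPs-DeletedItems linked.
#   Set-RetentionPolicy 'RetPolicy-VPs' -RetentionPolicyTagLinks 'VPs-DeletedItems'

function Get-TagLinkNames {
    param([Parameter(Mandatory)][string]$Policy)
    # Assumption: Exchange Online returns the links as tag names.
    @((Get-RetentionPolicy -Identity $Policy).RetentionPolicyTagLinks |
        ForEach-Object { "$_" })
}

function Add-RetentionTagLink {
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$Tag
    )
    # Fail early if the tag name is mistyped.
    $null = Get-RetentionPolicyTag -Identity $Tag -ErrorAction Stop

    $before = @(Get-TagLinkNames -Policy $Policy)
    if ($before -contains $Tag) {
        Write-Host "'$Tag' is already linked to '$Policy'."
        return $before
    }

    # Write back the existing links plus the new one.
    Set-RetentionPolicy -Identity $Policy -RetentionPolicyTagLinks ($before + $Tag)

    # Confirm that nothing linked before the change was dropped.
    $now  = @(Get-TagLinkNames -Policy $Policy)
    $lost = @($before | Where-Object { $now -notcontains $_ })
    if ($lost.Count -gt 0) {
        throw "Tags no longer linked to '$Policy': $($lost -join ', ')"
    }
    return $now
}

function Remove-RetentionTagLink {
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$Tag
    )
    $before = @(Get-TagLinkNames -Policy $Policy)
    $after  = @($before | Where-Object { $_ -ne $Tag })

    if ($after.Count -eq $before.Count) {
        Write-Warning "'$Tag' is not linked to '$Policy'; nothing changed."
        return $before
    }
    # A policy with no tags means mailbox items may never expire, so refuse to empty it.
    if ($after.Count -eq 0) {
        throw "Removing '$Tag' would leave '$Policy' with no retention tags."
    }

    Set-RetentionPolicy -Identity $Policy -RetentionPolicyTagLinks $after
    return @(Get-TagLinkNames -Policy $Policy)
}

# The two cases described above, using the page's policy and tag names.
Add-RetentionTagLink    -Policy 'RetPolicy-VPs' -Tag 'VPs-DeletedItems'
Remove-RetentionTagLink -Policy 'RetPolicy-VPs' -Tag 'VPs-Inbox'
```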
You can use retention policies to group one or more retention tags and apply them to mailboxes to enforce
message retention settings. A mailbox can't have more than one retention policy.
Caution
Messages are expired based on settings defined in the retention tags linked to the policy. These settings include
actions such as moving messages to the archive or permanently deleting them. Before applying a retention policy to
one or more mailboxes, we recommend that you test the policy and inspect each retention tag associated with it.
For additional management tasks related to messaging records management (MRM), see Messaging Records
Management Procedures.
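# Resolve the old policy's distinguished name, then move every mailbox that uses it to the new policy.
$OldPolicy = (Get-RetentionPolicy "Old-Retention-Policy").DistinguishedName
Get-Mailbox -Filter "RetentionPolicy -eq '$OldPolicy'" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "New-Retention-Policy"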
This example applies the retention policy RetentionPolicy-Corp to all mailboxes in the Exchange organization.
This example applies the retention policy RetentionPolicy-Finance to all mailboxes in the Finance organizational
unit.
For detailed syntax and parameter information, see Get-Mailbox and Set-Mailbox.
This command retrieves all mailboxes that have the retention policy RP-Finance applied.
Placing a mailbox on retention hold suspends the processing of a retention policy or managed folder mailbox
policy for that mailbox. Retention hold is designed for situations such as a user being on vacation or away
temporarily.
During retention hold, users can log on to their mailbox and change or delete items. When you perform a mailbox
search, deleted items that are past the deleted item retention period aren't returned in search results. To make sure
items changed or deleted by users are preserved in legal hold scenarios, you must place a mailbox on legal hold.
For more information, see Create or remove an In-Place Hold.
You can also include retention comments for mailboxes you place on retention hold. The comments are displayed
in supported versions of Microsoft Outlook.
For additional management tasks related to messaging records management (MRM), see Messaging Records
Management Procedures.
This command retrieves all mailboxes in the Exchange organization, filters the mailboxes that are placed on
retention hold, and lists them along with the retention policy applied to each.
IMPORTANT
Because RetentionHoldEnabled isn't a filterable property in Exchange Server, you can't use the Filter parameter with the Get-
Mailbox cmdlet to filter mailboxes that are placed on retention hold on the server-side. This command retrieves a list of all
mailboxes and filters on the client running Exchange Online PowerShell session. In large environments with thousands of
mailboxes, this command may take a long time to complete.
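An added example (not from the original page) that places one mailbox on retention hold with a comment and dates, then builds the client-side report described above. The report includes LitigationHoldEnabled because retention hold only pauses the Managed Folder Assistant and does not preserve items that users delete. The mailbox address, dates, comment text and the function name Get-RetentionHoldReport are constructed for illustration.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Mailbox, dates and comment are constructed sample values.
$hold = @{
    Identity                  = 'pilot.user@contoso.com'
    RetentionHoldEnabled      = $true
    StartDateForRetentionHold = [datetime]'2025-07-01'
    EndDateForRetentionHold   = [datetime]'2025-07-21'
    RetentionComment          = 'Retention policy processing is paused from 1 July to 21 July 2025 while you are away.'
}
Set-Mailbox @hold

function Get-RetentionHoldReport {
    # RetentionHoldEnabled can't be used with -Filter, so every mailbox is
    # retrieved and filtered on the client. Expect this to be slow in large tenants.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RetentionHoldEnabled } |
        Select-Object Name, RetentionPolicy,
            StartDateForRetentionHold, EndDateForRetentionHold,
            LitigationHoldEnabled,
            @{ Name = 'HoldEndPassed'
               Expression = { [bool]($_.EndDateForRetentionHold -and
                                     $_.EndDateForRetentionHold -lt (Get-Date)) } }
}

# Mailboxes on retention hold, oldest scheduled end date first.
Get-RetentionHoldReport |
    Sort-Object EndDateForRetentionHold |
    Format-Table -AutoSize

# Mailboxes that rely on retention hold alone: items users delete there are not preserved.
Get-RetentionHoldReport |
    Where-Object { -not $_.LitigationHoldEnabled } |
    Format-Table Name, RetentionPolicy, EndDateForRetentionHold -AutoSize

# When the user is back and has caught up, resume retention processing.
Set-Mailbox -Identity 'pilot.user@contoso.com' -RetentionHoldEnabled $false
```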
Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements
by recording inbound and outbound email communications. When planning for messaging retention and
compliance, it's important to understand journaling, how it fits in your organization's compliance policies, and how
Exchange Online helps you secure journaled messages.
IMPORTANT
If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid
destination, the journal report remains in the transport queue on Microsoft datacenter servers. If this happens, Microsoft
datacenter personnel will attempt to contact your organization and ask you to fix the problem so that the journal reports
can be successfully delivered to a journaling mailbox. If you haven't resolved the issue after two days of being contacted,
Microsoft will disable the problematic journaling rule.
If you configure an alternate journaling mailbox, you must monitor the mailbox to make sure that it doesn't
become unavailable at the same time as the journal mailboxes. If the alternate journaling mailbox also becomes
unavailable or rejects journal reports at the same time, the rejected journal reports are lost and can't be retrieved.
Because the alternate journaling mailbox collects all the rejected journal reports for the entire Exchange Online
organization, you must make sure that this doesn't violate any laws or regulations that apply to your organization.
If laws or regulations prohibit your organization from allowing journal reports sent to different journaling
mailboxes from being stored in the same alternate journaling mailbox, you may be unable to configure an
alternate journaling mailbox. Discuss this with your legal representatives to determine whether you can use an
alternate journaling mailbox.
When you configure an alternate journaling mailbox, you should use the same criteria that you used when you
configured the journaling mailbox.
IMPORTANT
The alternate journaling mailbox should be treated as a special dedicated mailbox. Any messages addressed directly to the
alternate journaling mailbox aren't journaled.
Journal reports
A journal report is the message that the Journaling agent generates when a message matches a journal rule and is
to be submitted to the journaling mailbox. The original message that matches the journal rule is included unaltered
as an attachment to the journal report. The body of a journal report contains information from the original
message such as the sender email address, message subject, message-ID, and recipient email addresses. This is
also referred to as envelope journaling, and is the only journaling method supported by Office 365.
Journal reports and IRM-protected messages
When implementing journaling, you must consider journaling reports and IRM-protected messages. IRM-protected
messages will affect the search and discovery capabilities of third-party archiving systems that don't
have RMS support built-in. In Office 365, you can configure Journal Report Decryption to save a clear-text copy of
the message in a journal report.
Troubleshooting
• When a message matches the scope of multiple journal rules, all matching rules will be triggered.
  • If the matching rules are configured with different journal mailboxes, a journal report will be sent to each
    journal mailbox.
  • If the matching rules are all configured with the same journal mailbox, only one journal report is sent to the
    journal mailbox.
• Journaling always identifies messages as internal if the email address in the SMTP MAIL FROM command is in a
  domain that's configured as an accepted domain in Exchange Online. This includes spoofed messages from
  external sources (messages where the X-MS-Exchange-Organization-AuthAs header value is also
  Anonymous). Therefore, journal rules that are scoped to external messages won't be triggered by spoofed
  messages with SMTP MAIL FROM email addresses in accepted domains.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
If you're having trouble with the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in Exchange
Online don't work as expected.
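The scope behavior described in the Troubleshooting list can be checked offline against message metadata. The following PowerShell function is an added example, not part of the original documentation: it models how journaling classifies a sender from the MAIL FROM domain alone and flags messages that also carry an AuthAs value of Anonymous. The function name, the sample messages and the accepted domain list are constructed, and exact domain matching is an assumption.

```powershell
# Added example: local model of the journaling scope decision, no tenant needed.
# Assumption: accepted domains are matched exactly and case-insensitively.
function Get-JournalScopeView {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $MailFrom,         # SMTP MAIL FROM address
        [Parameter(Mandatory)] [string]   $AuthAs,           # X-MS-Exchange-Organization-AuthAs value
        [Parameter(Mandatory)] [string[]] $AcceptedDomains
    )

    $domain     = ($MailFrom.Trim('<', '>', ' ') -split '@')[-1]
    $inAccepted = $AcceptedDomains -contains $domain   # -contains is case-insensitive

    [pscustomobject]@{
        MailFrom             = $MailFrom
        AuthAs               = $AuthAs
        # Journaling looks only at the MAIL FROM domain.
        JournalingSeesSender = if ($inAccepted) { 'Internal' } else { 'External' }
        # Accepted domain plus an anonymous submission: a spoofed message that
        # journal rules scoped to external messages won't be triggered by.
        SpoofedAsInternal    = ($inAccepted -and $AuthAs -eq 'Anonymous')
    }
}

# Constructed sample data.
$accepted = 'contoso.com', 'contoso.onmicrosoft.com'
$samples  = @(
    @{ MailFrom = 'alice@contoso.com'; AuthAs = 'Internal'  }   # genuine internal sender
    @{ MailFrom = 'ceo@Contoso.com';   AuthAs = 'Anonymous' }   # spoofed from outside
    @{ MailFrom = 'bob@fabrikam.com';  AuthAs = 'Anonymous' }   # ordinary external sender
)

$results = foreach ($s in $samples) {
    Get-JournalScopeView @s -AcceptedDomains $accepted
}
$results | Format-Table -AutoSize
```

Only the second sample is reported with SpoofedAsInternal set to True; the third is seen as External and remains in scope for externally scoped journal rules.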
Manage journaling
3/4/2019 • 5 minutes to read
Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by
recording inbound and outbound email communications. For more information about journaling, see Journaling in
Exchange Online.
This topic shows you how to perform basic tasks related to managing journaling in Exchange Server and Exchange
Online.
NOTE
You can also type the display name or alias of a mail user or a mail contact as the journal mailbox. In this case, journal
reports will be sent to the external email address of the mail user or mail contact. But as previously explained, the
external email address of a mail user or mail contact can't be the address of an Exchange Online mailbox.
Get-JournalRule
This example retrieves the journal rule Brokerage Journal Rule, and pipes the output to the Format-List command
to display rule properties in a list format:
If you want to modify the properties of a specific rule, you need to use the Set-JournalRule cmdlet. This example
changes the name of the journal rule JR-Sales to TraderVault. The following rule settings are also changed:
Recipient
JournalEmailAddress
Scope
Get-JournalRule
Journaling allows you to meet your organization's archiving requirements. You can create journal rules and have
messages matching the rule's conditions delivered to the journaling address specified in the rule. For more
information about journaling, see Journaling in Exchange Online.
Here are two things you need to know before you start creating journal rules.
IMPORTANT
If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid
destination, the journal report remains in the transport queue on Microsoft datacenter servers; delivery of queued items is
periodically retried. If this happens, Microsoft datacenter personnel will attempt to contact your organization and ask you to
fix the problem so that the journal reports can be successfully delivered to a journaling mailbox. If you haven't resolved the
issue after two days of being contacted, Microsoft will disable the problematic journaling rule.
The original journal report is an attachment in the NDR. When the journaling mailbox for an undelivered journal
report becomes available again, you can use the Resend this message feature in Outlook on the NDRs in the
alternate journaling mailbox to send the unaltered delivery report to the journaling mailbox.
Mail flow rules (transport rules) in Exchange Online
3/29/2019 • 9 minutes to read
You can use mail flow rules (also known as transport rules) to identify and take action on messages that flow
through your Exchange Online organization. Mail flow rules are similar to the Inbox rules that are available in
Outlook and Outlook on the web. The main difference is mail flow rules take action on messages while they're
in transit, and not after the message is delivered to the mailbox. Mail flow rules contain a richer set of
conditions, exceptions, and actions, which provides you with the flexibility to implement many types of
messaging policies.
This article explains the components of mail flow rules, and how they work.
For steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For each rule, you have the
option of enforcing it, testing it, or testing it and notifying the sender. To learn more about the testing options,
see Test a mail flow rule and Policy Tips.
For summary and detail reports about messages that matched mail flow rules, see Use mail protection reports
in Office 365 to view data about malware, spam, and rule detections.
To implement specific messaging policies by using mail flow rules, see these topics:
Use mail flow rules to inspect message attachments in Office 365
Enable message encryption and decryption in Office 365
Common attachment blocking scenarios for mail flow rules
Organization-wide message disclaimers, signatures, footers, or headers in Office 365
Use mail flow rules so messages can bypass Clutter
Use mail flow rules to route email based on a list of words, phrases, or patterns
Use mail flow rules to set the spam confidence level (SCL) in messages
Create organization-wide safe sender or blocked sender lists in Office 365
Common message approval scenarios
Define rules to encrypt or decrypt email messages
| One condition with multiple values | OR | Some conditions allow you to specify more than one value. The message must match any one (not all) of the specified values. For example, if an email message has the subject Stock price information, and the The subject includes any of these words condition is configured to match the words Contoso or stock, the condition is satisfied because the subject contains at least one of the specified values. |
| Activate this rule on the following date; Deactivate this rule on the following date | ActivationDate; ExpiryDate | Specifies the date range when the rule is active. |
| On check box selected or not selected | New rules: Enabled parameter on the New-TransportRule cmdlet. Existing rules: Use the Enable-TransportRule or Disable-TransportRule cmdlets. | You can create a disabled rule, and enable it when you're ready to test it. Or, you can disable a rule without deleting it to preserve the settings. |
| Defer the message if rule processing doesn't complete | RuleErrorAction | You can specify how the message should be handled if the rule processing can't be completed. By default, the rule will be ignored, but you can choose to resubmit the message for processing. |
| Stop processing more rules | SenderAddressLocation | This is an action for the rule, but it looks like a property in the EAC. You can choose to stop applying additional rules to a message after a rule processes a message. |
| Office 365 Message Encryption: Messages encrypted by Office 365 Message Encryption in Office 365. For more information, see Office 365 Message Encryption. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an encrypted message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption. |
| S/MIME encrypted messages | Rules can only access envelope headers and process messages based on conditions that inspect those headers. |
| RMS protected messages: Messages that had an Active Directory Rights Management Services (AD RMS) or Azure Rights Management (RMS) policy applied. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an RMS protected message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption. |
Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the rule is applied to or not
applied to. For example, if the rule adds a disclaimer to messages, you can configure the rule to only apply to messages that contain
specific words, messages sent by specific users, or to all messages except those sent by the members of a specific distribution group.
Collectively, the conditions and exceptions in mail flow rules are also known as predicates, because for every condition, there's a
corresponding exception that uses the exact same settings and syntax. The only difference is conditions specify messages to include,
while exceptions specify messages to exclude.
Most conditions and exceptions have one property that requires one or more values. For example, the The sender is condition requires
the sender of the message. Some conditions have two properties. For example, the A message header includes any of these words
condition requires one property to specify the message header field, and a second property to specify the text to look for in the header
field. Some conditions or exceptions don't have any properties. For example, the Any attachment has executable content condition
simply looks for attachments in messages that have executable content.
For more information about mail flow rules in Exchange Online, see Mail flow rules (transport rules) in Exchange Online.
For more information about conditions and exceptions in mail flow rules in Exchange Online Protection or Exchange Server, see Mail
flow rule conditions and exceptions (predicates) in Exchange Online Protection or Mail flow rule conditions and exceptions (predicates) in
Exchange Server.
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| The sender is located; The sender > is external/internal | FromScope; ExceptIfFromScope | UserScopeFrom | Messages that are sent by either internal senders or external senders. |
| The sender address includes; The sender > address includes any of these words | FromAddressContainsWords; ExceptIfFromAddressContainsWords | Words | Messages that contain the specified words in the sender's email address. |
| The sender address matches; The sender > address matches any of these text patterns | FromAddressMatchesPatterns; ExceptIfFromAddressMatchesPatterns | Patterns | Messages where the sender's email address contains text patterns that match the specified regular expressions. |
| The sender is on a recipient's list; The sender > is on a recipient's supervision list | SenderInRecipientList; ExceptIfSenderInRecipientList | SupervisionList | Messages where the sender is on the recipient's Allow list or Block list. |
| The sender's specified properties include any of these words; The sender > has specific properties including any of these words | SenderADAttributeContainsWords; ExceptIfSenderADAttributeContainsWords | First property: ADAttribute; Second property: Words | Messages where the specified Active Directory attribute of the sender contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany). |
| The sender's specified properties match these text patterns; The sender > has specific properties matching these text patterns | SenderADAttributeMatchesPatterns; ExceptIfSenderADAttributeMatchesPatterns | First property: ADAttribute; Second property: Patterns | Messages where the specified Active Directory attribute of the sender contains text patterns that match the specified regular expressions. |
| The sender has overridden the Policy Tip; The sender > has overridden the Policy Tip | HasSenderOverride; ExceptIfHasSenderOverride | n/a | Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies, see Data loss prevention. |
| The sender's domain is; The sender > domain is | SenderDomainIs; ExceptIfSenderDomainIs | DomainName | Messages where the domain of the sender's email address matches the specified value. |
Recipients
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| The recipient is located; The recipient > is external/internal | SentToScope; ExceptIfSentToScope | UserScopeTo | Messages that are sent to internal or external recipients. |
| The recipient address includes; The recipient > address includes any of these words | RecipientAddressContainsWords; ExceptIfRecipientAddressContainsWords | Words | Messages that contain the specified words in the recipient's email address. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address. |
| The recipient address matches; The recipient > address matches any of these text patterns | RecipientAddressMatchesPatterns; ExceptIfRecipientAddressMatchesPatterns | Patterns | Messages where a recipient's email address contains text patterns that match the specified regular expressions. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address. |
| The recipient is on the sender's list | RecipientInSenderList; ExceptIfRecipientInSenderList | SupervisionList | Messages where the recipient is on the sender's Allow list or Block list. |
| The recipient's specified properties include any of these words; The recipient > has specific properties including any of these words | RecipientADAttributeContainsWords; ExceptIfRecipientADAttributeContainsWords | First property: ADAttribute; Second property: Words | Messages where the specified Active Directory attribute of a recipient contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany). |
| The recipient's specified properties match these text patterns; The recipient > has specific properties matching these text patterns | RecipientADAttributeMatchesPatterns; ExceptIfRecipientADAttributeMatchesPatterns | First property: ADAttribute; Second property: Patterns | Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions. |
NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME
content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or
exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| The subject or body includes; The subject or body > subject or body includes any of these words | SubjectOrBodyContainsWords; ExceptIfSubjectOrBodyContainsWords | Words | Messages that have the specified words in the Subject field or message body. |
| The subject or body matches; The subject or body > subject or body matches these text patterns | SubjectOrBodyMatchesPatterns; ExceptIfSubjectOrBodyMatchesPatterns | Patterns | Messages where the Subject field or message body contain text patterns that match the specified regular expressions. |
| The subject includes; The subject or body > subject includes any of these words | SubjectContainsWords; ExceptIfSubjectContainsWords | Words | Messages that have the specified words in the Subject field. |
| The subject matches; The subject or body > subject matches these text patterns | SubjectMatchesPatterns; ExceptIfSubjectMatchesPatterns | Patterns | Messages where the Subject field contains text patterns that match the specified regular expressions. |
Attachments
For more information about how mail flow rules inspect message attachments, see Use mail flow rules to inspect message attachments
in Office 365.
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| Any attachment is greater than or equal to; Any attachment > size is greater than or equal to | AttachmentSizeOver; ExceptIfAttachmentSizeOver | Size | Messages where any attachment is greater than or equal to the specified value. In the EAC, you can only specify the size in kilobytes (KB). |
| The message didn't complete scanning; Any attachment > didn't complete scanning | AttachmentProcessingLimitExceeded; ExceptIfAttachmentProcessingLimitExceeded | n/a | Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned. |
| has these properties, including any of these words; Any attachment > has these properties, including any of these words | AttachmentPropertyContainsWords; ExceptIfAttachmentPropertyContainsWords | First property: DocumentProperties; Second property: Words | Messages where the specified property of an attached Office document contains the specified words. This condition helps you integrate mail flow rules with SharePoint, File Classification Infrastructure (FCI) in Windows Server 2012 R2 or later, or a third-party classification system. |
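The "didn't complete scanning" condition is meant for companion rules that catch what content-inspection rules could not examine. The following is an added example, not part of the original documentation: it creates such a rule in test mode, disabled, and then enables and enforces it. The rule name, the reviewer address and the activation date are placeholders, and the cmdlets need a connected Exchange Online PowerShell session.

```powershell
# Added example (not from the original documentation).
# Placeholders (assumptions): rule name, reviewer mailbox, activation date.
$ruleName = 'Hold outbound mail with unscanned attachments'
$reviewer = 'compliance-review@contoso.com'   # hypothetical moderator mailbox

$rule = @{
    Name     = $ruleName
    Comments = 'Companion to content-inspection rules: catches messages whose attachments could not be fully scanned.'

    # Conditions. Different conditions in one rule must all match.
    SentToScope                       = 'NotInOrganization'  # recipient is outside the organization
    AttachmentProcessingLimitExceeded = $true                # attachment scanning did not complete

    # Action: send the message to a reviewer for approval instead of
    # letting uninspected content leave the organization.
    ModerateMessageByUser = $reviewer
    SetAuditSeverity      = 'High'

    # Rule properties.
    Mode            = 'Audit'                   # test mode: matches are logged, the action is not applied
    Enabled         = $false                    # create disabled, enable when ready to test
    ActivationDate  = [datetime]'2019-05-01'    # placeholder start date
    RuleErrorAction = 'Defer'                   # resubmit the message if rule processing can't complete
}
New-TransportRule @rule

# Start the test period and confirm the settings that were stored.
Enable-TransportRule -Identity $ruleName
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, RuleErrorAction, ActivationDate

# After reviewing what the rule matched during testing, enforce it.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

RuleErrorAction is set to Defer here so that a rule-processing failure does not silently let the message through, which is what the default (ignore the rule) would do.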
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| Any recipient address includes; Any recipient > address includes any of these words | AnyOfRecipientAddressContainsWords; ExceptIfAnyOfRecipientAddressContainsWords | Words | Messages that contain the specified words in the To, Cc, or Bcc fields of the message. |
| Any recipient address matches; Any recipient > address matches any of these text patterns | AnyOfRecipientAddressMatchesPatterns; ExceptIfAnyOfRecipientAddressMatchesPatterns | Patterns | Messages where the To, Cc, or Bcc fields contain text patterns that match the specified regular expressions. |
Message sensitive information types, To and Cc values, size, and character sets
The conditions in this section that look for values in the To and Cc fields behave like the conditions in the Any recipients section (all
recipients of the message are affected by the rule, not just the detected recipients).
Notes:
• The recipient conditions in this section do not consider messages that are sent to recipient proxy addresses. They only match
  messages that are sent to the recipient's primary email address.
• For more information about using Office 365 groups with the recipient conditions in this section, see the Addresses entry in the
  Property types section.
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| The message contains sensitive information; The message > contains any of these types of sensitive information | MessageContainsDataClassifications; ExceptIfMessageContainsDataClassifications | SensitiveInformationTypes | Messages that contain sensitive information as defined by data loss prevention (DLP) policies. This condition is required for rules that use the Notify the sender with a Policy Tip (NotifySender) action. |
| The To box contains a member of; The message > To box contains a member of this group | AnyOfToHeaderMemberOf; ExceptIfAnyOfToHeaderMemberOf | Addresses | Messages where the To field contains a recipient who is a member of the specified distribution group, mail-enabled security group, or Office 365 group. |
| The Cc box contains a member of; The message > contains a member of this group | AnyOfCcHeaderMemberOf; ExceptIfAnyOfCcHeaderMemberOf | Addresses | Messages where the Cc field contains a recipient who is a member of the specified distribution group or mail-enabled security group. |
| The message size is greater than or equal to; The message > size is greater than or equal to | MessageSizeOver; ExceptIfMessageSizeOver | Size | Messages where the total size (message plus attachments) is greater than or equal to the specified value. In the EAC, you can only specify the size in kilobytes (KB). |
| The message character set name includes any of these words; The message > character set name includes any of these words | ContentCharacterSetContainsWords; ExceptIfContentCharacterSetContainsWords | CharacterSets | Messages that have any of the specified character set names. |
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| The sender is one of the recipient's; The sender and the recipient > the sender's relationship to a recipient is | SenderManagementRelationship; ExceptIfSenderManagementRelationship | ManagementRelationship | Messages where either the sender is the manager of a recipient, or the sender is managed by a recipient. |
| The message is between members of these groups; The sender and the recipient > the message is between members of these groups | BetweenMemberOf1 and BetweenMemberOf2; ExceptIfBetweenMemberOf1 and ExceptIfBetweenMemberOf2 | Addresses | Messages that are sent between members of the specified distribution groups or mail-enabled security groups. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section. |
| The manager of the sender or recipient is; The sender and the recipient > the manager of the sender or recipient is this person | ManagerForEvaluatedUser and ManagerAddress; ExceptIfManagerForEvaluatedUser and ExceptIfManagerAddress | First property: EvaluatedUser; Second property: Addresses | Messages where either a specified user is the manager of the sender, or a specified user is the manager of a recipient. |
| The sender's and any recipient's property compares as; The sender and the recipient > the sender and recipient property compares as | ADAttributeComparisonAttribute and ADComparisonOperator; ExceptIfADAttributeComparisonAttribute and ExceptIfADComparisonOperator | First property: ADAttribute; Second property: Evaluation | Messages where the specified Active Directory attribute for the sender and recipient either match or don't match. |
Message properties
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| The message is classified as; The message properties > include this classification | HasClassification; ExceptIfHasClassification | MessageClassification | Messages that have the specified message classification. This is a custom message classification that you can create in your organization by using the New-MessageClassification cmdlet. |
| The message isn't marked with any classifications | HasNoClassification; ExceptIfHasNoClassification | n/a | Messages that don't have a message classification. |
| The message has an SCL greater than or equal to; The message properties > include an SCL greater than or equal to | SCLOver; ExceptIfSCLOver | SCLValue | Messages that are assigned a spam confidence level (SCL) that's greater than or equal to the specified value. |
| The message importance is set to | WithImportance; ExceptIfWithImportance | Importance | Messages that are marked with the specified Importance level. |
Message headers
NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME
content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or
exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.
| CONDITION OR EXCEPTION IN THE EAC | CONDITION AND EXCEPTION PARAMETERS IN EXCHANGE ONLINE POWERSHELL | PROPERTY TYPE | DESCRIPTION |
| A message header includes; A message header > includes any of these words | HeaderContainsMessageHeader and HeaderContainsWords; ExceptIfHeaderContainsMessageHeader and ExceptIfHeaderContainsWords | First property: MessageHeaderField; Second property: Words | Messages that contain the specified header field, and the value of that header field contains the specified words. The name of the header field and the value of the header field are always used together. |
| A message header matches; A message header > matches these text patterns | HeaderMatchesMessageHeader and HeaderMatchesPatterns; ExceptIfHeaderMatchesMessageHeader and ExceptIfHeaderMatchesPatterns | First property: MessageHeaderField; Second property: Patterns | Messages that contain the specified header field, and the value of that header field contains the specified regular expressions. The name of the header field and the value of the header field are always used together. |
Property types
The property types that are used in conditions and exceptions are described in the following table.
NOTE
If the property is a string, trailing spaces are not allowed.
| PROPERTY TYPE | VALID VALUES | DESCRIPTION |
| ADAttribute | Select from a predefined list of Active Directory attributes | You can check against any of the following Active Directory attributes: City, Company, Country, CustomAttribute1 - CustomAttribute15, Department, DisplayName, Email, FaxNumber, FirstName, HomePhoneNumber, Initials, LastName, Manager, MobileNumber, Notes, Office, OtherFaxNumber, OtherHomePhoneNumber, OtherPhoneNumber, PagerNumber, PhoneNumber, POBox, State, Street, Title, UserLogonName, ZipCode |
| CharacterSets | Array of character set names | One or more content character sets that exist in a message. For example: Arabic/iso-8859-6, Chinese/big5, Chinese/euc-cn, Chinese/euc-tw, Chinese/gb2312, Chinese/iso-2022-cn, Cyrillic/iso-8859-5, Cyrillic/koi8-r, Cyrillic/windows-1251, Greek/iso-8859-7, Hebrew/iso-8859-8, Japanese/euc-jp, Japanese/iso-022-jp, Japanese/shift-jis, Korean/euc-kr, Korean/johab, Korean/ks_c_5601-1987, Turkish/windows-1254, Turkish/iso-8859-9, Vietnamese/tcvn |
| EvaluatedUser | Single value of Sender or Recipient | Specifies whether the rule is looking for the manager of the sender or the manager of the recipient. |
| Evaluation | Single value of Equal or Not equal (NotEqual) | When comparing the Active Directory attribute of the sender and recipients, this specifies whether the values should match, or not match. |
| Importance | Single value of Low, Normal, or High | The Importance level that was assigned to the message by the sender in Outlook or Outlook on the web. |
| IPAddressRanges | Array of IP addresses or address ranges | You enter the IPv4 addresses using the following syntax: • Single IP address: For example, 192.168.1.1. • IP address range: For example, 192.168.0.1-192.168.0.254. • Classless InterDomain Routing (CIDR) IP address range: For example, 192.168.0.1/25. |
| ManagementRelationship | Single value of Manager or Direct report (DirectReport) | Specifies the relationship between the sender and any of the recipients. The rule checks the Manager attribute in Active Directory to see if the sender is the manager of a recipient, or if the sender is managed by a recipient. |
| MessageClassification | Single message classification | In the EAC, you select from the list of message classifications that you've created. |
| MessageHeaderField | Single string | Specifies the name of the header field. The name of the header field is always paired with the value in the header field (word or text pattern match). The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers. |
| MessageType | Single message type value | Specifies one of the following message types: • Automatic reply (OOF) • Auto-forward (AutoForward) • Encrypted • Calendaring • Permission controlled (PermissionControlled) • Voicemail • Signed • Approval request (ApprovalRequest) • Read receipt (ReadReceipt) |
| Patterns | Array of regular expressions | Specifies one or more regular expressions that are used to identify text patterns in values. For more information, see Regular Expression Syntax. |
| SCLValue | One of the following values: • Bypass spam filtering (-1) • Integers 0 through 9 | Specifies the spam confidence level (SCL) that's assigned to a message. A higher SCL value indicates that a message is more likely to be spam. |
| SensitiveInformationTypes | Array of sensitive information types | Specifies one or more sensitive information types that are defined in your organization. For a list of built-in sensitive information types, see What the sensitive information types in Exchange look for. |
| Size | Single size value | Specifies the size of an attachment or the whole message. |
| SupervisionList | Single value of Allow or Block | Supervision policies were a feature in Live@edu that allowed you to control who could send mail to and receive mail from users in your organization (for example, the closed campus and anti-bullying policies). In Office 365, you can't configure supervision list entries on mailboxes. |
| UserScopeFrom | Single value of Inside the organization (InOrganization) or Outside the organization (NotInOrganization) | A sender is considered to be inside the organization if either of the following conditions is true: • The sender is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization. • The sender's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection. For more information about accepted domains, see Accepted Domains. |
| Words | Array of strings | Specifies one or more words to look for. The words aren't case-sensitive, and can be surrounded by spaces and punctuation marks. Wildcards and partial matches aren't supported. For example, "contoso" matches " Contoso". |
Actions in mail flow rules (also known as transport rules) specify what you want to do to messages that match
conditions of the rule. For example, you can create a rule that forwards messages from specific senders to a
moderator, or adds a disclaimer or personalized signature to all outbound messages.
Actions typically require additional properties. For example, when the rule redirects a message, you need to
specify where to redirect the message. Some actions have multiple properties that are available or required. For
example, when the rule adds a header field to the message header, you need to specify both the name and value of
the header. When the rule adds a disclaimer to messages, you need to specify the disclaimer text, but you can also
specify where to insert the text, or what to do if the disclaimer can't be added to the message. Typically, you can
configure multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and redirect
the same message.
For more information about mail flow rules in Exchange Online, see Mail flow rules (transport rules) in Exchange
Online.
For more information about conditions and exceptions in mail flow rules, see Mail flow rule conditions and
exceptions (predicates) in Exchange Online.
For more information about actions in mail flow rules in Exchange Online Protection or Exchange Server, see Mail
flow rule actions in Exchange Online Protection or Mail flow rules (transport rules).

Action in the EAC: Reject the message with the explanation
(Block the message > reject the message and include an explanation)
Action parameter in PowerShell: RejectMessageReasonText
Property: String
Description: Returns the message to the sender in a non-delivery report (also known as an NDR or bounce message) with the specified text as the rejection reason. The recipient doesn't receive the original message or notification.
The default enhanced status code that's used is 5.7.1.
When you create or modify the rule in PowerShell, you can specify the DSN code by using the RejectMessageEnhancedStatusCode parameter.

Action in the EAC: Reject the message with the enhanced status code
(Block the message > reject the message with the enhanced status code of)
Action parameter in PowerShell: RejectMessageEnhancedStatusCode
Property: DSNEnhancedStatusCode
Description: Returns the message to the sender in an NDR with the specified enhanced delivery status notification (DSN) code. The recipient doesn't receive the original message or notification.
Valid DSN codes are 5.7.1 or 5.7.900 through 5.7.999.
The default reason text that's used is "Delivery not authorized, message refused".
When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

Action in the EAC: Add recipients to the Bcc box
(Add recipients > to the Bcc box)
Action parameter in PowerShell: BlindCopyTo
Property: Addresses
Description: Adds one or more recipients to the Bcc field of the message. The original recipients aren't notified, and they can't see the additional addresses.

Action in the EAC: Add the sender's manager as a recipient
(Add recipients > add the sender's manager as a recipient)
Action parameter in PowerShell: AddManagerAsRecipientType
Property: AddedManagerAction
Description: Adds the sender's manager to the message as the specified recipient type ( To, Cc, Bcc ), or redirects the message to the sender's manager without notifying the sender or the recipient.
This action only works if the sender's Manager attribute is defined in Active Directory.

Action in the EAC: Append the disclaimer
(Apply a disclaimer to the message > append a disclaimer)
Action parameters in PowerShell: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
Property:
• First property: DisclaimerText
• Second property: DisclaimerFallbackAction
• Third property (PowerShell only): DisclaimerTextLocation
Description: Applies the specified HTML disclaimer to the end of the message.
When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Append.

Action in the EAC: Prepend the disclaimer
(Apply a disclaimer to the message > prepend a disclaimer)
Action parameters in PowerShell: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
Property:
• First property: DisclaimerText
• Second property: DisclaimerFallbackAction
• Third property (PowerShell only): DisclaimerTextLocation
Description: Applies the specified HTML disclaimer to the beginning of the message.
When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Prepend.

Action in the EAC: Set the message header to this value
(Modify the message properties > set a message header)
Action parameters in PowerShell: SetHeaderName, SetHeaderValue
Property:
• First property: MessageHeaderField
• Second property: String
Description: Adds or modifies the specified header field in the message header, and sets the header field to the specified value.

Action in the EAC: Set the spam confidence level (SCL) to
(Modify the message properties > set the spam confidence level (SCL))
Action parameter in PowerShell: SetSCL
Property: SCLValue
Description: Sets the spam confidence level (SCL) of the message to the specified value.

Action in the EAC: Apply Office 365 Message Encryption and rights protection
(Apply Office 365 Message Encryption and rights protection to the message with)
(Modify the message security > Apply Office 365 Message Encryption and rights protection)
Action parameter in PowerShell: ApplyRightsProtectionTemplate
Property: RMSTemplate
Description: Applies the specified Azure Rights Management (Azure RMS) template to the message. Azure RMS is part of Azure Information Protection. For more information, see Set up new Office 365 Message Encryption capabilities.

Action in the EAC: Notify the sender with a Policy Tip
Action parameters in PowerShell: NotifySender, RejectMessageReasonText, RejectMessageEnhancedStatusCode (PowerShell only)
Property:
• First property: NotifySenderType
• Second property: String
• Third property (PowerShell only): DSNEnhancedStatusCode
Description: Notifies the sender or blocks the message when the message matches a DLP policy.
When you use this action, you need to use the The message contains sensitive information ( MessageContainsDataClassification ) condition.
When you create or modify the rule in PowerShell, the RejectMessageReasonText parameter is optional. If you don't use this parameter, the default text "Delivery not authorized, message refused" is used.
In PowerShell, you can also use the RejectMessageEnhancedStatusCode parameter to specify the enhanced status code. If you don't use this parameter, the default enhanced status code 5.7.1 is used.
This action limits the other conditions, exceptions, and actions that you can configure in the rule.

Action in the EAC: Generate incident report and send it to
Action parameters in PowerShell: GenerateIncidentReport, IncidentReportContent
Property:
• First property: Addresses
• Second property: IncidentReportContent
Description: Sends an incident report that contains the specified content to the specified recipients.
An incident report is generated for messages that match data loss prevention (DLP) policies in your organization.

Action in the EAC: Notify the recipient with a message
Action parameter in PowerShell: GenerateNotification
Property: NotificationMessageText
Description: Specifies the text, HTML tags, and message keywords to include in the notification message that's sent to the message's recipients. For example, you can notify recipients that the message was rejected by the rule, or marked as spam and delivered to their Junk Email folder.

Property values
The property values that are used for actions in mail flow rules are described in the following table.

Property: AddedManagerAction
Valid values: One of the following values:
• To
• Cc
• Bcc
• Redirect
Description: Specifies how to include the sender's manager in messages.
If you select To, Cc, or Bcc, the sender's manager is added as a recipient in the specified field.
If you select Redirect, the message is only delivered to the sender's manager without notifying the sender or the recipient.
This action only works if the sender's Manager is defined.

Property: AuditSeverityLevel
Valid values: One of the following values:
• Uncheck Audit this rule with severity level, or select Audit this rule with severity level with the value Not specified ( DoNotAudit )
• Low
• Medium
• High
Description: The values Low, Medium, or High specify the severity level that's assigned to the incident report and to the corresponding entry in the message tracking log.
The other value prevents an incident report from being generated, and prevents the corresponding entry from being written to the message tracking log.

Property: DSNEnhancedStatusCode
Valid values: Single DSN code value:
• 5.7.1
• 5.7.900 through 5.7.999
Description: Specifies the DSN code that's used. You can create custom DSNs by using the New-SystemMessage cmdlet.
If you don't specify the rejection reason text along with the DSN code, the default reason text that's used is "Delivery not authorized, message refused".
When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

Property: IncidentReportContent
Valid values: One or more of the following values:
• Sender
• Recipients
• Subject
• Cc'd recipients ( Cc )
• Bcc'd recipients ( Bcc )
• Severity
• Sender override information ( Override )
• Matching rules ( RuleDetections )
• False positive reports ( FalsePositive )
• Detected data classifications ( DataClassifications )
• Matching content ( IdMatch )
• Original mail ( AttachOriginalMail )
Description: Specifies the original message properties to include in the incident report. You can choose to include any combination of these properties. In addition to the properties you specify, the message ID is always included. The available properties are:
• Sender: The sender of the original message.
• Recipients, Cc'd recipients, and Bcc'd recipients: All recipients of the message, or only the recipients in the Cc or Bcc fields. For each property, only the first 10 recipients are included in the incident report.
• Subject: The Subject field of the original message.
• Severity: The audit severity of the rule that was triggered. Message tracking logs include all the audit severity levels, and can be filtered by audit severity. In the EAC, if you clear the Audit this rule with severity level check box (in PowerShell, the SetAuditSeverity parameter value DoNotAudit ), rule matches won't appear in the rule reports. If a message is processed by more than one rule, the highest severity is included in any incident reports.
• Sender override information: The override if the sender chose to override a Policy Tip. If the sender provided a justification, the first 100 characters of the justification are also included.
• Matching rules: The list of rules that the message triggered.
• False positive reports: The false positive if the sender marked the message as a false positive for a Policy Tip.
• Detected data classifications: The list of sensitive information types detected in the message.
• Matching content: The sensitive information type detected, the exact matched content from the message, and the 150 characters before and after the matched sensitive information.
• Original mail: The entire message that triggered the rule is attached to the incident report.
In PowerShell, you specify multiple values separated by commas.

Property: MessageClassification
Valid values: Single message classification object
Description: In the EAC, you select from the list of available message classifications.
In PowerShell, use the Get-MessageClassification cmdlet to see the message classification objects that are available.

Property: NotificationMessageText
Valid values: Any combination of plain text, HTML tags, and keywords
Description: Specifies the text to use in a recipient notification message.
In addition to plain text and HTML tags, you can specify the following keywords that use values from the original message:
• %%From%%
• %%To%%
• %%Cc%%
• %%Subject%%
• %%Headers%%
• %%MessageDate%%

Property: NotifySenderType
Valid values: One of the following values:
• Notify the sender, but allow them to send ( NotifyOnly )
• Block the message ( RejectMessage )
• Block the message unless it's a false positive ( RejectUnlessFalsePositiveOverride )
• Block the message, but allow the sender to override and send ( RejectUnlessSilentOverride )
• Block the message, but allow the sender to override with a business justification and send ( RejectUnlessExplicitOverride )
Description: Specifies the type of Policy Tip that the sender receives if the message violates a DLP policy. The settings are described in the following list:
• Notify the sender, but allow them to send: The sender is notified, but the message is delivered normally.
• Block the message: The message is rejected, and the sender is notified.
• Block the message unless it's a false positive: The message is rejected unless it's marked as a false positive by the sender.
• Block the message, but allow the sender to override and send: The message is rejected unless the sender has chosen to override the policy restriction.
• Block the message, but allow the sender to override with a business justification and send: This is similar to the Block the message, but allow the sender to override and send type, but the sender also provides a justification for overriding the policy restriction.
When you use this action, you need to use the The message contains sensitive information ( MessageContainsDataClassification ) condition.

Property: RMSTemplate
Valid values: Single Azure RMS template object
Description: Specifies the Azure Rights Management (Azure RMS) template that's applied to the message.
In the EAC, you select the RMS template from a list.
In PowerShell, use the Get-RMSTemplate cmdlet to see the RMS templates that are available.
For more information about RMS in Office 365, see What is Azure Information Protection?.

Property: SCLValue
Valid values: One of the following values:
• Bypass spam filtering ( -1 )
• Integers 0 through 9
Description: Specifies the spam confidence level (SCL) that's assigned to the message. A higher SCL value indicates that a message is more likely to be spam.

Follow these best practice recommendations for mail flow rules (also known as transport rules) in order to avoid
common configuration errors. Each recommendation links to a topic with an example and step-by-step
instructions.
If you have lots of keywords or patterns to match, load them from a file
For example, you might want to prevent emails from being sent if they contain a list of unacceptable or bad words.
You can create a text file containing these words and phrases, and then use PowerShell to set up a mail flow rule
that blocks messages that use them.
The text file can contain regular expressions for patterns. These expressions are not case-sensitive. Common
regular expressions include:
EXPRESSION MATCHES
For an example that shows a text file with regular expressions and the Exchange module Windows PowerShell
commands to use, see Use mail flow rules to route email based on a list of words, phrases, or patterns in Exchange
Online.
To learn how to specify patterns using regular expressions, see Regular Expression Reference.
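As an added example (not taken from the original article), the following Exchange Online PowerShell sketch loads patterns from a text file, screens them, and creates the rule in a test mode first. The file path, rule name, and rejection text are assumptions, and the .NET regex check is only a sanity check: it doesn't guarantee that Exchange accepts or interprets a pattern the same way.

```powershell
# Added example; run in a connected Exchange Online PowerShell session.
# Assumptions: the file path, rule name and rejection text are placeholders.
$PatternFile = 'C:\Rules\blocked-patterns.txt'   # one pattern per line, '#' starts a comment line
$RuleName    = 'Block listed words and patterns'

# Read the file, trim whitespace, drop blank lines and comments, remove duplicates.
# Sort-Object -Unique is case-insensitive, which suits patterns that aren't case-sensitive.
$patterns = Get-Content -Path $PatternFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

# Screen each pattern before it reaches the rule.
$usable = foreach ($p in $patterns) {
    try {
        $rx = [regex]::new($p)
    } catch {
        Write-Warning "Skipping pattern with invalid syntax: $p"
        continue
    }
    # A pattern that matches the empty string (for example 'a*') would match every message.
    if ($rx.IsMatch('')) {
        Write-Warning "Skipping pattern that matches empty text: $p"
        continue
    }
    $p
}
if (-not $usable) { throw "No usable patterns found in $PatternFile" }

# Create the rule in a test mode so matches are logged without affecting delivery.
$ruleParams = @{
    Name                         = $RuleName
    SubjectOrBodyMatchesPatterns = $usable
    RejectMessageReasonText      = 'This message contains content that is not permitted.'
    Mode                         = 'Audit'    # corresponds to "Test without Policy Tips"
    SetAuditSeverity             = 'Medium'
}
New-TransportRule @ruleParams

# After reviewing the matches, turn the rule on:
# Set-TransportRule -Identity $RuleName -Mode Enforce
```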
Use mail flow rules to inspect message attachments in Exchange Online
3/4/2019 • 8 minutes to read
You can inspect email attachments in your Exchange Online organization by setting up mail flow rules (also
known as transport rules). Exchange Online offers mail flow rules that provide the ability to examine email
attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can
then take action on the messages that were inspected based on the content or characteristics of those
attachments. Here are some attachment-related tasks you can do by using mail flow rules:
• Search for files with text that matches a pattern you specify, and add a disclaimer to the end of the message.
• Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.
• Check for messages with attachments that can't be inspected and then block the entire message from being sent.
• Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.
• Check whether the properties of an attached Office document match the values that you specify. With this condition, you can integrate the requirements of your mail flow rules and DLP policies with a third-party classification system, such as SharePoint or the Windows Server File Classification Infrastructure (FCI).
• Create notifications that alert users if they send a message that has matched a mail flow rule.
• Block all messages containing attachments. For examples, see Common attachment blocking scenarios for mail flow rules in Exchange Online.
NOTE
All of these conditions will scan compressed archive attachments.
Exchange Online admins can create mail flow rules in the Exchange admin center (EAC) at Mail flow > Rules.
You need to be assigned permissions before you can perform this procedure. After you start to create a new rule,
you can see the full list of attachment-related conditions by clicking More options > Any attachment under
Apply this rule if. The attachment-related options are shown in the following diagram.
For more information about mail flow rules, including the full range of conditions and actions that you can
choose, see Mail flow rules (transport rules) in Exchange Online. Exchange Online Protection (EOP) and hybrid
customers can benefit from the mail flow rules best practices provided in Best Practices for Configuring EOP. If
you're ready to start creating rules, see Manage mail flow rules in Exchange Online.

Condition in the EAC: Any attachment's content includes
(Any attachment > content includes any of these words)
Condition in PowerShell: AttachmentContainsWords
Description: This condition matches messages with supported file type attachments that contain a specified string or group of characters.

Condition in the EAC: Any attachment's content matches
(Any attachment > content matches these text patterns)
Condition in PowerShell: AttachmentMatchesPatterns
Description: This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression.

Condition in the EAC: Any attachment's content can't be inspected
(Any attachment > content can't be inspected)
Condition in PowerShell: AttachmentIsUnsupported
Description: Mail flow rules only can inspect the content of supported file types. If the mail flow rule encounters an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section.

Notes:
• The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.
• Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.
• To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
Supported file types for mail flow rule content inspection
The following table lists the file types supported by mail flow rules. The system automatically detects file types by
inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers
from being able to bypass mail flow rule filtering by renaming a file extension. A list of file types with executable
code that can be checked within the context of mail flow rules is listed later in this topic.

File type category: Office 2007 and later
File extensions: .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx
Notes: Microsoft OneNote and Microsoft Publisher files aren't supported by default.
The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected.

File type category: Text
File extensions: .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .txt, .vbs, .wtx
Notes: None

File type category: OpenDocument
File extensions: .odp, .ods, .odt
Notes: No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected.

File type category: Compressed archive files
File extensions: .bz2, .cab, .gz, .rar, .tar, .zip, .7z
Notes: The content of these files, which were originally in a supported file type format, are inspected and processed in a manner similar to messages that have multiple attachments. The properties of the compressed archive file itself are not inspected. For example, if the container file type supports comments, that field isn't inspected.


Condition in the EAC: Any attachment's file name matches
(Any attachment > file name matches these text patterns)
Condition in PowerShell: AttachmentNameMatchesPatterns
Description: This condition matches messages with attachments whose file name contains the characters you specify.

Condition in the EAC: Any attachment's file extension matches
(Any attachment > file extension includes these words)
Condition in PowerShell: AttachmentExtensionMatchesWords
Description: This condition matches messages with attachments whose file name extension matches what you specify.

Condition in the EAC: Any attachment is greater than or equal to
(Any attachment > size is greater than or equal to)
Condition in PowerShell: AttachmentSizeOver
Description: This condition matches messages with attachments when those attachments are greater than or equal to the size you specify.

Condition in the EAC: The message didn't complete scanning
(Any attachment > didn't complete scanning)
Condition in PowerShell: AttachmentProcessingLimitExceeded
Description: This condition matches messages when an attachment is not inspected by the mail flow rules agent.

Condition in the EAC: Any attachment has executable content
(Any attachment > has executable content)
Condition in PowerShell: AttachmentHasExecutableContent
Description: This condition matches messages that contain executable files as attachments. The supported file types are listed here.

Notes:
• The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.
• Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.
• To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Supported executable file types for mail flow rule inspection
The mail flow rules use true type detection to inspect file properties rather than merely the file extensions. This
helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The
following table lists the executable file types supported by these conditions. If a file is found that is not listed here,
the AttachmentIsUnsupported condition is triggered.
IMPORTANT
.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive files), and .obj (compiled source code,
3D object, or sequence files) files are not considered to be executable file types. To block these files, you can use mail flow
rules that look for files with these extensions as described earlier in this topic, or you can configure an antimalware policy
that blocks these file types (the common attachment types filter). For more information, see Configure Anti-Malware
Policies.
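An added example, not part of the original article: one way to pair the executable-content condition with rules for the cases described above where an attachment can't be inspected or isn't treated as executable, so those messages are held or rejected rather than delivered uninspected. The rule names, moderator address, reason texts, and the choice of status codes from the 5.7.900 through 5.7.999 range are assumptions.

```powershell
# Added example; run in a connected Exchange Online PowerShell session.
# Assumptions: rule names, the moderator mailbox and the reason texts are placeholders.
$Moderator = 'mailsecurity@contoso.com'

# All conditions in one rule must match, so each case gets its own rule.
$rules = @(
    @{
        Name                            = 'Attachments - reject executable content'
        AttachmentHasExecutableContent  = $true
        RejectMessageReasonText         = 'Executable attachments are not accepted.'
        RejectMessageEnhancedStatusCode = '5.7.900'
    },
    @{
        # .rar, .jar and .obj aren't considered executable file types,
        # so they are matched by file extension instead.
        Name                            = 'Attachments - reject rar, jar and obj files'
        AttachmentExtensionMatchesWords = 'rar', 'jar', 'obj'
        RejectMessageReasonText         = 'This attachment type is not accepted.'
        RejectMessageEnhancedStatusCode = '5.7.901'
    },
    @{
        # Content that can't be inspected is sent to a moderator instead of being delivered.
        Name                    = 'Attachments - hold content that cannot be inspected'
        AttachmentIsUnsupported = $true
        ModerateMessageByUser   = $Moderator
    },
    @{
        # The same handling for messages whose attachments didn't complete scanning.
        Name                              = 'Attachments - hold messages that did not complete scanning'
        AttachmentProcessingLimitExceeded = $true
        ModerateMessageByUser             = $Moderator
    }
)

# Create every rule in a test mode first so that matches can be reviewed before enforcement.
foreach ($rule in $rules) {
    New-TransportRule @rule -Mode Audit -SetAuditSeverity High
}

# Review what was created and in which order the rules will run.
Get-TransportRule |
    Where-Object { $_.Name -like 'Attachments - *' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Mode, State
```

After reviewing the logged matches, switch each rule on with Set-TransportRule -Mode Enforce.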
Office 365 Message Encryption lets email users send encrypted messages to people inside or outside their
organization. For information about Office 365 Message Encryption, see Set up new Office 365 Message
Encryption capabilities. To learn how to create mail flow rules (also known as transport rules) for encryption, see
Define rules to encrypt or decrypt email messages.
See also
Encryption in Office 365
Common attachment blocking scenarios for mail flow rules in Exchange Online
3/4/2019 • 4 minutes to read
Your organization might require that certain types of messages be blocked or rejected in order to meet legal or
compliance requirements, or to implement specific business needs. This article discusses examples of common
scenarios for blocking all attachments, which you can set up using mail flow rules (also known as transport rules) in
Exchange Online.
For additional examples showing how to block specific attachments, see:
• Using mail flow rules to inspect message attachments (Exchange Server)
• Use mail flow rules to inspect message attachments in Office 365 (Exchange Online, Exchange Online Protection)
The malware filter includes a Common Attachment Types Filter. In the Exchange admin center (EAC), go to
Protection, then click New to add filters. In the Exchange Online portal, browse to Protection, and then
select Malware Filter.
To get started implementing any of these scenarios to block certain message types:
1. Open the Exchange admin center (EAC). For more information, see Exchange admin center in Exchange
Online.
2. Go to Mail flow > Rules.
3. Click New and then select Create a new rule.
4. In the Name box, specify a name for the rule, and then click More options.
5. Select the conditions and actions you want.
Note: In the EAC, the smallest attachment size that you can enter is 1 kilobyte, which should detect most
attachments. However, if you want to detect every possible attachment of any size, you need to use PowerShell to
adjust the attachment size to 1 byte after you create the rule in the EAC. To learn how to connect to Exchange
Online PowerShell, see Connect to Exchange Online PowerShell. To learn how to connect to Exchange Online
Protection PowerShell, see Connect to Exchange Online Protection PowerShell.
Replace <Rule Name> with the name of the existing rule, and run the following command to set the attachment
size to 1 byte:
After you adjust the attachment size to 1 byte, the value that's displayed for the rule in the EAC is 0.00 KB.
%%Headers%%: Headers from the original message. This is similar to the list of headers in a delivery status
notification (DSN) generated for the original message.
In this example, all messages that contain attachments and are sent to people inside your organization are
blocked, and the recipient is notified.
Example 3: Modify the subject line for notifications
When a notification is sent to the recipient, the subject line is the subject of the original message. If you want to
modify the subject so that it is clearer to the recipient, you must use two mail flow rules:
• The first rule adds the word "undeliverable" to the beginning of the subject of any messages with
attachments.
• The second rule blocks the message and sends a notification message to the sender using the new subject
of the original message.
IMPORTANT
The two rules must have identical conditions. Rules are processed in order, so the first rule adds the word "undeliverable",
and the second rule blocks the message and notifies the recipient.
Here's what the first rule would look like if you want to add "undeliverable" to the subject:
And the second rule does the blocking and notification (the same rule from Example 2):
Example 4: Apply a rule with a time limit
If you have a malware outbreak, you might want to apply a rule with a time limit so that you temporarily block
attachments. For example, the following rule has both a start and stop day and time:
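As an added example (not taken from the original article), the two-rule pattern from Example 3 combined with the time limit from Example 4 could be expressed in Exchange Online PowerShell as follows. The rule names, the seven-day window, the subject prefix, and the message texts are assumptions.

```powershell
# Added example; run in a connected Exchange Online PowerShell session.
# Assumptions: rule names, the 7-day window and all message texts are placeholders.

# Example 3 requires both rules to have identical conditions, so the conditions
# are defined once and splatted into each rule.
$conditions = @{
    AttachmentSizeOver = '1B'              # 1 byte, so an attachment of any size matches
    SentToScope        = 'InOrganization'  # messages sent to people inside the organization
}

# Example 4: a start and stop time shared by both rules, so they switch on and off together.
$start  = Get-Date
$window = @{
    ActivationDate = $start
    ExpiryDate     = $start.AddDays(7)
}

# Rule 1 is processed first (priority 0) and adds the word to the subject.
New-TransportRule -Name 'Outbreak 1 - mark subject' @conditions @window `
    -Priority 0 `
    -PrependSubject 'undeliverable: '

# Rule 2 is processed next. It rejects the message and notifies the recipients,
# using keywords that are filled in from the original message.
$notice = 'A message from %%From%% with the subject "%%Subject%%" was blocked because it contained an attachment.'
New-TransportRule -Name 'Outbreak 2 - block and notify' @conditions @window `
    -Priority 1 `
    -RejectMessageReasonText 'Attachments are temporarily blocked.' `
    -GenerateNotification $notice

# Confirm the processing order, state and time window of both rules.
Get-TransportRule |
    Where-Object { $_.Name -like 'Outbreak *' } |
    Sort-Object Priority |
    Format-Table Name, Priority, State, ActivationDate, ExpiryDate
```

Placing the pair at priority 0 and 1 moves them ahead of every existing rule, so check the resulting order against the other rules in the organization.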
See also
Mail flow rules (transport rules) in Exchange Online
Mail flow rules (Exchange Server)
Mail flow rules (Exchange Online Protection)
Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online
3/4/2019 • 4 minutes to read
You can add an HTML or plain text legal disclaimer, disclosure statement, signature, or other information to the
top or bottom of email messages that enter or leave your organization. To do this, you create a mail flow rule (also
known as a transport rule) that adds the required information to messages.
Notes:
• Users can apply signatures to their own outgoing messages in Outlook or Outlook on the web (formerly known as Outlook Web App). For more information, see Create and add an email signature in Outlook Web App.
• If you want the information to be added only to outgoing messages, you need to add a corresponding condition (for example, recipients located outside the organization). By default, mail flow rules are applied to incoming and outgoing messages.
• To avoid multiple disclaimers being added in an email conversation, add an exception that looks for unique text in your disclaimer. This ensures that the disclaimer is only added to the original message.
• Test the disclaimer. When you create the mail flow rule, you have the option to start using it immediately (Enforce), or to test it first and view the results in the messaging log. We recommend testing all mail flow rules prior to setting them to Enforce.
For examples and information about how to scope and format disclaimers, signatures, and other additions to
email messages, see Organization-wide disclaimers, signatures, footers, or headers in Exchange 2016.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
This example creates a new mail flow rule that adds an advertisement for one month to the beginning of all
outgoing messages.
For more examples of how to scope your disclaimer, see Scoping your disclaimer.
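An added example, not the article's own listing: a disclaimer rule in Exchange Online PowerShell that applies the points from the notes above (outgoing messages only, an exception on unique text so that replies don't collect repeated disclaimers, and a test mode first). The rule name, the disclaimer wording, and the unique phrase are assumptions.

```powershell
# Added example; run in a connected Exchange Online PowerShell session.
# Assumptions: the rule name, disclaimer wording and unique phrase are placeholders.

# The same phrase is used in the disclaimer and in the exception, so the two can't drift apart.
$UniqueText = 'Contoso outbound mail notice'
$Disclaimer = "<hr><p><b>$UniqueText</b><br>This message and any attachments are intended only for the addressee.</p>"

$ruleParams = @{
    Name                               = 'Outbound disclaimer'
    # Scope: only messages from inside the organization to recipients outside it.
    FromScope                          = 'InOrganization'
    SentToScope                        = 'NotInOrganization'
    # Action: add the HTML text to the end of the message.
    ApplyHtmlDisclaimerLocation        = 'Append'
    ApplyHtmlDisclaimerText            = $Disclaimer
    # What to do if the disclaimer can't be added to the message:
    # Wrap delivers the original as an attachment to a new message that carries the disclaimer.
    ApplyHtmlDisclaimerFallbackAction  = 'Wrap'
    # Exception: skip messages that already contain the unique phrase (replies and forwards).
    ExceptIfSubjectOrBodyContainsWords = $UniqueText
    # Test first; no disclaimer is added until the rule is set to Enforce.
    Mode                               = 'Audit'
}
New-TransportRule @ruleParams

# After checking the results, start applying the disclaimer:
# Set-TransportRule -Identity 'Outbound disclaimer' -Mode Enforce
```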
You can begin using mail flow rules (also known as transport rules) in Exchange Online by using the following
procedures. To learn about concepts and objectives for mail flow rules, see Mail flow rules (transport rules) in
Exchange Online.
Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online: Information to help you set up a legal disclaimer, email disclaimer, consistent signature, email header, or email footer by using mail flow rules.
Create organization-wide safe sender or blocked sender lists in Office 365: Information to help you create domain or user-based safe sender and blocked sender lists by using mail flow rules.
Manage message approval: Information to help you create moderated distribution groups, and forward messages matching a wide variety of criteria to specific approvers.
Use mail flow rules to route email based on a list of words, phrases, or patterns: Information to help you comply with your organization's email policies.
Use mail flow rules so messages can bypass Clutter: Information to help you make sure messages are sent to an inbox instead of the Clutter folder.
Topics related to preventing spam:
• Use mail flow rules to set the spam confidence level (SCL) in messages
• Use mail flow rules to inspect message attachments in Office 365
• Common attachment blocking scenarios for mail flow rules
• https://docs.microsoft.com/office365/SecurityCompliance/use-transport-rules-to-configure-bulk-email-filtering
• Additional considerations when configuring IP Allow lists
Manage mail flow rules: Information to help you create, view, modify, enable, disable, or remove a mail flow rule, and information about importing and exporting mail flow rule collections.
Test a mail flow rule: Information on various ways to test a mail flow rule.
Best practices for configuring mail flow rules: Information to help you avoid common configuration errors.
Use mail protection reports in Office 365 to view data about malware, spam, and rule detections: Information on how to view summary and detail reports about mail flow rule matches.
Manage mail flow rules in Exchange Online
3/4/2019 • 14 minutes to read
You can use mail flow rules (also known as transport rules) in Exchange Online to look for specific conditions on
messages that pass through your organization and take action on them. This topic shows you how to create,
copy, adjust the order, enable or disable, delete, or import or export rules, and how to monitor rule usage.
TIP
To make sure your rules work the way you expect, be sure to thoroughly test each rule and interactions between rules.
Interested in scenarios where these procedures are used? See the following topics:
• Common attachment blocking scenarios for mail flow rules
• Use mail flow rules to route email based on a list of words, phrases, or patterns
• Common message approval scenarios
• Use mail flow rules so messages can bypass Clutter
• Best practices for configuring mail flow rules
• Use mail flow rules to inspect message attachments in Office 365
• Define rules to encrypt or decrypt messages
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
NOTE
If you clear the Audit this rule with severity level checkbox, rule matches will not show up in the rule reports.
d. Set the mode for the rule. You can use one of the two test modes to test the rule without impacting
mail flow. In both test modes, when the conditions are met, an entry is added to the message trace.
Enforce: This turns on the rule and it starts processing messages immediately. All actions on the
rule will be performed.
Test with Policy Tips: This turns on the rule, and any Policy Tip actions (Notify the sender with
a Policy Tip) will be sent, but no actions related to message delivery will be performed. Data Loss
Prevention (DLP) is required in order to use this mode. To learn more, see Policy Tips.
Test without Policy Tips: Only the Generate incident report action will be enforced. No actions
related to message delivery are performed.
4. If you are satisfied with the rule, go to step 5. If you want to add more conditions or actions, or if you want
to specify exceptions or set additional properties, click More options. After you click More options,
complete the following fields to create your rule:
a. To add more conditions, click Add condition. If you have more than one condition, you can
remove any one of them by clicking Remove X next to it. Note that a larger variety of
conditions is available once you click More options.
b. To add more actions, click Add action. If you have more than one action, you can remove any one
of them by clicking Remove X next to it. Note that a larger variety of actions is available
once you click More options.
c. To specify exceptions, click Add exception, then select exceptions using the Except if... dropdown.
You can remove any exceptions from the rule by clicking the Remove X next to it.
d. If you want this rule to take effect after a certain date, click Activate this rule on the following
date: and specify a date. Note that the rule will still be enabled prior to that date, but it won't be
processed.
Similarly, you can have the rule stop processing at a certain date. To do so, click Deactivate this
rule on the following date: and specify a date. Note that the rule will remain enabled, but it won't
be processed.
e. You can choose to avoid applying additional rules once this rule processes a message. To do so,
click Stop processing more rules. If you select this, and a message is processed by this rule, no
subsequent rules are processed for that message.
f. You can specify how the message should be handled if the rule processing can't be completed. By
default, the rule will be ignored and the message will be processed regularly, but you can choose to
resubmit the message for processing. To do so, check the Defer the message if rule processing
doesn't complete check box.
g. If your rule analyzes the sender address, it only examines the message headers by default.
However, you can configure your rule to also examine the SMTP message envelope. To specify
what's examined, click one of the following values for Match sender address in message:
Header: Only the message headers will be examined.
Envelope: Only the SMTP message envelope will be examined.
Header or envelope: Both the message headers and SMTP message envelope will be
examined.
h. You can add comments to this rule in the Comments box.
5. Click Save to complete creating the rule.
Use Exchange Online PowerShell to create a mail flow rule
This example uses the New-TransportRule cmdlet to create a new mail flow rule that prepends
"External message to Sales DG:" to messages sent from outside the organization to the Sales Department
distribution group.
New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:"
The rule parameters and action used in the above procedure are for illustration only. Review all the available mail
flow rule conditions and actions to determine which ones meet your requirements.
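The More options settings from the EAC procedure map to New-TransportRule parameters. The following added example (not from the original article) creates the Sales rule in test mode with those settings, then inspects it and switches it to Enforce. It assumes a connected Exchange Online PowerShell session; the rule name, dates and comment text are constructed.

```powershell
# Added example, not from the original article.
# Assumes a connected Exchange Online PowerShell session.
$ruleName = 'Mark external mail to Sales DG (test)'   # constructed name

$rule = @{
    Name                  = $ruleName
    FromScope             = 'NotInOrganization'
    # The troubleshooting guidance in this document says SentTo does not
    # match distribution groups, so the group is targeted by membership.
    SentToMemberOf        = 'Sales Department'
    PrependSubject        = 'External message to Sales DG: '

    # Mode: Audit = Test without Policy Tips, AuditAndNotify = Test with
    # Policy Tips, Enforce = all actions are performed.
    Mode                  = 'Audit'
    # Keep auditing on so that rule matches show up in the rule reports.
    SetAuditSeverity      = 'Medium'

    # "Match sender address in message": Header, Envelope or HeaderOrEnvelope.
    SenderAddressLocation = 'HeaderOrEnvelope'

    # "Activate/Deactivate this rule on the following date". The rule stays
    # enabled outside this window but is not processed.
    ActivationDate        = (Get-Date).AddDays(1)
    ExpiryDate            = (Get-Date).AddDays(30)

    # "Stop processing more rules" left off so later rules still run.
    StopRuleProcessing    = $false
    # "Defer the message if rule processing doesn't complete".
    RuleErrorAction       = 'Defer'

    Comments              = 'Created in test mode; review message trace before enforcing.'
}
New-TransportRule @rule

# Confirm what was stored before relying on the rule.
Get-TransportRule $ruleName |
    Format-List Name, State, Mode, Priority, ActivationDate, ExpiryDate

# After the test period shows only the expected matches, turn the actions on.
Set-TransportRule $ruleName -Mode Enforce
```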
How do you know this worked?
To verify that you have successfully created a new mail flow rule, do the following:
In the EAC, verify that the new mail flow rule you created is listed in the Rules list.
From Exchange Online PowerShell, verify that you created the new mail flow rule successfully by running
the following command (the example below verifies the rule created in the Exchange Online PowerShell
example above):
Get-TransportRule
To view the properties of a specific mail flow rule, you provide the name of that rule or its GUID. It is usually
helpful to send the output to the Format-List cmdlet to format the properties. The following example returns all
the properties of the mail flow rule named Sender is a member of Marketing:
Get-TransportRule "Sender is a member of marketing" | Format-List
To modify the properties of an existing rule, use the Set-TransportRule cmdlet. This cmdlet allows you to change
any property, condition, action or exception associated with a rule. The following example adds an exception to
the rule "Sender is a member of marketing" so that it won't apply to messages sent by the user Kelly Rollin:
Rule modes | Mode | Enables you to set the mode for the rule
The following example enables the mail flow rule "Sender is a member of marketing":
Get-TransportRule
NOTE
While most data is in the report within 24 hours, some data may take as long as 5 days to appear.
Each time you create a mail flow rule (also known as a transport rule) you should test it before turning it on. This
way, if you accidentally create a condition that doesn't do exactly what you want or interacts with other rules in
unexpected ways, you won't have any unintended consequences.
IMPORTANT
Wait 30 minutes after creating a rule before you test it. If you test immediately after you create the rule, you may get
inconsistent behavior. If you're using Exchange Server and have multiple Exchange servers, it may take even longer for all
the servers to receive the rule.
TIP
To avoid surprises, inform your users about new rules.
Troubleshooting suggestions
Here are some common problems and resolutions:
Everything looks right, but the rule isn't working.
Occasionally it takes longer than 15 minutes for a new mail flow rule to be available. Wait a few hours, and then
test again. Also check to see if another rule might be interfering. Try changing this rule to priority 0 by
moving it to the top of the list.
Disclaimer is added to original message and all replies, instead of just the original message.
To avoid this, you can add an exception to your disclaimer rule to look for a unique phrase in the disclaimer.
My rule has two conditions, and I want the action to happen when either of the conditions is
met, but it only is matched when both conditions are met.
You need to create two rules, one for each condition. You can easily copy the rule by selecting Copy and
then remove one condition from the original and the other condition from the copy.
I'm working with distribution groups, and The sender is (SentTo) doesn't seem to be working.
SentTo matches messages where one of the recipients is a mailbox, mail-enabled user, or contact, but you
can't specify a distribution group with this condition. Instead, use To box contains a member of this
group (SentToMemberOf).
NOTE
While most data is in the report within 24 hours, some data may take as long as 5 days to appear.
To learn more, see View mail protection reports.
If you want to be sure that you receive particular messages, you can create a mail flow rule (also known as a
transport rule) that makes sure that these messages bypass your Clutter folder. Check out Use Clutter to sort
low-priority messages in Outlook for more info on Clutter.
For additional management tasks related to mail flow rules, check out Mail flow rules (transport rules) in Exchange
Online and the New-TransportRule PowerShell topic. If you're new to Exchange Online PowerShell, check out
Connect to Exchange Online PowerShell.
Use the Exchange admin center to create a mail flow rule to bypass the clutter folder
This example allows all messages with title "Meeting" to bypass clutter.
1. In the Exchange admin center (EAC), go to Mail flow > Rules. Click New and then choose Create a
new rule....
2. After you're done creating the new rule, click Save to start the rule.
IMPORTANT
In this example, both X-MS-Exchange-Organization-BypassClutter and true are case sensitive.
NOTE
Calendar items (accepted, sent, or declined meetings notifications) won't contain this header.
Use mail flow rules to route email based on a list of words, phrases, or patterns
3/4/2019
To help your users comply with your organization's email policies, you can use Exchange mail flow rules (also
known as transport rules) to determine how email containing specific words or patterns is routed. For a short list
of words or phrases, you can use the Exchange admin center (EAC). For a longer list, you might want to use
Exchange Online PowerShell to read the list from a text file.
If your organization uses Data Loss Prevention (DLP), see Data loss prevention for additional options for
identifying and routing email that contains sensitive information.
[mn]sft
[mn]icrosft
[mn]icro soft
[mn].crosoft
To learn how to specify patterns using regular expressions, see Regular Expression Reference.
Use mail flow rules to automatically add meetings to calendars in Exchange Online
3/4/2019
With the Direct to Calendar feature in Exchange Online, administrators can configure mail flow rules (also known
as transport rules) that allow designated users to add meetings to calendars. The benefits of Direct to Calendar are:
The event is automatically added to the recipient's calendar without any action from them. If the user
received the meeting invitation, it's on their calendar.
The sender doesn't need to deal with Out of Office or other unwanted response messages that result from
sending meeting invitations to a large number of recipients.
No meeting-related messages are seen by attendees unless the meeting is cancelled.
Direct to Calendar requires two mail flow rules with specific conditions and actions. These rules are described in
the following table:
Rule 1
Rule description: This mail flow rule turns regular meeting invitations into Direct to Calendar meeting invitations.
Condition: The sender is or The sender > is this person (the From parameter). This condition identifies the users who are authorized to send Direct to Calendar meeting invitations. Although you can use other conditions, restricting the invitations by sender helps prevent unauthorized use of Direct to Calendar meeting invitations.
Action: Set the message header to this value or Modify the message properties > set a message header (the SetHeaderName and SetHeaderValue parameters). This action sets the X-MS-Exchange-Organization-CalendarBooking-Response header to the value Accept. Other valid values are Tentative and Decline.
Comments: We recommend that you use dedicated mailboxes (shared mailboxes are OK) for sending Direct to Calendar meeting invitations, because any meeting invitations from these senders will be automatically added to recipient calendars. The dedicated mailboxes require no special permissions to send Direct to Calendar meeting invitations.

Rule 2
Rule description: This mail flow rule prevents Direct to Calendar meeting invitations from appearing in the Inbox of recipients.
Condition: The sender is or The sender > is this person (the From parameter).
Action: Set the message header to this value or Modify the message properties > set a message header (the SetHeaderName and SetHeaderValue parameters). This action sets the X-MS-Exchange-Organization-CalendarBooking-TriageAction header to the value MoveToDeletedItems. The other valid value is None.
Comments: Technically, this rule is optional (without it, meetings are still automatically added to recipient calendars). Note that this rule doesn't prevent meeting cancellation messages for Direct to Calendar meetings from appearing in the Inbox of recipients.
For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the Exchange admin center to create Direct to Calendar mail flow rules
1. In the EAC, go to Mail flow > Rules.
2. Click New, and then select Create a new rule.
3. In the New rule page that opens, click More options.
5. Back at Mail flow > Rules, click New again, and then select Create a new rule.
6. In the New rule page that opens, click More options.
New-TransportRule -Name "Direct to Calendar response" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept
This example configures the rule using the dedicated mailbox named Direct to Calendar invites.
New-TransportRule -Name "Direct to Calendar response" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept
2. To create the mail flow rule that prevents Direct to Calendar meeting invitations from appearing in the Inbox
of recipients, use the following syntax:
New-TransportRule -Name "Direct to Calendar triage action" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems
This example configures the rule using the dedicated mailbox named Direct to Calendar invites.
New-TransportRule -Name "Direct to Calendar triage action" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems
Sometimes it makes sense to have a second set of eyes on a message before the message is delivered. As an
Exchange administrator, you can set this up. This process is called moderation, and the approver is called the
moderator. Depending on which messages need approval, you can use one of two approaches:
Change the distribution group properties
Create a mail flow rule
This article explains:
How to decide which approval approach to use
How the approval process works
To learn how to implement common scenarios, see Common message approval scenarios.
What you want to do: Create a moderated distribution group where all messages to the group must be approved.
Approach: Set up message approval for the distribution group.
First step: Go to the Exchange admin center (EAC) > Recipients > Groups, edit the distribution group, and then select Message approval.

What you want to do: Require approval for messages that match specific criteria or that are sent to a specific person.
Approach: Create a mail flow rule (also known as a transport rule) using the Forward the message for approval action. You can specify message criteria, including text patterns, senders, and recipients. Your criteria can also contain exceptions.
First step: Go to the EAC > Mail flow > Rules.
1. If approved, the message goes to the original intended recipients. The original sender isn't notified.
2. If rejected, a rejection message is sent to the sender. The moderator can add an explanation:
3. If the approver either deletes or ignores the approval message, an expiration message is sent to the sender.
This happens after two days in Exchange Online, and after five days in Exchange Server. (In Exchange
Server, you can change this time period).
The message that's waiting for approval gets temporarily stored in a system mailbox called the arbitration mailbox.
Until the moderator decides to approve or reject the message, deletes the approval message, or lets the approval
message expire, the original message is kept in the arbitration mailbox.
Your organization may require certain types of messages be approved in order to meet legal or compliance
requirements, or to implement a specific business workflow. This article discusses examples of common scenarios
that you can set up by using Exchange.
To require that messages to a specific distribution group be approved, in the Exchange admin center (EAC), go to
Recipients > Groups, edit the distribution group, and then select Message approval. To open the EAC, see
Exchange admin center in Exchange Online.
To get started, go to EAC > Mail flow > Rules, and create a new rule using the Send messages to a moderator
template. To open the EAC, see Exchange admin center in Exchange Online.
IMPORTANT
Some conditions and actions, including forwarding to the sender's manager, are hidden by default in the New rule page. To
see all the conditions and actions, select More options.
Example 3: Set up a message approval chain
You can require multiple levels of approval for messages. For example, you can require that messages to a specific
customer be approved first by a customer relationship manager and then by a compliance officer, or you can
require that expense reports be approved by two levels of managers.
To create this type of multiple-level approval, create one mail flow rule for each level of approval. Each rule
detects the same patterns in the messages, as follows:
The first rule forwards the message to the first approver. When the first approver accepts the message, the
message automatically goes to the approver in the second rule.
If all approvers in the chain select Approve when they receive the approval request, when the last
approval in the chain is complete, the original message is sent to the intended recipients.
If anyone in the approval chain selects Reject when they receive the approval request, the sender receives
a rejection message.
If any of the approval requests aren't approved within the expiration time (2 days for Exchange Online, 5
days for Exchange Server), the sender receives an expiration message.
The following example assumes that you have a customer called Blue Yonder Airlines, and you want both the
customer relationship manager and the compliance officer to approve all messages that go to this customer. You
create two rules, one for each approver. The first rule goes to the first-level approver. The second rule goes to the
second-level approver.
The first rule identifies all messages with the company name Blue Yonder Airlines in the subject or message, and
it sends these messages to the internal customer relationship manager for Blue Yonder Airlines, Garret Vargas.
The second rule sends these messages to the compliance officer, Tony Krijnen.
Example 4: Forward messages that match one of several criteria
Within a mail flow rule, all conditions configured within the rule must be true for the rule to match. If you want
the same actions applied for either condition, you should create a separate rule for each one.
To do this, on the Rules page in EAC, create a rule for the first condition. Then select the rule, select Copy, and
change the conditions in the new rule to match the second condition.
Be careful when you create multiple rules with "OR" conditions so you don't end up with a message being sent
multiple times to the approver. To avoid this, add an exception to the second rule so it ignores messages that
matched the first rule.
For example, a single rule can't check whether a message has "sales quote" in either the subject or in the
attachment title. To avoid the message being sent multiple times to the approver, if the first rule checks for "sales
quote" in the subject or body of the message, the second rule that checks for "sales quote" in attachment content
needs an exception that contains the first rule's criteria.
NOTE
Exceptions are hidden by default in the New rule page. To see all the conditions and actions, select More options.
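Examples 3 and 4 above can also be built from Exchange Online PowerShell. The following is an added example, not from the original article: it creates the two-level Blue Yonder Airlines chain and the "sales quote" rule pair, with the exception that keeps a message from reaching the approver twice. It assumes a connected Exchange Online PowerShell session; the rule names and the $quoteApprover address are constructed.

```powershell
# Added example, not from the original article.
# Assumes a connected Exchange Online PowerShell session.

# Example 3: approval chain. Both rules detect the same pattern and each one
# forwards to a different approver. Approver names come from the scenario.
$pattern = 'Blue Yonder Airlines'
$chain = @(
    @{ Name = 'Blue Yonder approval level 1'; Approver = 'Garret Vargas' },
    @{ Name = 'Blue Yonder approval level 2'; Approver = 'Tony Krijnen' }
)
foreach ($level in $chain) {
    $rule = @{
        Name                       = $level.Name        # constructed name
        SubjectOrBodyContainsWords = $pattern
        ModerateMessageByUser      = $level.Approver
        Mode                       = 'Audit'            # test mode first
    }
    New-TransportRule @rule
}

# Example 4: "OR" across two conditions needs two rules. The second rule
# carries the first rule's criteria as an exception, so a message that has
# the phrase in both places is forwarded for approval only once.
$phrase        = 'sales quote'
$quoteApprover = 'approver@contoso.com'                 # hypothetical approver

$subjectOrBody = @{
    Name                       = 'Sales quote in subject or body'
    SubjectOrBodyContainsWords = $phrase
    ModerateMessageByUser      = $quoteApprover
    Mode                       = 'Audit'
}
New-TransportRule @subjectOrBody

$attachment = @{
    Name                               = 'Sales quote in attachment'
    AttachmentContainsWords            = $phrase
    ExceptIfSubjectOrBodyContainsWords = $phrase
    ModerateMessageByUser              = $quoteApprover
    Mode                               = 'Audit'
}
New-TransportRule @attachment

# Review order and mode. In test mode no approval request is sent; matches
# are recorded in the message trace. Enforce each rule once it matches only
# what it should, for example:
#   Set-TransportRule 'Sales quote in attachment' -Mode Enforce
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode
```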
Example 5: Forward a message that contains sensitive information
If you have the Data loss prevention (DLP) feature, many types of sensitive information are predefined. With DLP,
you see the condition The message contains sensitive information. Whether or not you have DLP, you can
create conditions that identify specific sensitive information patterns that are unique to your organization.
Here's an example where messages with sensitive information require approval. In this example, messages that
contain a credit card number require approval.
See also
Manage message approval
Recoverable Items folder in Exchange Online
3/29/2019
To protect from accidental or malicious deletion and to facilitate discovery efforts commonly undertaken before or
during litigation or investigations, Exchange Online uses the Recoverable Items folder. The Recoverable Items folder
replaces the feature that was known as the dumpster in earlier versions of Exchange. The following Exchange
features use the Recoverable Items folder:
Deleted item retention
Single item recovery
In-Place Hold
Litigation Hold
eDiscovery hold
Office 365 retention policies
Mailbox audit logging
Calendar logging
Terminology
Knowledge of the following terms will help you understand the content in this topic.
Delete
Describes when an item is deleted from any folder and placed in the Deleted Items default folder.
Soft delete
Describes when an item is deleted from the Deleted Items default folder and placed in the Recoverable Items
folder. Also describes when an Outlook user deletes an item by pressing Shift+Delete, which bypasses the Deleted
Items folder and places the item directly in the Recoverable Items folder.
Hard delete
Describes when an item is marked to be purged from the mailbox database. This is also known as a store hard
delete.
STATE OF SINGLE ITEM RECOVERY | RECOVERABLE ITEMS FOLDER CONTAINS SOFT-DELETED ITEMS | RECOVERABLE ITEMS FOLDER CONTAINS HARD-DELETED ITEMS | USERS CAN PURGE ITEMS FROM THE RECOVERABLE ITEMS FOLDER | MANAGED FOLDER ASSISTANT AUTOMATICALLY PURGES ITEMS FROM THE RECOVERABLE ITEMS FOLDER
NOTE
If you put a mailbox on both In-Place Hold and Litigation Hold, Litigation Hold takes preference because this puts the entire
mailbox on hold.
The following table lists the contents of and actions that can be performed in the Recoverable Items folder if
Litigation Hold is enabled.
Recoverable Items folder and holds
STATE OF HOLD | RECOVERABLE ITEMS FOLDER CONTAINS SOFT-DELETED ITEMS | RECOVERABLE ITEMS FOLDER CONTAINS MODIFIED AND HARD-DELETED ITEMS | USERS CAN PURGE ITEMS FROM THE RECOVERABLE ITEMS FOLDER | MANAGED FOLDER ASSISTANT AUTOMATICALLY PURGES ITEMS FROM THE RECOVERABLE ITEMS FOLDER
To learn more about In-Place eDiscovery, In-Place Hold, and Litigation Hold, see the following topics:
In-Place eDiscovery in Exchange Online
In-Place Hold and Litigation Hold in Exchange Online
Copy-on-write page protection and modified items
If a user who is placed on In-Place Hold or Litigation Hold modifies specific properties of a mailbox item, a copy of
the original mailbox item is created before the changed item is written. The original copy is saved in the Versions
subfolder. This process is known as copy-on-write page protection. Copy-on-write page protection applies to items
residing in any mailbox folder. The Versions subfolder isn't visible to users.
The following table lists the message properties that trigger copy-on-write page protection.
Properties that trigger copy-on-write page protection
Items other than messages and posts: Any change to a visible property, except the following:
• Item location (when an item is moved between folders)
• Item status change (read or unread)
• Changes to a retention tag applied to an item
Items in the Drafts default folder: None. Items in the Drafts folder are exempt from copy-on-write
page protection.
IMPORTANT
Copy-on-write page protection doesn't save a version of the meeting when a meeting organizer receives responses from
attendees and the meeting's tracking information is updated. Also, changes to RSS feeds aren't captured by copy-on-write
page protection.
When a mailbox is no longer on In-Place Hold or Litigation Hold, copies of modified items stored in the Versions
folder are removed.
More information
Copy-on-write is only enabled when a mailbox is on In-Place Hold or Litigation Hold.
If users need to recover deleted items from the Recoverable Items folder, point them to the following topics:
Recover deleted items in Outlook for Windows
Recover deleted items or email in Outlook on the web
Clean up or delete items from the Recoverable Items folder in Exchange Online
3/4/2019
The Recoverable Items folder (known in earlier versions of Exchange as the dumpster) exists to protect from
accidental or malicious deletions and to facilitate discovery efforts commonly undertaken before or during
litigation or investigations.
How you clean up or delete items from a user's Recoverable Items folder depends on whether the mailbox is
placed on In-Place Hold or Litigation Hold, or had single item recovery enabled:
If a mailbox isn't placed on In-Place Hold or Litigation Hold or other types of holds in Office 365, or if a
mailbox doesn't have single item recovery enabled, you can simply delete items from the Recoverable Items
folder. After items are deleted, you can't use single item recovery to recover them.
If the mailbox is placed on In-Place Hold or Litigation Hold or other types of holds in Office 365, or if single
item recovery is enabled, you'll want to preserve the mailbox data until the hold is removed or single item
recovery is disabled. In this case, you need to perform more detailed steps to clean up the Recoverable
Items folder.
To learn more about In-Place Hold and Litigation Hold, see In-Place Hold and Litigation Hold in Exchange Online.
To learn more about single item recovery, see Single item recovery.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online or Exchange Online Protection.
NOTE
To delete items from the mailbox without copying them to another mailbox, use the preceding command without the
TargetMailbox and TargetFolder parameters.
Use Microsoft Exchange Online and Office 365 to manage mail flow. Find out how, and get tips and best practices
for setting up and managing your email.
This article is intended for IT Pros. Want something else?
Try Set up Office 365 for business or Deploy Office 365 Enterprise for your organization.
Office 365 gives you flexibility in determining the best arrangement for how email is delivered to your
organization's mailboxes. The path email takes from the internet to a mailbox and vice versa is called mail flow.
Most organizations want Office 365 to manage all their mailboxes and filtering, and some organizations need
more complex mail flow setups to make sure that they comply with specific regulatory or business needs. If you're
part of a small business or simply an organization that wants Office 365 to manage all your mailboxes and mail
flow, we recommend following the steps in Set up Office 365 for business. That article provides a complete
checklist for setting up Office 365 services and programs, including how to set up your mail flow and email
clients.
For information about how your email is protected with EOP, see Exchange Online Protection Overview.
TIP
Are you new to Office 365 mail flow? Check out the External Domain Name System records for Office 365 topic. We
especially recommend reading the part about SPF records because customers often list the wrong values in their SPF record,
which can cause mail flow problems.
For information about migrating your email to Microsoft Exchange Online, see Ways to migrate multiple email
accounts to Office 365.
Hostname: contoso-com.mail.protection.outlook.com
Priority: 0
TTL: 1 hour
SPF (sender policy framework) is a specially formatted TXT record in DNS. SPF validates that only the
organization that owns a domain is actually sending email from that domain. SPF is a security measure that helps
make sure someone doesn't impersonate another organization. This impersonation is often called spoofing. As a
domain owner, you can use SPF to publish a list of IP addresses or subnets that are authorized to send email on
your organization's behalf. This can be helpful if you want to send email from multiple servers or services with
different IP addresses.
IMPORTANT
You can only have one SPF record per domain. Having multiple SPF records will invalidate all SPF records and cause mail flow
problems.
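The one-record rule is easy to check before a DNS change goes live. The following added example (not from the original article) counts the SPF records among a domain's TXT records and flags the duplicate case; the function name is hypothetical and the TXT values are constructed sample data.

```powershell
# Added example, not from the original article.
# Function name is hypothetical; TXT values below are constructed samples.

function Test-SingleSpfRecord {
    [CmdletBinding()]
    param(
        # One string per TXT record published at the domain name.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$TxtRecord
    )

    # A TXT record is an SPF record only if its first term is "v=spf1".
    # Other TXT records (domain verification and so on) are ignored.
    $spf = @($TxtRecord | Where-Object { $_ -match '^v=spf1(\s|$)' })

    $status = switch ($spf.Count) {
        0       { 'NoSpfRecord' }
        1       { 'Ok' }
        default { 'MultipleSpfRecords' }   # invalidates SPF for the domain
    }

    [pscustomobject]@{
        Status   = $status
        SpfCount = $spf.Count
        Records  = $spf
    }
}

# Constructed sample: one verification record and one SPF record.
$single = @(
    'MS=ms00000000',
    'v=spf1 include:spf.protection.outlook.com -all'
)

# Constructed sample: a second SPF record added for another sending service
# instead of merging it into the existing record.
$duplicate = $single + 'v=spf1 ip4:192.0.2.10 -all'

Test-SingleSpfRecord -TxtRecord $single
Test-SingleSpfRecord -TxtRecord $duplicate

# To check a live domain on Windows, join the string chunks of each TXT answer:
#   $txt = Resolve-DnsName -Name contoso.com -Type TXT |
#          Where-Object { $_.Strings } | ForEach-Object { -join $_.Strings }
#   Test-SingleSpfRecord -TxtRecord $txt
```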
Because most modern email servers look up a domain's SPF record before they accept any email from it, it's
important to set up a valid SPF record in DNS when you first set up mail flow. For a quick introduction to SPF
and to get it configured quickly, see Set up SPF in Office 365 to help prevent spoofing. For a more in-depth
understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid
deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.
DomainKeys Identified Mail (DKIM) lets you attach a digital signature to email messages in the message
header of emails you send. Email systems that receive email from your domain use this digital signature to
determine if incoming email that they receive is legitimate. For information about DKIM and Office 365, see Use
DKIM to validate outbound email sent from your domain in Office 365.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps receiving mail
systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for
your email partners. For information on setting up DMARC, see Use DMARC to validate email in Office 365.
Use SPF, DKIM, and DMARC together for the best experience.
How MX records affect spam filtering
For the best mail flow experience, especially for spam filtering, we recommend pointing the MX record for your
organization's domain to Office 365. Spam scanning is the initial connection point to the Office 365 service. Who
is sending the message, the IP address of the server that originally sent the message, and the behavior of the
connecting mail server, all help determine whether a message is legitimate or spam. If your domain's MX record
doesn't point to Office 365, the spam filters won't be as effective. If your MX record doesn't point to Office 365,
there will be some valid messages that the service misclassifies as spam and some spam messages that the
service misclassifies as legitimate email.
With that said, there are legitimate business scenarios that require your domain's MX record to point to
somewhere other than Office 365. For example, email destined for your organization might need to initially arrive
at another destination (such as a third-party archiving solution), then route through Office 365, and then be
delivered to mailboxes on your organization's mail server. This setup might provide the best solution to meet your
business requirements.
Whatever your needs, this guide will help you understand how your MX records, SPF, and, potentially, connectors
need to be set up.
To validate and troubleshoot mail flow from Office 365 to your organization's email server (also called on-premises
server), validate your connectors. You can set up and validate connectors on the connectors page in the
Exchange admin center (EAC). The built-in validation tests that your mail flow from Office 365 reaches:
Your organization's email server
A partner organization.
For more information, see Validate connectors in Office 365.
Mail flow issues can also happen when your MX record is not set up correctly. To verify your MX record, see Find
and fix issues after adding your domain or DNS records in Office 365.
NOTE
These tests replace Office 365 mail flow troubleshooting that was previously available in the Remote Connectivity Analyzer.
See also
Configure mail flow using connectors in Office 365
Set up connectors to route mail between Office 365 and your own email servers
Fixing connector validation errors
When do I need a connector?
Troubleshoot Office 365 mail flow
3/4/2019 • 2 minutes to read
Can't send or receive email? As an admin, you have several ways to troubleshoot the issue in Office 365 for business.
We recommend using the automated solutions because they are typically easier and faster than manual
troubleshooting.
For instructions about troubleshooting options, see Find and fix email delivery issues as an Office 365 for
business admin.
Connectors are a collection of instructions that customize the way your email flows to and from your Office 365
organization. Actually, most Office 365 organizations don't need connectors for regular mail flow. This topic
describes the mail flow scenarios that require connectors.
NOTE
Graylisting is a delay tactic that's used to protect email systems from spam. In Office 365, graylisting is done by throttling
IPs to limit senders from sending suspiciously large amounts of email. Office 365 responds to these abnormal influxes of
mail by returning a temporary non-delivery report error (also known as an NDR or bounce message) in the range 451
4.7.500-699 (ASxxx). For more details on these types of delivery issues, see Fix email delivery issues for error code 451
4.7.500-699 (ASxxx) in Office 365.
Scenario: You have a standalone EOP subscription.
Description: You have your own on-premises email servers, and you subscribe to EOP only for email protection services for your on-premises mailboxes (you have no mailboxes in Exchange Online). For more information, see the topic Exchange Online Protection overview and the How connectors work with my on-premises email servers section later in this topic.
Connector required? Yes
Connector settings:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises mail server

Scenario: Some of your mailboxes are on your on-premises email servers, and some are in Exchange Online.
Description: Before you manually configure connectors, check whether an Exchange hybrid deployment better meets your business needs. For details, see the I have my own email servers section later in this topic and the Exchange Server Hybrid Deployments topic.
Connector required? Yes
Connector settings:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises email server

Scenario: All of your mailboxes are in Exchange Online, but you need to send email from sources in your on-premises organization.
Description: You don't have your own email servers, but you need to send email from non-mailboxes: printers, fax machines, apps, or other devices.
Connector required? Optional
Connector settings:
Only one connector for incoming email:
• From: Your organization's email server
• To: Office 365

Scenario: You frequently exchange sensitive information with business partners, and you want to apply security restrictions.
Description: You want to use Transport Layer Security (TLS) to encrypt sensitive information or you want to limit the source (IP addresses) for email from the partner domain. For details, see Set up connectors for secure mail flow with a partner organization.
Connector required? Optional
Connector settings:
Connector for incoming email:
• From: Partner organization
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Partner organization
TIP
If you don't have Exchange Online or EOP and are looking for information about Send connectors and Receive connectors
in Exchange 2016 or Exchange 2019, see Connectors.
I have my own email servers
If you have Exchange Online or EOP and your own on-premises email servers, you definitely need connectors.
This is more complicated and has more options as described in the following table:
Exchange 2010 or later Exchange Online Protection Not available Yes. Follow the instructions
in Set up connectors to
route mail between Office
365 and your own email
servers.
If a hybrid deployment is
the right option for your
organization, use the Hybrid
Configuration wizard to
integrate Exchange Online
with your on-premises
Exchange organization.
Exchange 2007 or earlier Exchange Online Protection Not available Yes. Follow the instructions
or Exchange Online in Set up connectors to
route mail between Office
365 and your own email
servers.
In limited circumstances,
you might have a hybrid
configuration with Exchange
Server 2007 and Office 365.
Check whether connectors
are already set up for your
organization by going to the
Connectors page in the
EAC.
Non-Microsoft SMTP server Exchange Online Protection Not available Yes. Follow the instructions
or Exchange Online in Set up connectors to
route mail between Office
365 and your own email
servers.
In this example, John and Bob are both employees at your company. John has a mailbox on an email server that
you manage, and Bob has a mailbox in Exchange Online. John and Bob both exchange mail with Sun, a customer
with an internet email account:
When email is sent between John and Bob, connectors are needed.
When email is sent between John and Sun, connectors are needed. (All internet email is delivered via
Office 365).
When email is sent between Bob and Sun, no connector is needed.
IMPORTANT
Always confirm that your internet-facing email servers aren't accidentally configured to allow open relay. An open relay
allows mail from any source (spammers) to be transparently re-routed through the open relay server. This behavior masks
the original source of the messages, and makes it look like the mail originated from the open relay server.
See also
Set up connectors to route mail between Office 365 and your own email servers
Mail flow best practices for Exchange Online and Office 365 (overview)
Set up connectors for secure mail flow with a partner organization
What happens when I have multiple connectors for the same scenario?
Do I need to create a connector in Exchange Online?
3/29/2019 • 2 minutes to read
Find your mail flow scenario to see if you need to create a connector for your Exchange Online organization.
Scenario: You have a standalone EOP subscription.
Description: You have your own on-premises email servers, and you subscribe to EOP only for email protection services for your on-premises mailboxes (you have no mailboxes in Exchange Online). For more information, see the topic Exchange Online Protection overview and How connectors work with my on-premises email servers.
Connector required? Yes
Connector settings:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises mail server

Scenario: Some of your mailboxes are on your on-premises email servers, and some are in Exchange Online.
Description: Before you manually configure connectors, check whether an Exchange hybrid deployment better meets your business needs. For details, see I have my own email servers and Exchange Server Hybrid Deployments.
Connector required? Yes
Connector settings:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises email server

Scenario: All of your mailboxes are in Exchange Online, but you need to send email from sources in your on-premises organization.
Description: You don't have your own email servers, but you need to send email from non-mailboxes: printers, fax machines, apps, or other devices.
Connector required? Optional
Connector settings:
Only one connector for incoming email:
• From: Your organization's email server
• To: Office 365

Scenario: You frequently exchange sensitive information with business partners, and you want to apply security restrictions.
Description: You want to use Transport Layer Security (TLS) to encrypt sensitive information or you want to limit the source (IP addresses) for email from the partner domain. For details, see Set up connectors for secure mail flow with a partner organization.
Connector required? Optional
Connector settings:
Connector for incoming email:
• From: Partner organization
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Partner organization
NOTE
For more information about these scenarios, see Configure mail flow using connectors in Office 365.
Set up connectors to route mail between Office 365
and your own email servers
3/29/2019 • 12 minutes to read
This topic helps you set up the connectors you need for the following two scenarios:
You have your own email servers (also called on-premises servers), and you subscribe to Exchange Online
Protection (EOP) for email protection services.
You have (or intend to have) mailboxes in two places; some mailboxes in Office 365, and some of your
mailboxes are on your organization email servers (also called on-premises servers).
NOTE
Before you get started, make sure you check on your specific scenario in I have my own email servers.
In this example, John and Bob are both employees at your company. John has a mailbox on an email server that
you manage, and Bob has a mailbox in Office 365. John and Bob both exchange mail with Sun, a customer with
an internet email account:
When email is sent between John and Bob, connectors are needed.
When email is sent between John and Sun, connectors are needed. (All internet email is delivered via
Office 365.)
When email is sent between Bob and Sun, no connector is needed.
If you have your own email servers and Office 365, you must set up connectors in Office 365. Without
connectors, email will not flow between Office 365 and your organization's email servers.
How do connectors route mail between Office 365 and my own email
server?
You need two connectors to route email between Office 365 and your email servers, as follows:
A connector from Office 365 to your own email server
When you set up Office 365 to accept all email on behalf of your organization, you will point your domain's MX
(mail exchange) record to Office 365. To prepare for this mail delivery scenario, you must set up an alternative
server (called a "smart host") so that Office 365 can send email to your organization's email server (also called
"on-premises server"). To complete the scenario, you might need to configure your email server to accept
messages delivered by Office 365.
A connector from your own email server to Office 365
When this connector is set up, Office 365 will accept messages from your organization's email server and send
the messages to recipients on your behalf. This recipient could be a mailbox for your organization in Office 365,
or it could be a recipient on the internet. To complete this scenario, you'll also need to configure your email
server to send email messages directly to Office 365.
This connector enables Office 365 to scan your email for spam and malware, and to enforce compliance
requirements such as running data loss prevention policies. When your email server sends all email messages
directly to Office 365, your own IP addresses are shielded from being added to a spam block list. To complete
the scenario, you might need to configure your email server to send messages to Office 365.
NOTE
This scenario requires two connectors: one from Office 365 to your mail servers, and one to manage mail flow in the
opposite direction. Before you start, make sure you have all the information you need, and continue with the instructions
until you have set up and validated both connectors.
NOTE
You can set up mail flow rules as described in Mail flow rule actions in Exchange Online. For example, you might want to
use mail flow rules with connectors if your mail is currently directed via distribution lists to multiple sites.
Before you set up a new connector, check any connectors that are already listed here for your organization. For
example, if you ran the Exchange Hybrid Configuration wizard, connectors that deliver mail between Office 365
and Exchange Server will be set up already and listed here. You don't need to set them up again, but you can edit
them here if you need to. If you don't plan to use the hybrid configuration wizard, or if you're running Exchange
Server 2007 or earlier, or if you're running a non-Microsoft SMTP mail server, set up connectors using the
wizard.
To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:
Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. The wizard will guide you through setup. At the end, make sure your connector validates. If the
connector does not validate, double-click the message displayed to get more information, and see About fixing
connector validation errors for help resolving issues.
3. Change your MX record to redirect your mail flow from the internet to Office 365
To redirect email flow to Office 365, change the MX (mail exchange) record for your domain. For instructions on
how to do this, see Add MX record to route email.
Part 2: Configure mail to flow from your email server to Office 365
There are two steps for this:
1. Set up a connector from your email server to Office 365.
2. Set up your email server to relay mail to the internet via Office 365.
Once you have completed Part 2, see the instructions at the end to check that your configuration works.
1. Set up a connector from your email server to Office 365
To create a connector in Office 365, click Admin, click Exchange, and then go to the Exchange admin center.
Next, click mail flow, and click connectors. If any connectors already exist for your organization, you can see
them listed here.
To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:
Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. In particular, see Identifying email from your email server for help configuring certificate or IP
address settings for this connector. The wizard will guide you through setup. At the end, save your connector.
2. Set up your email server to relay mail to the internet via Office 365
Next, you must prepare your email server to send mail to Office 365. This enables mail flow from your email
servers to the internet via Office 365.
If your on-premises email environment is Microsoft Exchange, you create a Send connector that uses smart host
routing to send messages to Office 365. For more information, see Create a Send connector to route outbound
email through a smart host. For instructions on how to do this with Exchange Server 2010, see Create an SMTP
Send Connector.
To create the Send connector in Exchange Server, use the following syntax in the Exchange Management Shell.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open
the Exchange Management Shell.
NOTE
In the following procedures, the CloudServicesMailEnabled parameter is available in Exchange 2013 or later.
New-SendConnector -Name <DescriptiveName> -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts <YourDomain>-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation
This example creates a new Send Connector with the following properties:
Name: My company to Office 365
FQDN: mail.contoso.com
SmartHosts: contoso-com.mail.protection.outlook.com
New-SendConnector -Name "My company to Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn mail.contoso.com -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts contoso-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation
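To check that an existing Send connector still enforces what the New-SendConnector command sets (TLS required, certificate validation, smart host routing to Office 365), the following added example, which is not part of the original page, audits connector objects. The function name and the sample objects are constructed; the property names are those returned by Get-SendConnector, and accepting DomainValidation as an alternative TLS level is an assumption.

```powershell
# Added example (not from the original page): compare Send connector settings
# with the values used in the New-SendConnector command on this page.

function Test-O365SendConnector {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Connector
    )
    process {
        $findings = New-Object 'System.Collections.Generic.List[string]'

        # TLS must be mandatory, not opportunistic.
        if ($Connector.RequireTLS -ne $true) {
            $findings.Add('RequireTLS is not $true: TLS is not enforced on this connector')
        }

        # The page uses CertificateValidation. DomainValidation is a stricter
        # level and is accepted here as an assumption.
        $level = [string]$Connector.TlsAuthLevel
        if ($level -notin @('CertificateValidation', 'DomainValidation')) {
            $findings.Add("TlsAuthLevel is '$level': the remote certificate is not validated")
        }

        # Mail must be handed to the smart host instead of being routed by DNS.
        if ($Connector.DNSRoutingEnabled -ne $false) {
            $findings.Add('DNSRoutingEnabled is not $false: mail is routed by DNS lookup, not via the smart host')
        }

        # Every smart host should be an Office 365 endpoint.
        $smartHosts = @(@($Connector.SmartHosts) | Where-Object { $_ } | ForEach-Object { [string]$_ })
        if ($smartHosts.Count -eq 0) {
            $findings.Add('No smart host is configured')
        }
        foreach ($smartHost in $smartHosts) {
            if ($smartHost -notlike '*.mail.protection.outlook.com') {
                $findings.Add("Smart host '$smartHost' is not under mail.protection.outlook.com")
            }
        }

        # Available in Exchange 2013 or later, as the NOTE on this page says.
        if ($Connector.CloudServicesMailEnabled -ne $true) {
            $findings.Add('CloudServicesMailEnabled is not $true')
        }

        [pscustomobject]@{
            Name      = $Connector.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings.ToArray()
        }
    }
}

# Constructed sample objects so the check runs without an Exchange server.
$asDocumented = [pscustomobject]@{
    Name                     = 'My company to Office 365'
    Fqdn                     = 'mail.contoso.com'
    RequireTLS               = $true
    TlsAuthLevel             = 'CertificateValidation'
    DNSRoutingEnabled        = $false
    SmartHosts               = @('contoso-com.mail.protection.outlook.com')
    CloudServicesMailEnabled = $true
}
$weakened = [pscustomobject]@{
    Name                     = 'Constructed weak connector'
    Fqdn                     = 'mail.contoso.com'
    RequireTLS               = $false
    TlsAuthLevel             = $null
    DNSRoutingEnabled        = $false
    SmartHosts               = @('relay.example.net')
    CloudServicesMailEnabled = $true
}

$asDocumented, $weakened | Test-O365SendConnector | Format-List

# In the Exchange Management Shell, audit the real connectors with:
#   Get-SendConnector | Test-O365SendConnector | Format-List
```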
The connector wizard opens, and you can make changes to the existing connector settings. While you change the
connector settings, Office 365 continues to use the existing connector settings for mail flow. When you save
changes to the connector, Office 365 starts using the new settings.
Connector 2 is set up specifically for your company domain Contoso.com. The following screen shot shows the
connectors wizard screen where you define which domains the connector applies to. In this case, the setting
chosen is Only when email messages are sent to these domains. For Connector 2, your company domain
Contoso.com is specified.
Connector 3 is also set up by using the option Only when email messages are sent to these domains. But,
instead of the specific domain Contoso.com, the connector uses a wildcard: *.Contoso.com as shown in the
following screen shot.
For each email sent from Office 365 to mailboxes on your email server, Office 365 selects the most specific
connector possible. For email sent to:
john@fabrikam.com, Office 365 selects Connector 1.
john@contoso.com, Office 365 selects Connector 2.
john@sales.contoso.com, Office 365 selects Connector 3.
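The most-specific-match selection described in this passage can be modelled as follows. This is an added illustration, not code from the page or from Office 365. It assumes Connector 1 applies to all domains (its definition is not on this page) and that a wildcard such as *.Contoso.com matches subdomains only; the function name is hypothetical.

```powershell
# Added example (not from the original page): a model of "select the most
# specific connector". RecipientDomains mirrors the Outbound connector
# property of that name; the connector objects below are constructed.

function Select-MostSpecificConnector {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [Parameter(Mandatory)][object[]]$Connectors
    )

    $domain    = ($Recipient -split '@')[-1].ToLowerInvariant()
    $best      = $null
    $bestScore = -1

    foreach ($connector in $Connectors) {
        foreach ($pattern in $connector.RecipientDomains) {
            $p = ([string]$pattern).ToLowerInvariant()

            if ($p -eq $domain) {
                # An exact domain always wins.
                $score = [int]::MaxValue
            }
            elseif ($p.StartsWith('*.') -and $domain.EndsWith($p.Substring(1))) {
                # Wildcard: a longer suffix is more specific.
                $score = $p.Length
            }
            elseif ($p -eq '*') {
                # Catch-all: the least specific match (assumed Connector 1).
                $score = 0
            }
            else {
                continue
            }

            if ($score -gt $bestScore) {
                $best      = $connector
                $bestScore = $score
            }
        }
    }
    $best
}

$connectors = @(
    [pscustomobject]@{ Name = 'Connector 1'; RecipientDomains = @('*') }
    [pscustomobject]@{ Name = 'Connector 2'; RecipientDomains = @('contoso.com') }
    [pscustomobject]@{ Name = 'Connector 3'; RecipientDomains = @('*.contoso.com') }
)

foreach ($recipient in 'john@fabrikam.com', 'john@contoso.com', 'john@sales.contoso.com') {
    $selected = Select-MostSpecificConnector -Recipient $recipient -Connectors $connectors
    '{0} -> {1}' -f $recipient, $selected.Name
}
```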
See also
Configure mail flow using connectors in Office 365
Mail flow best practices for Exchange Online and Office 365 (overview)
Validate connectors in Office 365
Set up connectors for secure mail flow with a partner organization
Set up connectors for secure mail flow with a partner
organization
3/6/2019 • 8 minutes to read
You can create connectors to apply security restrictions to mail exchanges with a partner organization or service
provider. A partner can be an organization you do business with, such as a bank. It can also be a third-party cloud
service that provides services such as archiving, anti-spam, and filtering.
You can create a connector to enforce encryption via transport layer security (TLS). You can also apply other
security restrictions such as specifying domain names or IP address ranges that your partner organization sends
mail from.
NOTE
Setting up a connector to exchange mail with a partner organization is optional; mail flows to and from your partner
organization without connectors.
If you use a third-party cloud service for email filtering and need instructions for making this work with Office
365, see Mail flow best practices for Exchange Online and Office 365 (overview).
NOTE
For information about TLS, see How Exchange Online uses TLS to secure email connections in Office 365. For detailed
technical information about how Exchange Online uses TLS with cipher suite ordering, see Enhancing mail flow security for
Exchange Online.
When you set up a connector, email messages are checked to make sure they meet the security restrictions that
you specify. If email messages don't meet the security restrictions that you specify, the connector will reject them,
and those messages will not be delivered. This makes it possible to set up a secure communication channel with a
partner organization.
You can set up one or both of the following depending on your requirements:
Set up a connector to apply security restrictions to mail sent from Office 365 to your partner organization
Set up a connector to apply security restrictions to mail sent from your partner organization to Office 365
Also in this article:
Change a connector that Office 365 is using for mail flow
Example security restrictions you can apply to email sent from a partner organization
Review this section to help you determine the specific settings you need for your business.
Set up a connector to apply security restrictions to mail sent from
Office 365 to your partner organization
To create a connector in Office 365, click Admin, then click Exchange to go to the Exchange admin center.
Next, click mail flow, and click connectors. If any connectors already exist for your organization, you can see
them listed here.
Before you set up a new connector, check any connectors that are already listed here for your organization. For
example, if you already have a connector set up for a partner organization, you'll see it listed. Make sure you don't
create duplicate connectors for a single organizational partner; when this happens, it can cause errors, and your
mail might not be delivered.
To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:
Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. The wizard will guide you through setup. At the end, make sure your connector validates. If the
connector does not validate, see About fixing connector validation errors for help resolving issues.
If you want to create a secure channel with your partner organization in both directions, set up a connector that
restricts mail flow from your partner organization to Office 365.
Set up a connector to apply security restrictions to mail sent from your
partner organization to Office 365
You can set up a connector to apply security restrictions to email that your partner organization sends to you. To
start the wizard, click the plus symbol +. On the first screen, choose the following options:
Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. The wizard will guide you through setup. At the end, save your connector.
Ask your partner organization to send a test email. Make sure the email your partner organization sends will
cause the connector to be applied. For example, if you specified security restrictions for mail sent from a specific
partner domain, make sure they send test mail from that domain. Check that the test email is delivered to
confirm that the connector works correctly.
The connector wizard opens, and you can make changes to the existing connector settings. While you change the
connector settings, Office 365 continues to use the existing connector settings for mail flow. When you save
changes to the connector, Office 365 starts using the new settings.
Once you choose this mail flow scenario, you can set up a connector that will apply security restrictions to email
that your partner organization sends to you. For some security restrictions, you might need to talk to your
partner organization to obtain information to complete some settings. Look for the examples that best meet your
needs to help you set up your partner connector.
NOTE
Any email sent from your partner organization that does not meet security restrictions that you specify will not be
delivered.
Example 1: Require that email sent from your partner organization domain contosobank.com is encrypted
using transport layer security (TLS)
To do this, specify your partner organization domain name to identify mail from that partner, and then choose
transport layer security (TLS) encryption when you create your Partner to Office 365 connector. Use these
options during setup:
Use this screen to enter your partner organization's domain name(s) so the connector can identify mail sent by
your partner:
Choose this setting to require encryption for all email from ContosoBank.com using TLS:
When you choose these settings, all email from your partner organization's domain, ContosoBank.com, must be
encrypted using TLS. Any mail that is not encrypted will be rejected.
Example 2: Require that email sent from your partner organization domain ContosoBank.com is encrypted and
uses their domain certificate
To do this, use all the settings shown in Example 1. Also, add the certificate domain name that your partner
organization uses to connect with Office 365. Use this option during setup:
When you set these restrictions, all mail from your partner organization domain must be encrypted using TLS,
and sent from a server with the certificate name you specify. Any email that does not meet these conditions will
be rejected.
Example 3: Require that all email is sent from a specific IP address range
This email could be from a partner organization, such as ContosoBank.com, or from your on-premises
environment. For instance, the MX record for your domain, contoso.com, points to on-premises, and you want all
email sent to contoso.com to come from your on-premises IP addresses only. This helps prevent spoofing and
makes sure your compliance policies can be enforced for all messages.
To do this, specify your partner organization domain name to identify mail from that partner, and then restrict the
IP addresses that you accept mail from. Using an IP address makes the connector more specific because it
identifies a single address or an address range that your partner organization sends mail from. Enter your
partner domain as described in Example 1, then use this option during setup:
When you set these restrictions, all email sent from your partner organization domain, ContosoBank.com, or
from your on-premises environment must be sent from the IP address or an address range you specify. Any mail
that does not meet these conditions will be rejected.
Example 4: Require that all email sent to your organization from the internet is sent from a specific IP address
(third-party email service scenario)
Mail flow from a third-party email service to Office 365 works without a connector. However, in this scenario you
can optionally use a connector to restrict all mail delivery to your organization. If you use the settings described
in this example, they will apply to all email sent to your organization. When all email sent to your organization
comes from a single third-party email service, you can optionally use a connector to restrict all mail delivery; only
mail sent from a single IP address or address range will be delivered.
NOTE
Make sure you identify the full range of IP addresses that your third-party email service sends mail from. If you miss an IP
address, or if one gets added without your knowledge, some mail will not be delivered to your organization.
To restrict all mail sent to your organization from a specific IP address or address range, use these options during
setup:
When you set these restrictions, all mail sent to your organization must be sent from a specific IP address range.
Any internet email that does not originate from this IP address range will be rejected.
Example 5: Require that all mail sent from your partner organization IP address or address range is encrypted
using TLS
To identify your partner organization by IP address, use these options during setup:
When you set these restrictions, all mail from your partner organization sent from the IP address or address
range you specify must be sent using TLS. Any mail that does not meet this restriction will be rejected.
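The wizard options for Examples 1 through 4 can also be expressed with the New-InboundConnector cmdlet in Exchange Online PowerShell. This is an added example, not from the original page; the mapping of wizard options to parameters is an assumption, and the connector names, certificate name, and IP ranges are constructed placeholders.

```powershell
# Added example (not from the original page). Run in an Exchange Online
# PowerShell session. Create only ONE of these per partner: the page warns
# that duplicate connectors for a single partner can cause delivery errors.

$choice = 'Example2'   # Example1 | Example2 | Example3 | Example4

$restrictions = @{
    # Example 1: mail from contosobank.com must arrive over TLS.
    Example1 = @{
        Name          = 'ContosoBank - require TLS'
        SenderDomains = 'contosobank.com'
        RequireTls    = $true
    }
    # Example 2: TLS plus the partner's certificate name.
    # 'mail.contosobank.com' is a constructed placeholder.
    Example2 = @{
        Name                         = 'ContosoBank - require TLS and certificate'
        SenderDomains                = 'contosobank.com'
        RequireTls                   = $true
        RestrictDomainsToCertificate = $true
        TlsSenderCertificateName     = 'mail.contosobank.com'
    }
    # Example 3: mail from the domain must come from a known IP range.
    # 192.0.2.0/24 is a documentation range used as a placeholder.
    Example3 = @{
        Name                         = 'ContosoBank - restrict source IP'
        SenderDomains                = 'contosobank.com'
        RestrictDomainsToIPAddresses = $true
        SenderIPAddresses            = '192.0.2.0/24'
    }
    # Example 4: ALL inbound internet mail must come from the third-party
    # service. 198.51.100.0/24 is a placeholder; list the service's full
    # range, or mail from any address you miss will not be delivered.
    Example4 = @{
        Name                         = 'Third-party service - restrict source IP'
        SenderDomains                = '*'
        RestrictDomainsToIPAddresses = $true
        SenderIPAddresses            = '198.51.100.0/24'
    }
}

# Create the connector disabled so it can be reviewed before it rejects mail.
$params = @{ ConnectorType = 'Partner'; Enabled = $false } + $restrictions[$choice]
New-InboundConnector @params

# Review what was stored before turning the connector on.
Get-InboundConnector -Identity $params.Name |
    Format-List Name, Enabled, ConnectorType, SenderDomains, RequireTls,
                RestrictDomainsToCertificate, TlsSenderCertificateName,
                RestrictDomainsToIPAddresses, SenderIPAddresses

# After review, enable it and ask the partner to send a test message:
#   Set-InboundConnector -Identity $params.Name -Enabled $true
```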
See also
Configure mail flow using connectors in Office 365
Mail flow best practices for Exchange Online and Office 365 (overview)
About fixing connector validation errors
What happens when I have multiple connectors for the same scenario?
Validate connectors in Office 365
2/28/2019 • 2 minutes to read
If your organization has its own email server (also called on-premises server), you must set up connectors to
enable mail flow between Office 365 and your email server. For mail flow to work correctly, your connectors must
be validated and turned on. Connector validation runs as part of the connector setup process. This article helps if
you want to validate your connectors at a different time, or if you want to understand more about the process. Use
built-in connector validation to test whether a connector is set up correctly and fix any mail flow issues before you
turn the connector on.
NOTE
If you want to change connector settings, Office 365 uses the existing connector settings for mail flow until you save your
changes. For more information, see Change a connector that Office 365 is using for mail flow.
3. When you select a connector for mail flow that originates in Office 365, you can choose the Validate this
connector link. You can also see whether the connector was validated previously as shown in the following
screen shot.
4. With the connector selected, choose Validate this connector. The Validate this connector dialog box
opens. Enter one or more email addresses to start the validation. Office 365 uses these addresses to make
sure your mail flow is set up correctly. For example, if you want to validate a connector for mail flow from
Office 365 to your organization's email server, enter an email address for a mailbox located on that email
server.
5. Choose Validate to continue. To find out what issues validation examines, and for details about fixing any
validation errors, see Fixing connector validation errors.
6. For each connector, check whether the connector is turned on. If a connector that you need for mail flow
isn't turned on, under Status choose Turn it on.
NOTE
If you continue to have mail flow issues after validating a connector, check whether you have set up multiple connectors that
might apply in a single scenario. For example, problems can occur if you have more than one connector set up for mail flow
from Office 365 to your email server. If you need multiple connectors for mail flow from Office 365 to your email server (or
to a partner), make sure you validate and turn on each connector.
If you want to change a connector, Office 365 uses the existing connector settings for mail flow until you save your
changes. For more information, see Change a connector that Office 365 is using for mail flow.
See also
Set up connectors to route mail between Office 365 and your own email servers
Configure mail flow using connectors in Office 365
Fixing connector validation errors
When do I need a connector?
Scenario: Conditional mail routing in Exchange
Online
2/28/2019 • 2 minutes to read
There might be times you need to route mail differently depending on who the mail is sent to or from, where it's
being sent, the contents of the message, and so on. For example, if you have multiple sites around the world, you
might want to route mail to a specific site. You can do this using connectors and mail flow rules (also known as
transport rules).
When the steps below are completed, a mail flow rule will redirect messages addressed to users whose City
property is set to New Orleans to the IP address specified by the Outbound connector.
6. Specify one or more smart hosts to which Office 365 will deliver email messages.
7. Define your Transport Layer Security (TLS) settings depending on your security needs.
8. Review your new connector configurations and click Next to validate the connector.
IMPORTANT
Check the accuracy of user attributes in Active Directory to ensure that the mail flow rule works as intended.
Note that outbound connector changes may take time to replicate.
4. For Do the following..., choose Redirect the message to... and then specify the following connector.
The select connector box appears. Choose the Outbound connector you created previously.
You can choose additional properties for the rule, such as the test mode and when to activate the rule.
5. To save the connector, click Save.
Scenario: Integrate Office 365 with an email add-on
service
2/28/2019 • 11 minutes to read
Many third-party cloud service solutions provide add-on services for Office 365. For security reasons, we don't
allow third-party email add-on services to be installed in Office 365. But, you can work with the service provider to
configure the settings in your Office 365 organization so you can use the service.
This topic describes the best practices for how your organization can use a third-party email add-on service by
examining a fictional service named Contoso Signature Service. This fictional service runs in Azure and provides
custom email signatures (note that the service could be deployed in a cloud environment other than Azure). The
mail flow and a high-level summary of the service are shown in the following diagram.
1. When a user in your Office 365 organization composes and sends a message, the message is diverted to
Contoso Signature Service by using a connector and a mail flow rule (also known as a transport rule) that
you create.
Connections from Office 365 to Contoso Signature Service are encrypted by TLS, because you configure
the certificate domain name for the service in the connector settings (for example,
smtp.contososignatureservice.com).
2. Contoso Signature Service accepts the message and adds an email signature to the message. The service
also stamps the message with a custom header to indicate the message has been processed.
3. Contoso Signature Service routes the message back to Office 365. A connector that you create accepts the
incoming messages from Contoso Signature Service.
Contoso Signature Service uses smart host routing to route messages back to the region where your
Office 365 organization is located. For example, if your Office 365 domain is
fabrikam.onmicrosoft.com, the destination smart host is fabrikam.mail.protection.outlook.com.
Contoso Signature Service provides a unique certificate domain name for each customer. You
configure this domain name as an accepted domain in your Office 365 organization, and in the
connector settings (for example,
S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com).
4. Office 365 sends the message with the customized signature to the original recipients.
The rest of this topic explains how to configure mail flow in Office 365 to work with the email add-on service.
NOTE
These elements are required for any email add-on service that you want to integrate with your Office 365 organization. You
need to work with the email add-on service provider to configure their required settings in Office 365.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
2. The new connector wizard opens. On the Select your mail flow scenario page, configure these settings:
From: Office 365
To: Your organization's email server
When you're finished, click Next.
3. On the next page, configure these settings:
Name: Enter a descriptive name (for example, Office 365 to Contoso Signature Service).
Retain internal Exchange email headers (recommended): Configure one of these values:
Checked: Preserves internal headers in messages that are sent to the email add-on service, which
means the messages are treated as trusted internal messages. If you select this value, you'll also need
to use the same value on this setting for the inbound connector that you create in Step 4 (otherwise,
the inbound connector will remove the internal Exchange headers from the returning messages).
Unchecked: Removes internal headers from messages before they're sent to the email add-on
service. If you select this value, the value of this setting on the inbound connector that you create in
Step 4 is meaningless (by definition, there will be no internal Exchange headers to keep or remove in
returning messages).
6. On the How should Office 365 connect to your email server? page, configure these settings:
Verify Always use Transport Layer Security (TLS) to secure the connection (recommended) is
selected.
Verify Issued by a trusted certificate authority (CA) is selected.
Select And the subject name or subject alternative name (SAN) matches this domain name,
and enter the smart host that you used in the previous step (for example,
smtp.contososignatureservice.com).
8. On the Validate this connector page, click Add. In the Add email dialog that appears, enter an email
address that isn't in Office 365 to test the connector (for example, admin@fabrikam.com), click OK, and then
click Validate.
A progress indicator appears. When the connector validation is complete, click Close.
This example creates the mail flow rule with these settings:
Name: Route email to Contoso Signature Service
Outbound connector name: Office 365 to Contoso Signature Service
Header field and value that indicates processing by the email add-on service: SignatureContoso with
the value true.
Step 3: Add the custom certificate domain provided by the email add-on service as an accepted domain in Office 365
1. Go to the Office 365 admin center at https://portal.office.com/adminportal/home, and then click Setup >
Domains, and then click Add domain.
2. In the Add a domain page that appears, enter the custom certificate domain that the email add-on service
provided when you enrolled in the service (for example,
S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com), and then click Next.
3. On the Verify domain page, use the details on the TXT record or MX record tabs to create a TXT or MX
proof of domain ownership record for the custom certificate domain. After you've created the proof of
domain ownership record, click Verify. After the domain has been verified, click Save and close.
For more information, see Add your domain to Office 365.
2. The new connector wizard opens. On the Select your mail flow scenario page, configure these settings:
From: Your organization's email server
To: Office 365
When you're finished, click Next.
3. On the next page, configure these settings:
Name: Enter a descriptive name (for example, Contoso Signature Service to Office 365).
Retain internal Exchange email headers (recommended): Configure one of these values:
Checked: Preserves internal headers in messages that are returning from the email add-on service. If
you selected this value on this setting for the outbound connector that you create in Step 1, you'll
need to configure the same value here. The internal Exchange headers in the returning messages are
preserved, which means the messages returning from the email add-on service are treated as trusted
internal messages.
Unchecked: Removes the internal Exchange headers (if any) from messages that are returning from
the email add-on service.
Use Exchange Online PowerShell to create an inbound connector to receive messages from the email add-on
service
To create the inbound connector from the email add-on service in Exchange Online PowerShell, use this syntax:
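The three objects this scenario depends on (the TLS-validated outbound connector, the mail flow rule with its header exception, and the certificate-restricted inbound connector) can be created and then checked together. The block below is an added example, not the syntax from the original topic: it assumes a connected Exchange Online PowerShell session, reuses the fictional Contoso Signature Service names and host names from this topic, and chooses to retain internal Exchange headers on both connectors.

```powershell
# Added example. Values are the fictional ones used in this topic; replace them
# with the host name and per-customer certificate domain your provider gives you.
$serviceHost  = 'smtp.contososignatureservice.com'
$customerCert = 'S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com'
$outboundName = 'Office 365 to Contoso Signature Service'
$inboundName  = 'Contoso Signature Service to Office 365'
$ruleName     = 'Route email to Contoso Signature Service'

# Outbound connector: used only when a mail flow rule selects it, delivers to the
# service's smart host, and requires a CA-issued certificate whose subject or SAN
# matches the service host name.
$outbound = @{
    Name                     = $outboundName
    ConnectorType            = 'OnPremises'
    IsTransportRuleScoped    = $true
    UseMxRecord              = $false
    SmartHosts               = $serviceHost
    TlsSettings              = 'DomainValidation'
    TlsDomain                = $serviceHost
    CloudServicesMailEnabled = $true   # "Retain internal Exchange email headers"
}
New-OutboundConnector @outbound

# Mail flow rule: divert mail sent from inside the organization to the service,
# except messages the service has already stamped, so they are not sent back again.
$rule = @{
    Name                                = $ruleName
    FromScope                           = 'InOrganization'
    RouteMessageOutboundConnector       = $outboundName
    ExceptIfHeaderContainsMessageHeader = 'SignatureContoso'
    ExceptIfHeaderContainsWords         = 'true'
}
New-TransportRule @rule

# Inbound connector: accept returning mail only over TLS and only when the
# sending server presents the per-customer certificate domain.
$inbound = @{
    Name                         = $inboundName
    ConnectorType                = 'OnPremises'
    SenderDomains                = '*'
    RequireTls                   = $true
    RestrictDomainsToCertificate = $true
    TlsSenderCertificateName     = $customerCert
    CloudServicesMailEnabled     = $true   # must match the outbound connector
}
New-InboundConnector @inbound

# Checks: read the settings back and flag the mismatches this topic warns about.
$out = Get-OutboundConnector -Identity $outboundName
$in  = Get-InboundConnector  -Identity $inboundName

if ($out.TlsSettings -ne 'DomainValidation' -or $out.TlsDomain -ne $serviceHost) {
    Write-Warning 'Outbound connector is not validating the service certificate name.'
}
if (-not $in.RequireTls -or -not $in.RestrictDomainsToCertificate) {
    Write-Warning 'Inbound connector accepts mail without the certificate restriction.'
}
if ($out.CloudServicesMailEnabled -ne $in.CloudServicesMailEnabled) {
    Write-Warning 'Internal header retention differs between the two connectors.'
}

$out | Format-List Name, Enabled, IsTransportRuleScoped, SmartHosts, TlsSettings, TlsDomain, CloudServicesMailEnabled
$in  | Format-List Name, Enabled, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName, CloudServicesMailEnabled
```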
Directory Based Edge Blocking (DBEB) in Exchange Online and Exchange Online Protection (EOP) lets you reject
messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to
Office 365 and block all messages sent to email addresses that aren't present in Office 365.
If a message is sent to a valid email address in Office 365, the message continues through the rest of the service
filtering layers: antimalware, antispam, and mail flow rules (also known as transport rules). If the address isn't valid, the
service blocks the message before filtering even occurs, and a non-delivery report (also known as an NDR or
bounce message) is returned to the sender. The NDR looks like this:
550 5.4.1 [<InvalidAlias>@<Domain>]: Recipient address rejected: Access denied.
If all recipients for your domain are in Exchange Online, DBEB is already in effect, and you don't need
to do anything. If you're migrating from another email system to Exchange Online, you can use the procedure in
this topic to enable DBEB for the domain before the migration.
NOTE
In hybrid environments, in order for DBEB to work, email for the domain must be routed to Office 365 first (the MX record
for the domain must point to Office 365).
Configure DBEB
1. Verify that your accepted domain in Exchange Online is set to Internal relay:
a. In the EAC, go to Mail flow > Accepted domains.
b. Select the domain and click Edit.
c. Ensure that the domain type is set to Internal relay. If it's set to Authoritative, change it to Internal relay
and click Save.
2. Add users to Office 365. For example:
Directory synchronization: Add valid users to Office 365 by synchronizing from your on-premises Active
Directory environment to Azure Active Directory in the cloud. For more information about how to set up
directory synchronization, see "Use directory synchronization to manage recipients" in Manage Mail Users in
EOP.
Add users via PowerShell or the EAC: For more information about how to do this, see Manage Mail Users
in EOP or Manage mail users in Exchange Online.
3. Set your accepted domain in Exchange Online to Authoritative:
a. In the EAC, go to Mail flow > Accepted domains.
b. Select the domain and click Edit.
c. Set the domain type to Authoritative.
4. Choose Save to save your changes, and confirm that you want to enable DBEB.
Notes:
Until all of your valid recipients have been added to Exchange Online and replicated through the system,
you should leave the accepted domain configured as Internal relay. Once the domain type has been
changed to Authoritative, DBEB is designed to allow any SMTP address that has been added to the
service (except for mail-enabled public folders). There might be infrequent instances where recipient
addresses that do not exist in your Office 365 organization are allowed to relay through the service.
For more information about DBEB and mail-enabled public folders, see Office 365 Directory Based Edge
Blocking support for on-premises Mail Enabled Public Folders.
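Because switching to Authoritative makes the service reject every address it does not know, it is worth comparing the old system's address list with what Exchange Online holds before making the change. The following is an added example, not part of the original topic: it assumes a connected Exchange Online PowerShell session, and both the domain value and the CSV file (one column named EmailAddress, exported from the on-premises system) are hypothetical.

```powershell
# Added example. $Domain and $SourceCsv are assumptions for illustration.
$Domain    = 'contoso.com'               # accepted domain being migrated
$SourceCsv = '.\onprem-recipients.csv'   # hypothetical export, column: EmailAddress

$accepted = Get-AcceptedDomain -Identity $Domain
Write-Output "$Domain is currently set to $($accepted.DomainType)."

# Collect every SMTP address (primary and proxy) that Exchange Online knows about.
# The comparison is case-insensitive because SMTP addresses are.
$known = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

Get-Recipient -ResultSize Unlimited | ForEach-Object {
    foreach ($address in $_.EmailAddresses) {
        # Entries look like SMTP:user@contoso.com (primary) or smtp:alias@contoso.com
        if ("$address" -match '^smtp:(.+)$') {
            [void]$known.Add($Matches[1])
        }
    }
}

# Addresses that exist on-premises for this domain but not in the service.
# After the switch to Authoritative, mail to these would be rejected at the edge.
$missing = @(
    Import-Csv -Path $SourceCsv |
        Where-Object { $_.EmailAddress -like "*@$Domain" } |
        Where-Object { -not $known.Contains($_.EmailAddress.Trim()) }
)

if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) address(es) are not in Exchange Online. Leaving $Domain as $($accepted.DomainType)."
    $missing | Select-Object -ExpandProperty EmailAddress
}
elseif ($accepted.DomainType -eq 'Authoritative') {
    Write-Output "$Domain is already Authoritative, so DBEB is in effect."
}
else {
    # All known on-premises recipients are present: enable DBEB.
    Set-AcceptedDomain -Identity $Domain -DomainType Authoritative
    Get-AcceptedDomain -Identity $Domain | Format-List DomainName, DomainType
}
```

Mail-enabled public folders are the exception described in the notes above, so addresses of that kind need to be reviewed separately.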
Manage accepted domains in Exchange Online
3/4/2019 • 4 minutes to read
When you add your domain to Office 365, it's called an accepted domain. This means that users in this domain
can send and receive mail. For more information on how to add your domain to Office 365 using the Office 365
admin center, see Add a domain to Office 365.
After you add your domain using the Office 365 admin center, you can use the Exchange admin center (EAC) to
view your accepted domains and configure the domain type.
There are two types of accepted domains in Exchange Online:
Authoritative: Email is delivered to email addresses that are listed for recipients in Office 365 for this
domain. Emails for unknown recipients are rejected.
If you just added your domain to Office 365 and you select this option, it's critical that you add your
recipients to Office 365 before setting up mail to flow through the service.
Typically, you use this option when all the email recipients in your domain are using Office 365. You
can also use it if some recipients exist on your own email servers. However, if recipients exist on
your own email servers, you must add your recipients to this Office 365 domain in order to make
sure that mail is delivered as expected. For more information about how to manage your recipients,
see these topics:
Exchange Online: Manage mail users
Exchange Online Protection: Manage Mail Users in EOP
Setting this option enables Directory Based Edge Blocking (DBEB), which rejects messages for
invalid recipients at the service network perimeter. For more information about configuring DBEB
during a migration, see Use Directory Based Edge Blocking to reject messages sent to invalid
recipients.
Internal relay (also known as non-authoritative): Recipients for this domain can be in Office 365 or
your own email servers. Email is delivered to known recipients in Office 365 or is relayed to your own
email server if the recipients aren't known to Office 365.
You should not select this option if all of the recipients for this domain are in Office 365.
If you select this option, you must create a connector for mail flow from Office 365 to your on-premises
email server; otherwise recipients on the domain who are not hosted in Office 365 won't
be able to receive mail on your own email servers. For more information about setting up
connectors, see Set up connectors to route mail between Office 365 and your own email servers.
This option is required if you enable the subdomain routing option on a domain in order to let email
pass through the service and be delivered to any subdomains of your accepted domains. For more
information, see Enable mail flow for subdomains in Exchange Online.
Get-AcceptedDomain
To view details about a specific accepted domain, use the following syntax.
This example shows details about the accepted domain named contoso.com.
This example configures the accepted domain named contoso.com as an internal relay domain.
If you have a hybrid environment, with mailboxes hosted both in Exchange Online and on-premises Exchange, and
you have subdomains of the accepted domains that only exist in your on-premises environment, you can enable
email flow to and from these on-premises subdomains. For example, if you have an accepted domain called
Contoso.com, and you enable match subdomains, users can send email to, or receive email from all subdomains
of Contoso.com that exist in your on-premises environment, such as marketing.contoso.com and
nwregion.contoso.com. In Microsoft Forefront Online Protection for Exchange (FOPE), this feature was called
catch-all domains.
IMPORTANT
If you have a limited number of subdomains, and know all the subdomain names, we recommend setting up each
subdomain as an accepted domain by using the Office 365 admin center, rather than using the procedures in this topic. By
setting up each subdomain separately, you can have finer control over mail flow, and include unique mail flow rules (also
known as transport rules) for each subdomain. For more information about adding a domain in the Office 365 admin center,
see Add your domain to Office 365.
In order to enable match subdomains, an accepted domain must be set up as an
internal relay domain. For information about setting the domain type to internal relay, see Manage accepted domains in
Exchange Online.
After you enable match subdomains, in order for the service to deliver mail for all subdomains to your
organization's email server (outside Office 365), you must also change the outbound connector. For instructions, see Use the
EAC to add the domain to your outbound connector.
NOTE
If you don't yet have an outbound connector, see Configure mail flow using connectors in Office 365.
There are many reasons why you might want to control the types and the format of messages that your users
send from Exchange Online to recipients in external domains (domains that aren't configured as accepted domains
in Exchange Online). For example:
You don't want to let your users forward messages to recipients in other domains.
You work with an organization that you don't want to receive automatic messages from (for example,
non-delivery reports and out-of-office replies).
You have a business partner that's outside your organization, and you'd like that partner to receive the
same out-of-office replies as those received by people inside your organization.
Your users frequently send email to a company that supports limited email formats, and you'd like to make
sure all emails sent to that organization are sent in a format that they can read.
To accomplish this, you use what's called a remote domain. The remote domain settings override settings that
your users might configure in Outlook or Outlook on the web (formerly known as Outlook Web App), or that you
configure in the Exchange admin center (EAC) or Exchange Online PowerShell. For example, users might have an
out-of-office reply set up for people outside the organization, but if a sender from a remote domain sends mail to
them, and the remote domain is not set to receive out-of-office replies, no out-of-office reply is sent. To change the
settings, you can:
Create a remote domain for a specific domain, and set unique properties for emails sent to that domain.
Modify the settings for the default remote domain. If you have no other remote domains set up, changes to
the default remote domain apply to all external domains. If you have other remote domains set up, changes
to the default remote domain apply to all other external domains.
For instructions on how to create and configure remote domains, see Manage remote domains in Exchange
Online.
| TYPE OF REPLY | DESCRIPTION | PER-USER SETTINGS THAT THIS REMOTE DOMAIN SETTING OVERRIDES |
| --- | --- | --- |
| Out-of-office messages | Specify whether an out-of-office message should be sent to people on the remote domain, and if so, which message to use. You can select either the reply that the user on your domain set up for people outside your organization, or the one for people inside your organization. The default is to send the out-of-office reply for people outside your organization. | This setting overrides out-of-office reply settings specified by individual users in Outlook or Outlook on the web. |
| Automatic replies | Allow or prevent automatic replies to senders on the remote domain. The default is to allow automatic replies. | This setting overrides automatic replies set up by admins using the Set-MailboxAutoReplyConfiguration cmdlet. |
| Delivery reports | Allow or prevent a delivery receipt to be sent to people on the remote domain. The default is to allow sending delivery reports. | An email sender on the remote domain can request a delivery receipt on a message. This remote domain setting can override the sender's request for a delivery receipt and prevent the delivery receipt from being sent. For more information about requesting a delivery receipt, see Add tracking to email messages. |
| Non-delivery report | Allow or prevent non-delivery reports (also known as NDRs or bounce messages) to be sent to people on the remote domain. The default is to allow sending non-delivery reports. | This remote domain setting is the only way to prevent non-delivery reports from being sent when a message can't be delivered. |
| Meeting forward notifications | Prevent or allow meeting forward notifications to be sent to people on the remote domain. The default is to prevent sending meeting forward notifications. | Meeting forward notifications are automatically created and sent to the meeting organizer when a meeting participant forwards a meeting. Typically, they are sent to meeting organizers only on domains that are part of your Exchange Online organization. Admins can enable them to be sent to meeting organizers on the remote domain. |
| Rich Text Format (RTF) | Choose how to format messages: • Always: Use this value if the remote domain uses Exchange. • Never: If the remote domain does not use Exchange, use this value. • Follow user settings: Use message format settings defined by the user. Use this value if you don't know what email system the remote domain uses. The default is to follow the user's settings. | Message format can be defined in several places: Outlook or Outlook on the web, and the admin can also use the Set-MailContact or Set-MailUser cmdlets to modify settings per recipient. Remote domain settings override settings specified by a user or by the admin. For more information about the message formats and the order of precedence of message format settings, see Message format and transmission in Exchange Online. |
| MIME character set and Non-MIME character set | • None: Use the character set specified in the message. • Select a character set from the list: If the message does not have a character set, the selected character set is used. By default, no character sets are specified. | These settings are used only if the message doesn't include a character set. For a complete list of supported character sets, see Supported character sets for remote domains. |
If you specify a particular message format for the remote domain, the format of the headers and message content
sent to the domain is modified.
Other settings
You can configure other message settings for remote domains by using Exchange Online PowerShell. For a
complete list of settings, see Set-RemoteDomain.
What else do I need to know?
You can set up a remote domain only for an external domain. A domain is defined as external if it isn't listed
on the Office 365 admin center > Domains page. For example, if fabrikam.com is one of your domains,
you can't create a remote domain for fabrikam.com.
You can't remove the default remote domain.
You can specify all subdomains when you create a remote domain.
See also
Manage remote domains in Exchange Online
Manage remote domains in Exchange Online
3/13/2019 • 6 minutes to read
Remote domains define settings based on the destination domain of each email message. All organizations have a
default remote domain named "Default" that's applied to the domain "*". The default remote domain applies the
same settings to all email messages regardless of the destination domain. However, you can configure specific
settings for a specific destination domain.
The following table shows the default values for common settings:
| SETTING | DEFAULT |
| --- | --- |
| Out of office replies | Send external out of office replies to people on the remote domain. |
| Delivery and non-delivery reports | Allow delivery and non-delivery reports to be sent to people on the remote domain. |
| Meeting forward notifications | Don't allow meeting forward notifications to be sent to people on the remote domain. |
| Rich Text format (RTF) | Follow settings created by each user in Outlook or Outlook Web App when a message is sent to people on the remote domain. |
| Supported character set | Do not specify a MIME or non-MIME character set if the character set isn't specified in the message sent to the remote domain. |
For information about when to configure remote domains, descriptions of the available settings, and information
about how remote domain settings override per-user settings, see Remote domains in Exchange Online.
Create and configure remote domains
Notes:
You can't configure a remote domain for any domain that's listed on the Office 365 admin center >
Domains page. For example, if fabrikam.com is one of your accepted domains, you can't create a remote
domain for fabrikam.com.
If you create a remote domain for a specific destination domain, and a setting for the specific remote
domain conflicts with the same setting in the default remote domain, the setting for the specific remote
domain overrides the setting in the default remote domain.
Once you've created a remote domain, you can't change or replace the domain inside the remote domain.
Instead, create and configure a new remote domain with the new domain name.
Use the EAC to create and configure a remote domain
1. In the EAC, go to Mail flow > Remote domains.
2. To create a new domain:
a. Select New.
b. In the Name box, enter a descriptive name for the domain.
c. In the Remote Domain box, enter the full domain name. Use the wildcard character (*) for all subdomains
of a specified domain, for example, *.contoso.com.
3. To change settings for the default domain, select Default, and then select Edit.
4. Select the options you want:
In the Out of Office reply types section, specify which type of out of office replies should be sent to
people at this domain.
In the Automatic replies section, specify whether you want to allow automatic replies, automatic
forwarding, or both.
In the Message reporting section, specify:
Whether you want to allow delivery reports and non-delivery reports.
If a meeting set up by someone on the remote domain is forwarded to another person in your organization,
whether the notification message should go to the meeting organizer on the remote domain.
In the Use Rich-text format section, specify whether to follow each user's message settings, or whether to
always or never preserve RTF formatting. Selecting Never means that RTF messages are sent as plain text
or HTML.
In the Supported Character Set area, specify which character set to use if the message doesn't specify the
character set.
5. Click Save. If you created a new remote domain, it is added to the list.
Use Exchange Online PowerShell to create and configure a remote domain
After you create the remote domain, you can configure the settings (you can't create the remote domain and
configure the settings in one step).
Step 1: Create the remote domain
To create a new remote domain, use the following syntax:
New-RemoteDomain -Name "<Unique Name>" -DomainName <single SMTP domain | domain with subdomains>
This example creates a remote domain for messages sent to the contoso.com domain.
This example creates a remote domain for messages sent to the contoso.com domain and all its subdomains.
This example disables automatic replies, automatic forwarding, and out-of-office replies to recipients at all remote
domains that aren't specified with their own remote domain.
This example sends internal out of office replies to users at the remote domain named Contoso.
This example prevents delivery reports and non-delivery reports from being sent to users at Contoso.
This example sends all messages to Contoso using Transport Neutral Encapsulation Format (TNEF) encoding,
rather than MIME encoding. This preserves Rich Text format in messages.
This example sends all messages to Contoso using MIME encoding, which means that all RTF messages are
always converted to HTML or plain text.
This example uses the message format settings the user has defined in Outlook or Outlook Web App for encoding
messages.
This example uses the Korean (ISO) character set for MIME messages sent to Contoso.
Set-RemoteDomain -Identity Contoso -CharacterSet iso-2022-kr
This example specifies using the Unicode character set for non-MIME messages sent to Contoso.
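The default remote domain and a domain-specific remote domain work together: the default sets the baseline for every external domain, and the specific entry overrides it for one partner. The block below is an added example, not code from the original topic, showing that pattern for automatic replies and automatic forwarding; it assumes a connected Exchange Online PowerShell session and uses contoso.com as a sample partner domain.

```powershell
# Added example. contoso.com and the name "Contoso" are sample values.
$partnerDomain = 'contoso.com'
$partnerName   = 'Contoso'

# 1. Baseline for every external domain without its own remote domain:
#    no automatic replies, no automatic forwarding, no out-of-office replies.
Set-RemoteDomain -Identity Default `
    -AutoReplyEnabled $false `
    -AutoForwardEnabled $false `
    -AllowedOOFType None

# 2. Partner exception. The domain inside a remote domain can't be changed later,
#    so create the entry only if none exists for this destination domain.
$partner = Get-RemoteDomain | Where-Object { $_.DomainName -eq $partnerDomain }
if (-not $partner) {
    $partner = New-RemoteDomain -Name $partnerName -DomainName $partnerDomain
}

# Settings are applied in a second step. The partner receives the same
# out-of-office reply as internal recipients and still gets automatic replies,
# but automatic forwarding stays off. These values override the Default entry
# for this domain only.
Set-RemoteDomain -Identity $partner.Name `
    -AllowedOOFType InternalLegacy `
    -AutoReplyEnabled $true `
    -AutoForwardEnabled $false

# 3. Review the result for all remote domains.
Get-RemoteDomain | Sort-Object DomainName |
    Format-Table Name, DomainName, AllowedOOFType, AutoReplyEnabled,
                 AutoForwardEnabled, DeliveryReportEnabled, NDREnabled -AutoSize

# 4. Flag any remote domain that still allows automatic forwarding.
$forwarding = @(Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled })
if ($forwarding.Count -gt 0) {
    Write-Warning "Automatic forwarding is still allowed to: $($forwarding.DomainName -join ', ')"
}
```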
For more information about remote domains, see Remote domains in Exchange Online.
For remote domain procedures, see Manage remote domains in Exchange Online.
The following table describes the character sets that you can configure in remote domains.
In the Exchange admin center (EAC), go to Mail flow > Remote domains. Click New to create a new
remote domain or select the existing remote domain and click Edit. In the settings window that opens,
use the MIME character set and Non-MIME character set drop-down lists to select the character set.
In Exchange Online PowerShell, use the value in the Name column in the following table for the
CharacterSet parameter or NonMimeCharacterSet parameter on the Set-RemoteDomain cmdlet.
NAME DESCRIPTION
There are settings in Outlook, Outlook on the web, and Exchange Online that control the format of email
messages and how they are sent to people on other domains. The default settings work in most cases. If specific
recipients have trouble reading messages sent from your organization, you can adjust the settings for individual
users, or for all users on a specific domain. For example, you can prevent recipients from receiving a winmail.dat
attachment.
There are two types of settings you can use:
Message format: When a user creates a message, they can choose the message format in which to author
the message. In Outlook, they have a choice between plain text, HTML, and rich-text format. In Outlook
Web App they have a choice between plain text and HTML.
Message transmission: This means how the message is actually sent to the other email system. Exchange
can send messages to other domains by using Multipurpose Internet Mail Extensions (MIME) or Transport
Neutral Encapsulation Format (TNEF). All three message formats can be sent using TNEF. Only HTML and
plain text can be sent using MIME. Message transmission format can be set by an admin per domain or per
recipient, and users can also specify message transmission format.
Message formats
The following list describes the three message formats available in Exchange Online, and shows which ones are
available in Outlook and Outlook Web App:
| FORMAT | DESCRIPTION | AVAILABLE IN OUTLOOK | AVAILABLE IN OUTLOOK ON THE WEB |
| --- | --- | --- | --- |
| Rich text format (RTF) | RTF supports text formatting and other graphical elements. Only Outlook, Outlook Web App, and a few other MAPI email clients understand RTF messages. | Yes | Can read messages formatted in RTF, but can't format or send this format |
Transport Neutral Encapsulation Format (TNEF): TNEF is a Microsoft-specific format for transmitting formatted
email messages. A TNEF message contains a plain text version of the message and an attachment that packages
the original formatted version of the message. Typically, this attachment is named Winmail.dat. The Winmail.dat
attachment includes formatting, attachments, and Outlook-specific features such as meeting requests.
An email client that fully understands TNEF, such as Outlook, processes the Winmail.dat attachment and displays
the original message content without ever displaying the Winmail.dat attachment. An email client that doesn't
understand TNEF may present a TNEF message in any of the following ways:
The plain text version of the message is displayed, and the message contains an attachment named Winmail.dat,
Win.dat, or some other generic name such as Att_nnnnn_.dat or Att_nnnnn_.eml where the nnnnn placeholder
represents a random number.
The plain text version of the message is displayed. The TNEF attachment is ignored or removed. The result is a
plain text message.
There are third-party utilities that can help convert Winmail.dat attachments.
Multipurpose Internet Mail Extensions (MIME): MIME is an internet standard that supports text in character
sets other than ASCII, non-text attachments, message bodies with multiple parts, and header information in
non-ASCII character sets.
The external postmaster address is used as the sender for system-generated messages and notifications sent to
message senders that exist outside your Microsoft Exchange Online organization. An external sender is any sender
that has an email address in a domain that isn't configured as an accepted domain in your organization.
By default, the value of the external postmaster address setting is blank. This default value sets the external
postmaster address to the value postmaster@<Default accepted domain> for your organization.
There's no mailbox associated with the postmaster@<Default accepted domain> email address.
This example sets the external postmaster address to the value postmaster@contoso.com .
This example returns the external postmaster address to the default value.
Manage all mailboxes and mail flow using Office 365 (recommended).
Hosted mail flow scenarios
I'm a new Office 365 customer, and all my users' mailboxes are in Office 365. I want to use all filtering
solutions that Office 365 offers.
I'm a new Office 365 customer. I have an existing email service, but I plan to immediately move all existing
mailboxes to the cloud. I want to use all filtering solutions that Office 365 offers.
For this scenario, your organization's mail flow setup looks like the following diagram:
For a full list of setup instructions, check out Set up Office 365 for business or Deploy Office 365 Enterprise for
your organization.
See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Manage mail flow using a third-party cloud service with Office 365
Manage mail flow with mailboxes in multiple locations (Office 365 and on-prem)
Manage mail flow using a third-party cloud service with mailboxes on Office 365 and on-prem
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
Manage mail flow using a third-party cloud service
with Exchange Online
3/22/2019 • 2 minutes to read
This topic covers the following complex mail flow scenarios using Exchange Online:
Scenario 1 - MX record points to third-party spam filtering
Scenario 2 - MX record points to third-party solution without spam filtering
NOTE
Examples in this topic use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the
Contoso mail server is 131.107.21.231, and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where
necessary.
Best practices for using a third-party cloud filtering service with Office 365
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Your domain's MX record must point to your third-party service provider. Follow their
guidelines for how to configure your MX record.
SPF record: All mail sent from your domain to the internet originates in Office 365, so your SPF
record requires the standard value for Office 365:
You would only need to include the third-party service in your SPF record if your organization sends
outbound internet email through the service (where the third-party service would be a source for
email from your domain).
Scenario 2 (unsupported) - MX record points to third-party solution without spam filtering
I plan to use Exchange Online to host all my organization's mailboxes. All email that's sent to my domain from the
internet must first flow through a third-party archiving or auditing service before arriving in Exchange Online. All
outbound email that's sent from my Exchange Online organization to the internet must also flow through the
service. However, the service doesn't provide a spam filtering solution.
We don't recommend or support this scenario because the inbound mail flow through the service causes Office
365 spam and phish filtering to not work properly (mail from all internet senders appears to originate from the
third-party service, not the true email source on the internet). If you choose this scenario, your organization's mail
flow setup looks like the following diagram:
Best practices for using a third-party cloud service with Office 365
Don't use this scenario because it isn't currently supported. We recommend that you use the archiving and
auditing solutions that are provided by Office 365.
See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Set up connectors for secure mail flow with a partner organization
Manage all mailboxes and mail flow using Office 365
Manage mail flow with mailboxes in multiple locations (Office 365 and on-premises Exchange)
Manage mail flow using a third-party cloud service with Exchange Online and on-premises mailboxes
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
Manage mail flow with mailboxes in multiple locations (Exchange Online and on-premises)
3/4/2019 • 11 minutes to read
Summary: How to manage mail flow in an Exchange hybrid environment, which is when some mailboxes are
on-premises and some are in Office 365.
This topic covers the following complex mail flow scenarios using Office 365:
Scenario 1: MX record points to Office 365 and Office 365 filters all messages
Scenario 2: MX record points to Office 365 and mail is filtered on-premises
Scenario 3: MX record points to my on-premises servers
Scenario 4: MX record points to my on-premises server, which filters and provides compliance solutions for
your messages. Your on-premises server needs to relay messages to the internet through Office 365.
NOTE
Examples in this topic use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the
Contoso email server is 131.107.21.231, and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where
necessary.
Manage mail flow where some mailboxes are in Office 365 and some mailboxes are on your organization's email servers
Scenario 1: MX record points to Office 365 and Office 365 filters all messages
I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's
email server (on-premises server). I want to use Office 365 as my spam filtering solution and want to send my
messages from my on-premises server to the internet by using Office 365. Office 365 sends and receives all
messages.
Most customers who need a hybrid mail flow setup should allow Office 365 to perform all their filtering and
routing. We recommend that you point your MX record to Office 365 because this provides for the most accurate
spam filtering. For this scenario, your organization's mail flow setup looks like the following diagram.
Best practices
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to Office 365 in the following format: <domainKey>-com.mail.protection.outlook.com
For example, if your domain is contoso.com, the MX record should be: contoso-com.mail.protection.outlook.com.
SPF record: This should list Office 365 as a valid sender, plus any IP addresses from your on-premises
servers that connect to EOP, and any third parties that send email on behalf of your organization. For
example, if your organization's email server's internet-facing IP address is 131.107.21.231, the SPF record
for contoso.com should be:
Alternatively, depending on the third party's requirements, you might need to include the domain from the
third party, as shown in the following example:
```
v=spf1 include:spf.protection.outlook.com include:third_party_cloud_service.com -all
```
4. In the Exchange admin center, use the connector wizard to Configure mail flow using connectors in Office 365
for the following scenarios:
Sending messages from Office 365 to your organization's email servers
Sending messages from your on-premises servers to Office 365
If either of the following scenarios apply to your organization, you must create a connector to support
sending mail from your on-premises servers to Office 365.
Your organization is authorized to send messages on behalf of your client, but your organization doesn't
own the domain. For example, contoso.com is authorized to send email through fabrikam.com, which
doesn't belong to contoso.com.
Your organization relays non-delivery reports (also known as NDRs or bounce messages) to the internet
through Office 365.
To create the connector, choose the first option in the connector creation wizard on the How should Office
365 identify email for your email server screen.
This enables Office 365 to identify your email server by using the certificate. In this scenario, the certificate
CN or Subject Alternative Name (SAN) contains the domain that belongs to your organization. For more
details, see Identifying email from your email server. For connector configuration details, see Part 2:
Configure mail to flow from your email server to Office 365.
5. You don't need connectors in the following scenarios unless one of your partners has a special requirement,
such as enforcing TLS with a bank.
Sending mail from Office 365 to a partner organization
Sending mail from a partner organization to Office 365
NOTE
If your organization uses Exchange 2010 or later, we recommend that you use the Hybrid Configuration Wizard to
configure connectors in Office 365 as well as on your on-premises Exchange servers. For this scenario, your domain's MX
record can't point to your organization's email server.
Best practices
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to Office 365 in the following format: <domainKey>-com.mail.protection.outlook.com
For example, if your domain is contoso.com, the MX record should be: contoso-com.mail.protection.outlook.com.
SPF record: This should list Office 365 as a valid sender, plus any IP addresses from your on-premises
servers that connect to EOP, and any third parties that send email on behalf of your organization. For
example, if your organization's email server's internet-facing IP address is 131.107.21.231, the SPF record
for contoso.com should be:
4. Because you're not relaying messages from your on-premises servers to the internet through Office 365, you
don't technically need to create connectors for the following scenarios. But if at some point you change your
MX record to point to Office 365, you'll need to create connectors; therefore, it's best to do it up front. In the
Exchange admin center, use the connector wizard to Part 2: Configure mail to flow from your email server to
Office 365 for the following scenarios, or use the Hybrid Configuration Wizard to create connectors:
Sending mail from Office 365 to your organization's email servers
Sending mail from your on-premises servers to Office 365
5. To make sure that messages are sent to your organization's on-premises servers through MX, go to Example
security restrictions you can apply to email sent from a partner organization, and follow "Example 3: Require
that all email from your partner organization domain ContosoBank.com is sent from a specific IP address
range."
Scenario 4: MX record points to my on-premises server, which filters and provides compliance solutions for
your messages. Your on-premises server needs to relay messages to the internet through Office 365.
I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's
email server (on-premises server). I want to use the filtering and compliance solutions that are already in my
on-premises email environment. All messages sent from my on-premises servers must relay through Office
365 to the internet. I need to point my domain's MX record to my on-premises server.
For this scenario, your organization's mail flow setup looks like the following diagram.
Best practices
If the MX record for your domain needs to point to your on-premises IP address, use the following best practices:
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to your on-premises server in the following format: mail.<domainKey>.com
For example, if your domain is contoso.com, the MX record should be: mail.contoso.com.
SPF record: This should list Office 365 as a valid sender. It should also include any IP addresses from your
on-premises servers that connect to EOP and any third parties that send email on behalf of your
organization. For example, if your organization's email server's internet-facing IP address is
131.107.21.231, the SPF record for contoso.com should be:
4. In the Exchange admin center, use the connector wizard to Configure mail flow using connectors in Office 365
for the following scenarios:
Sending mail from Office 365 to your organization's email servers
Sending mail from your on-premises servers to Office 365
You need to create a connector to support the scenario "Sending mail from your on-premises servers to
Office 365" if any of the following scenarios apply to your organization:
Your organization is authorized to send mail on behalf of your client, but your organization doesn't own the
domain. For example, contoso.com is authorized to send email through fabrikam.com, which doesn't belong
to contoso.com.
Your organization relays non-delivery reports (NDRs) to the internet through Office 365.
The MX record for your domain, contoso.com, points to your on-premises server, and users in your
organization automatically forward messages to email addresses outside your organization. For example,
kate@contoso.com has forwarding enabled, and all messages go to kate@tailspintoys.com. If
john@fabrikam.com sends a message to kate@contoso.com, by the time the message arrives at Office 365
the sender domain is fabrikam.com and the recipient domain is tailspintoys.com. Neither the sender domain
nor recipient domain belongs to your organization.
To create the connector, choose the first option in the connector creation wizard on the How should Office
365 identify email for your email server screen.
This allows Office 365 to identify your email server by using the certificate. In this scenario, the certificate
CN or Subject Alternative Name (SAN) contains the domain that belongs to your organization. For more
details, see Identifying email from your email server. For connector configuration details, see Part 2:
Configure mail to flow from your email server to Office 365.
5. Set up connectors for secure mail flow with a partner organization to make sure that messages are sent to your
organization's on-premises servers via MX.
See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Manage all mailboxes and mail flow using Office 365
Manage mail flow using a third-party cloud service with Office 365
Manage mail flow using a third-party cloud service with mailboxes on Office 365 and on-prem
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
Manage mail flow using a third-party cloud service with Exchange Online and on-premises mailboxes
3/4/2019 • 2 minutes to read
This topic covers the most complex mail flow scenario using Office 365.
NOTE
Examples in this guide use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the
Contoso mail server is 131.107.21.231, and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where
necessary.
Alternatively, depending on the third party's requirements, you might need to include the domain from the
third party, as shown in the following example:
See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Manage all mailboxes and mail flow using Office 365
Manage mail flow using a third-party cloud service with Office 365
Manage mail flow with mailboxes in multiple locations (Office 365 and on-prem)
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
How to set up a multifunction device or application to send email using Office 365
3/28/2019 • 16 minutes to read
NOTE
Beginning September 1st, 2018, Office 365 is slowly rolling out changes to SMTP client submission (also known as SMTP
Authenticated Submission), which may affect your devices and your applications that send emails. For more information, see
the KB article Improvements to the SMTP Authenticated Submission client protocol.
Username/email address and password: Enter the sign-in credentials of the hosted mailbox being used
For more information, expand the following sections.
TLS and other encryption options
Determine what version of TLS your device supports by checking the device guide or with the vendor. If your
device or application does not support TLS 1.2 or above:
Use direct send (Option 2) or Office 365 SMTP relay (Option 3) for sending mail instead (depending on
your requirements).
If it is essential to use SMTP client submission and your printer only supports SSL 3.0, you can set up an
alternative configuration called Indirect SMTP client submission. This uses a local SMTP relay server to
connect to Office 365. This is a much more complex setup. Instructions can be found here: How to configure
IIS for relay with Office 365.
NOTE
If your device recommends or defaults to port 465, it does not support SMTP client submission.
NOTE
For information about TLS, see How Exchange Online uses TLS to secure email connections in Office 365 and for detailed
technical information about how Exchange Online uses TLS with cipher suite ordering, see Enhancing mail flow security for
Exchange Online.
Port: Port 25
TLS/StartTLS: Enabled
Email address: Any email address for one of your Office 365 accepted domains. This email address does not need to have a mailbox.
We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static
IP address, add it to your SPF record in your domain registrar's DNS settings as follows:
4. Go back to the device, and in the settings, under what would normally be called Server or Smart Host,
enter the MX record POINTS TO ADDRESS value you recorded in step 3.
5. Now that you are done configuring your device settings, go to your domain registrar's website to update
your DNS records. Edit your sender policy framework (SPF) record. In the entry, include the IP address that
you noted in step 1. The finished string looks similar to this:
```
v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all
```
NOTE
Skipping this step might cause email to be sent to recipients' junk mail folders.
6. To test the configuration, send a test email from your device or application, and confirm that the recipient
received it.
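The SPF guidance in the hybrid scenarios and in step 5 above can be checked mechanically before a record is published. The following Python audit is an added example, not part of the original documentation: the function names and finding codes are assumptions made here, the third sample record is constructed from the page's Contoso address, and only the record text is inspected (no DNS queries, so lookups inside nested includes are not counted). It flags the page's 10.5.3.2 placeholder because that address is in a private range, whereas receivers evaluate the public source address they see.

```python
import ipaddress

O365_INCLUDE = "spf.protection.outlook.com"  # include value used in the page's SPF strings
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # each costs a DNS lookup
MAX_LOOKUPS = 10  # RFC 7208 limit; nested includes also count but are not resolved here


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for token in tokens[1:]:
        qualifier = "+"  # default qualifier when none is written
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if token.lower().startswith(("redirect=", "exp=")):
            name, _, value = token.partition("=")  # modifiers use '='
        else:
            name, _, value = token.partition(":")  # mechanisms use ':'
        # "a/24" and "mx/24" carry a prefix length on the name; drop it.
        terms.append((qualifier, name.lower().split("/")[0], value))
    return terms


def audit_spf(record, sender_ips=()):
    """Return (code, detail) findings for one domain's SPF record.

    sender_ips: public addresses of on-premises servers or devices that
    send as the domain (the page's "internet-facing IP address").
    """
    terms = parse_spf(record)
    findings = []

    if not any(n == "include" and v.lower() == O365_INCLUDE for _, n, v in terms):
        findings.append(("NO_O365_INCLUDE", "include:" + O365_INCLUDE + " is missing"))

    networks = []
    for _, name, value in terms:
        if name not in ("ip4", "ip6"):
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(("BAD_IP", f"{name}:{value} does not parse"))
            continue
        if net.version != int(name[2]):
            findings.append(("BAD_IP", f"{name}:{value} has the wrong address family"))
            continue
        networks.append(net)
        if net.is_private:
            # Receivers compare against the public source address they see.
            findings.append(("PRIVATE_IP", f"{name}:{value} is not internet-facing"))

    for ip in sender_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr.version == net.version and addr in net for net in networks):
            findings.append(("SENDER_NOT_COVERED", f"{ip} matches no ip4/ip6 term"))

    names = [name for _, name, _ in terms]
    if "all" not in names:
        if "redirect" not in names:
            findings.append(("NO_ALL", "record has no terminal 'all' mechanism"))
    else:
        position = names.index("all")
        qualifier = terms[position][0]
        if qualifier in "+?":
            findings.append(("PERMISSIVE_ALL", f"'{qualifier}all' does not restrict senders"))
        elif qualifier == "~":
            findings.append(("SOFTFAIL", "'~all' marks unlisted senders but does not fail them"))
        if any(name != "exp" for name in names[position + 1:]):
            findings.append(("AFTER_ALL", "mechanisms after 'all' are never evaluated"))

    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(("TOO_MANY_LOOKUPS", f"{lookups} DNS-querying terms at top level"))
    return findings


# Records quoted on this page.
PAGE_THIRD_PARTY = "v=spf1 include:spf.protection.outlook.com include:third_party_cloud_service.com -all"
PAGE_DEVICE = "v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all"
# Constructed for this example from the page's Contoso server address.
CONSTRUCTED_HYBRID = "v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for rec, ips in [(PAGE_THIRD_PARTY, ["131.107.21.231"]),
                     (PAGE_DEVICE, ["10.5.3.2"]),
                     (CONSTRUCTED_HYBRID, ["131.107.21.231"])]:
        print(rec)
        for code, detail in audit_spf(rec, ips) or [("OK", "no findings")]:
            print("   ", code, "-", detail)
```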
How direct send works
In the following diagram, the application or device in your organization's network uses direct send and your Office
365 mail exchange (MX) endpoint to email recipients in your organization. It's easy to find your MX endpoint in
Office 365 if you need to look it up.
You can configure your device to send email direct to Office 365. Use direct send to relay email to recipients with
Office 365 mailboxes in your organization. Direct send also works for external recipients with mailboxes in Office
365. If your device uses direct send to try to relay an email for a recipient who doesn't have an Office 365 mailbox,
the email will be rejected.
NOTE
If your device or application has the ability to act as an email server to deliver messages to Office 365 as well as other email
providers, there are no Office 365 settings needed for this scenario. Consult your device or application instructions for more
information.
Port: Port 25
TLS/StartTLS: Enabled
Email address: Any email address in one of your Office 365 verified domains. This email address does not need a mailbox.
If you already have a connector that's configured to deliver messages from your on-premises organization to
Office 365 (for example, a hybrid environment), you probably don't need to create a dedicated connector for Office
365 SMTP relay. If you need to create a connector, use the following settings to support this scenario:
To: Office 365
Domain restrictions: IP address/range: Your on-premises IP address or address range that the device or application will use to connect to Office 365
We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static
IP address, add it to your SPF record in your domain registrar's DNS settings as follows:
4. Check that the domains that the application or device will send to have been verified. If the domain is not
verified, emails could be lost, and you won't be able to track them with the Exchange Online message trace
tool.
5. In Office 365, click Admin, and then click Exchange to go to the Exchange admin center.
6. In the Exchange admin center, go to Mail flow > Connectors.
7. Check the list of connectors set up for your organization. If there is no connector listed from your
organization's email server to Office 365, create one.
8. To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:
The Office 365 connector that you configure authenticates your device or application with Office 365 using
an IP address. Your device or application can send email using any address (including ones that can't receive
mail), as long as the address uses one of your domains. The email address doesn't need to be associated
with an actual mailbox. For example, if your domain is contoso.com, you could send from an address like
do_not_reply@contoso.com.
Office 365 SMTP relay uses a connector to authenticate the mail sent from your device or application. This
allows Office 365 to relay those messages to your own mailboxes as well as external recipients. Office 365
SMTP relay is very similar to direct send except that it can send mail to external recipients.
Due to the added complexity of configuring a connector, direct send is recommended over Office 365
SMTP relay, unless you must send email to external recipients. To send email using Office 365 SMTP relay,
your device or application server must have a static IP address or address range. You can't use SMTP relay
to send email directly to Office 365 from a third-party hosted service, such as Microsoft Azure.
Features of Office 365 SMTP relay
Office 365 SMTP relay does not require the use of a licensed Office 365 mailbox to send emails.
Office 365 SMTP relay has higher sending limits than SMTP client submission; senders are not bound by
the 30 messages per minute or 10,000 recipients per day limits.
Requirements for Office 365 SMTP relay
Static IP address or address range: Most devices or applications are unable to use a certificate for
authentication. To authenticate your device or application, use one or more static IP addresses that are not
shared with another organization.
Connector: You must set up a connector in Exchange Online for email sent from your device or application.
Port: Port 25 is required and must not be blocked on your network or by your ISP.
Licensing: SMTP relay doesn't use a specific Office 365 mailbox to send email. This is why it's important
that only licensed users send email from devices or applications configured for SMTP relay. If you have
senders using devices or LOB applications who don't have an Office 365 mailbox license, obtain and assign
an Exchange Online Protection license to each unlicensed sender. This is the least expensive license that
allows you to send email via Office 365.
Limitations of Office 365 SMTP relay
Sent mail can be disrupted if your IP addresses are blocked by a spam list.
Reasonable limits are imposed for sending. For more information, see Higher Risk Delivery Pool for
Outbound Messages.
Requires static unshared IP addresses (unless a certificate is used).
| | SMTP CLIENT SUBMISSION | DIRECT SEND | SMTP RELAY |
|:-----|:-----|:-----|:-----|
| Features | | | |
| Relay to internet via Office 365 | Yes | No. Direct delivery only. | Yes |
| Bypasses antispam | Yes, if the mail is destined for one of your Office 365 mailboxes. | No. Suspicious emails might be filtered. We recommend a custom Sender Policy Framework (SPF) record. | No. Suspicious emails might be filtered. We recommend a custom SPF record. |
| Requirements | | | |
| Requires authentication | Office 365 user name and password required | None | One or more static IP addresses. Your printer or the server running your LOB app must have a static IP address to use for authentication with Office 365. |
| Limitations | | | |
| Throttling limits | 10,000 recipients per day. 30 messages per minute. | Standard throttling is in place to protect Office 365. | Reasonable limits are imposed. The service can't be used to send spam or bulk mail. For more information about reasonable limits, see Higher Risk Delivery Pool for Outbound Messages. |
Use your own email server to send email from multifunction devices and applications
If you happen to have an on-premises email server, you should seriously consider using that server for SMTP
relay instead of Office 365. A local email server that you have physical access to is much easier to configure for
SMTP relay by devices and applications on your local network. The details about how to do this depend on your
on-premises email server. For Exchange Server, see the following topics:
Allow anonymous relay on Exchange servers
Receive messages from a server, service, or device that doesn't use Exchange
Related Topics
Fix issues with printers, scanners, and LOB applications that send email using Office 365
How to configure IIS for relay with Office 365
How to configure IIS for relay with Office 365
3/4/2019 • 6 minutes to read
When you set up a multifunction device or application to send email through Office 365, there are some cases
where the device or application can't connect directly to Office 365. In these cases, you need to set up Internet
Information Services (IIS) to work as an intermediary.
You might want to do this in the following scenarios:
You don't have an on-premises messaging system any longer
You have line-of-business (LOB) programs or devices in an on-premises environment
Your LOB programs and devices have to send email messages to remote domains and to your Exchange
Online mailboxes
Before proceeding, review How to set up a multifunction device or application to send email using Office 365 as
there may be an available option that doesn't require setting up an additional server to relay.
NOTE
These instructions can be modified for other SMTP relays that you might have in your organization.
If the SMTP server can't deliver the message, a non-delivery report (NDR) is created in the
C:\InetPub\MailRoot\BadMail folder. You can use this NDR to diagnose delivery issues.
Related Topics
Troubleshoot email sent from printers and business applications
How to set up a multifunction device or application to send email using Office 365
Fix issues with printers, scanners, and LOB applications that send email using Office 365
3/29/2019 • 9 minutes to read
Email clients provide actionable error messages when something goes wrong. Sending email from devices and
applications is less easy to fix, and you might not get clear information to help you. This article can help you
troubleshoot, and it uses printer configurations as examples.
As a first step to fixing any problems, check your configuration. See How to set up a multifunction device or
application to send email using Office 365 for detailed information about the configuration options.
2. Direct send
Your printer is connected to an Office 365 server whose name ends with "mail.protection.outlook.com."
There is no connector set up in Office 365 for emails sent from your organization's network.
The printer can send email only to people in your organization; email can't be sent to recipients outside your
organization.
3. Office 365 SMTP relay
Your printer is connected to an Office 365 server whose name ends with "mail.protection.outlook.com."
There is a connector set up in Office 365 for emails sent from your organization's network to Office 365.
The printer can send email to people inside and outside your organization.
Server/smart host: smtp.office365.com
Username/email address and password: Login credentials of Office 365 mailbox the printer uses
2. If your printer didn't require a password for the email address you entered, your printer is trying to send
emails without logging on to Office 365. SMTP client submission requires your printer to log on to Office
365. Direct send and Office 365 SMTP relay do not require a logon; consider one of these options instead.
3. Your printer or application must send email from the same address that you entered logon credentials for
during email setup. If the printer or application tries to send email from a different account, this results in an
error similar to:
5.7.60 SMTP; Client does not have permissions to send as this sender.
For example, if you entered login credentials for sales@contoso.com in your application settings, but the
application tries to send emails from salesperson1@contoso.com, this is not supported. For this scenario,
use Office 365 SMTP relay instead.
4. Test the user name and password by logging on to Outlook on the web, and try to send a test email to make
sure the account is not blocked. If the user is blocked, you can find help in the article, Removing a user,
domain, or IP address from a block list after sending spam email.
5. Next, test that you can connect to Office 365 from your network by doing the following:
6. Follow the instructions to install the Telnet Client tool on a computer on the same network as the device or
application.
7. Run the tool from the command line by typing telnet.
8. Type open smtp.office365.com 587 (or substitute 25 for 587 if you are using that port setting instead).
9. If you connected successfully to an Office 365 server, expect to receive a response line similar to this:
220 BY1PR10CA0041.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 1 Jun 2015 12:00:00 +0000
10. If you can't connect to Office 365, your network firewall or Internet Service Provider (ISP) might have
blocked port 587 or 25. Correct this so you can send email from your printer.
11. If none of these issues applies to your device, it might not meet requirements for Transport Layer Security
(TLS) encryption. Your device must support TLS version 1.0 or above. Update the firmware on the device to
solve this, or try one of the other configuration options where TLS is optional.
For more information about TLS, see How Exchange Online uses TLS to secure email connections in Office
365 and for detailed technical information about how Exchange Online uses TLS with cipher suite ordering,
see Enhancing mail flow security for Exchange Online.
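The connectivity test in steps 5 to 11 can be scripted so that it also covers the STARTTLS step that telnet cannot perform. The following Python script is an added example, not part of the original article: `probe`, `diagnose`, the finding codes and the EHLO name are assumptions made here, and it reports what this workstation negotiates on the same network path, not what the device's own TLS stack supports. `min_tls` is a parameter because the setup article on this page says TLS 1.2 or above and this troubleshooting article says TLS 1.0 or above.

```python
import smtplib
import ssl

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest to newest


def probe(host="smtp.office365.com", port=587, timeout=10):
    """Repeat the telnet check, then continue through EHLO and STARTTLS."""
    result = {"port": port, "connected": False, "banner": None,
              "starttls": False, "tls_version": None, "error": None}
    # local_hostname is a placeholder EHLO name; it also avoids a slow FQDN lookup.
    client = smtplib.SMTP(timeout=timeout, local_hostname="probe.localdomain")
    try:
        code, banner = client.connect(host, port)      # same step as "open host port"
        result["connected"] = True
        result["banner"] = f"{code} {banner.decode(errors='replace')}"
        client.ehlo()
        if client.has_extn("starttls"):
            result["starttls"] = True
            # Default context verifies the server certificate and host name.
            client.starttls(context=ssl.create_default_context())
            result["tls_version"] = client.sock.version()  # for example "TLSv1.2"
        client.quit()
    except (OSError, smtplib.SMTPException) as exc:
        # Covers refused or timed-out connections, SMTP errors and TLS failures.
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        client.close()
    return result


def diagnose(result, min_tls="TLSv1.2"):
    """Map a probe result to (code, detail) findings using the page's checks."""
    findings = []
    port = result["port"]
    if port == 465:
        findings.append(("PORT_465",
                         "a device that defaults to port 465 does not support SMTP client submission"))
    if not result["connected"]:
        findings.append(("PORT_BLOCKED",
                         f"no connection on port {port}; check the network firewall and ISP"))
        return findings
    if not result["banner"].startswith("220"):
        findings.append(("BAD_BANNER", "expected a 220 greeting, got: " + result["banner"]))
    if not result["starttls"]:
        if result["error"]:
            findings.append(("SESSION_ERROR", result["error"]))
        else:
            findings.append(("NO_STARTTLS", "server did not advertise STARTTLS on this port"))
    elif result["tls_version"] is None:
        findings.append(("TLS_FAILED", "TLS handshake failed: " + str(result["error"])))
    elif result["tls_version"] not in TLS_ORDER:
        findings.append(("TLS_UNKNOWN", "unrecognized protocol " + result["tls_version"]))
    elif TLS_ORDER.index(result["tls_version"]) < TLS_ORDER.index(min_tls):
        findings.append(("TLS_TOO_OLD",
                         f"negotiated {result['tls_version']}, below required {min_tls}"))
    return findings


if __name__ == "__main__":
    outcome = probe()  # live check against smtp.office365.com on port 587
    print(outcome)
    for code, detail in diagnose(outcome) or [("OK", "banner, STARTTLS and TLS version look fine")]:
        print(code, "-", detail)
```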
I receive an authentication error when my device tries to send email
This can be caused by a number of issues:
1. Make sure that you entered the correct user name and password.
2. Try logging into OWA with the printer's user name and password. Send an email to make sure that the
mailbox is active and has not been blocked for sending spam.
3. Check that your device or application supports TLS version 1.0 or above. The best way to check is by
upgrading the firmware on the device or updating the application you're sending email from to the latest
version. Contact your device manufacturer to confirm that it supports TLS version 1.0 or above.
Error: 5.7.60 SMTP; Client does not have permissions to send as this sender
This error indicates that the device is trying to send an email from an address that doesn't match the logon
credentials. An example would be if you entered login credentials for sales@contoso.com in your application
settings but the application tries to send emails from salesperson1@contoso.com. If your application or printer
behaves this way, use Office 365 SMTP relay because SMTP client submission does not support this scenario.
Error: Client was not authenticated to send anonymous mail during MAIL FROM
This error indicates that your printer connects to the SMTP client submission endpoint (smtp.office365.com).
However, your printer must also log on to a mailbox to send a message. This error occurs when you have not
entered mailbox logon credentials in the printer's settings. If there is no option to enter credentials, this printer
does not support SMTP client submission; use either direct send or Office 365 SMTP relay instead. See How to
set up a multifunction device or application to send email using Office 365.
Error: 550 5.1.8 Bad outbound sender
This error indicates that the device is trying to send an email from an Office 365 mailbox that is on a spam block
list. For help, see Removing a user, domain, or IP address from a block list after sending spam email.
See also
How to configure IIS for relay with Office 365
Recipients in Exchange Online
3/29/2019 • 2 minutes to read
In Exchange Online, the Exchange admin center (EAC) has replaced the Exchange Control Panel (ECP) as the
GUI-based administrative tool used to manage cloud-based recipients. The EAC also replaces the Exchange
Management Console in Exchange Server. For more information, see Exchange admin center.
The content in this topic has been moved to another topic. Check out the new topic at Exchange Online Limits.
Create user mailboxes in Exchange Online
3/4/2019 • 2 minutes to read
You have to use the Office 365 admin center or Exchange Online PowerShell to create an Exchange Online user
mailbox. You can't create new user mailboxes using the Exchange admin center (EAC). However, after Exchange
Online mailboxes are created, you can manage them using the EAC.
NOTE
After you create a new mailbox using Exchange Online PowerShell, you have to assign it an Exchange Online license or it
will be disabled when the 30-day grace period ends.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
After you create a mailbox by running the previous command, an Office 365 user account is also created. You
have to activate this user account by assigning a license. To assign a license in the Office 365 admin center, see
Assign or remove a license.
If a license is assigned to the mailbox, the value for the SKUAssigned property is True. If a license hasn't
been assigned, the value is blank.
Delete or restore user mailboxes in Exchange Online
3/4/2019 • 7 minutes to read
There are several things you should consider before you decide to delete a user mailbox. There are different kinds of
deletions that you can do on a user mailbox and some of them won't allow you to restore or recover the mailbox.
This article walks you through the deleted mailbox scenarios, as well as how to delete, recover or permanently
remove a mailbox from Exchange Online.
NOTE
If you run the Azure cmdlet Remove-MsolUser with the -RemoveFromRecycleBin parameter in order to remove a user from
the Azure AD recycle bin, it will always put an existing Exchange Online mailbox associated with the Azure AD user in a soft-
deleted state, as long as the user's license was not removed. However, if you remove the user's license prior to removing the
user from the recycle bin, the user will not go into a soft-deleted user mailbox state.
If in the 30-day time period a new Azure Active Directory user is synchronized from the original on-premises
recipient account with the same ExchangeGuid or ArchiveGuid, this will result in an ExchangeGuid validation
conflict error.
Check out Overview of inactive mailboxes in Office 365 for more info about creating an inactive mailbox by placing
a Litigation Hold on a mailbox before deleting it.
The command will return an error stating that the mailbox couldn't be found, which verifies that the mailbox
was deleted.
If you permanently deleted the user mailbox, verify that the user mailbox isn't still showing up in the Azure
Active Directory recycle bin.
Get-Mailbox <Identity>
For the soft-deleted mailbox that you want to restore, note its GUID value (you'll use the value in Step 4).
3. Create a new target mailbox for the restored mailbox. For more information, see Create user mailboxes in
Exchange Online. After you create the target mailbox, run the following command to get the GUID value of
the target mailbox that you'll need in the next step.
4. Replace <SoftDeletedMailboxGUID> with the GUID value from Step 2, and <NewTargetMailboxGUID>
with the GUID value from Step 3, and run the following cmdlet to restore the mailbox:
License removal
For info on removing a license from a user in Office 365 and Exchange Online, check out Change in behavior for
delicensed Exchange Online users.
Additional information
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Manage user mailboxes
3/29/2019 • 23 minutes to read
After you create a user mailbox, you can make changes and set additional properties by using the EAC or
Exchange Online PowerShell.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the General section to view or change basic information about the user.
First name, Initials, Last name
* Name: This is the name that's listed in Active Directory. If you change this name, it can't exceed 64
characters.
* Display name: This name appears in your organization's address book, on the To: and From: lines in
email, and in the Mailbox list. This name can't contain empty spaces before or after the display name.
* Alias: This specifies the email alias for the user. The user's alias is the portion of the email address on the
left side of the at (@) symbol. It must be unique in the forest.
* User logon name: This is the name that the user uses to sign in to their mailbox and to log on to the
domain. Typically the user logon name consists of the user's alias on the left side of the @ symbol, and the
domain name in which the user account resides on the right side of the @ symbol.
NOTE
This box is labeled User ID in Exchange Online.
Require password change on next logon: Select this check box if you want the user to reset their
password the next time they sign in to their mailbox.
NOTE
This check box isn't available in Exchange Online.
Hide from address lists: Select this check box to prevent the recipient from appearing in the address book
and other address lists that are defined in your Exchange organization. After you select this check box, users
can still send messages to the recipient by using the email address.
Click More options to view or change these additional properties:
Organizational unit: This read-only box displays the organizational unit (OU) that contains the user
account. You have to use Active Directory Users and Computers to move the user account to a different
OU.
NOTE
This box isn't available in Exchange Online.
Mailbox database: This read-only box displays the name of the mailbox database that hosts the mailbox.
To move the mailbox to a different database, select it in the mailbox list, and then click Move mailbox to
another database in the Details pane.
NOTE
This option isn't available in Exchange Online.
Custom attributes: This section displays the custom attributes defined for the user mailbox. To specify
custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Mailbox Usage
Use the Mailbox Usage section to view or change the mailbox storage quota and deleted item retention settings
for the mailbox. These settings are configured by default when the mailbox is created. They use the values that are
configured for the mailbox database and apply to all mailboxes in that database. You can customize these settings
for each mailbox instead of using the mailbox database defaults.
Last logon: This read-only box displays the last time that the user signed in to their mailbox.
Mailbox usage: This area shows the total size of the mailbox and the percentage of the total mailbox quota
that has been used.
NOTE
To obtain the information that's displayed in the previous two boxes, the EAC queries the mailbox database that hosts the
mailbox. If the EAC is unable to communicate with the Exchange store that contains the mailbox database, these boxes will
be blank. A warning message is displayed if the user hasn't signed in to the mailbox for the first time.
Click More options to view or change the mailbox storage quota and the deleted item retention settings for the
mailbox.
NOTE
These settings aren't available in the EAC in Exchange Online.
Storage quota settings: To customize these settings for the mailbox and not use the mailbox database
defaults, click Customize the settings for this mailbox, type a new value, and then click Save.
The value range for any of the storage quota settings is from 0 through 2047 gigabytes (GB).
Issue a warning at (GB): This box displays the maximum storage limit before a warning is issued to
the user. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning
message to the user.
Prohibit send at (GB): This box displays the prohibit send limit for the mailbox. If the mailbox size
reaches or exceeds the specified limit, Exchange prevents the user from sending new messages and
displays a descriptive error message.
Prohibit send and receive at (GB): This box displays the prohibit send and receive limit for the
mailbox. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox
user from sending new messages and won't deliver any new messages to the mailbox. Any
messages sent to the mailbox are returned to the sender with a descriptive error message.
Deleted item retention settings: To customize these settings for the mailbox and not use the mailbox
database defaults, click Customize the settings for this mailbox, type a new value, and then click Save.
Keep deleted items for (days): This box displays the length of time that deleted items are retained
before they are permanently deleted and can't be recovered by the user. When the mailbox is
created, this value is based on the deleted item retention settings configured for the mailbox
database. By default, a mailbox database is configured to retain deleted items for 14 days. The value
range for this property is from 0 through 24855 days.
Don't permanently delete items until the database is backed up: Select this check box to
prevent mailboxes and email messages from being deleted until after the mailbox database on which
the mailbox is located has been backed up.
Contact Information
Use the Contact Information section to view or change the user's contact information. The information on this
page is displayed in the address book. Click More options to display additional boxes.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies,
or address lists.
Mailbox users can use Outlook or Outlook Web App to view and change their own contact information. But they
can't change the information in the Notes and Web page boxes.
Organization
Use the Organization section to record detailed information about the user's role in the organization. This
information is displayed in the address book. Also, you can create a virtual organization chart that is accessible
from email clients such as Outlook.
Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user works. You can use this box
to create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works. You can use this box to
create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a specific manager. If
you've specified a manager for the user, that user appears as a direct report in the details of the manager's
mailbox. For example, Kari manages Chris and Kate, so Kari's mailbox is specified in the Manager box of
Chris's mailbox and Kate's mailbox, and Chris and Kate appear in the Direct reports box in the properties
of Kari's mailbox.
Email Address
Use the Email Address section to view or change the email addresses associated with the user mailbox. This
includes the user's primary SMTP address and any associated proxy addresses. The primary SMTP address (also
known as the default reply address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service to locate UM-enabled users within an Exchange organization. EUM addresses
consist of the extension number and the UM dial plan for the UM-enabled user. Click this button and
type the extension number in the Address/Extension box. Then click Browse and select a dial plan
for the user.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for proper formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Make this the reply address: In Exchange Online, you can select this check box to make the new
email address the primary SMTP address for the mailbox. This check box isn't available in the EAC in
Exchange Server.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. This box is selected by default.
NOTE
This check box isn't available in Exchange Online.
Use the Mailbox Features section to view or change the following mailbox features and settings:
Sharing policy: This box shows the sharing policy applied to the mailbox. A sharing policy controls how
users in your organization can share calendar and contact information with users outside your Exchange
organization. The Default Sharing Policy is assigned to mailboxes when they are created. To change the
sharing policy that's assigned to the user, select a different one from the drop-down list.
Role assignment policy: This box shows the role assignment policy assigned to the mailbox. The role
assignment policy specifies the role-based access control (RBAC) roles that are assigned to the user and
control what specific mailbox and distribution group configuration settings users can modify. To change the
role assignment policy that's assigned to the user, select a different one from the drop-down list.
Retention policy: This box shows the retention policy assigned to the mailbox. A retention policy is a
group of retention tags that are applied to the user's mailbox. They allow you to control how long to keep
items in users' mailboxes and define what action to take on items that have reached a certain age. A
retention policy isn't assigned to mailboxes when they are created. To assign a retention policy to the user,
select one from the drop-down list.
Address book policy: This box shows the address book policy applied to the mailbox. An address book
policy allows you to segment users into specific groups to provide customized views of the address book.
To apply or change the address book policy applied to the mailbox, select one from the drop-down list.
Unified Messaging: This feature is disabled by default. When you enable Unified Messaging (UM), the
user will be able to use your organization's UM features and a default set of UM properties are applied to
the user. Click Enable to enable UM for the mailbox. For information about how to enable UM, see Enable
a user for voice mail.
NOTE
A UM dial plan and a UM mailbox policy must exist before you can enable UM.
Mobile Devices: Use this section to view and change the settings for Exchange ActiveSync, which is
enabled by default. Exchange ActiveSync enables access to an Exchange mailbox from a mobile device.
Click Disable Exchange ActiveSync to disable this feature for the mailbox.
Outlook Web App: This feature is enabled by default. Outlook Web App enables access to an Exchange
mailbox from a web browser. Click Disable to disable Outlook Web App for the mailbox. Click Edit details
to add or change an Outlook Web App mailbox policy for the mailbox.
IMAP: This feature is enabled by default. Click Disable to disable IMAP for the mailbox.
POP3: This feature is enabled by default. Click Disable to disable POP3 for the mailbox.
MAPI: This feature is enabled by default. MAPI enables access to an Exchange mailbox from a MAPI client
such as Outlook. Click Disable to disable MAPI for the mailbox.
Litigation hold: This feature is disabled by default. Litigation hold preserves deleted mailbox items and
records changes made to mailbox items. Deleted items and all instances of changed items are returned in a
discovery search. Click Enable to put the mailbox on litigation hold. If the mailbox is on litigation hold, click
Disable to remove the litigation hold. Mailboxes on litigation hold are inactive mailboxes and can't be
deleted. To delete the mailbox, remove the litigation hold. If the mailbox is on litigation hold, click Edit
details to view and change the following litigation hold settings:
Hold date: This read-only box indicates the date and time when the mailbox was put on litigation
hold.
Put on hold by: This read-only box indicates the user who put the mailbox on litigation hold.
Note: Use this box to notify the user about the litigation hold, explain why the mailbox is on
litigation hold, or provide additional guidance to the user, such as informing them that the litigation
hold won't affect their day-to-day use of email.
URL: Use this box to provide a URL to a website that provides information or guidance about the
litigation hold on the mailbox.
NOTE
The text from these boxes appears in the user's mailbox only if they are using Outlook 2010 or later versions.
It doesn't appear in Outlook Web App or other email clients. To view the text from the Note and URL boxes
in Outlook, click the File tab, and on the Info page, under Account Settings, you'll see the litigation hold
comment.
Archiving: If an archive mailbox doesn't exist for the user, this feature is disabled. To enable an archive
mailbox, click Enable. If the user has an archive mailbox, the size of the archive mailbox and usage statistics
are displayed. Click Edit details to view and change the following archive mailbox settings:
Status: This read-only box indicates whether an archive mailbox exists.
Database: This read-only box shows the name of the mailbox database that hosts the archive
mailbox. This box isn't available in Exchange Online.
Name: Type the name of the archive mailbox in this box. This name is displayed under the folder list
in Outlook or Outlook Web App.
Archive quota (GB): This box shows the total size of the archive mailbox. To change the size, type a
new value in the box or select a value from the drop-down list.
Issue warning at (GB): This box shows the maximum storage limit for the archive mailbox before a
warning is issued to the user. If the archive mailbox size reaches or exceeds the value specified,
Exchange sends a warning message to the user. To change this limit, type a new value in the box or
select a value from the drop-down list.
NOTE
The archive quota and the issue warning quota for the archive mailbox can't be changed in Exchange Online.
Delivery Options: Use this section to forward email messages sent to the user to another recipient and to set the
maximum number of recipients that the user can send a message to. Click View details to view and
change these settings.
Forwarding address: Select the Enable forwarding check box and then click Browse to display
the Select Mail User and Mailbox page. Use this page to select a recipient to whom you want to
forward all email messages that are sent to this mailbox.
Deliver message to both forwarding address and mailbox: Select this check box so that
messages will be delivered to both the forwarding address and the user's mailbox.
Recipient limit: This setting controls the maximum number of recipients the user can send a
message to. Select the Maximum recipients check box to limit the number of recipients allowed in
the To:, Cc:, and Bcc: boxes of an email message and then specify the maximum number of recipients.
NOTE
For on-premises Exchange organizations, the recipient limit is unlimited. For Exchange Online organizations,
the limit is 500 recipients.
Message Size Restrictions: These settings control the size of messages that the user can send and receive.
Click View details to view and change maximum size for sent and received messages.
NOTE
These settings can't be changed in Exchange Online.
Sent messages: To specify a maximum size for messages sent by this user, select the Maximum
message size (KB) check box and type a value in the box. The message size must be between 0 and
2,097,151 KB. If the user sends a message larger than the specified size, the message will be
returned to the user with a descriptive error message.
Received messages: To specify a maximum size for messages received by this user, select the
Maximum message size (KB) check box and type a value in the box. The message size must be
between 0 and 2,097,151 KB. If the user receives a message larger than the specified size, the
message will be returned to the sender with a descriptive error message.
Message Delivery Restrictions: These settings control who can send email messages to this user. Click
View details to view and change these restrictions.
Accept messages from: Use this section to specify who can send messages to this user.
All senders: Select this option to specify that the user can accept messages from all senders. This
includes both senders in your Exchange organization and external senders. This option is selected by
default. This option includes external users only if you clear the Require that all senders are
authenticated check box. If you select this check box, messages from external users will be rejected.
Only senders in the following list: Select this option to specify that the user can accept messages
only from a specified set of senders in your Exchange organization. Click Add to display the
Select Recipients page, which displays a list of all recipients in your Exchange organization. Select
the recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Require that all senders are authenticated: Select this option to prevent anonymous users from
sending messages to the user.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: Select this option to specify that the mailbox won't reject messages from any senders in
the Exchange organization. This option is selected by default.
Senders in the following list: Select this option to specify that the mailbox will reject messages
from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipients page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Member Of
Use the Member Of section to view a list of the distribution groups or security groups to which this user belongs.
You can't change membership information on this page. Note that the user may match the criteria for one or more
dynamic distribution groups in your organization. However, dynamic distribution groups aren't displayed on this
page because their membership is calculated each time they are used.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues if they send a message to this recipient.
A MailTip is text that is displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc boxes of a new
email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Mailbox Delegation
Use the Mailbox Delegation section to assign permissions to other users (also called delegates) to allow them to
sign in to the user's mailbox or send messages on behalf of the user. You can assign the following permissions:
Send As: This permission allows users other than the mailbox owner to use the mailbox to send messages.
After this permission is assigned to a delegate, any message that a delegate sends from this mailbox will
appear as if it was sent by the mailbox owner. However, this permission doesn't allow a delegate to sign in
to the user's mailbox.
Send on Behalf Of: This permission also allows a delegate to use this mailbox to send messages.
However, after this permission is assigned to a delegate, the From: address in any message sent by the
delegate indicates that the message was sent by the delegate on behalf of the mailbox owner.
Full Access: This permission allows a delegate to sign in to the user's mailbox and view the contents of the
mailbox. However, after this permission is assigned to a delegate, the delegate can't send messages from
the mailbox. To allow a delegate to send email from the user's mailbox, you still have to assign the delegate
the Send As or the Send on Behalf Of permission.
To assign permissions to delegates, click Add under the appropriate permission to display a page that displays a
list of all recipients in your Exchange organization that can be assigned the permission. Select the recipients you
want, add them to the list, and then click OK. You can also search for a specific recipient by typing the recipient's
name in the search box and then clicking Search.
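The forwarding settings under Delivery Options and the three delegation permissions above all let someone other than the mailbox owner receive or send the mailbox's mail, so they are worth listing together when reviewing a mailbox. The following added example (not part of the original documentation) classifies them from objects shaped like the output of Get-Mailbox, Get-MailboxPermission and Get-RecipientPermission; the function name, the finding labels and the sample objects are constructed for illustration.

```powershell
# Added example, not from the original documentation.
# Get-MailboxAccessFinding and its finding labels are hypothetical names.
function Get-MailboxAccessFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Mailbox,                    # one Get-Mailbox result
        [Parameter(Mandatory)] [string[]] $AcceptedDomain,  # domains the organization owns
        [object[]] $MailboxPermission   = @(),              # Get-MailboxPermission results
        [object[]] $RecipientPermission = @()               # Get-RecipientPermission results
    )

    $self = 'NT AUTHORITY\SELF'   # the owner's own entry, never a finding
    $emit = {
        param($Type, $Principal, $Detail)
        [pscustomobject]@{
            Mailbox   = [string]$Mailbox.PrimarySmtpAddress
            Type      = $Type
            Principal = [string]$Principal
            Detail    = $Detail
        }
    }

    # "Deliver message to both forwarding address and mailbox"
    $copy = 'no copy kept in mailbox'
    if ($Mailbox.DeliverToMailboxAndForward) { $copy = 'copy kept in mailbox' }

    # Forwarding to an SMTP address: stored with an smtp: prefix, may be outside the organization.
    if ($Mailbox.ForwardingSmtpAddress) {
        $smtp   = ([string]$Mailbox.ForwardingSmtpAddress) -replace '^smtp:', ''
        $domain = ($smtp -split '@')[-1]
        $scope  = 'internal domain'
        if ($AcceptedDomain -notcontains $domain) { $scope = 'EXTERNAL domain' }
        & $emit 'ForwardingSmtpAddress' $smtp "$scope; $copy"
    }
    # Forwarding to a recipient object (the EAC "Forwarding address" picker).
    if ($Mailbox.ForwardingAddress) {
        & $emit 'ForwardingAddress' $Mailbox.ForwardingAddress "recipient object, resolve with Get-Recipient; $copy"
    }

    # Send on Behalf Of is a property of the mailbox itself.
    foreach ($delegate in @($Mailbox.GrantSendOnBehalfTo)) {
        if ($delegate) { & $emit 'SendOnBehalfOf' $delegate 'From: shows delegate on behalf of owner' }
    }
    # Full Access: explicit (not inherited) allow entries for anyone but the owner.
    foreach ($p in $MailboxPermission) {
        if ($p.AccessRights -contains 'FullAccess' -and -not $p.IsInherited -and
            -not $p.Deny -and "$($p.User)" -ne $self) {
            & $emit 'FullAccess' $p.User 'can open the mailbox and view its contents'
        }
    }
    # Send As: messages appear as if sent by the mailbox owner.
    foreach ($p in $RecipientPermission) {
        if ($p.AccessRights -contains 'SendAs' -and "$($p.AccessControlType)" -eq 'Allow' -and
            "$($p.Trustee)" -ne $self) {
            & $emit 'SendAs' $p.Trustee 'messages appear to come from the owner'
        }
    }
}

# Constructed sample objects shaped like the cmdlet output (fabrikam.example is a placeholder).
$mbx = [pscustomobject]@{
    PrimarySmtpAddress         = 'sales@contoso.com'
    ForwardingSmtpAddress      = 'smtp:archive@fabrikam.example'
    ForwardingAddress          = $null
    DeliverToMailboxAndForward = $false
    GrantSendOnBehalfTo        = @('Kari')
}
$mbxPerm = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'chris@contoso.com'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
)
$rcpPerm = @(
    [pscustomobject]@{ Trustee = 'kate@contoso.com'; AccessRights = @('SendAs'); AccessControlType = 'Allow' }
)

Get-MailboxAccessFinding -Mailbox $mbx -AcceptedDomain 'contoso.com' `
    -MailboxPermission $mbxPerm -RecipientPermission $rcpPerm | Format-Table -AutoSize

# Live use (assumes a connected Exchange Online PowerShell session):
#   $domains = (Get-AcceptedDomain).DomainName
#   Get-Mailbox -ResultSize Unlimited | ForEach-Object {
#       Get-MailboxAccessFinding -Mailbox $_ -AcceptedDomain $domains `
#           -MailboxPermission (Get-MailboxPermission -Identity $_.Identity) `
#           -RecipientPermission (Get-RecipientPermission -Identity $_.Identity)
#   }
```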
Use Exchange Online PowerShell to change user mailbox properties
Use the Get-Mailbox and Set-Mailbox cmdlets to view and change properties for user mailboxes. One
advantage of using Exchange Online PowerShell is the ability to change the properties for multiple mailboxes. For
information about what parameters correspond to mailbox properties, see the following topics:
Get-Mailbox
Set-Mailbox
Here are some examples of using Exchange Online PowerShell to change user mailbox properties.
This example shows how to forward Pat Coleman's email messages to Sunil Koduri's (sunilk@contoso.com)
mailbox.
This example uses the Get-Mailbox command to find all user mailboxes in the organization, and then uses the
Set-Mailbox command to set the recipient limit to 500 recipients allowed in the To:, Cc:, and Bcc: boxes of an
email message.
This example uses the Get-Mailbox command to find all the mailboxes in the Marketing organizational unit, and
then uses the Set-Mailbox command to configure these mailboxes. The custom warning, prohibit send, and
prohibit send and receive limits are set to 200 megabytes (MB), 250 MB, and 280 MB respectively, and the
mailbox database's default limits are ignored. This command can be used to configure a specific set of mailboxes
to have larger or smaller limits than other mailboxes in the organization.
This example uses the Get-Mailbox cmdlet to find all users in the Customer Service department, and then uses
the Set-Mailbox cmdlet to change the maximum message size for sending messages to 2 MB.
For the example above where the message limits were changed, run this command.
NOTE
The estimated time to complete this task is 2 minutes, but may take longer if you change multiple properties or features.
TIP
You can select multiple adjacent mailboxes by holding down the Shift key and clicking the first mailbox, and then
clicking the last mailbox you want to edit. You can also select multiple non-adjacent mailboxes by holding down the
Ctrl key and clicking each mailbox that you want to edit.
3. In the Details pane, under Bulk Edit, select the mailbox properties or feature that you want to edit.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited user mailboxes, do one of the following:
In the EAC, select each of the mailboxes that you bulk edited and then click Edit to view the property or
feature that you changed.
In Exchange Online PowerShell, use the Get-Mailbox cmdlet to verify the changes. One advantage of
using Exchange Online PowerShell is that you can view multiple properties for multiple mailboxes. For
example, say you used the bulk edit feature in the EAC to enable the archive mailbox and assign a retention
policy to all users in your organization. To verify these changes, you could run the following command:
For more information about the available parameters for the Get-Mailbox cmdlet, see Get-Mailbox.
Add or remove email addresses for a mailbox
3/4/2019 • 6 minutes to read
You can configure more than one email address for the same mailbox. The additional addresses are called proxy
addresses. A proxy address lets a user receive email that's sent to a different email address. Any email message
sent to the user's proxy address is delivered to their primary email address, which is also known as the primary
SMTP address or the default reply address.
IMPORTANT
If you're using Office 365 for business, you should add or remove email addresses for user mailboxes in the Add another
email alias for a user
For additional management tasks related to managing recipients, see the "Recipients documentation" table in
Recipients.
NOTE
On the Email Address page, the primary SMTP address is displayed in bold text in the address list, with the
uppercase SMTP value in the Type column.
4. Click Add, and then click SMTP to add an SMTP email address to this mailbox.
NOTE
SMTP is the default email address type. You can also add Exchange Unified Messaging (EUM) addresses or custom
addresses to a mailbox. For more information, see "Change user mailbox properties" in the Manage user mailboxes
topic.
5. Type the new SMTP address in the Email address box, and then click OK.
The new address is displayed in the list of email addresses for the selected mailbox.
6. Click Save to save the change.
Use Exchange Online PowerShell to add an email address
The email addresses associated with a mailbox are contained in the EmailAddresses property for the mailbox.
Because it can contain more than one email address, the EmailAddresses property is known as a multivalued
property. The following examples show different ways to modify a multivalued property.
This example shows how to add an SMTP address to the mailbox of Dan Jump.
For more information about how to use this method of adding and removing values for multivalued properties, see
Modifying Multivalued Properties.
This example shows another way to add email addresses to a mailbox by specifying all addresses associated with
the mailbox. In this example, danj@tailspintoys.com is the new email address that you want to add. The other two
email addresses are existing addresses. The address with the case-sensitive qualifier SMTP is the primary SMTP
address. You have to include all email addresses for the mailbox when you use this command syntax. If you don't,
the addresses specified in the command will overwrite the existing addresses.
For more information about how to use this method of adding and removing values for multivalued properties, see
Modifying Multivalued Properties.
You can also remove an email address by omitting it from the command to set email addresses for a mailbox. For
example, let's say Janet Schorr's mailbox has three email addresses: janets@contoso.com (the primary SMTP
address), janets@corp.contoso.com, and janets@tailspintoys.com. To remove the address
janets@corp.contoso.com, you would run the following command.
Because janets@corp.contoso.com was omitted in the previous command, it's removed from the mailbox.
For detailed syntax and parameter information, see Set-Mailbox.
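Because a full address list passed to Set-Mailbox replaces whatever is there, it helps to diff the proposed list against the current one before applying it. This added example (not part of the original documentation) does that for the Janet Schorr addresses used above; the function name Compare-ProxyAddressSet and the requirement that every entry carry a type prefix are assumptions of the example.

```powershell
# Added example, not from the original documentation.
# Compare-ProxyAddressSet is a hypothetical helper; it makes no changes to any mailbox.
function Compare-ProxyAddressSet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Current,    # e.g. (Get-Mailbox <id>).EmailAddresses
        [Parameter(Mandatory)] [string[]] $Proposed    # full list intended for -EmailAddresses
    )

    # Assumption of this example: every entry is written as type:address.
    foreach ($address in @($Current) + @($Proposed)) {
        if ($address -notmatch '^[^:@\s]+:.+$') {
            throw "Address '$address' has no type prefix (SMTP:, smtp:, X400:, ...)."
        }
    }

    # The uppercase, case-sensitive SMTP: qualifier marks the primary SMTP address.
    $primaryBefore = @($Current  | Where-Object { $_ -clike 'SMTP:*' })
    $primaryAfter  = @($Proposed | Where-Object { $_ -clike 'SMTP:*' })

    # -notcontains is case-insensitive, so SMTP:a@b and smtp:a@b count as the same address;
    # a primary/secondary swap is reported through PrimaryChanged instead.
    [pscustomobject]@{
        Added          = @($Proposed | Where-Object { $Current  -notcontains $_ })
        Removed        = @($Current  | Where-Object { $Proposed -notcontains $_ })
        PrimaryBefore  = $primaryBefore -join ', '
        PrimaryAfter   = $primaryAfter  -join ', '
        PrimaryChanged = ($primaryBefore -join ',') -ne ($primaryAfter -join ',')
        OnePrimary     = ($primaryAfter.Count -eq 1)
    }
}

# Janet Schorr's three addresses as described in the text.
$current = 'SMTP:janets@contoso.com', 'smtp:janets@corp.contoso.com', 'smtp:janets@tailspintoys.com'

# Case 1: the intended removal by omission. Only janets@corp.contoso.com is listed as removed.
$intended = 'SMTP:janets@contoso.com', 'smtp:janets@tailspintoys.com'
Compare-ProxyAddressSet -Current $current -Proposed $intended | Format-List

# Case 2: an "add" written as a full replacement that lists only the new alias
# (address taken from the CSV sample on this page). Every existing address,
# including the primary, would be overwritten.
$mistake = @('smtp:janets@northamerica.contoso.com')
$check = Compare-ProxyAddressSet -Current $current -Proposed $mistake
if ($check.Removed.Count -gt 0 -or -not $check.OnePrimary) {
    Write-Warning ("Would remove: {0}" -f ($check.Removed -join ', '))
    Write-Warning ("Exactly one primary SMTP address after change: {0}" -f $check.OnePrimary)
}

# Live use (assumes a connected Exchange Online PowerShell session):
#   $current = (Get-Mailbox 'Janet Schorr').EmailAddresses
#   Compare-ProxyAddressSet -Current $current -Proposed $intended
#   # For a single change, the add/remove hash table leaves the other addresses untouched:
#   Set-Mailbox 'Janet Schorr' -EmailAddresses @{remove='janets@corp.contoso.com'}
```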
How do you know this worked?
To verify that you've successfully removed an email address from a mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.
On the mailbox properties page, click Email Address.
In the list of email addresses for the mailbox, verify that the email address isn't included.
Or
Run the following command in Exchange Online PowerShell.
Mailbox,NewEmailAddress
Dan Jump,danj@northamerica.contoso.com
David Pelton,davidp@northamerica.contoso.com
Kim Akers,kima@northamerica.contoso.com
Janet Schorr,janets@northamerica.contoso.com
Jeffrey Zeng,jeffreyz@northamerica.contoso.com
Spencer Low,spencerl@northamerica.contoso.com
Toni Poe,tonip@northamerica.contoso.com
...
Run the following command to use the data in the CSV file to add the email address to each mailbox specified in
the CSV file.
NOTE
The column names in the first row of this CSV file (Mailbox,NewEmailAddress) are arbitrary. Whatever you use for column
names, make sure you use the same column names in the Exchange Online PowerShell command.
Verify that the new email address is included in the results for each mailbox.
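The append, remove and bulk-import steps described above, written out as an added example (it is not part of the original topic). It assumes a connected Exchange Online PowerShell session; Add-ProxyAddress is a hypothetical helper name and the CSV path is a placeholder.

```powershell
# Added example. Add-ProxyAddress is a hypothetical helper, not an Exchange cmdlet.
function Add-ProxyAddress {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [Parameter(Mandatory = $true)] [string] $Address
    )

    $before     = Get-Mailbox -Identity $Mailbox
    $beforeList = @($before.EmailAddresses | ForEach-Object { "$_" })

    # Entries are stored as "SMTP:primary@..." or "smtp:alias@...".
    # -contains compares strings case-insensitively, so either prefix matches.
    if ($beforeList -contains "smtp:$Address") {
        Write-Warning "$Address is already assigned to $Mailbox."
        return
    }

    # Hashtable syntax appends one value and leaves the other values alone.
    Set-Mailbox -Identity $Mailbox -EmailAddresses @{add = $Address}

    $after     = Get-Mailbox -Identity $Mailbox
    $afterList = @($after.EmailAddresses | ForEach-Object { "$_" })

    # Report what changed so an accidental overwrite is visible immediately.
    [pscustomobject]@{
        Mailbox       = $after.DisplayName
        Added         = $afterList -contains "smtp:$Address"
        PrimaryKept   = "$($before.PrimarySmtpAddress)" -eq "$($after.PrimarySmtpAddress)"
        AddressesLost = @($beforeList | Where-Object { $afterList -notcontains $_ })
    }
}

# Single mailbox (address taken from the CSV sample in this topic).
Add-ProxyAddress -Mailbox "Dan Jump" -Address "danj@northamerica.contoso.com"

# Remove one value without retyping the remaining addresses.
Set-Mailbox -Identity "Janet Schorr" -EmailAddresses @{remove = "janets@corp.contoso.com"}

# Bulk form. The property names ($_.Mailbox, $_.NewEmailAddress) must match
# the column names in the first row of the CSV file.
Import-Csv "C:\Temp\AddEmailAddress.csv" |
    ForEach-Object { Add-ProxyAddress -Mailbox $_.Mailbox -Address $_.NewEmailAddress } |
    Where-Object { -not $_.Added -or -not $_.PrimaryKept -or $_.AddressesLost.Count } |
    Format-Table -AutoSize
```

The final pipeline prints only mailboxes where the address is missing afterwards, the primary SMTP address changed, or an existing address disappeared.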
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Change how long permanently deleted items are kept for an Exchange Online mailbox
3/4/2019 • 3 minutes to read
If you've permanently deleted an item in Microsoft Outlook or Outlook on the web (formerly known as Outlook
Web App), the item is moved to a folder (Recoverable Items > Deletions) and kept there for 14 days, by
default. You can change how long items are kept, up to a maximum of 30 days.
NOTE
You must use Exchange Online PowerShell to make the change. Unfortunately, you can't currently do this directly in
Outlook or Outlook on the web.
Example 2: Set all user mailboxes in the organization to keep deleted items for 30 days. In Exchange Online
PowerShell, run the following command.
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -RetainDeletedItemsFor 30
Need more details about using these commands? See the Exchange Online PowerShell Help topic Set-Mailbox.
TIP
Need to keep deleted items for longer than 30 days? To do this, place the mailbox on In-Place Hold or Litigation Hold. This
works because when a mailbox is placed on hold, deleted items are kept and retention settings for deleted items are ignored.
See In-Place Hold and Litigation Hold.
Email forwarding lets you set up a mailbox to forward email messages sent to that mailbox to another user's
mailbox in or outside of your organization.
IMPORTANT
If you're using Office 365 for business, you should configure email forwarding in the Office 365 admin center: Configure
email forwarding in Office 365
If your organization uses an on-premises Exchange or hybrid Exchange environment, you should use the
on-premises Exchange admin center (EAC) to create and manage shared mailboxes.
Additional information
This topic is for admins. If you want to forward your own email to another recipient, check out the following topics:
Forward email to another email account
Manage email messages by using rules
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts
for the Exchange admin center.
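Because forwarding can deliver mail outside the organization, a periodic review of which mailboxes forward, and to where, is a useful check. The following is an added example, not part of the original topic; it assumes a connected Exchange Online PowerShell session and treats every accepted domain as internal.

```powershell
# Added example: list every mailbox that forwards mail and flag targets
# whose domain is not one of the organization's accepted domains.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() })

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    ForEach-Object {
        # ForwardingSmtpAddress is stored as "smtp:user@domain".
        $smtp   = "$($_.ForwardingSmtpAddress)" -replace '^smtp:', ''
        $domain = if ($smtp) { ($smtp -split '@')[-1].ToLower() } else { $null }

        # ForwardingAddress names a recipient object. A mail contact or mail user
        # can still point outside the organization, so resolve its type (best effort).
        $target = $null
        if ($_.ForwardingAddress) {
            $target = Get-Recipient -Identity "$($_.ForwardingAddress)" -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Mailbox           = $_.PrimarySmtpAddress
            ForwardingAddress = $_.ForwardingAddress
            TargetType        = $target.RecipientTypeDetails
            ForwardingSmtp    = $smtp
            KeepsLocalCopy    = $_.DeliverToMailboxAndForward
            OutsideOrg        = [bool]($domain -and ($internalDomains -notcontains $domain))
        }
    } |
    Sort-Object OutsideOrg -Descending |
    Format-Table -AutoSize
```

Rows with OutsideOrg set to True, or with a TargetType of MailContact or MailUser, are the ones to confirm with the mailbox owner.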
Configure message delivery restrictions for a mailbox
3/4/2019 • 5 minutes to read
You can use the EAC or Exchange Online PowerShell to place restrictions on whether messages are delivered to
individual recipients. Message delivery restrictions are useful to control who can send messages to users in your
organization. For example, you can configure a mailbox to accept or reject messages sent by specific users or to
accept messages only from users in your Exchange organization.
IMPORTANT
Message delivery restrictions do not impact mailbox permissions. A user with Full Access permissions on a mailbox will still be
able to update the contents in that mailbox, such as by copying messages into the mailbox, even if that user has been
restricted.
The message delivery restrictions covered in this topic apply to all recipient types. To learn more about the
different recipient types, see Recipients.
For additional management tasks related to recipients, see the following topics:
Manage user mailboxes
Create and manage distribution groups
Manage dynamic distribution groups
Manage mail users
Manage mail contacts
NOTE
If you're configuring a mailbox to accept messages only from individual senders, you have to use the
AcceptMessagesOnlyFrom parameter. If you're configuring a mailbox to accept messages only from senders that are
members of a specific distribution group, use the AcceptMessagesOnlyFromDLMembers parameter.
This example adds the user named David Pelton to the list of users whose messages will be accepted by the
mailbox of Robin Wood.
This example configures the mailbox of Robin Wood to require all senders to be authenticated. This means the
mailbox will only accept messages sent by other users in your Exchange organization.
Set-Mailbox -Identity "Robin Wood" -RequireSenderAuthenticationEnabled $true
This example configures the mailbox of Robin Wood to reject messages from the users Joe Healy, Terry Adams,
and members of the distribution group Legal Team 2.
This example configures the mailbox of Robin Wood to also reject messages sent by members of the group Legal
Team 3.
NOTE
If you're configuring a mailbox to reject messages from individual senders, you have to use the RejectMessagesFrom
parameter. If you're configuring a mailbox to reject messages from senders that are members of a specific distribution group,
use the RejectMessagesFromDLMembers parameter.
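The four Robin Wood scenarios above, followed by a read-back, as an added example (not part of the original topic). It assumes a connected Exchange Online PowerShell session and that the named users and groups exist.

```powershell
# Added example: apply the delivery restrictions described above, then verify.
$mbx = "Robin Wood"

# Accept list: hashtable syntax appends David Pelton to any existing entries.
Set-Mailbox -Identity $mbx -AcceptMessagesOnlyFrom @{add = "David Pelton"}

# Accept mail only from authenticated senders (users in the organization).
Set-Mailbox -Identity $mbx -RequireSenderAuthenticationEnabled $true

# Reject list: a plain value list REPLACES whatever was configured before.
Set-Mailbox -Identity $mbx -RejectMessagesFrom "Joe Healy","Terry Adams" `
    -RejectMessagesFromDLMembers "Legal Team 2"

# "Also reject": append Legal Team 3 so that Legal Team 2 stays on the list.
Set-Mailbox -Identity $mbx -RejectMessagesFromDLMembers @{add = "Legal Team 3"}

# Read back the effective settings for this mailbox.
Get-Mailbox -Identity $mbx |
    Format-List DisplayName, AcceptMessagesOnlyFrom*, RejectMessagesFrom*, RequireSenderAuthenticationEnabled

# Organization-wide view: every mailbox that has any delivery restriction set.
Get-Mailbox -ResultSize Unlimited |
    Where-Object {
        (@($_.AcceptMessagesOnlyFromSendersOrMembers).Count -gt 0) -or
        (@($_.RejectMessagesFromSendersOrMembers).Count -gt 0) -or
        $_.RequireSenderAuthenticationEnabled
    } |
    Select-Object DisplayName,
                  RequireSenderAuthenticationEnabled,
                  AcceptMessagesOnlyFromSendersOrMembers,
                  RejectMessagesFromSendersOrMembers |
    Format-List
```

As the topic notes, these settings control delivery only; a user with Full Access permissions on the mailbox is unaffected by them.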
For detailed syntax and parameter information related to configuring delivery restrictions for different types of
recipients, see the following topics:
Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Mailbox
Set-MailContact
Set-MailUser
Converting a mailbox to a different type of mailbox is very similar to the experience in earlier versions of Exchange.
You must still use the Set-Mailbox cmdlet in Exchange Online PowerShell to do the conversion.
You can convert the following mailboxes from one type to another:
User mailbox to resource (room or equipment) mailbox
Shared mailbox to user mailbox
Shared mailbox to resource mailbox
Resource mailbox to user mailbox
Resource mailbox to shared mailbox
Note that if your organization uses a hybrid Exchange environment, you need to manage your mailboxes by using
the on-premises Exchange management tools. To convert a mailbox in a hybrid environment, you might need to
move the mailbox back to on-premises Exchange, convert the mailbox type, and then move it back to Office 365.
IMPORTANT
If you are converting a user mailbox to a shared mailbox, you should either remove any mobile devices from the mailbox
before the conversion, or you should block mobile access to the mailbox after the conversion. This is because once the
mailbox is converted to a shared mailbox, mobile functionality will not work properly. Additionally, if you are trying to prevent
access to the converted mailbox, you might have to reset the password. For more information on blocking access, see
Remove a former employee from Office 365.
You can use the following values for the Type parameter:
Regular
Room
Equipment
Shared
For detailed syntax and parameter information, see Set-Mailbox.
Enable or disable Exchange ActiveSync for a mailbox
3/29/2019 • 2 minutes to read
You can use the EAC or Exchange Online PowerShell to enable or disable Microsoft Exchange ActiveSync for a user
mailbox. Exchange ActiveSync is a client protocol that lets users synchronize a mobile device with their Exchange
mailbox. Exchange ActiveSync is enabled by default when a user mailbox is created. To learn more, see Exchange
ActiveSync.
NOTE
You can enable and disable Exchange ActiveSync for multiple user mailboxes by using the EAC bulk edit feature. For more
information about how to do this, see the "Bulk edit user mailboxes" section in Manage user mailboxes.
This example enables Exchange ActiveSync for the mailbox of Elly Nkya.
Get-CASMailbox <identity>
If Exchange ActiveSync is enabled, the value for the ActiveSyncEnabled property is True. If Exchange
ActiveSync is disabled, the value is False.
Enable or disable MAPI for a mailbox
3/29/2019 • 2 minutes to read
You can use the Exchange admin center or Exchange Online PowerShell to enable or disable MAPI for a user
mailbox. When MAPI is enabled, a user's mailbox can be accessed by Outlook or other MAPI email clients. When
MAPI is disabled, it can't be accessed by Outlook or other MAPI clients. However, the mailbox will continue to
receive email messages, and, assuming that the mailbox is enabled to support access by those clients, a user can
access the mailbox to send and receive email by using Outlook Web App, a POP email client, or an IMAP client.
NOTE
Support for Outlook Web App and MAPI, POP3, and IMAP4 email clients is enabled by default when a user mailbox is
created.
For additional management tasks related to managing email client access to a mailbox, see the following topics:
Enable or disable Outlook Web App for a mailbox
Enable or Disable IMAP4 Access for a User
Enable or Disable POP3 Access for a User
Get-CASMailbox <identity>
If MAPI is enabled, the value for the MapiEnabled property is True. If MAPI is disabled, the value is False.
Enable or disable Outlook Web App for a mailbox
3/29/2019 • 2 minutes to read
You can use the EAC or Exchange Online PowerShell to enable or disable Outlook Web App for a user mailbox.
When Outlook Web App is enabled, a user can use Outlook Web App to send and receive email. When Outlook
Web App is disabled, the mailbox will continue to receive email messages, and a user can access it to send and
receive email by using a MAPI client, such as Microsoft Outlook, or with a POP or IMAP email client, assuming
that the mailbox is enabled to support access by those clients.
NOTE
Support for Outlook Web App and MAPI, POP3, and IMAP4 email clients is enabled by default when a user mailbox is
created.
For additional management tasks related to managing email client access to a mailbox, see the following topics:
Enable or disable MAPI for a mailbox
Enable or Disable IMAP4 Access for a User
Enable or Disable POP3 Access for a User
NOTE
You can enable and disable Outlook Web App for multiple user mailboxes by using the EAC bulk edit feature. For more
information about how to do this, see the "Bulk edit user mailboxes" section in Manage user mailboxes.
This example enables Outlook Web App for the mailbox of Elly Nkya.
Get-CASMailbox <identity>
If Outlook Web App is enabled, the value for the OWAEnabled property is True. If Outlook Web App is
disabled, the value is False.
Mailbox plans in Exchange Online
3/29/2019 • 6 minutes to read
A mailbox plan is a template that automatically configures mailbox properties in Exchange Online. Mailbox plans
correspond to Office 365 license types. When you assign a license to a new user, the corresponding mailbox plan is
used to configure the settings on the new mailbox that's created. If you change the license that's assigned to an
existing user, the settings in the mailbox plan that's associated with the new license are applied to the user's existing
mailbox.
The following table describes the mailbox plans that you're likely to see in Exchange Online.
Notes:
The availability of a mailbox plan in your organization is determined by your selection when you enroll in
Office 365. A subscription might contain multiple mailbox plans. A mailbox plan might not be available to
you based on your subscription or the age of your organization.
The name value of the mailbox plan is appended with -<GUID> (for example,
ExchangeOnlineEnterprise-44107b46-a8c4-4573-a7ba-bb004fde4d58).
For every mailbox plan (returned by the Get-MailboxPlan cmdlet), there's a corresponding Client Access services
(CAS) mailbox plan (returned by the Get-CasMailboxPlan cmdlet). The names and display names of the mailbox
plans and CAS mailbox plans are identical, and the relationship between them is unbreakable (both the mailbox
plan and the corresponding CAS mailbox plan are assigned to the mailbox when you license the user; you can't
assign just the mailbox plan or just the CAS mailbox plan separately).
The modifiable settings that are available in mailbox plans by using the Set-MailboxPlan cmdlet are described in
the following table:
RoleAssignmentPolicy Default Role Assignment Policy Grants users permissions to their own
mailbox and distribution groups. For
more information, see Role assignment
policies.
The modifiable settings that are available in CAS mailbox plans by using the Set-CasMailboxPlan cmdlet are
described in the following table:
Modifying the settings of a mailbox plan won't update the settings of an existing mailbox that already has the
mailbox plan applied. To modify these settings on an existing mailbox, you can:
Modify the corresponding mailbox settings directly in the Exchange admin center (EAC) or in Exchange
Online PowerShell (the Set-Mailbox and Set-CasMailbox cmdlets).
Assign a different license to the user. The mailbox plan that corresponds to the new license will be applied to
the existing mailbox (the settings in the mailbox plan will be applied to the existing mailbox).
Get-MailboxPlan
Get-CasMailboxPlan
These examples return the modifiable property values in all mailbox plans:
Get-MailboxPlan | Format-List DisplayName,IsDefault,Max*Size,IssueWarningQuota,Prohibit*Quota,RetainDeletedItemsFor,RetentionPolicy,RoleAssignmentPolicy
These examples return detailed information for the mailbox plan named ExchangeOnlineEnterprise.
This example returns the mailbox plan that's assigned to the user named Suk-Jae Yoo.
2. Use the following syntax to return the mailboxes that have the mailbox plan assigned:
This example returns the mailboxes that have the ExchangeOnline mailbox plan applied.
For detailed syntax and parameter information, see Get-MailboxPlan and Get-CasMailboxPlan.
Create a new mailbox without assigning a license as described in Create user mailboxes in Exchange Online.
Replace <MailboxIdentity> with the name, alias, account name, or email address of the mailbox, and run the
following command in Exchange Online PowerShell to verify the MailboxPlan property value:
This example modifies the mailbox plan named ExchangeOnlineEnterprise to use the retention policy named
Contoso Retention Policy.
This example disables Exchange ActiveSync, POP3, and IMAP4 access to mailboxes in all CAS mailbox plans.
For detailed syntax and parameter information, see Set-MailboxPlan and Set-CasMailboxPlan.
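Changing a CAS mailbox plan does not touch mailboxes that already have the plan applied, so disabling protocols in the plans leaves existing mailboxes as they were. The following added example (not part of the original topic) makes the plan change described above and then lists the existing mailboxes that still allow those protocols; it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example: disable ActiveSync, POP3 and IMAP4 in every CAS mailbox plan,
# then find existing mailboxes that the plan change did not reach.

# 1. Plan-level change: affects mailboxes created or relicensed from now on.
Get-CasMailboxPlan |
    Set-CasMailboxPlan -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false

# 2. Confirm the plans themselves.
Get-CasMailboxPlan |
    Format-Table DisplayName, ActiveSyncEnabled, PopEnabled, ImapEnabled -AutoSize

# 3. Existing mailboxes keep their own settings. List the ones that still
#    have any of the three protocols enabled.
$drift = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -or $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress,
                  ActiveSyncEnabled, PopEnabled, ImapEnabled, MAPIEnabled, OWAEnabled

$drift | Format-Table -AutoSize
"{0} existing mailbox(es) still allow ActiveSync, POP3 or IMAP4." -f @($drift).Count

# 4. Preview the per-mailbox change. Remove -WhatIf to apply it.
$drift | ForEach-Object {
    Set-CASMailbox -Identity "$($_.PrimarySmtpAddress)" `
        -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false -WhatIf
}
```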
How do you know this worked?
To verify that you've successfully modified a mailbox plan, use any of the following steps:
In Exchange Online PowerShell, run the following commands to verify the property values:
Get-MailboxPlan | Format-List DisplayName,IsDefault,Max*Size,IssueWarningQuota,Prohibit*Quota,RetainDeletedItemsFor,RetentionPolicy,RoleAssignmentPolicy
Using the license that corresponds to the modified mailbox plan, do one of the following steps:
Create a new mailbox and assign the license as described in Create user mailboxes in Exchange
Online.
Assign the license to an existing mailbox user who currently has a different license (therefore,
mailbox plan) assigned.
Replace <MailboxIdentity> with the name, alias, account name, or email address of the mailbox, and run the
following commands in Exchange Online PowerShell to verify the property values:
Mailboxes in Office 365 can be set up so that someone (such as an executive assistant) can access the mailbox of
another person (such as a manager) and send mail as them. These people are often called the delegate and the
delegator, respectively. We'll call them "assistant" and "manager" for simplicity's sake. When an assistant is granted
access to a manager's mailbox, it's called delegated access.
People often set up delegated access and send permissions to allow an assistant to manage a manager's calendar
where they need to send and respond to meeting requests. By default, when an assistant sends mail as, or on
behalf of, a manager, the sent message is stored in the assistant's Sent Items folder. You can use this article to
change this behavior so that the sent message is stored in both the assistant and manager's Sent Items folders.
Let's take a look at a quick example of how this would work in real life:
Mary is the Vice President of Global Sales. She has an extremely busy schedule and has Rob, her executive
assistant, to help manage her calendar.
To help Mary, Rob's been granted delegated access to Mary's mailbox and to send messages on her behalf.
This allows him to see what's on her calendar; schedule, accept, and decline meeting requests; and respond
to messages.
Messages that Rob sends on behalf of Mary are stored in his Sent Items folder. Mary wants a copy so Rob
manually copies messages he's sent on her behalf from his Sent Items folder to her Sent Items folder.
Rob wonders if there's a better way to handle Sent Items so he asks his IT Help Desk. He learns Mary's
mailbox can be set up to store messages he sends on her behalf in both his Sent Items and her Sent Items
automatically. This is exactly what he wants so he asks the Help Desk to set it up.
For example, if Mary's email address is mary@contoso.com, her IT department would run the following command:
Set-Mailbox mary@contoso.com -MessageCopyForSentAsEnabled $true
That's it! The manager will now automatically get a copy of any messages sent by an assistant, in their Sent Items
folder.
TIP
You can turn this off by going through the steps above and replacing $true with $false in the Set-Mailbox command. For
example, to turn it off for Mary, they'd run the following command:
Set-Mailbox mary@contoso.com -MessageCopyForSentAsEnabled $false
That's it! The manager will now automatically get a copy of any messages sent by an assistant, in their Sent Items
folder.
TIP
You can turn this off by going through the steps above and replacing $true with $false in the Set-Mailbox command. For
example, to turn it off for Mary, they'd run the following command:
Set-Mailbox mary@contoso.com -MessageCopyForSendOnBehalfEnabled $false
Clutter notifications in Outlook
3/4/2019 • 2 minutes to read
Clutter is a feature in Office 365 designed to help users focus on the most important messages in their Inbox by
moving lower priority messages into a new Clutter folder.
Clutter Notifications
Clutter is enabled by users in their O365 Settings options. This article contains information for O365
administrators about notifications from Clutter to end-users.
These notifications are an integral part of the Clutter feature and therefore can't be suspended by administrators.
Clutter is a user election, similar to someone opting to use Conversation view, and the notifications help the user
understand the state of Clutter across all clients. There is no central reporting available at this time. For information
on how to change the branding of the notifications see Change the branding of Clutter notifications.
NOTE
For information on how end users can enable and begin using Clutter, see Use Clutter to sort low priority messages in
Outlook Web App.
Hard at work
During the first three weeks of Clutter usage, the following notification is sent periodically for two reasons. First, it
reminds the user to inspect the Clutter folder and make sure that Clutter is filtering messages correctly. Second,
this notification provides a way for the user to provide feedback on Clutter. Additionally, there are links that
provide more information about the feature and that turn Clutter off.
Change the branding of Clutter notifications
3/4/2019 • 2 minutes to read
The Clutter feature uses Inbox notifications to invite users and to send status messages. The default branding used
for these notifications is Outlook, but you can modify the branding for your organization.
NOTE
For more information about the types of Clutter notifications that end users in your organization receive, see Clutter
notifications in Outlook.
To begin, you will need to sign in to Office 365 with your work or school account.
1. Once signed in to Office 365, go to the Office 365 admin center.
2. Click to expand Users, then select Active Users.
3. Select the plus [+] sign to add a user. The Create a new user account dialog will open.
4. In the Create a new user account dialog, enter a Display name and a username. The display name will
appear in the Sender field for all Clutter notifications sent to your users. Office 365 generates a new
temporary password for the new user account. Click Create to create the account.
5. Go to the Exchange admin center.
6. Click recipients, and then click mailboxes.
7. Select the user you just created, and then click the pencil icon to edit the account, as shown in the following
example.
8. In the user account dialog, click Email address, and then click the plus sign [+] to add an email address to
the new user account.
9. In the new email address dialog, select SMTP as the email address type, and then, in the Email address
box, type the following: 7a694ec2-b7c9-41eb-b562-08fd2b277ae0@[your default domain], where
[your default domain] is the domain that your organization uses. For most organizations, this would be
[your domain name].onmicrosoft.com.
When finished, click OK.
10. Back in the user account dialog, click save to associate the new email address with the user account. All
Clutter notifications sent to end users in your organization will now originate from this account.
New-Mailbox -Shared -Name branding@contoso.com -DisplayName "Branding Clutter Mailbox" -Alias branding
Set-Mailbox "IT Admin" -EmailAddresses SMTP: branding@contoso
Enable or disable single item recovery for a mailbox
3/4/2019 • 3 minutes to read
You can use Exchange Online PowerShell to enable or disable single item recovery on a mailbox. In Exchange
Online, single item recovery is enabled by default when a new mailbox is created. In Exchange Server, single item
recovery is disabled when a mailbox is created. If single item recovery is enabled, messages that are permanently
deleted (purged) by the user are retained in the Recoverable Items folder of the mailbox until the deleted item
retention period expires. This lets an administrator recover messages purged by the user before the deleted item
retention period expires. Also, if a message is changed by a user or a process, copies of the original item are also
retained when single item recovery is enabled.
This example enables single item recovery for the mailbox of Pilar Pinilla and sets the number of days that deleted
items are retained to 30 days.
This example enables single item recovery for all user mailboxes in the organization.
You can use this same command to verify that single item recovery is disabled for a mailbox.
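Single item recovery and the deleted item retention period together decide whether a purged message can still be recovered. The following added example (not part of the original topic) enables both for one mailbox as described above and then reports user mailboxes that fall short; it assumes a connected Exchange Online PowerShell session, and the 30-day target is this example's choice.

```powershell
# Added example: enable single item recovery, then report recoverability gaps.

# One mailbox: enable single item recovery and keep deleted items for 30 days.
Set-Mailbox -Identity "Pilar Pinilla" -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

# Verify that mailbox.
Get-Mailbox -Identity "Pilar Pinilla" |
    Format-List DisplayName, SingleItemRecoveryEnabled, RetainDeletedItemsFor

# Report: all user mailboxes with their recovery-related settings.
$targetDays = 30   # assumption: the retention target used for this report
$report = Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} |
    ForEach-Object {
        # RetainDeletedItemsFor prints as "14.00:00:00"; parsing the string form
        # works whether the session returns a TimeSpan or its text.
        $days = [TimeSpan]::Parse("$($_.RetainDeletedItemsFor)").Days

        [pscustomobject]@{
            Mailbox            = $_.PrimarySmtpAddress
            SingleItemRecovery = [bool]$_.SingleItemRecoveryEnabled
            RetainDays         = $days
            # On hold, items stay in Recoverable Items regardless of retention.
            OnHold             = [bool]($_.LitigationHoldEnabled -or (@($_.InPlaceHolds).Count -gt 0))
        }
    }

# Gaps: not on hold, and either recovery is off or retention is below target.
$gaps = $report | Where-Object {
    (-not $_.OnHold) -and ((-not $_.SingleItemRecovery) -or ($_.RetainDays -lt $targetDays))
}
$gaps | Sort-Object RetainDays | Format-Table -AutoSize

# Preview the fix for those mailboxes. Remove -WhatIf to apply it.
$gaps | ForEach-Object {
    Set-Mailbox -Identity "$($_.Mailbox)" -SingleItemRecoveryEnabled $true `
        -RetainDeletedItemsFor $targetDays -WhatIf
}
```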
More information
To learn more about single item recovery, see Recoverable Items folder. To recover messages purged by the
user before the deleted item retention period expires, see Recover deleted messages in a user's mailbox.
If a mailbox is placed on In-Place Hold or Litigation Hold, messages in the Recoverable Items folder are
retained until the hold duration expires. If the hold duration is unlimited, then items are retained until the
hold is removed or the hold duration is changed.
Recover deleted messages in a user's mailbox
3/29/2019 • 8 minutes to read
NOTE
In addition to using this procedure to search for and recover deleted items (which are moved to the Recoverable
Items\Purges folder if either single item recovery or litigation hold is enabled), you can also use this procedure to search for
items residing in other folders in the mailbox and to delete items from the source mailbox (also known as search and
destroy).
NOTE
When using the Search-Mailbox cmdlet, you can also specify a target mailbox that isn't a discovery mailbox.
However, you can't specify the same mailbox as the source and target mailbox.
Search criteria: Criteria include sender or recipient, or keywords (words or phrases) in the message.
This topic focuses on using PowerShell to recover deleted items in a user's mailbox. You can also use the
GUI-based In-Place eDiscovery tool to find and export deleted items to a PST file. The user will use this
PST file to restore the deleted messages to their mailbox. For detailed instructions, see Recover deleted
items in a user's mailbox - Admin Help.
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type the username and password for an Office 365
global admin account, and then click OK.
Import-PSSession $Session
4. To verify that you're connected to your Exchange Online organization, run the following command to get a list
of all the mailboxes in your organization.
Get-Mailbox
For more information or if you have problems connecting to your Exchange Online organization, see Connect to
Exchange Online using remote PowerShell.
NOTE
You can use In-Place eDiscovery in the Exchange admin center (EAC) to search for missing items. However, when using the
EAC, you can't restrict the search to the Recoverable Items folder. Messages matching your search parameters will be
returned even if they're not deleted. After they're recovered to the specified discovery mailbox, you may need to review the
search results and remove unnecessary messages before recovering the remaining messages to the user's mailbox or
exporting them to a .pst file. For details about how to use the EAC to perform an In-Place eDiscovery search, see Create
an In-Place eDiscovery search.
The first step in the recovery process is to search for messages in the source mailbox. Use one of the following
methods to search a user mailbox and copy messages to a discovery mailbox.
This example searches for messages in April Stewart's mailbox that meet the following criteria:
Sender: Ken Kwok
Keyword: Seattle
Search-Mailbox "April Stewart" -SearchQuery "from:'Ken Kwok' AND seattle" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "April Stewart Recovery" -LogLevel Full
NOTE
When using the Search-Mailbox cmdlet, you can scope the search by using the SearchQuery parameter to specify a query
formatted using Keyword Query Language (KQL). You can also use the SearchDumpsterOnly switch to search only items in
the Recoverable Items folder.
NOTE
You can't use the EAC to restore recovered items.
After messages have been recovered to a discovery mailbox, you can restore them to the user's mailbox by using
the Search-Mailbox cmdlet. In Exchange Server, you can also use the New-MailboxExportRequest and
New-MailboxImportRequest cmdlets to export the messages to or import the messages from a .pst file.
Use Exchange Online PowerShell to restore messages
This example restores messages to April Stewart's mailbox and deletes them from the Discovery Search Mailbox.
Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'Ken Kwok' AND seattle" -TargetMailbox "April Stewart" -TargetFolder "Recovered Messages" -LogLevel Full -DeleteContent
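Because the restore step uses -DeleteContent, it helps to check the size of the result set before copying or deleting anything. The following added example (not part of the original topic) runs the same April Stewart recovery with an estimate first and the search limited to the Recoverable Items folder; it assumes a connected Exchange Online PowerShell session and the mailbox and folder names used above.

```powershell
# Added example: estimate, copy, then restore, using the query from this topic.
$source    = "April Stewart"
$discovery = "Discovery Search Mailbox"
$query     = "from:'Ken Kwok' AND seattle"

# 1. Estimate only: counts matches in Recoverable Items, copies nothing.
$estimate = Search-Mailbox -Identity $source -SearchQuery $query `
    -SearchDumpsterOnly -EstimateResultOnly
$estimate | Format-List Identity, ResultItemsCount, ResultItemsSize

if ($estimate.ResultItemsCount -gt 0) {
    # 2. Copy the matching deleted items to the discovery mailbox.
    Search-Mailbox -Identity $source -SearchQuery $query -SearchDumpsterOnly `
        -TargetMailbox $discovery -TargetFolder "April Stewart Recovery" -LogLevel Full

    # 3. Dry run of the restore: -LogOnly writes the log to the target folder
    #    without copying messages, so the item list can be reviewed first.
    Search-Mailbox -Identity $discovery -SearchQuery $query `
        -TargetMailbox $source -TargetFolder "Recovered Messages" -LogLevel Full -LogOnly

    # 4. Restore to the user's mailbox and remove the copies from the
    #    discovery mailbox. -DeleteContent asks for confirmation.
    Search-Mailbox -Identity $discovery -SearchQuery $query `
        -TargetMailbox $source -TargetFolder "Recovered Messages" -LogLevel Full -DeleteContent
}
else {
    Write-Warning "No matching items in Recoverable Items for $source."
}
```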
More information
The ability to recover deleted items is enabled by single item recovery, which lets an administrator recover a
message that's been purged by a user or by retention policy as long as the deleted item retention period
hasn't expired for that item. To learn more about single item recovery, see Recoverable Items Folder.
An Exchange Online mailbox is configured to retain deleted items for 14 days, by default. You can change
this setting to a maximum of 30 days. In Exchange Server, a mailbox database is configured to retain
deleted items for 14 days, by default. You can configure deleted item retention settings for a mailbox or
mailbox database. For more information, see:
Change how long permanently deleted items are kept for an Exchange Online mailbox
Configure Deleted Item Retention and Recoverable Items Quotas
As previously explained, you can also use the In-Place eDiscovery tool to find and export deleted items to a
PST file. The user will use this PST file to restore the deleted messages to their mailbox. For detailed
instructions, see Recover deleted items in a user's mailbox - Admin Help.
Users can recover a deleted item if it hasn't been purged and if the deleted item retention period for that
item hasn't expired. If users need to recover deleted items from the Recoverable Items folder, point them to
the following topics:
Recover deleted items in Outlook 2010
Recover deleted items in Outlook 2013
Recover deleted items or email in Outlook Web App
This topic shows you how to use the Search-Mailbox cmdlet to search for and recover missing items. If
you use this cmdlet, you can search only one mailbox at a time. If you want to search multiple mailboxes at
the same time, you can use In-Place eDiscovery in the Exchange admin center (EAC) or the New-MailboxSearch
cmdlet in Windows PowerShell.
In addition to using this procedure to search for and recover deleted items, you can also use a similar
procedure to search for items in user mailboxes and then delete those items from the source mailbox. For
more information, see Search and delete messages.
Use Exchange Online PowerShell to display Office 365 mailbox information
2/28/2019 • 3 minutes to read
Admins can learn how to use Exchange Online PowerShell to display information about mailboxes in their Office
365 organization.
To give you an idea of some of the things you can do with PowerShell in Office 365, let's take a look at user
mailboxes in Exchange Online PowerShell.
You can see things like Ken's alias and his mailbox size quota. But there's a lot more information that's associated
with an Exchange Online mailbox than just the four properties returned by the Get-Mailbox cmdlet.
Here's an example command that displays all the information for a specific mailbox:
The command instructs Exchange Online PowerShell to return all of the available properties for the mailbox in a
list. There are about 200 different properties and property values. You can also use the Format-List and
Format-Table cmdlets to return only specific property values. For example, you can also view litigation hold-related
properties for Ken Myer with this command:
You can also use wildcard characters when working with the Format-List cmdlet. For example, all the litigation
hold properties start with the letters lit. You can retrieve this same information by using this command:
You can return information about multiple mailboxes by leaving out the Identity parameter. This example returns
the DisplayName and LitigationHoldEnabled properties for all mailboxes:
In many cases, you only want to look at a subset of your mailboxes. For example, suppose you are asked to come
up with a list of all the mailboxes that have been assigned a litigation hold. You can use the Where-Object cmdlet
in conjunction with the Get-Mailbox cmdlet. The Where-Object cmdlet needs a filter phrase to tell Exchange
Online PowerShell what set of mailboxes you are interested in.
In their simplest form, filter phrases use the syntax {<PropertyName> -<ComparisonOperator> <PropertyValue>}.
Some commonly used comparison operators are:
eq (equals; not case-sensitive)
ne (does not equal; not case-sensitive)
gt (greater than)
lt (less than)
For another example, suppose you'd like to make sure that all of your users have the junk email rule enabled.
Here's a quick command to find any users who don't have that rule enabled:
Get-Mailbox -ResultSize unlimited | Get-MailboxJunkEmailConfiguration | Where-Object {$_.Enabled -eq $False}
This is just one example. If you want to display a set of mailboxes based on a setting and can't filter on that setting
in the Office 365 admin center, do these steps:
1. Find the mailbox property that corresponds to the setting you're interested in by running the command
Get-Mailbox -Identity "<MailboxIdentity>" | Select-Object * to list all the properties of a mailbox.
<MailboxIdentity> is any unique identifier for the mailbox (name, email address, alias, etc.).
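The Where-Object filter phrases described above, applied to a litigation hold coverage check. This is an added example, not code from the original documentation; the function name Get-LitigationHoldGap, the custodian list and the sample mailbox objects are assumptions constructed for illustration.

```powershell
# Added example, not part of the original documentation.
# Get-LitigationHoldGap, $custodians and the sample mailboxes are constructed.
function Get-LitigationHoldGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$Mailbox,    # objects shaped like Get-Mailbox output
        [Parameter(Mandatory)] [string[]]$Custodian   # aliases that must be on hold
    )

    # Filter phrase syntax: {<PropertyName> -<ComparisonOperator> <PropertyValue>}
    $onHold = @($Mailbox | Where-Object { $_.LitigationHoldEnabled -eq $true })

    # Custodians whose mailbox exists but is not on litigation hold.
    $missing = @($Mailbox | Where-Object {
        ($_.LitigationHoldEnabled -ne $true) -and ($Custodian -contains $_.Alias)
    })

    # Custodians with no matching mailbox at all (typo, deleted or renamed alias).
    $knownAliases = @($Mailbox | ForEach-Object { $_.Alias })
    $unknown = @($Custodian | Where-Object { $knownAliases -notcontains $_ })

    [pscustomobject]@{
        OnHoldCount      = $onHold.Count
        MissingHold      = @($missing | ForEach-Object { $_.Alias })
        UnknownCustodian = $unknown
    }
}

# Constructed sample data so the function runs without a tenant connection.
$sampleMailboxes = @(
    [pscustomobject]@{ Alias = 'kenmyer'; DisplayName = 'Ken Myer';      LitigationHoldEnabled = $true  }
    [pscustomobject]@{ Alias = 'sample1'; DisplayName = 'Sample User 1'; LitigationHoldEnabled = $false }
    [pscustomobject]@{ Alias = 'sample2'; DisplayName = 'Sample User 2'; LitigationHoldEnabled = $false }
)
$custodians = @('kenmyer', 'sample1', 'sample9')

$report = Get-LitigationHoldGap -Mailbox $sampleMailboxes -Custodian $custodians
$report | Format-List

# In a live Exchange Online PowerShell session, feed real mailbox objects instead:
#   Get-LitigationHoldGap -Mailbox (Get-Mailbox -ResultSize unlimited) -Custodian $custodians
```

With the sample data, one mailbox is on hold, sample1 is reported as missing a hold, and sample9 is reported as a custodian with no mailbox.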
Use the Exchange admin center (EAC) or Exchange Online PowerShell to create a new distribution group in your
Exchange Online organization or to mail-enable an existing group.
There are two types of groups that can be used to distribute messages:
Mail-enabled universal distribution groups (also called distribution groups) can be used only to distribute
messages.
Mail-enabled universal security groups (also called security groups) can be used to distribute messages as
well as to grant access permissions to resources. For more information, see Manage mail-enabled security
groups.
It's important to note the terminology differences between Active Directory and Exchange Online. In Active
Directory, a distribution group refers to any group that doesn't have a security context, whether it's mail-enabled
or not. In contrast, in Exchange, all mail-enabled groups are referred to as distribution groups, whether they have
a security context or not.
3.
You can now create an Office 365 group instead of a distribution group, if you have an Office 365 for
business plan or an Exchange Online plan. Office 365 groups have the features of a distribution group and
much more. With Office 365 groups, you can send email to a group, share a common calendar, have a
library for storing and working on group files and folders. Click New > Office 365 group to get started
and check out Office 365 Groups - Admin help.
If you have existing distribution groups that you want to migrate to Office 365 groups, check out Migrate
distribution lists to Office 365 Groups - Admin help.
If you still want to create a distribution group, click or tap the New distribution group wizard.
4. On the New distribution group page, complete the following boxes:
* Display name: Use this box to type the display name. This name appears in your organization's address
book, on the To: line when email is sent to this group, and in the Groups list in the EAC. The display name
is required and should be user-friendly so people recognize what it is. It also must be unique in the forest.
* Alias: Use this box to type the name of the alias for the group. The alias can't exceed 64 characters and
must be unique in the forest. When a user types the alias in the To: line of an email message, it resolves to
the group's display name.
Organizational unit (You'll only see this option in Exchange Server on-premises): You can select an
organizational unit (OU) other than the default (which is the recipient scope). If the recipient scope is set to
the forest, the default value is set to the Users container in the Active Directory domain that contains the
computer on which the EAC is running. If the recipient scope is set to a specific domain, the Users
container in that domain is selected by default. If the recipient scope is set to a specific OU, that OU is
selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within the
specified scope. Select the OU you want, and then click OK.
* Owners: By default, the person who creates a group is the owner. All groups must have at least one
owner. You can add owners by clicking Add.
Members: Use this section to add members and to specify whether approval is required for people to join
or leave the group.
Group owners don't have to be members of the group. Use Add group owners as members to add or
remove the owners as members.
To add members to the group, click Add. When you've finished adding members, click OK to return to
the New distribution group page.
Under Choose whether owner approval is required to join the group, specify whether approval is
required for people to join the group. Select one of the following settings:
Open: Anyone can join this group without being approved by the group owners: This is the default
setting.
Closed: Members can be added only by the group owners. All requests to join will be rejected
automatically.
Owner Approval: All requests are manually approved or rejected by the group owners: If you
select this option, the group owner or owners will receive an email message requesting approval to join
the group.
Under Choose whether the group is open to leave, specify whether approval is required for people to
leave the group. Select one of the following settings:
Open: Anyone can leave this group without being approved by the group owners: This is
the default setting.
Closed: Members can be removed only by the group owners. All requests to leave will be
rejected automatically.
5. When you've finished, click Save to create the distribution group.
NOTE
By default, new distribution groups require that all senders be authenticated. This prevents external senders from sending
messages to distribution groups. To configure a distribution group to accept messages from all senders, you must modify
the message delivery restriction settings for that distribution group.
For more information about using Exchange Online PowerShell to create distribution groups, see
New-DistributionGroup.
How do you know this worked?
To verify that you've successfully created a distribution group, do one of the following:
In the EAC, navigate to Recipients > Groups. The new distribution group is displayed in the group list.
Under Group Type, the type is Distribution group.
In Exchange Online PowerShell, run the following command to display information about the new
distribution group.
NOTE
You can create or mail-enable only universal distribution groups. To convert a domain-local or a global group to a universal
group, you can use the Set-Group cmdlet using Exchange Online PowerShell. You may have mail-enabled groups that were
migrated from previous versions of Exchange that are not universal groups. You can use the EAC or Exchange Online
PowerShell to manage these groups.
Use this section to view or change basic information about the group.
* Display name: This name appears in the address book, on the To: line when email is sent to this group,
and in the Groups list. The display name is required and should be user-friendly so people recognize what
it is. It also has to be unique in your domain.
If you've implemented a group naming policy, the display name has to conform to the naming format
defined by the policy.
* Alias: This is the portion of the email address that appears to the left of the at (@) symbol. If you change
the alias, the primary SMTP address for the group will also be changed, and contain the new alias. Also,
the email address with the previous alias will be kept as a proxy address for the group.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the address book and in the Details pane in the EAC.
Hide this group from address lists: Select this check box if you don't want users to see this group in the
address book. To send email to this group, a sender has to type the group's alias or email address on the
To: or Cc: lines.
TIP
Consider hiding security groups because they're typically used to assign permissions to group members and not to
send email.
Organizational unit: This read-only box displays the organizational unit (OU) that contains the
distribution group. You have to use Active Directory Users and Computers to move the group to a
different OU.
Ownership
Use this section to assign group owners. The group owner can add members to the group, approve or reject
requests to join or leave the group, and approve or reject messages sent to the group. By default, the person who
creates a group is the owner. All groups must have at least one owner.
You can add owners by clicking Add. You can remove an owner by selecting the owner and then clicking
Remove.
Membership
Use this section to add or remove members. Group owners don't have to be members of the group. Under
Members, you can add members by clicking Add. You can remove a member by selecting a user in the
member list and then clicking Remove.
Membership approval
Use this section to specify whether approval is required for users to join or leave the group.
Choose whether owner approval is required to join the group: Select one of the following settings:
Open: Anyone can join this group without being approved by the group owners
Closed: Members can be added only by the group owners. All requests to join will be
rejected automatically.
Owner Approval: All requests are approved or rejected by the group owners: If you select
this option, the group owner or owners receive an email requesting approval to join the group.
Choose whether the group is open to leave: Select one of the following settings:
Open: Anyone can leave this group without being approved by the group owners
Closed: Members can be removed only by the group owners. All requests to leave will be
rejected automatically.
Delivery management
Use this section to manage who can send email to this group.
Only senders inside my organization: Select this option to allow only senders in your organization to
send messages to the group. This means that if someone outside of your organization sends an email
message to this group, it will be rejected. This is the default setting.
Senders inside and outside of my organization: Select this option to allow anyone to send messages
to the group.
You can further limit who can send messages to the group by allowing only specific senders to send
messages to this group. Click Add and then select one or more recipients. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.
To remove a person or a group from the list, select them in the list and then click Remove.
IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email
sent from a mail contact will be rejected, even if they are added to this list.
Message approval
Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages are reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add. To remove a moderator, select the moderator,
and then click Remove. If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group are sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add. To remove a person or a group, select the item, and then click Remove.
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Notify all
senders, inside and outside your organization, when their message isn't approved.
Notify senders in your organization when their messages aren't approved: When you select
this option, only people or groups in your organization are notified when a message that they sent
to the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options
Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in
the * Email address box.
NOTE
To make the new address the primary SMTP address for the group, select the Make this the reply address
check box.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Edit: To change an email address associated with the group, select it in the list, and then click Edit.
NOTE
To make an existing address the primary SMTP address for the group, select the Make this the reply address
check box.
Remove: To delete an email address associated with the group, select it in the list, and then click Remove.
Automatically update email addresses based on the email address policy applied to this
recipient: Select this check box to have the recipient's email addresses automatically updated based on
changes made to email address policies in your organization. This box is selected by default.
MailTip
Use this section to add a MailTip to alert users of potential issues if they send a message to this group. A MailTip
is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email message.
For example, you could add a MailTip to large groups to warn potential senders that their message will be sent to
lots of people.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Group delegation
Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group
or send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group.
After this permission is assigned, the delegate has the option to add the group in the From line. The
message will appear to be sent by the group and will say that it was sent by the delegate on behalf of the
group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
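The settings walked through above (delivery management, message approval, membership approval, address list visibility and delegation) can be reviewed across many groups at once. The following is an added example, not code from the original documentation; the function name Get-DistributionGroupExposure and the finding labels are assumptions, and the sample objects are constructed to mimic the properties that Get-DistributionGroup returns.

```powershell
# Added example, not from the original documentation. The sample groups reuse
# group names from this page, but their settings are constructed for illustration.
function Get-DistributionGroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group
    )
    process {
        $findings = @()

        # Delivery management + message approval: unauthenticated (external)
        # senders are accepted and no moderator reviews the message first.
        if ((-not $Group.RequireSenderAuthenticationEnabled) -and (-not $Group.ModerationEnabled)) {
            $findings += 'ExternalSendersUnmoderated'
        }

        # Membership approval: Open lets any user add themselves to the group.
        if ($Group.MemberJoinRestriction -eq 'Open') {
            $findings += 'OpenJoin'
        }

        # TIP on this page: security groups assign permissions, so consider hiding them.
        if (($Group.RecipientTypeDetails -eq 'MailUniversalSecurityGroup') -and
            (-not $Group.HiddenFromAddressListsEnabled)) {
            $findings += 'SecurityGroupVisibleInAddressBook'
        }

        # Group delegation: list Send on Behalf Of delegates so they can be reviewed.
        $delegates = @($Group.GrantSendOnBehalfTo | Where-Object { $_ })
        if ($delegates.Count -gt 0) {
            $findings += 'SendOnBehalfDelegates=' + ($delegates -join ';')
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                DisplayName = $Group.DisplayName
                Findings    = $findings -join ', '
            }
        }
    }
}

# Constructed sample objects so the function runs without a tenant connection.
$sampleGroups = @(
    [pscustomobject]@{
        DisplayName = 'Seattle Employees'; RecipientTypeDetails = 'MailUniversalDistributionGroup'
        RequireSenderAuthenticationEnabled = $true; ModerationEnabled = $false
        MemberJoinRestriction = 'Closed'; HiddenFromAddressListsEnabled = $false
        GrantSendOnBehalfTo = @()
    }
    [pscustomobject]@{
        DisplayName = 'Customer Support'; RecipientTypeDetails = 'MailUniversalDistributionGroup'
        RequireSenderAuthenticationEnabled = $false; ModerationEnabled = $false
        MemberJoinRestriction = 'ApprovalRequired'; HiddenFromAddressListsEnabled = $false
        GrantSendOnBehalfTo = @('Amy')
    }
    [pscustomobject]@{
        DisplayName = 'Dog Lovers'; RecipientTypeDetails = 'MailUniversalDistributionGroup'
        RequireSenderAuthenticationEnabled = $true; ModerationEnabled = $false
        MemberJoinRestriction = 'Open'; HiddenFromAddressListsEnabled = $false
        GrantSendOnBehalfTo = @()
    }
    [pscustomobject]@{
        DisplayName = 'Sample Security Group'; RecipientTypeDetails = 'MailUniversalSecurityGroup'
        RequireSenderAuthenticationEnabled = $true; ModerationEnabled = $false
        MemberJoinRestriction = 'Closed'; HiddenFromAddressListsEnabled = $false
        GrantSendOnBehalfTo = @()
    }
)

$sampleGroups | Get-DistributionGroupExposure | Format-Table -AutoSize -Wrap

# In a live Exchange Online PowerShell session, pipe real groups instead:
#   Get-DistributionGroup -ResultSize Unlimited | Get-DistributionGroupExposure
```

With the sample data, Seattle Employees produces no finding; Customer Support is flagged for unmoderated external senders and its delegate, Dog Lovers for open join, and the security group for being visible in the address book.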
Use Exchange Online PowerShell to change distribution group properties
Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and change properties for
distribution groups. Advantages of using Exchange Online PowerShell are the ability to change the properties
that aren't available in the EAC and to change properties for multiple groups. For information about which
parameters correspond to distribution group properties, see the following topics:
Get-DistributionGroup
Set-DistributionGroup
Here are some examples of using Exchange Online PowerShell to change distribution group properties.
This example changes the primary SMTP address (also called the reply address) for the Seattle Employees
distribution group from employees@contoso.com to sea.employees@contoso.com. Also, the previous reply
address will be kept as a proxy address.
This example limits the maximum message size that can be sent to all distribution groups in the organization to
10 megabytes (MB).
This example enables moderation for the distribution group Customer Support and sets the moderator to Amy.
In addition, this moderated distribution group will notify senders who send mail from within the organization if
their messages aren't approved.
This example changes the user-created distribution group Dog Lovers to require the group manager to approve
users' requests to join the group. In addition, by using the BypassSecurityGroupManagerCheck parameter, the
group manager will not be notified that a change was made to the distribution group's settings.
For the example above where the message limits were changed, run this command.
A group naming policy lets you standardize and manage the names of distribution groups created by users in your
organization. You can require a specific prefix and suffix be added to the name for a distribution group when it's
created, and you can block specific words from being used. This helps you minimize the use of inappropriate
words in group names.
A group naming policy:
Enforces a consistent naming strategy for groups created by users.
Identifies distribution groups in the shared address book.
Suggests the function or membership of the group.
Identifies the type of users who are likely members of the group.
Identifies the geographic region the group is used in.
Blocks inappropriate words in group names.
How does a group naming policy work? When a user creates a group, they specify a name in the Display Name
field. After the group is created, Microsoft Exchange applies the group naming policy by adding any prefix or suffix
that you've defined in the group naming policy. The full name is displayed in the distribution groups list in the
Exchange admin center (EAC), the shared address book, and the To:, Cc:, and From: fields in email messages. If a
user tries to use a word that you've blocked, they get an error message when they try to save the new group and
are asked to remove the blocked word and save the group again.
Here are some examples of a group naming policy. In each, <Group Name> is a descriptive name provided by
the person who creates the group. Exchange adds the prefixes and suffixes defined by the policy to the display
name when the group is created.
Text strings, with underscore characters, used for a single prefix (DG) and suffix (Users):
DG_<Group Name>_Users
Multiple prefixes (DG and Contoso) and one suffix (Users), using text strings:
DG_Contoso_<Group Name>_Users
An attribute (Department) used for the prefix:
Department_<Group Name>
For example, say that your school populates the Department attribute for faculty members. Here's an
example of a group name created by a faculty member in the Psychology department:
Psychology_Cognitive201
In this example, the underscore character (_) is provided as the only text string in a second prefix to separate
the department name from the group name.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
The group naming policy for distribution groups is applied only to groups created by users. When you or other
administrators use the Exchange admin center (EAC) to create distribution groups, the group naming policy is
ignored and not applied to the group name.
However, if you use Exchange Online PowerShell to create or rename a distribution group, the group naming
policy is applied to groups created by administrators unless you use the IgnoreNamingPolicy parameter to
override the group naming policy.
For example, if the group naming policy for your organization is DG_<Group Name>_Users, run the following
command to create a group named All Administrators.
When Microsoft Exchange creates this group, it uses All Administrators for both the Name and DisplayName
parameters.
Set-DistributionGroup -Identity <Old Group Name> -Name <New Group Name> -DisplayName <New Group Name> -IgnoreNamingPolicy
For example, let's say you created a group naming policy late one night and the next morning you realized you
misspelled the text string in the prefix. You also see that a new group has already been created with
the misspelled prefix. You can fix the group naming policy in the EAC, but you have to use Exchange Online
PowerShell to rename the group with the misspelled name. Run the following command.
IMPORTANT
Be sure to include the DisplayName parameter when you rename a group. If you don't, the old name is still displayed in the
shared address book on the To:, Cc:, and From: lines in email messages.
If the format of the display name for the group is different than the one enforced by your organization's group
naming policy, it worked.
Manage dynamic distribution groups
3/29/2019 • 15 minutes to read
Dynamic distribution groups are mail-enabled Active Directory group objects that are created to expedite the mass
sending of email messages and other information within a Microsoft Exchange organization.
Unlike regular distribution groups that contain a defined set of members, the membership list for dynamic
distribution groups is calculated each time a message is sent to the group, based on the filters and conditions that
you define. When an email message is sent to a dynamic distribution group, it's delivered to all recipients in the
organization that match the criteria defined for that group.
IMPORTANT
A dynamic distribution group includes any recipient in Active Directory with attribute values that match its filter. If a
recipient's properties are modified to match the filter, the recipient could inadvertently become a group member and start
receiving messages that are sent to the group. Well-defined, consistent account provisioning processes will reduce the
chances of this issue occurring.
NOTE
Group naming policy isn't applied to dynamic distribution groups.
* Alias: Use this box to type the name of the alias for the group. The alias cannot exceed 64 characters and
must be unique in the forest. When a user types the alias in the To: line of an email message, it resolves to
the group's display name.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the shared address book.
Organizational unit: You can select an organizational unit (OU) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users container in
the Active Directory domain that contains the computer on which the EAC is running. If the recipient scope
is set to a specific domain, the Users container in that domain is selected by default. If the recipient scope is
set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within the
specified scope. Select the OU you want, and then click OK.
Owner: An owner for a dynamic distribution group is optional. You can add owners by clicking Browse and
then selecting users from the list.
3. Use the Members section to specify the types of recipients for the group and set up rules that will determine
membership. Select one of the following boxes:
All recipient types: Choose this option to send messages that meet the criteria defined for this group to all
recipient types.
Only the following recipient types: Messages that meet the criteria defined for this group will be sent to
one or more of the following recipient types:
Users with Exchange mailboxes: Select this check box if you want to include users that have Exchange
mailboxes. Users that have Exchange mailboxes are those that have a user domain account and a mailbox in
the Exchange organization.
Users with external email addresses: Select this check box if you want to include users that have external
email addresses. Users that have external email accounts have user domain accounts in Active Directory,
but use email accounts that are external to the organization. This enables them to be included in the global
address list (GAL) and added to distribution lists.
Resource mailboxes: Select this check box if you want to include Exchange resource mailboxes. Resource
mailboxes allow you to administer company resources through a mailbox, such as a conference room or a
company vehicle.
Contacts with external email addresses: Select this check box if you want to include contacts that have
external email addresses. Contacts that have external email addresses don't have user domain accounts in
Active Directory, but the external email address is available in the GAL.
Mail-enabled groups: Select this check box if you want to include security groups or distribution groups
that have been mail-enabled. Mail-enabled groups are similar to distribution groups. Email messages that
are sent to a mail-enabled group account will be delivered to several recipients.
4. Click Add a rule to define the criteria for membership in this group.
5. Select one of the following recipient attributes from the drop-down list and provide a value. If the value for
the selected attribute matches that value you define, the recipient receives a message sent to this group.
ATTRIBUTE | SEND MESSAGE TO A RECIPIENT IF...
Recipient container | The recipient object resides in the specified domain or OU.
State or province | The specified value matches the recipient's State or province property.
Custom attributeN (where N is a number from 1 to 15) | The specified value matches the recipient's CustomAttributeN property.
IMPORTANT
The values that you enter for the selected attribute must exactly match those that appear in
the recipient's properties. For example, if you enter Washington for State or province, but the value
for the recipient's property is WA, the condition will not be met. Also, text-based values that you
specify aren't case-sensitive. For example, if you specify Contoso for the Company attribute, messages
will be sent to a recipient if this value is contoso.
6. In the Specify words or phrases window, type the value in the text box. Click Add and then click OK.
7. To add another rule to define the criteria for membership, click Add a rule under the previous rule that you
created.
IMPORTANT
If you add multiple rules to define membership, a recipient must meet the criteria of each rule to receive a message
sent to the group. In other words, each rule is connected with the Boolean operator AND.
8. When you've finished, click Save to create the dynamic distribution group.
NOTE
If you want to specify rules for attributes other than the ones available in the EAC, you must use Exchange Online PowerShell
to create a dynamic distribution group. Keep in mind that the filter and condition settings for dynamic distribution groups
that have custom recipient filters can be managed only by using Exchange Online PowerShell. For an example of how to
create a dynamic distribution group with a custom query, see the next section on using Exchange Online PowerShell to
create a dynamic distribution group.
This example creates a dynamic distribution group with a custom recipient filter. The dynamic distribution group
contains all mailbox users on a server called Server1.
This example creates a dynamic distribution group with a custom recipient filter. The dynamic distribution group
contains all mailbox users that have a value of "FullTimeEmployee" in the CustomAttribute10 property.
New-DynamicDistributionGroup -Name "Full Time Employees" -RecipientFilter {(RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute10 -eq 'FullTimeEmployee')}
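Because membership is recalculated from attribute values on every send, a single attribute edit can silently add a recipient to a group. The following added example (not code from the original documentation) models the EAC rule semantics described above locally: whole-value match, not case-sensitive, all rules combined with AND. It then compares the result against an approved baseline. The function names, recipients and baseline are assumptions constructed for illustration.

```powershell
# Added example, not from the original documentation. This is a local model of the
# rule semantics on this page; recipients and the baseline are constructed data.
function Test-RuleMatch {
    param([object]$Recipient, [hashtable]$Rule)
    foreach ($attribute in $Rule.Keys) {
        # String comparison here ignores case but requires the whole value to match,
        # so 'Washington' does not satisfy a rule that specifies 'WA'.
        if ($Recipient.$attribute -ne $Rule[$attribute]) { return $false }
    }
    return $true   # every rule matched: rules are joined with AND
}

function Get-MembershipDrift {
    param([object[]]$Recipient, [hashtable]$Rule, [string[]]$Baseline)
    $current = @($Recipient |
        Where-Object { Test-RuleMatch -Recipient $_ -Rule $Rule } |
        ForEach-Object { $_.PrimarySmtpAddress })
    [pscustomobject]@{
        Current = $current
        Added   = @($current  | Where-Object { $Baseline -notcontains $_ })
        Removed = @($Baseline | Where-Object { $current  -notcontains $_ })
    }
}

# Two rules, as they would be entered in the EAC (constructed values).
$rules = @{ StateOrProvince = 'WA'; Company = 'Contoso' }

$recipients = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'amy@contoso.com'; StateOrProvince = 'WA';         Company = 'Contoso'  }
    [pscustomobject]@{ PrimarySmtpAddress = 'ken@contoso.com'; StateOrProvince = 'Washington'; Company = 'Contoso'  }
    [pscustomobject]@{ PrimarySmtpAddress = 'pat@contoso.com'; StateOrProvince = 'wa';         Company = 'contoso'  }
    [pscustomobject]@{ PrimarySmtpAddress = 'lee@contoso.com'; StateOrProvince = 'WA';         Company = 'Fabrikam' }
)

# Approved membership recorded earlier: amy and pat match both rules, ken fails the
# exact-match test on StateOrProvince, lee fails the second rule.
$baseline = @('amy@contoso.com', 'pat@contoso.com')
$before = Get-MembershipDrift -Recipient $recipients -Rule $rules -Baseline $baseline

# A routine directory cleanup normalizes ken's state to 'WA'; he now matches the filter.
$recipients[1].StateOrProvince = 'WA'
$after = Get-MembershipDrift -Recipient $recipients -Rule $rules -Baseline $baseline

"Before edit - added: $($before.Added -join ', ')"
"After edit  - added: $($after.Added -join ', ')"

# In a live Exchange Online PowerShell session, the current membership can be
# previewed from the group's own filter and compared to a saved baseline:
#   $ddg = Get-DynamicDistributionGroup -Identity "Full Time Employees"
#   Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited
```

Before the edit nothing has drifted from the baseline; after it, ken@contoso.com is reported as added without anyone having changed the group.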
Use this section to view or change basic information about the group.
* Display name: This name appears in the address book, on the To: line when email is sent to this group,
and in the Groups list. The display name is required and should be user-friendly so people recognize what it
is. It also has to be unique in your domain.
* Alias: This is the portion of the email address that appears to the left of the at (@) symbol. If you change
the alias, the primary SMTP address for the group will also be changed, and contain the new alias. Also, the
email address with the previous alias will be kept as a proxy address for the group.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the address book and in the Details pane in the EAC.
Hide this group from address lists: Select this check box if you don't want users to see this group in the
address book. To send email to this group, a sender has to type the group's alias or email address on the To:
or Cc: lines.
Organizational unit: This read-only box displays the organizational unit (OU) that contains the dynamic
distribution group. You have to use Active Directory Users and Computers to move the group to a different
OU.
Ownership
Use this section to assign a group owner. A dynamic distribution group can have only one owner. The group owner
appears on the Managed by tab of the object in Active Directory Users and Computers.
You can add owners by clicking Browse and selecting the owner from the list. To remove the owner, click Clear
and then click Save.
Membership
Use this section to change the criteria used to determine membership of the group. You can delete or change
existing membership rules and add new rules. For procedures that tell you how to do this, see Use the EAC to
create a dynamic distribution group in the procedures for configuring membership when you use the EAC to
create a new dynamic distribution group.
Delivery management
Use this section to manage who can send email to this group.
Only senders inside my organization: Select this option to allow only senders in your organization to
send messages to the group. This means that if someone outside your organization sends an email
message to this group, it is rejected. This is the default setting.
Senders inside and outside of my organization: Select this option to allow anyone to send messages to
the group.
You can further limit who can send messages to the group by allowing only specific senders to send
messages to this group. Click Add and then select one or more recipients. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.
To remove a person or a group from the list, select them in the list and then click Remove.
IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email
sent from a mail contact is rejected, even if they're added to this list.
Message approval
Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages are reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add. To remove a moderator, select the moderator,
and then click Remove. If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group are sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add. To remove a person or a group, select the item, and then click Remove.
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Notify all
senders, inside and outside your organization, when their message isn't approved.
Notify senders in your organization only when their messages aren't approved: When you
select this option, only people or groups in your organization are notified when a message that they
sent to the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options
Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
NOTE
To make the new address the primary SMTP address for the group, select the Make this the reply address
check box.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for proper formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Edit: To change an email address associated with the group, select it from the list, and then click Edit.
NOTE
To make an existing address the primary SMTP address for the group, select the Make this the reply address check
box.
Remove: To delete an email address associated with the group, select it from the list, and then click
Remove.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. This box is selected by default.
MailTip
Use this section to add a MailTip to alert users of potential issues before they send a message to this group. A
MailTip is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email
message. For example, you could add a MailTip to large groups to warn potential senders that their message will
be sent to lots of people.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Group delegation
Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group or
send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group. After
this permission is assigned, the delegate has the option to add the group on the From line. The message
will appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
Use Exchange Online PowerShell to change dynamic distribution group properties
Use the Get-DynamicDistributionGroup and Set-DynamicDistributionGroup cmdlets to view and change
properties for dynamic distribution groups. Advantages of using Exchange Online PowerShell are the ability to
change the properties that aren't available in the EAC and change properties for multiple groups. For information
about what parameters correspond to distribution group properties, see the following topics:
Get-DynamicDistributionGroup
Set-DynamicDistributionGroup
Here are some examples of using Exchange Online PowerShell to change dynamic distribution group properties.
This example changes the following parameters for all dynamic distribution groups in the organization:
Hide all dynamic distribution groups from the address book
Set the maximum message size that can be sent to the group to 5MB
Enable moderation
Assign the administrator as the group moderator
This example adds the proxy SMTP email address, Seattle.Employees@contoso.com, to the All Employees group.
For the example above where the message limits were changed, run this command.
Get-Mailbox -OrganizationalUnit "Marketing" | Format-List Name,IssueWarningQuota,ProhibitSendQuota,ProhibitSendReceiveQuota,UseDatabaseQuotaDefaults
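The two dynamic distribution group changes described above, written out as an added example (it is not the article's own listing). It assumes a connected Exchange Online PowerShell session and that the recipient administrator and the group All Employees exist, as named in the text.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# "administrator" and "All Employees" are the names used in the text.

# Settings from the first example: hide the groups from the address book,
# limit message size to 5 MB, enable moderation, set the moderator.
# MaxReceiveSize is the parameter for the 5 MB limit named in the text.
$settings = @{
    HiddenFromAddressListsEnabled = $true
    MaxReceiveSize                = '5MB'
    ModerationEnabled             = $true
    ModeratedBy                   = 'administrator'
}

# Dry run: -WhatIf reports every group that would be changed and changes
# nothing. Review that list before running the second pipeline.
Get-DynamicDistributionGroup -ResultSize Unlimited |
    Set-DynamicDistributionGroup @settings -WhatIf

# Apply the settings to all dynamic distribution groups.
Get-DynamicDistributionGroup -ResultSize Unlimited |
    Set-DynamicDistributionGroup @settings

# Second example: add a proxy address. The @{Add=...} form appends to the
# existing EmailAddresses list instead of replacing it.
Set-DynamicDistributionGroup -Identity 'All Employees' `
    -EmailAddresses @{Add = 'Seattle.Employees@contoso.com'}

# Read the values back to confirm the change on every group.
Get-DynamicDistributionGroup -ResultSize Unlimited |
    Format-List Name, HiddenFromAddressListsEnabled, MaxReceiveSize,
                ModerationEnabled, ModeratedBy, EmailAddresses
```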
View members of a dynamic distribution group
3/4/2019
Dynamic distribution groups are distribution groups whose membership is based on specific recipient filters rather
than a defined set of recipients. Microsoft Exchange provides precanned filters to make it easier to create recipient
filters for dynamic distribution groups. A precanned filter is a commonly used filter that you can use to meet a
variety of recipient-filtering criteria. You can specify the recipient types you want to include in a dynamic
distribution group. Additionally, you can also specify a list of conditions that the recipients must meet. You can use
Exchange Online PowerShell to preview the list of recipients for a dynamic distribution group that uses precanned
filters.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
For detailed syntax and parameter information, see Get-DynamicDistributionGroup and Get-Recipient.
NOTE
You cannot view members of a dynamic distribution group by using the EAC.
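One way to preview the recipients a dynamic distribution group resolves to, and to see which of them receive mail outside the organization. This is an added example, not the article's own listing; it assumes a connected Exchange Online PowerShell session, and the group name Full Time Employees and the function name are placeholders.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# 'Full Time Employees' is a placeholder group name.
function Get-DynamicGroupPreview {
    param([Parameter(Mandatory)][string]$Identity)

    $group = Get-DynamicDistributionGroup -Identity $Identity

    # RecipientFilter holds the group's filter and RecipientContainer the
    # OU it is evaluated in. Get-Recipient evaluates the filter now, which
    # is the same evaluation that happens when a message is sent.
    Get-Recipient -ResultSize Unlimited `
        -RecipientPreviewFilter $group.RecipientFilter `
        -OrganizationalUnit $group.RecipientContainer
}

$members = @(Get-DynamicGroupPreview -Identity 'Full Time Employees')

# Full preview, grouped by recipient type.
$members | Sort-Object RecipientTypeDetails, Name |
    Format-Table Name, PrimarySmtpAddress, RecipientTypeDetails

# Count per recipient type: a quick check that the filter matches only the
# kinds of recipients the group is meant for.
$members | Group-Object RecipientTypeDetails |
    Select-Object Name, Count

# Recipients whose mail is delivered to an external address. If the group is
# meant to be internal only, each row here is a filter condition to tighten.
$members |
    Where-Object RecipientTypeDetails -in 'MailContact', 'MailUser', 'GuestMailUser' |
    Format-Table Name, PrimarySmtpAddress, RecipientTypeDetails
```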
A mail-enabled security group can be used to distribute messages as well as to grant access permissions to
resources in Active Directory. For more information, see Recipients.
NOTE
If a group naming policy is applied, you must follow the naming constraints enforced for your organization. For more
information, see Create a distribution group naming policy. If you want to override your organization's group naming
policy, see Override the distribution group naming policy.
* Alias: Use this box to type the alias for the security group. The alias can't exceed 64 characters and must
be unique in the forest. When a user types the alias on the To: line of an email message, it resolves to the
group's display name.
Description: Use this box to describe the security group so people know what the purpose of the group is.
Organizational unit: You can select an organizational unit (OU) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users container in
the Active Directory domain that contains the computer on which the EAC is running. If the recipient scope
is set to a specific domain, the Users container in that domain is selected by default. If the recipient scope is
set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within the
specified scope. Select the desired OU, and then click OK.
* Owners: By default, the person who creates a group is the owner. All groups must have at least one
owner. You can add owners by clicking Add.
Members: Use this section to add members and to specify whether approval is required for people to join
or leave the group.
Group owners don't have to be members of the group. Use Add group owners as members to add or
remove the owners as members.
To add members to the group, click Add. When you've finished adding members, click OK to return to
the New security group page.
Select the Owner approval is required check box if you want the group owners to receive user requests
to join the group. If you select this option, members can only be removed by the group owners.
4. When you've finished, click Save to create the security group.
NOTE
By default, all new mail-enabled security groups require that all senders be authenticated. This prevents external senders
from sending messages to mail-enabled security groups. To configure a mail-enabled security group to accept messages
from all senders, you must modify the message delivery restriction settings for that group.
For more information about using Exchange Online PowerShell to create mail-enabled security groups, see
New-DistributionGroup.
How do you know this worked?
To verify that you've successfully created a mail-enabled security group, do one of the following:
In the EAC, navigate to Recipients > Groups. The new mail-enabled security group is displayed in the
group list. Under Group Type, the type is Security group.
In Exchange Online PowerShell, run the following command to display information about the new
mail-enabled security group.
Use this section to view or change basic information about the group.
* Display name: This name appears in the address book, on the To: line when email is sent to this group,
and in the Groups list. The display name is required and should be user-friendly so people recognize what it
is. It also has to be unique in your domain.
* Alias: This is the portion of the email address that appears to the left of the at (@) symbol. If you change
the alias, the primary SMTP address for the group will also be changed, and contain the new alias. Also, the
email address with the previous alias will be kept as a proxy address for the group.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the address book and in the Details pane in the EAC.
Hide this group from address lists: Select this check box if you don't want users to see this group in the
address book. If this check box is selected, a sender has to type the group's alias or email address on the To:
or Cc: lines to send mail to the group.
TIP
Consider hiding security groups because they're typically used to assign permissions to group members and not to
send email.
Organizational unit: This read-only box displays the organizational unit (OU) that contains the security
group. You have to use Active Directory Users and Computers to move the group to a different OU.
Ownership
Use this section to assign group owners. The group owner can add members to the group, and approve or reject
requests to join the group. By default, the person who creates a group is the owner. All groups must have at least
one owner.
You can add owners by clicking Add. You can remove an owner by selecting the owner and then clicking
Remove.
Membership
Use this section to add or remove members. Group owners don't have to be members of the group. Under
Members, you can add members by clicking Add. You can remove a member by selecting a user in the
member list and then clicking Remove.
Membership approval
Use this section to specify whether owner approval is required for users to join the group. If you select the Owner
approval is required check box, the group owner or owners receive an email requesting approval to join the
group. As previously mentioned, only owners can remove members from the group.
NOTE
This option will not work with mail-enabled security groups because of security-related limitations.
Delivery management
Use this section to manage who can send email to this group.
Only senders inside my organization: Select this option to allow only senders in your organization to
send messages to the group. This means that if someone outside of your organization sends an email
message to this group, it will be rejected. This is the default setting.
Senders inside and outside of my organization: Select this option to allow anyone to send messages to
the group.
You can further limit who can send messages to the group by allowing only specific senders to send
messages to this group. Click Add and then select one or more recipients. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.
To remove a person or a group from the list, select them in the list and then click Remove.
IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email
sent from a mail contact will be rejected, even if they're added to this list.
Message approval
Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages will be reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add. To remove a moderator, select the moderator,
and then click Remove. If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group will be sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add. To remove a person or a group, select the item, and then click Remove.
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Senders
inside and outside your organization will be notified when their messages aren't approved.
Notify senders in your organization when their messages aren't approved: When you select
this option, only people or groups in your organization are notified when a message that they sent to
the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options
Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
NOTE
To make the new address the primary SMTP address for the group, select the Make this the reply address
check box. This check box is displayed only when the Automatically update email addresses based on
the email address policy applied to this recipient check box isn't selected.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Edit: To change an email address associated with the group, select it in the list, and then click Edit.
NOTE
To make an existing address the primary SMTP address for the group, select the Make this the reply address check
box. As previously mentioned, this check box is displayed only when the Automatically update email addresses
based on the email address policy applied to this recipient check box isn't selected.
Remove: To delete an email address associated with the group, select it in the list, and then click Remove.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. By default, this box is selected.
MailTip
Use this section to add a MailTip to alert users of potential issues before they send a message to this group. A
MailTip is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email
message. For example, you could add a MailTip to large groups to warn potential senders that their message will
be sent to lots of people.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Group delegation
Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group or
send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group. After
this permission is assigned, the delegate has the option to add the group in the From line. The message will
appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
Use Exchange Online PowerShell to change security group properties
Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and change properties for security
groups. Advantages of using Exchange Online PowerShell are the ability to change the properties that aren't
available in the EAC and to change properties for multiple security groups. For information about which
parameters correspond to which distribution group properties, see the following topics:
Get-DistributionGroup
Set-DistributionGroup
Here are some examples of using Exchange Online PowerShell to change security group properties.
This example displays a list of all security groups in the organization.
This example changes the primary SMTP address (also called the reply address) for the Seattle Administrators
security group from admins@contoso.com to seattle.admins@contoso.com. The previous reply address will be
kept as a proxy address.
This example hides all security groups in the organization from the address book.
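The delivery management, message approval, delegation and address-list settings described above can be reviewed across many groups at once. The following added example (not code from the original article) flags the combinations that deserve a second look; it generalizes to both distribution and dynamic distribution groups. The function name and the sample objects are constructed, and the property names are the ones returned by Get-DistributionGroup.

```powershell
# Added example. Get-GroupExposure is a hypothetical helper; the sample
# objects below are constructed so the script runs without a session.
function Get-GroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group
    )
    process {
        # @($null).Count is 1 in PowerShell, so drop empty entries first.
        $allowed  = @($Group.AcceptMessagesOnlyFromSendersOrMembers | Where-Object { $_ })
        $bypass   = @($Group.BypassModerationFromSendersOrMembers | Where-Object { $_ })
        $onBehalf = @($Group.GrantSendOnBehalfTo | Where-Object { $_ })

        $findings = @()
        # "Senders inside and outside of my organization" clears this flag.
        if (-not $Group.RequireSenderAuthenticationEnabled) {
            $findings += 'accepts mail from outside the organization'
            if ($allowed.Count -eq 0 -and -not $Group.ModerationEnabled) {
                $findings += 'no sender list or moderation in front of external mail'
            }
        }
        if ($Group.ModerationEnabled -and $bypass.Count -gt 0) {
            $findings += "$($bypass.Count) sender(s) bypass moderation"
        }
        if ($onBehalf.Count -gt 0) {
            $findings += "Send on Behalf Of granted to: $($onBehalf -join ', ')"
        }
        # The TIP above suggests hiding security groups from the address book.
        if ($Group.RecipientTypeDetails -eq 'MailUniversalSecurityGroup' -and
            -not $Group.HiddenFromAddressListsEnabled) {
            $findings += 'security group is visible in the address book'
        }

        [pscustomobject]@{
            Name     = $Group.Name
            Type     = $Group.RecipientTypeDetails
            Findings = $findings
        }
    }
}

# Constructed sample input with the same property names as real groups.
$sample = @(
    [pscustomobject]@{
        Name = 'Seattle Administrators'
        RecipientTypeDetails = 'MailUniversalSecurityGroup'
        RequireSenderAuthenticationEnabled = $true
        ModerationEnabled = $false
        HiddenFromAddressListsEnabled = $false
        GrantSendOnBehalfTo = @('Karen Toh')
    }
    [pscustomobject]@{
        Name = 'All Employees'
        RecipientTypeDetails = 'DynamicDistributionGroup'
        RequireSenderAuthenticationEnabled = $false
        ModerationEnabled = $false
        HiddenFromAddressListsEnabled = $false
    }
)

$sample | Get-GroupExposure |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Name, Type, Findings

# Against a live organization (connected session required):
#   Get-DistributionGroup -ResultSize Unlimited | Get-GroupExposure
#   Get-DynamicDistributionGroup -ResultSize Unlimited | Get-GroupExposure
# Send As is stored separately from the group object:
#   Get-RecipientPermission -Identity 'Seattle Administrators' -AccessRights SendAs
```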
You can allow or block guest users who are using a specific domain. For example, let's say your business (Contoso)
has a partnership with another business (Fabrikam). You can add Fabrikam to your Allow list so your users can add
those guests to their groups.
Or, let's say you want to block personal email address domains. You can set up a Block list that contains domains
like Gmail.com and Outlook.com.
Install the preview version of the Azure Active Directory Module for Windows PowerShell
IMPORTANT: The procedures in this article require the PREVIEW version of the Azure Active Directory Module for
Windows PowerShell, specifically the AzureADPreview module version 2.0.0.98 or later.
1. Open Windows PowerShell as an administrator:
   a. In your search bar, type Windows PowerShell.
   b. Right-click on Windows PowerShell and select Run as Administrator.
The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an
administrator.
2. Run this command to see if you have any versions of the Azure Active Directory Module for Windows
PowerShell installed on your computer:
If no results are returned, run this command to install the latest version of the AzureADPreview module:
Install-Module AzureADPreview
If only the AzureAD module is shown in the results, run these commands to install the AzureADPreview
module:
Uninstall-Module AzureAD
Install-Module AzureADPreview
If only the AzureADPreview module is shown in the results, but the version is less than 2.0.0.98, run these
commands to update it:
Uninstall-Module AzureADPreview
Install-Module AzureADPreview
If both the AzureAD and AzureADPreview modules are shown in the results, but the version of the
AzureADPreview module is less than 2.0.0.98, run these commands to update it:
Uninstall-Module AzureAD
Uninstall-Module AzureADPreview
Install-Module AzureADPreview
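The four cases above reduce to one decision, shown here as an added example that is not part of the original article. The function name is hypothetical and the sample module lists are constructed; returning no action when AzureADPreview already meets the minimum version is an assumption, since the text does not cover that case.

```powershell
# Added example. Get-AzureADPreviewAction is a hypothetical helper that
# returns the commands to run; it does not install or remove anything.
function Get-AzureADPreviewAction {
    param(
        [object[]]$InstalledModules,
        [version]$MinimumVersion = '2.0.0.98'
    )

    $mods    = @($InstalledModules | Where-Object { $_ })
    $hasAD   = @($mods | Where-Object { $_.Name -eq 'AzureAD' }).Count -gt 0
    $preview = @($mods | Where-Object { $_.Name -eq 'AzureADPreview' } |
                 Sort-Object { [version]$_.Version } -Descending)

    # Assumption: a preview module at or above the minimum needs no action.
    if (($preview.Count -gt 0) -and
        ([version]$preview[0].Version -ge $MinimumVersion)) {
        return @()
    }

    $steps = @()
    if ($hasAD)               { $steps += 'Uninstall-Module AzureAD' }
    if ($preview.Count -gt 0) { $steps += 'Uninstall-Module AzureADPreview' }
    $steps += 'Install-Module AzureADPreview'
    return $steps
}

# Constructed inputs, one per case in the text plus the up-to-date case.
$cases = [ordered]@{
    'nothing installed'       = @()
    'only AzureAD'            = @([pscustomobject]@{ Name = 'AzureAD';        Version = [version]'2.0.2.4' })
    'only old AzureADPreview' = @([pscustomobject]@{ Name = 'AzureADPreview'; Version = [version]'2.0.0.33' })
    'both, preview too old'   = @(
        [pscustomobject]@{ Name = 'AzureAD';        Version = [version]'2.0.2.4' }
        [pscustomobject]@{ Name = 'AzureADPreview'; Version = [version]'2.0.0.33' }
    )
    'preview is current'      = @([pscustomobject]@{ Name = 'AzureADPreview'; Version = [version]'2.0.0.98' })
}

foreach ($name in $cases.Keys) {
    $steps = @(Get-AzureADPreviewAction -InstalledModules $cases[$name])
    '{0}: {1}' -f $name, $(if ($steps.Count) { $steps -join '; ' } else { 'no action' })
}

# On a real computer, pass in what is actually installed:
#   Get-AzureADPreviewAction -InstalledModules (Get-Module -ListAvailable -Name AzureAD*)
```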
Where you replace contoso.com and fabrikam.com with the domains you want to allow.
OR
Remember, you can create only one policy. You'll get an error if you try to create another one.
Where you replace contoso.com and fabrikam.com with the domains you want to allow.
OR
Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint
Set-GuestAllowBlockDomainPolicy.ps1 -Remove
Mail contacts are mail-enabled directory service objects that contain information about people or organizations
that exist outside your Exchange or Exchange Online organization. Each mail contact has an external email
address. For more information about mail contacts, see Recipients.
NOTE
The Organizational unit box is only available in Exchange Server. It isn't available in Exchange Online.
This example creates a mail contact for Alan Shen in Exchange Online.
This example mail-enables an existing contact named Karen Toh in Exchange Server.
Use the General section to view or change basic information about the mail contact.
First name, Initials, Last name
* Name: This is the name that's listed in Active Directory. If you change this name, it can't exceed 64
characters.
* Display name: This name appears in your organization's address book, on the To and From lines in
email, and in the Mailbox list. This name can't contain empty spaces before or after the display name.
* Alias: This is the mail contact's alias. If you change it, it must be unique in the organization and must be
64 characters or less.
* External email address: This is the mail contact's primary SMTP address and their outside email account.
Email sent to this contact is forwarded to this email address.
Click More options to display the OU that contains the mail contact account. You have to use Active
Directory Users and Computers to move the contact to a different OU.
Contact Information
Use the Contact Information section to view or change the recipient's contact information, such as mailing
address and telephone numbers. This information is displayed in the address book.
Organization
Use the Organization section to record detailed information about the mail contact's role in the organization.
This information is displayed in the address book. Also, you can create a virtual organization chart that's
accessible from email clients such as Outlook.
Title: Use this box to view or change the contact's title.
Department: Use this box to view or change the department in which the contact works. You can use this
box to create recipient conditions for dynamic distribution groups and address lists.
Company: Use this box to view or change the company for which the contact works. You can also use this
box to create recipient conditions for dynamic distribution groups.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a recipient who reports to a specific manager. If
you've specified a manager for the recipient, that recipient appears as a direct report in the details of the
manager's mailbox. For example, Toby manages Ann and Spencer, who are mail contacts, so Toby is
specified in the Manager box in the organization properties for Ann and Spencer, and Ann and Spencer
appear in the Direct reports box in the properties of Toby's mailbox.
Email Options
Use the Email Options section to add or remove proxy addresses for the mail contact or edit existing proxy
addresses. The mail contact's primary SMTP address is also displayed in this section, but you can't change it. To
change it, you have to change the contact's external email address in the General section.
NOTE
The Email Options section is only available in Exchange Server. It's not available in Exchange Online.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues before they send a message to this
recipient. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc lines of
a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Set-Contact "Kai Axford" -Title Consultant -Department "Public Relations" -Company Fabrikam -Manager "Karen Toh"
This example sets the CustomAttribute1 property to a value of PartTime for all mail contacts and hides them from
the organization's address book.
This example sets the CustomAttribute15 property to a value of TemporaryEmployee for all mail contacts in the
Public Relations department.
In the example above where the CustomAttribute15 was set for all mail contacts in the Public Relations
department, run the following command to verify the changes.
Get-Contact -Filter "Department -eq 'Public Relations'" | Get-MailContact | Format-List Name,CustomAttribute15
TIP
You can select multiple adjacent mail contacts by holding down the Shift key and clicking the first mail contact, and
then clicking the last mail contact you want to edit. You can also select multiple mail contacts by holding down the
Ctrl key and clicking each one that you want to edit.
3. In the Details pane, under Bulk Edit, click Update under Contact Information or Organization.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited mail contacts, do one of the following:
In the EAC, select each of the mail contacts that you bulk edited, and then click Edit to view the
properties that you changed.
In Exchange Online PowerShell, use the Get-Contact cmdlet to verify the changes. For example, say you
used the bulk edit feature in the EAC to change the manager and the office for all mail contacts from a
vendor company named A. Datum Corporation. To verify these changes, you could run the following
command in Exchange Online PowerShell.
Mail users are similar to mail contacts. Both have external email addresses and both contain information about
people outside your Exchange or Exchange Online organization that can be displayed in the shared address book
and other address lists. However, unlike a mail contact, a mail user has logon credentials in your Exchange or
Office 365 organization and can access resources. For more information, see Recipients.
NOTE
SMTP addresses are validated for correct formatting. If your entry is inconsistent with the SMTP format, an error
message will be displayed when you click Save to create the mail user.
To specify a custom address type, click the option button and then type the custom address type. For
example, you can specify an X.500, GroupWise, or Lotus Notes address.
4. In the * External email address box, type the mail user's external email address. Email sent to this mail
user is forwarded to this email address. This box is required.
5. Select one of the following options:
Existing user: Select to mail-enable an existing user.
Click Browse to open the Select User - Entire Forest dialog box. This dialog box displays a list of user
accounts in the organization that aren't mail-enabled or don't have mailboxes. Select the user account you
want to mail-enable, and then click OK. If you select this option, you don't have to provide user account
information because this information already exists in Active Directory.
New user: Select to create a new user account in Active Directory and mail-enable the user. If you select
this option, you'll have to provide the required user account information.
6. If you selected New User in Step 5, complete the following boxes on the New mail user page. Otherwise
skip to Step 7.
First name: Use this box to type the first name of the mail user.
Initials: Use this box to type the initials of the mail user.
Last name: Use this box to type the last name of the mail user.
* Display name: Use this box to type a display name for the user. This is the name that's listed in
the contacts list in the EAC and in your organization's address book. By default, this box is populated
with the names you enter in the First name, Initials, and Last name boxes. If you didn't use those
boxes, you must still type a name in this box because it's required. The name can't exceed 64
characters.
* User ID: Use this box to type the name that the mail user will use to log on to the domain. The
user logon name consists of a username on the left side of the at (@) symbol and a suffix on the
right side. Typically, the suffix is the domain name the user account resides in.
* New Password: Use this box to type the password that the mail user must use to log on to the
domain.
NOTE
Make sure that the password you supply complies with the password length, complexity, and history requirements
of the domain you're creating the user account in.
* Confirm password: Use this box to confirm the password that you typed in the Password box.
Require password change on next logon: Select this check box if you want mail users to reset the
password when they first log on to the domain.
If you select this check box, at first logon, the new mail user will be prompted with a dialog box in which to
change the password. The mail user won't be allowed to perform any tasks until the password is changed
successfully.
7. When you've finished, click Save to create the mail user.
Use Exchange Online PowerShell to create a mail user
This example creates a mail-enabled user account for Jeffrey Zeng with the following details:
The name and display name is Jeffrey Zeng (if you don't use the DisplayName parameter, the value of the
Name parameter is used for the display name).
The alias is jeffreyz.
The external email address is jzeng@tailspintoys.com.
The first name is Jeffrey and the last name is Zeng.
The logon name is jeffreyz@contoso.com.
The password is Pa$$word1.
New-MailUser -Name "Jeffrey Zeng" -Alias jeffreyz -ExternalEmailAddress jzeng@tailspintoys.com -FirstName Jeffrey -LastName Zeng -UserPrincipalName jeffreyz@contoso.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force)
This example creates a mail-enabled user account for Rene Valdes in Exchange Online.
Use the General section to view or change basic information about the mail user.
First name, Initials, Last name
* Name: This is the name that's listed in Active Directory. If you change this name, it can't exceed 64
characters.
* Display name: This name appears in your organization's address book, on the To: and From: lines in
email, and in the list of contacts in the EAC. This name can't contain empty spaces before or after the
display name.
* User logon name: This is the name that the user uses to log on to the domain. In Exchange Online, this
is the User ID that the user uses to sign in to Office 365.
Hide from address lists: Select this check box to prevent the mail user from appearing in the address
book and other address lists that are defined in your Exchange organization. After you select this check box,
users can still send messages to the recipient by using the email address.
Click More options to view or change these additional properties:
Custom attributes: This section displays the custom attributes defined for the mail user. To specify custom
attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Contact Information
Use the Contact Information section to view or change the user's contact information. The information on this
page is displayed in the address book. Click More options to display additional boxes.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies,
or address lists.
Organization
Use the Organization section to record detailed information about the user's role in the organization. This
information is displayed in the address book. Also, you can create a virtual organization chart that's accessible
from email clients such as Outlook.
Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user works. You can use this box
to create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works. You can use this box to
create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a specific manager. If
you've specified a manager for the user, that user appears as a direct report in the details of the manager's
mailbox. For example, Kari manages Chris and Kate, so Kari is specified in the Manager box for Chris and
Kate, and Chris and Kate appear in the Direct reports box in the properties of Kari's account.
Email Addresses
Use the Email Addresses section to view or change the email addresses associated with the mail user. This
includes the mail user's primary SMTP address, their external email address, and any associated proxy addresses.
The primary SMTP address (also known as the default reply address) is displayed in bold text in the address list,
with the uppercase SMTP value in the Type column. By default, after the mail user is created, the primary SMTP
address and the external email address are the same.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in
the * Email address box.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting. You must
make sure that the custom address you specify complies with the format requirements for that address type.
Set the external email address: Use this box to change the mail user's external address. Email sent to this
mail user is forwarded to this email address.
Mail Flow Settings
Use the Mail Flow Settings section to view or change the following settings:
Message Size Restrictions: These settings control the size of messages that the mail user can send and
receive. Click View details to view and change maximum size for sent and received messages.
Sent messages: To specify a maximum size for messages sent by this user, select the Maximum
message size (KB) check box and type a value in the box. The message size must be between 0 and
2,097,151 KB. If the user sends a message larger than the specified size, the message will be
returned to the user with a descriptive error message.
Received messages: To specify a maximum size for messages received by this user, select the
Maximum message size (KB) check box and type a value in the box. The message size must be
between 0 and 2,097,151 KB. If the user receives a message larger than the specified size, the
message will be returned to the sender with a descriptive error message.
Message Delivery Restrictions: These settings control who can send email messages to this mail user.
Click View details to view and change these restrictions.
Accept messages from: Use this section to specify who can send messages to this user.
All senders: Select this option to specify that the user can accept messages from all senders. This
includes both senders in your Exchange organization and external senders. This option is selected by
default. This option includes external users only if you clear the Require that all senders are
authenticated check box. If you select this check box, messages from external users will be rejected.
Only senders in the following list: Select this option to specify that the user can accept messages
only from a specified set of senders in your Exchange organization. Click Add to display the
Select Recipients page, which displays a list of all recipients in your Exchange organization. Select
the recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Require that all senders are authenticated: Select this option to prevent anonymous users from
sending messages to the user.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: Select this option to specify that the mailbox won't reject messages from any senders
in the Exchange organization. This option is selected by default.
Senders in the following list: Select this option to specify that the mailbox will reject messages
from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipients page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
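The delivery restrictions described above are stored as recipient properties that Get-MailUser returns, so they can be reviewed in bulk instead of one properties page at a time. The following is an added example, not part of the original documentation: the function name Get-MailUserDeliveryPosture and the sample objects are constructed for illustration, and the property names are the ones Get-MailUser exposes.

```powershell
# Added example: summarize who is allowed to send to each mail user.
# Function name and sample data are constructed; they are not from the documentation.
function Get-MailUserDeliveryPosture {
    [CmdletBinding()]
    param(
        # A recipient object such as the ones Get-MailUser returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$MailUser
    )
    process {
        # Multivalued properties can be $null or empty; normalize both to arrays.
        $allow = @($MailUser.AcceptMessagesOnlyFromSendersOrMembers | Where-Object { $_ })
        $block = @($MailUser.RejectMessagesFromSendersOrMembers | Where-Object { $_ })
        $requireAuth = [bool]$MailUser.RequireSenderAuthenticationEnabled

        # "All senders" vs. "Only senders in the following list" in the EAC.
        $acceptFrom = if ($allow.Count -gt 0) { 'Only listed senders' } else { 'All senders' }

        [pscustomobject]@{
            Name                        = $MailUser.Name
            ExternalEmailAddress        = $MailUser.ExternalEmailAddress
            AcceptFrom                  = $acceptFrom
            AllowListCount              = $allow.Count
            RejectListCount             = $block.Count
            RequireSenderAuthentication = $requireAuth
            # Anonymous (external) senders get through only when authentication
            # is not required and no allow list narrows the accepted senders.
            OpenToAnonymousSenders      = (-not $requireAuth) -and ($allow.Count -eq 0)
            HiddenFromAddressLists      = [bool]$MailUser.HiddenFromAddressListsEnabled
        }
    }
}

# Constructed sample recipients so the function can be tried without a tenant.
$sampleMailUsers = @(
    [pscustomobject]@{
        Name                                   = 'Jeffrey Zeng'
        ExternalEmailAddress                   = 'SMTP:jzeng@tailspintoys.com'
        RequireSenderAuthenticationEnabled     = $false
        AcceptMessagesOnlyFromSendersOrMembers = @()
        RejectMessagesFromSendersOrMembers     = @()
        HiddenFromAddressListsEnabled          = $false
    }
    [pscustomobject]@{
        Name                                   = 'Vendor Contact (constructed)'
        ExternalEmailAddress                   = 'SMTP:contact@vendor.example'
        RequireSenderAuthenticationEnabled     = $true
        AcceptMessagesOnlyFromSendersOrMembers = @('Purchasing Team')
        RejectMessagesFromSendersOrMembers     = @()
        HiddenFromAddressListsEnabled          = $true
    }
)

$sampleMailUsers | Get-MailUserDeliveryPosture | Format-Table -AutoSize

# In a connected Exchange Online PowerShell session, list the mail users that
# still accept mail from unauthenticated senders:
# Get-MailUser -ResultSize unlimited | Get-MailUserDeliveryPosture |
#     Where-Object OpenToAnonymousSenders
```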
Member Of
Use the Member Of section to view a list of the distribution groups or security groups to which this user belongs.
You can't change membership information on this page. Note that the user may match the criteria for one or
more dynamic distribution groups in your organization. However, dynamic distribution groups aren't displayed
on this page because their membership is calculated each time they're used.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues before they send a message to this
recipient. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc lines of
a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
This example hides all mail users from the organization's address book.
This example sets the Company property for all mail users to Contoso.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser')} | Set-User -Company Contoso
This example sets the CustomAttribute1 property to a value of ContosoEmployee for all mail users that have a
value of Contoso in the Company property.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser') -and (Company -eq 'Contoso')} | Set-MailUser -CustomAttribute1 ContosoEmployee
In the example above where all mail users had the CustomAttribute1 property set to ContosoEmployee,
run the following command to verify the changes.
TIP
You can select multiple adjacent mail users by holding down the Shift key and clicking the first mail user, and then
clicking the last mail user you want to edit. You can also select multiple mail users by holding down the Ctrl key and
clicking each one that you want to edit.
3. In the Details pane, under Bulk Edit, click Update under Contact Information or Organization.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited mail users, do one of the following:
In the EAC, select each of the mail users that you bulk edited and then click Edit to view the properties
that you changed.
In Exchange Online PowerShell, use the Get-User cmdlet to verify the changes. For example, say you used
the bulk edit feature in the EAC to change the manager and the office for all mail users from a vendor
company named A. Datum Corporation. To verify these changes, you could run the following command in
Exchange Online PowerShell:
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser') -and (Company -eq 'Adatum')} | Format-List Name,Office,Manager
Use directory synchronization to manage mail users in Exchange Online
This section provides information about managing email users by using directory synchronization in Exchange
Online. Directory synchronization is available for hybrid customers with on-premises and cloud-hosted
mailboxes, and for fully hosted Exchange Online customers whose Active Directory is on-premises.
Notes:
If you use directory synchronization to manage your recipients, you can still add and manage users in the
Office 365 admin center, but they will not be synchronized with your on-premises Active Directory. This is
because directory synchronization only syncs recipients from your on-premises Active Directory to the
cloud.
Using directory synchronization is recommended for use with the following features:
Outlook safe sender and blocked sender lists: When synchronized to the service, these lists will
take precedence over spam filtering in the service. This lets users manage their own safe sender and
blocked sender lists on a per-user or per-domain basis.
Directory Based Edge Blocking (DBEB): For more information about DBEB, see Use Directory
Based Edge Blocking to reject messages sent to invalid recipients.
End user spam quarantine: In order to access the end user spam quarantine, end users must have
a valid Office 365 user ID and password. Customers with on-premises mailboxes must be valid
email users.
Mail flow rules (also known as transport rules): When you use directory synchronization, your
existing Active Directory users and groups are automatically uploaded to the cloud, and you can
then create mail flow rules that target specific users and/or groups without having to manually add
them via the EAC or Exchange Online PowerShell. Note that dynamic distribution groups can't be
synchronized via directory synchronization.
Before you begin
Get the necessary permissions and prepare for directory synchronization, as described in Prepare for directory
synchronization.
To synchronize user directories
1. Activate directory synchronization, as described in Activate directory synchronization.
2. Set up your directory synchronization computer, as described in Set up your directory sync computer.
3. Synchronize your directories, as described in Use the Configuration Wizard to sync your directories.
IMPORTANT
When you finish the Azure Active Directory Sync Tool Configuration Wizard, the MSOL_AD_SYNC account is created
in your Active Directory forest. This account is used to read and synchronize your on-premises Active Directory
information. In order for directory synchronization to work correctly, make sure that TCP 443 on your local directory
synchronization server is open.
A room mailbox is a resource mailbox that's assigned to a physical location, such as a conference room, an
auditorium, or a training room. After an administrator creates room mailboxes, users can easily reserve rooms by
including room mailboxes in meeting requests. For more details, check out Recipients.
For info about another type of resource mailbox, check out Manage equipment mailboxes.
IMPORTANT
If you're running Exchange Server in a hybrid scenario, make sure you create the room mailboxes in the appropriate place.
Create room mailboxes for your on-premises organization on-premises, and create room mailboxes for the Exchange Online
side in the cloud.
TIP
Although there are other fields that describe the details of the room, for example, Location and Capacity, consider
summarizing the most important details in the room name using a consistent naming convention. Why? So users
can easily see the details when they select the room from the address book in the meeting request.
* Email address: A room mailbox has an email address so it can receive booking requests. The email
address consists of an alias on the left side of the @ symbol, which must be unique in the forest, and your
domain name on the right. The email address is required.
Location, Phone, Capacity: You can use these fields to enter details about the room. However, as
explained earlier, you can include some or all of this information in the room name so users can see it.
4. When you're finished, click Save to create the room mailbox.
Once you've created your room mailbox, you can edit your room mailbox to update info about booking options,
MailTips and mailbox delegation. Check out the Use the Exchange admin center section below to change room
mailbox properties.
Use Exchange Online PowerShell to create a room mailbox
This example creates a room mailbox with the following configuration:
The mailbox's name is ConfRoom1. This name will also be used to create the room's email address.
The display name in the Exchange admin center and the address book will be Conference Room 1.
The Room switch specifies that this mailbox will be created as a room mailbox.
Use the General section to view or change basic information about the resource.
* Room name: This name appears in the resource mailbox list in the Exchange admin center and in your
organization's address book. It can't exceed 64 characters if you change it.
* Email address: This read-only box displays the email address for the room mailbox. You can change it in
the Email Address section.
Capacity: Use this box to enter the maximum number of people who can safely occupy the room.
Click More options to view or change these additional properties:
Organizational unit: This read-only box displays the organizational unit (OU) that contains the account for
the room mailbox. You have to use Active Directory Users and Computers to move the account to a
different OU.
Mailbox database: This read-only box displays the name of the mailbox database that hosts the room
mailbox. Use the Migration page in the Exchange admin center to move the mailbox to a different
database.
* Alias: Use this box to change the alias for the room mailbox.
Hide from address lists: Select this check box to prevent the room mailbox from appearing in the address
book and other address lists that are defined in your Exchange organization. After you select this check box,
users can still send booking messages to the room mailbox by using the email address.
Department: Use this box to specify a department name that the room is associated with. You can use this
property to create recipient conditions for dynamic distribution groups and address lists.
Company: Use this box to specify a company that the room is associated with, if applicable. Like the
Department property, you can use this property to create recipient conditions for dynamic distribution
groups and address lists.
Address book policy: Use this option to specify an address book policy (ABP) for the room mailbox. ABPs
contain a global address list (GAL), an offline address book (OAB), a room list, and a set of address lists. To
learn more, see Address book policies.
In the drop-down list, select the policy that you want associated with this mailbox.
Custom attributes: This section displays the custom attributes defined for the room mailbox. To specify
custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Delegates
Use this section to view or change how the room mailbox handles reservation requests and to define who can
accept or decline booking requests if it isn't done automatically.
Booking requests: Select one of the following options to handle booking requests.
Accept or decline booking requests automatically: A valid meeting request automatically
reserves the room. If there's a scheduling conflict with an existing reservation, or if the booking
request violates the scheduling limits of the resource, for example, the reservation duration is too
long, the meeting request is automatically declined.
Select delegates who can accept or decline booking requests: Resource delegates are
responsible for accepting or declining meeting requests that are sent to the room mailbox. If you
assign more than one resource delegate, only one of them has to act on a specific meeting request.
Delegates: If you selected the option requiring that booking requests be sent to delegates, the specified
delegates are listed. Click Add or Remove to add or remove delegates from this list.
Booking Options
Use the Booking Options section to view or change the settings for the booking policy that defines when the
room can be scheduled, how long it can be reserved, and how far in advance it can be reserved.
Allow repeating meetings: This setting allows or prevents repeating meetings for the room. By default,
this setting is enabled, so repeating meetings are allowed.
Allow scheduling only during working hours: This setting accepts or declines meeting requests that
aren't during the working hours defined for the room. By default, this setting is disabled, so meeting
requests are allowed outside the working hours. By default, working hours are 8:00 A.M. to 5:00 P.M.
Monday through Friday. You can configure the working hours of the room mailbox in the Appearance
section on the Calendar page.
Always decline if the end date is beyond this limit: This setting controls the behavior of repeating
meetings that extend beyond the date specified by the maximum booking lead time setting.
If you enable this setting, a repeating booking request is automatically declined if the bookings start
on or before the date specified by the value in the Maximum booking lead time box, and they
extend beyond the specified date. This is the default setting.
If you disable this setting, a repeating booking request is automatically accepted if booking requests
start on or before the date specified by the value in the Maximum booking lead time box, and
they extend beyond the specified date. However, the number of bookings is reduced so bookings
won't occur after the specified date.
Maximum booking lead time (days): This setting specifies the maximum number of days in advance that
the room can be booked. Valid input is an integer between 0 and 1080. The default value is 180 days.
Maximum duration (hours): This setting specifies the maximum duration that the room can be reserved
in a booking request. The default value is 24 hours.
For repeating booking requests, the maximum booking duration applies to the length of each instance of
the repeating booking request.
There's also a box on this page that you can use to write a message that will be sent to users who send booking
requests to reserve the room.
Contact Information
Use the Contact Information section to view or change the contact information for the room. The information on
this page is displayed in the address book.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies, or
address lists.
Email Address
Use the Email Address section to view or change the email addresses associated with the room mailbox. This
includes the mailbox's primary SMTP address and any associated proxy addresses. The primary SMTP address
(also known as the reply address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service to locate UM-enabled recipients within an Exchange organization. EUM
addresses consist of the extension number and the UM dial plan for the UM-enabled user. Click this
button and type the extension number in the Address/Extension box. Then click Browse and select
a dial plan for the mailbox.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
NOTE
When you add a new email address, you have the option to make it the primary SMTP address.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues before they send a booking request to
the room mailbox. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc
lines of a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Set-Mailbox "Conf Room 123" -DisplayName "Conf Room 31/123 (12)" -EmailAddresses SMTP:Rm33.123@contoso.com,smtp:rm123@contoso.com -ResourceCapacity 12
This example configures room mailboxes to allow booking requests to be scheduled only during working hours
and sets a maximum duration of 9 hours.
This example uses the Get-User cmdlet to find all room mailboxes that correspond to private conference rooms,
and then uses the Set-CalendarProcessing cmdlet to send booking requests to a delegate named Robin Wood to
accept or decline.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'RoomMailbox') -and (DisplayName -like 'Private*')} | Set-CalendarProcessing -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Robin Wood"
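The Booking Options described earlier in this topic correspond to properties returned by Get-CalendarProcessing, which makes it possible to check every room against one intended policy. The following is an added example, not part of the original documentation: the function name Test-RoomBookingPolicy, the baseline values and the sample objects are constructed for illustration. Note that the EAC shows the maximum duration in hours while the cmdlet property is in minutes.

```powershell
# Added example: report room mailboxes whose booking settings differ from a baseline.
# Function name, baseline and sample data are constructed; they are not from the documentation.
function Test-RoomBookingPolicy {
    [CmdletBinding()]
    param(
        # An object such as the ones Get-CalendarProcessing returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$CalendarProcessing,

        # Setting name -> expected value.
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Baseline
    )
    process {
        # The EAC accepts 0 through 1080 days for the maximum booking lead time.
        $window = $CalendarProcessing.BookingWindowInDays
        if ($null -ne $window -and ($window -lt 0 -or $window -gt 1080)) {
            [pscustomobject]@{
                Room     = $CalendarProcessing.Identity
                Setting  = 'BookingWindowInDays'
                Expected = '0..1080'
                Actual   = $window
            }
        }

        # Emit one row per setting that differs from the baseline.
        foreach ($setting in $Baseline.Keys) {
            $actual = $CalendarProcessing.$setting
            if ($actual -ne $Baseline[$setting]) {
                [pscustomobject]@{
                    Room     = $CalendarProcessing.Identity
                    Setting  = $setting
                    Expected = $Baseline[$setting]
                    Actual   = $actual
                }
            }
        }
    }
}

# EAC label                                      -> cmdlet property
# Allow repeating meetings                        -> AllowRecurringMeetings
# Allow scheduling only during working hours      -> ScheduleOnlyDuringWorkHours
# Always decline if the end date is beyond limit  -> EnforceSchedulingHorizon
# Maximum booking lead time (days)                -> BookingWindowInDays
# Maximum duration (hours)                        -> MaximumDurationInMinutes
$baseline = [ordered]@{
    AllowRecurringMeetings      = $true
    ScheduleOnlyDuringWorkHours = $true
    EnforceSchedulingHorizon    = $true
    BookingWindowInDays         = 180
    MaximumDurationInMinutes    = 9 * 60   # 9 hours expressed in minutes
}

# Constructed sample settings so the check can be tried without a tenant.
$sampleRooms = @(
    [pscustomobject]@{
        Identity                    = 'ConfRoom1'
        AllowRecurringMeetings      = $true
        ScheduleOnlyDuringWorkHours = $true
        EnforceSchedulingHorizon    = $true
        BookingWindowInDays         = 180
        MaximumDurationInMinutes    = 540
    }
    [pscustomobject]@{
        Identity                    = 'Private Room 2 (constructed)'
        AllowRecurringMeetings      = $true
        ScheduleOnlyDuringWorkHours = $false
        EnforceSchedulingHorizon    = $true
        BookingWindowInDays         = 180
        MaximumDurationInMinutes    = 1440
    }
)

$sampleRooms | Test-RoomBookingPolicy -Baseline $baseline | Format-Table -AutoSize

# In a connected Exchange Online PowerShell session:
# Get-Mailbox -ResultSize unlimited -RecipientTypeDetails RoomMailbox |
#     Get-CalendarProcessing | Test-RoomBookingPolicy -Baseline $baseline
# To bring one room back to the baseline values used here:
# Set-CalendarProcessing -Identity ConfRoom1 -ScheduleOnlyDuringWorkHours $true -MaximumDurationInMinutes 540
```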
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts
for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Manage equipment mailboxes
3/29/2019 • 11 minutes to read
An equipment mailbox is a resource mailbox assigned to a resource that's not location specific, such as a portable
computer, projector, microphone, or a company car. After an administrator creates an equipment mailbox, users
can easily reserve the piece of equipment by including the corresponding equipment mailbox in a meeting request.
You can use the EAC and Exchange Online PowerShell to create an equipment mailbox or change equipment
mailbox properties. For more information, see Recipients.
For information about another type of resource mailbox, a room mailbox, see Create and manage room mailboxes.
TIP
Although there are other fields that describe the details of the room, for example, Capacity, consider summarizing the
most important details in the equipment name using a consistent naming convention. Why? So users can easily see
the details when they select the equipment from the address book in a meeting request.
* Email address: An equipment mailbox has an email address so it can receive booking requests. The email
address consists of an alias on the left side of the @ symbol, which must be unique in the forest, and your
domain name on the right. The email address is required.
4. When you're finished, click Save to create the equipment mailbox.
Once you've created your equipment mailbox, you can edit your equipment mailbox to update info about booking
options, MailTips and delegates. Check out the Change equipment mailbox properties section below to change
equipment mailbox properties.
Use Exchange Online PowerShell to create an equipment mailbox
This example creates an equipment mailbox with the following configuration:
The equipment mailbox resides on Mailbox Database 1.
The equipment's name is MotorVehicle2 and the name will display in the GAL as Motor Vehicle 2.
The email address is MotorVehicle2@contoso.com.
The mailbox is in the Equipment organizational unit.
The Equipment parameter specifies that this mailbox will be created as an equipment mailbox.
New-Mailbox -Database "Mailbox Database 1" -Name MotorVehicle2 -OrganizationalUnit Equipment -DisplayName "Motor Vehicle 2" -Equipment
Use the General section to view or change basic information about the resource.
* Equipment name: This name appears in the resource mailbox list in the EAC and in your organization's
address book. It can't exceed 64 characters if you change it.
* Email address: This read-only box displays the email address for the equipment mailbox. You can change
it in the Email Address section.
Capacity: Use this box to enter the maximum number of people who can use this resource, if applicable.
For example, if the equipment mailbox corresponds to a compact car, you could enter 4.
Click More options to view or change these additional properties:
Organizational unit: This read-only box displays the organizational unit (OU) that contains the account for
the equipment mailbox. You have to use Active Directory Users and Computers to move the account to a
different OU.
Mailbox database: This read-only box displays the name of the mailbox database that hosts the
equipment mailbox. Use the Migration page in the EAC to move the mailbox to a different database.
* Alias: Use this box to change the alias for the equipment mailbox.
Hide from address lists: Select this check box to prevent the equipment mailbox from appearing in the
address book and other address lists that are defined in your Exchange organization. After you select this
check box, users can still send booking messages to the equipment mailbox by using the email address.
Department: Use this box to specify a department name that the resource is associated with. You can use
this property to create recipient conditions for dynamic distribution groups and address lists.
Company: Use this box to specify a company that the resource is associated with. Like the Department
property, you can use this property to create recipient conditions for dynamic distribution groups and
address lists.
Address book policy: Use this option to specify an address book policy (ABP) for the resource. ABPs
contain a global address list (GAL), an offline address book (OAB), a room list, and a set of address lists. To
learn more, see Address book policies.
In the drop-down list, select the policy that you want associated with this mailbox.
Custom attributes: This section displays the custom attributes defined for the equipment mailbox. To
specify custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Delegates
Use this section to view or change how the equipment mailbox handles reservation requests and to define who
can accept or decline booking requests if it isn't done automatically.
Booking requests: Select one of the following options to handle booking requests.
Accept or decline booking requests automatically: A valid meeting request automatically
reserves the resource. If there's a scheduling conflict with an existing reservation, or if the booking
request violates the scheduling limits of the resource, for example, the reservation duration is too
long, the meeting request is automatically declined.
Select delegates who can accept or decline booking requests: Resource delegates are
responsible for accepting or declining meeting requests that are sent to the equipment mailbox. If
you assign more than one resource delegate, only one of them has to act on a specific meeting
request.
Delegates: If you selected the option requiring that booking requests be sent to delegates, the specified
delegates are listed. Click Add or Remove to add or remove delegates from this list.
Booking Options
Use the Booking Options section to view or change the settings for the booking policy that defines when the
resource can be scheduled, how long it can be reserved, and how far in advance it can be reserved.
Allow repeating meetings: This setting allows or prevents repeating meetings for the resource. By
default, this setting is enabled, so repeating meetings are allowed.
Allow scheduling only during working hours: This setting accepts or declines meeting requests that
aren't during the working hours defined for the resource. By default, this setting is disabled, so meeting
requests are allowed outside the working hours. By default, working hours are 8:00 A.M. to 5:00 P.M.
Monday through Friday. You can configure the working hours of the equipment mailbox in the Appearance
section on the Calendar page.
Always decline if the end date is beyond this limit: This setting controls the behavior of repeating
meetings that extend beyond the date specified by the maximum booking lead time setting.
If you enable this setting, a repeating booking request is automatically declined if the bookings start
on or before the date specified by the value in the Maximum booking lead time box, and they
extend beyond the specified date. This is the default setting.
If you disable this setting, a repeating booking request is automatically accepted if the booking
requests start on or before the date specified by the value in the Maximum booking lead time
box, and they extend beyond the specified date. However, the number of bookings is reduced so
bookings won't occur after the specified date.
Maximum booking lead time (days): This setting specifies the maximum number of days in advance that
the resource can be booked. Valid input is an integer between 0 and 1080. The default value is 180 days.
Maximum duration (hours): This setting specifies the maximum duration that the resource can be
reserved in a booking request. The default value is 24 hours.
For repeating booking requests, the maximum booking duration applies to the length of each instance of
the repeating booking request.
There is also a box on this page that you can use to write a message that will be sent to users who send meeting
requests to reserve the resource.
Contact Information
Use the Contact Information section to view or change the contact information for the resource. The information
on this page is displayed in the address book.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies, or
address lists.
Email Address
Use the Email Address section to view or change the email addresses associated with the equipment mailbox.
This includes the mailbox's primary SMTP address and any associated proxy addresses. The primary SMTP
address (also known as the reply address) is displayed in bold text in the address list, with the uppercase SMTP
value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service to locate UM-enabled recipients within an Exchange organization. EUM
addresses consist of the extension number and the UM dial plan for the UM-enabled user. Click this
button and type the extension number in the Address/Extension box. Then click Browse and select
a dial plan for the mailbox.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
NOTE
When you add a new email address, you have the option to make it the primary SMTP address.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues before they send a booking request to
the equipment mailbox. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc,
or Bcc lines of a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
This example configures equipment mailboxes to allow booking requests to be scheduled only during working
hours.
This example uses the Get-User cmdlet to find all equipment mailboxes in the Audio Visual department, and then
uses the Set-CalendarProcessing cmdlet to send booking requests to a delegate named Ann Beebe to accept or
decline.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'EquipmentMailbox') -and (Department -eq 'Audio Visual')} | Set-CalendarProcessing -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Ann Beebe"
In Exchange Online, you can use the Exchange admin center (EAC) or Exchange Online PowerShell to assign
permissions to a mailbox or group so that other users can access the mailbox (the Full Access permission), or send
email messages that appear to come from the mailbox or group (the Send As or Send on Behalf permissions). The
users that are assigned these permissions on other mailboxes or groups are called delegates.
The permissions that you can assign to delegates for mailboxes and groups in Exchange Online are described in
the following table:
Note: Although you might be able to use Exchange Online PowerShell to assign some or all of these permissions to
other delegate types on other kinds of recipient objects, this topic focuses on the delegate and recipient object
types that produce useful results.
Full Access | Allows the delegate to open the mailbox, and view, add and remove the contents of the mailbox. Doesn't allow the delegate to send messages from the mailbox. By default, the mailbox auto-mapping feature uses Autodiscover to automatically open the mailbox in the delegate's Outlook profile (in addition to their own mailbox). If you don't want this to happen, you need to take one of the following actions: | User mailboxes; Resource mailboxes; Shared mailboxes | Discovery mailboxes | Mailboxes with user accounts; Mail users with accounts; Mail-enabled security groups
Send As | Allows the delegate to send messages as if they came directly from the mailbox or group. There's no indication that the message was sent by the delegate. Doesn't allow the delegate to read the contents of the mailbox. | User mailboxes; Resource mailboxes; Shared mailboxes; Distribution groups; Dynamic distribution groups; Mail-enabled security groups | n/a | Mailboxes with user accounts; Mail users with accounts; Mail-enabled security groups
Send on Behalf | Allows the delegate to send messages from the mailbox or group. The From address of these messages clearly shows that the message was sent by the delegate ("<Delegate> on behalf of <MailboxOrGroup>"). However, replies to these messages are sent to the mailbox or group, not to the delegate. | User mailboxes; Resource mailboxes; Distribution groups; Dynamic distribution groups; Mail-enabled security groups; Office 365 groups | Shared mailboxes | Mailboxes with user accounts; Mail users with accounts; Mail-enabled security groups; Distribution groups
This example assigns the delegate Raymond Sam the Full Access permission to the mailbox of Terry Adams.
Add-MailboxPermission -Identity "Terry Adams" -User raymonds -AccessRights FullAccess -InheritanceType All
This example assigns Esther Valle the Full Access permission to the organization's default discovery search
mailbox, and prevents the mailbox from automatically opening in Esther Valle's Outlook.
This example assigns members of the Helpdesk mail-enabled security group the Full Access permission to the
shared mailbox named Helpdesk Tickets.
This example removes Full Access permission for Jim Hance from Ayla Kol's mailbox.
Remove-MailboxPermission -Identity ayla -User "Jim Hance" -AccessRights FullAccess -InheritanceType All
This example assigns the Send As permission to the Printer Support group on the shared mailbox named
Contoso Printer Support.
Add-RecipientPermission -Identity "Contoso Printer Support" -Trustee "Printer Support" -AccessRights SendAs
This example removes the Send As permission for the user Karen Toh on the mailbox for Yan Li.
The GrantSendOnBehalfTo parameter has the following options for delegate values:
Replace existing delegates: <DelegateIdentity> or "<DelegateIdentity1>","<DelegateIdentity2>",...
This example assigns the delegate Holly Holt the Send on Behalf permission to the mailbox of Sean Chai.
This example adds the group tempassistants@contoso.com to the list of delegates that have Send on Behalf
permission to the Contoso Executives shared mailbox.
This example assigns the delegate Sara Davis the Send on Behalf permission to the Printer Support distribution
group.
This example removes the Send on Behalf permission that was assigned to the administrator on the All
Employees dynamic distribution group.
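Added example, not part of the original documentation: before assigning or removing delegate permissions, it helps to review who already holds Full Access, Send As, and Send on Behalf on each mailbox or group, and which delegates hold both Full Access and Send As on the same target. The function name Get-DelegateReport and the sample rows are assumptions made for illustration; the input objects are assumed to carry the property names that Get-MailboxPermission, Get-RecipientPermission, and Get-Mailbox return.

```powershell
# Added example: merge Full Access, Send As and Send on Behalf grants into one
# per-delegate report. Get-DelegateReport is a hypothetical helper, not a built-in cmdlet.
function Get-DelegateReport {
    [CmdletBinding()]
    param(
        [object[]]$MailboxPermission   = @(),  # rows shaped like Get-MailboxPermission output
        [object[]]$RecipientPermission = @(),  # rows shaped like Get-RecipientPermission output
        [object[]]$Mailbox             = @()   # rows shaped like Get-Mailbox output
    )

    $grants = [System.Collections.Generic.List[object]]::new()

    foreach ($ace in $MailboxPermission) {
        # Skip inherited entries, deny entries, and the mailbox owner's own entry.
        if ("$($ace.IsInherited)" -eq 'True') { continue }
        if ("$($ace.Deny)" -eq 'True') { continue }
        if ("$($ace.User)" -eq 'NT AUTHORITY\SELF') { continue }
        $rights = @($ace.AccessRights | ForEach-Object { "$_" })
        if ($rights -contains 'FullAccess') {
            $grants.Add([pscustomobject]@{
                Target = "$($ace.Identity)"; Delegate = "$($ace.User)"; Permission = 'Full Access' })
        }
    }

    foreach ($ace in $RecipientPermission) {
        if ("$($ace.IsInherited)" -eq 'True') { continue }
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        if ("$($ace.Trustee)" -eq 'NT AUTHORITY\SELF') { continue }
        $rights = @($ace.AccessRights | ForEach-Object { "$_" })
        if ($rights -contains 'SendAs') {
            $grants.Add([pscustomobject]@{
                Target = "$($ace.Identity)"; Delegate = "$($ace.Trustee)"; Permission = 'Send As' })
        }
    }

    foreach ($mbx in $Mailbox) {
        # GrantSendOnBehalfTo is multi-valued; one row per delegate.
        foreach ($delegate in @($mbx.GrantSendOnBehalfTo)) {
            if (-not $delegate) { continue }
            $grants.Add([pscustomobject]@{
                Target = "$($mbx.Identity)"; Delegate = "$delegate"; Permission = 'Send on Behalf' })
        }
    }

    # Roll up to one row per target/delegate pair. Pairs are matched on the
    # identity strings exactly as supplied (assumption: both sources use the same form).
    $grants | Group-Object Target, Delegate | ForEach-Object {
        $perms = @($_.Group.Permission | Sort-Object -Unique)
        [pscustomobject]@{
            Target              = $_.Group[0].Target
            Delegate            = $_.Group[0].Delegate
            Permissions         = $perms -join ', '
            # Full Access alone cannot send; Send As alone cannot read. Both together can do both.
            FullAccessAndSendAs = ($perms -contains 'Full Access') -and ($perms -contains 'Send As')
        }
    } | Sort-Object Target, Delegate
}

# Constructed sample input (names reuse the examples on this page; rows are not real tenant data).
$sampleMailboxPermission = @(
    [pscustomobject]@{ Identity = 'Terry Adams'; User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Terry Adams'; User = 'raymonds'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Terry Adams'; User = 'Organization Management'; AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
)
$sampleRecipientPermission = @(
    [pscustomobject]@{ Identity = 'Terry Adams'; Trustee = 'raymonds'; AccessRights = @('SendAs'); AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ Identity = 'Contoso Printer Support'; Trustee = 'Printer Support'; AccessRights = @('SendAs'); AccessControlType = 'Allow'; IsInherited = $false }
)
$sampleMailbox = @(
    [pscustomobject]@{ Identity = 'Sean Chai'; GrantSendOnBehalfTo = @('Holly Holt') }
    [pscustomobject]@{ Identity = 'Terry Adams'; GrantSendOnBehalfTo = @() }
)

Get-DelegateReport -MailboxPermission $sampleMailboxPermission `
                   -RecipientPermission $sampleRecipientPermission `
                   -Mailbox $sampleMailbox | Format-Table -AutoSize

# Against a live tenant (requires a connected Exchange Online PowerShell session):
#   $mbx = Get-Mailbox -ResultSize Unlimited
#   Get-DelegateReport -MailboxPermission ($mbx | Get-MailboxPermission) `
#       -RecipientPermission (Get-RecipientPermission -ResultSize Unlimited) -Mailbox $mbx
```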
Next steps
For more information about how delegates can use the permissions that are assigned to them on mailboxes and
groups, see the following topics:
Access another person's mailbox
Open and use a shared mailbox in Outlook
Open and use a shared mailbox in Outlook on the Web
Send email from another person or group in Outlook on the Web
Manage Facebook contact sync in your organization
3/4/2019 • 2 minutes to read
Facebook contact synchronization lets people set up a connection between their Facebook account and their Office
365 account by using Outlook Web App. After they set up a Facebook connection, all their Facebook friends are
listed as contacts in People in Office 365. They can then interact with their Facebook friends as they do with their
other contacts. Facebook contact sync is turned on by default if the feature is available in your region.
TIP
As an administrator, you probably want to keep Facebook contact sync turned on if your organization uses Facebook for
business purposes, such as networking and marketing. Turn it off if you don't want your users to download their Facebook
friends as contacts in Outlook Web App. For information about how people set up Facebook contact sync, see Add Facebook
friends as contacts.
NOTE
The features that are available to your Office 365 organization are determined by the service plan for your account. Some
features aren't available to mailboxes or organizations in specific regions.
LinkedIn contact synchronization lets people set up a connection between their LinkedIn account and their Office
365 account by using Outlook Web App. After they set up LinkedIn contact sync, all their LinkedIn connections are
listed as contacts in People in Office 365. They can then interact with their LinkedIn connections as they do with
other contacts. LinkedIn contact sync is turned on by default if the feature is available for your region.
TIP
As an administrator, you probably want to keep LinkedIn contact sync turned on if your organization uses LinkedIn for
business purposes, such as networking and marketing. Turn it off if you don't want your users to download their LinkedIn
connections as contacts in Outlook Web App. For more information about how people can set up LinkedIn contact sync, see
Managed LinkedIn contact sync in your organization.
NOTE
The features that are available to your Office 365 organization are determined by the service plan for your account. Some
features aren't available to mailboxes or organizations in specific regions.
In your Exchange Online organization, you may need to restrict access to specific recipients. The most common
scenario is the need to control messages sent to large distribution groups. Depending on your organization's
requirements, you may also need to control the messages sent to executive mailboxes or partner contacts. You can
use moderated recipients to accomplish these tasks. When you configure a recipient for moderation, all messages
sent to that recipient are subject to approval by the designated moderators.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
This example configures the following moderation settings for the distribution group named All Employees:
Enable moderation for the distribution group.
Designate David Hamilton and Yossi Ran as moderators.
Allow the members of the distribution group named HR to bypass moderation.
Notify internal senders if their message to the distribution group is rejected, but do not send any
notifications to external senders.
To accomplish the tasks in this example scenario, run the following command:
To add or remove users from the list of moderators or recipients who bypass moderation without affecting other
entries, use the following syntax:
This example configures the following moderation settings for the distribution group named All Employees:
Add the user chris@contoso.com to the list of existing moderators.
Remove the user michelle@contoso.com from the list of existing senders who bypass moderation.
Your organization can migrate email to Office 365 from other systems. Your administrators can migrate
mailboxes from Exchange Server or migrate email from another IMAP-enabled email system. And your users can
import their own email, contacts, and other mailbox information to an Office 365
mailbox created for them. Your organization also can work with a partner to migrate email.
Before you start an email migration, review limits and best practices for Exchange Online to make sure you get
the performance and behavior you expect after migration.
See Decide on a migration path or Exchange migration advisors for help with choosing the best option for your
organization.
TIP
Another option available to assist you with your email migration is FastTrack Center Benefit for Office 365. FastTrack
specialists can help you plan and perform your migration. For more information, see Data Migration.
There are three types of email migrations that can be made from an Exchange Server:
Migrate all mailboxes at once (cutover migration) or Express migration
Use this type of migration if you're running Exchange 2003, Exchange 2007, Exchange 2010, or Exchange
2013, and if there are fewer than 2000 mailboxes. You can perform a cutover migration by starting from
the Exchange admin center (EAC); see Perform a cutover migration to Office 365. See Use express
migration to migrate Exchange mailboxes to Office 365 to use the Express migration.
IMPORTANT
With cutover migration, you can move up to 2000 mailboxes, but due to length of time it takes to create and
migrate 2000 users, it is more reasonable to migrate 150 users or less.
Migrate mailboxes in batches (staged migration)
Use this type of migration if you're running Exchange 2003 or Exchange 2007, and there are more than
2,000 mailboxes. For an overview of staged migration, see What you need to know about a staged email
migration to Office 365. To perform the migration tasks, see Perform a staged migration of Exchange
Server 2003 and Exchange 2007 to Office 365.
Migrate using an integrated Exchange Server and Office 365 environment (hybrid)
Use this type of migration to maintain both on-premises and online mailboxes for your organization and
to gradually migrate users and email to Office 365. Use this type of migration if:
You have Exchange 2010 and more than 150-2,000 mailboxes.
You have Exchange 2010 and want to migrate mailboxes in small batches over time.
You have Exchange 2013.
For more information, see Plan an Exchange Online hybrid deployment in Office 365.
You can use the Office 365 Import Service to either upload the PST files through a network, or to mail the PST
files in a drive that you prepare.
For instructions, see Office 365 Import Service.
To migrate email from another mail system, see Migrate your IMAP mailboxes to Office 365. After the email
migration is done, any new mail sent to the source email isn't migrated.
Have users import their own email
Users can import their own email, contacts, and other mailbox information to Office 365. See Migrate email and
contacts to Office 365 to learn how.
Related Topics
Use PowerShell for email migration to Office 365
Decide on a migration path
3/6/2019 • 5 minutes to read
Deciding on the best migration path of your users' email to Office 365 can be difficult. This article gives guidance
based on your current email system and other factors, such as how quickly you want to migrate to Office 365. Your
migration performance will vary based on your network, mailbox size, migration speed, and so on.
IMPORTANT
This topic is intended for Office 365 global administrators. If you want to migrate email for a single account, see Migrate
email and contacts to Office 365 instead.
IMPORTANT
Staged and Exchange Hybrid migrations require that you also set up directory synchronization. For more information, see
Office 365 integration with on-premises environments.
For migration recommendations, expand one of the following sections based on your source system:
NOTE
Even though cutover migration supports moving up to 2000 mailboxes, due to length of time it takes to create and migrate
2000 users, it is more reasonable to migrate 150 users or less.
NUMBER OF MAILBOXES | HOW QUICKLY DO YOU WANT TO MIGRATE? | USE
Fewer than 150 | Over a weekend or a few days. | Cutover or Express migration.
If the mailboxes you're migrating contain a large amount of data, you can also use Office 365 Import Service to
import PST files to Office 365. You can use the Office 365 Import Service to either ship the files or to import them
across the network.
If you have an extremely large number of mailboxes (5,000+), you might want to hire a partner to help you
migrate your email data.
You'll find a list of partners in the Microsoft Partner Center.
Use Minimal Hybrid to quickly migrate Exchange mailboxes to Office 365
3/4/2019 • 4 minutes to read
You can use the minimal hybrid, also known as express migration, option in the Exchange Hybrid Configuration
Wizard to migrate the contents of user mailboxes to Office 365 over the course of a couple of weeks or less.
Pre-requisites
Use minimal hybrid to migrate emails if you:
Are running at least one Exchange 2010, Exchange 2013, and/or Exchange 2016 server on-premises.
Plan to move to Exchange Online over the course of a few weeks or less.
Do not plan to continue to run directory synchronization to manage your users.
4. On the Add a domain page, type in the domain name (for example, Contoso.com) you use for your on-
premises Exchange organization, and then choose Next.
5. On the Verify domain page, select either Sign in to GoDaddy (if your DNS records are managed by
GoDaddy) or Add a TXT record instead for any other registrars > Next.
6. Follow the instructions provided for your DNS hosting provider. The TXT record usually is chosen to verify
ownership.
You can also find the instructions in Create DNS records at any DNS hosting provider for Office 365.
After you add your TXT or MX record, wait about 15 minutes before proceeding to the next step.
7. In the Office 365 domain wizard, choose done, verify now, and you'll see a verification page. Choose
Finish.
If the verification fails at first, wait awhile, and try again.
Do not continue to the next step in the domains wizard. You now have verified that you own the on-
premises Exchange organization domain and are ready to continue with an email migration.
You will finish setting up your domain after the migrations are complete.
Step 2: Start express migration
On a computer that is domain joined to your on-premises organization, sign in to your Office 365 account by
using your global admin credentials, and start the Exchange Hybrid Configuration Wizard on the Data migration
page of the Office 365 admin page.
1. In the Office 365 Admin center, go to Setup > Data migration.
3. On the first Hybrid Configuration Wizard page, choose next and on the On-premises Exchange
Server Organization page, accept the default values and choose next.
By default the wizard connects to the Exchange server running the latest version.
4. On the Credentials page, choose Use current Windows credentials for on-premises Exchange server, and
enter admin credentials for it and your Office 365 tenant. Choose next, and then choose next again once
the connections and credentials have validated.
5. On the Hybrid Features page, select Minimal Hybrid Configuration > next.
6. On the Ready for Update page, choose update to prepare the on-premises mailboxes for migration.
See also
Office 365 migration performance and best practices
How to decommission Exchange servers in a Hybrid environment
Modify or remove Exchange 2010
How to remove an Exchange 2007 organization
What you need to know about a cutover email migration to Office 365
3/6/2019 • 3 minutes to read
As part of an Office 365 deployment, you can migrate the contents of user mailboxes from a source email system
to Office 365. When you do this all at one time, it's called a cutover migration. Choosing a cutover migration is
suggested when:
Your current on-premises Exchange organization is Microsoft Exchange Server 2003, Microsoft Exchange
Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, or Exchange Server 2016.
Your on-premises Exchange organization has fewer than 2,000 mailboxes.
NOTE
Even though cutover migration supports moving up to 2000 mailboxes, due to length of time it takes to create and
migrate 2000 users, it is more reasonable to migrate 150 users or less.
If a cutover migration won't work for you, see Ways to migrate email to Office 365 for other options.
Things to consider
Setting up an email cutover migration to Office 365 requires careful planning. Before you begin, here are a few
things to consider:
You can move your entire email organization to Office 365 over a few days and manage user accounts in
Office 365.
A maximum of 2,000 mailboxes can be migrated to Office 365 by using a cutover Exchange migration.
However, it is recommended that you only migrate 150 mailboxes.
The primary domain name used for your on-premises Exchange organization must be accepted as a
domain owned by you in your Office 365 organization.
After the migration is complete, each user who has an on-premises Exchange mailbox also will be a new
user in Office 365. But you'll still have to assign licenses to users whose mailboxes are migrated.
Impact to users
After your on-premises and Office 365 organizations are set up for a cutover migration, post-setup tasks could
impact your users.
Administrators or users must configure desktop computers: Make sure that desktop computers are
updated and set up for use with Office 365. These actions allow users to use local user credentials to sign in
to Office 365 from desktop applications. Users with permission to install applications can update and set up
their own desktops. Or updates can be installed for them. After updates are made, users can send email
from Outlook 2013, Outlook 2010, or Outlook 2007.
Potential delay in email routing: Email sent to on-premises users whose mailboxes were migrated to
Office 365 is routed to their on-premises Exchange mailboxes until the MX record is changed.
How does cutover migration work?
The main steps you perform for a cutover migration are shown in the following illustration.
1. The administrator communicates upcoming changes to users and verifies domain ownership with the
domain registrar.
2. The administrator prepares the servers for a cutover migration and creates empty mail-enabled security
groups in Office 365.
3. The administrator connects Office 365 to the on-premises email system (this is called creating a migration
endpoint).
4. The administrator migrates the mailboxes and then verifies the migration.
5. Grant Office 365 licenses to your users.
6. The administrator configures the domain to begin routing email directly to Office 365.
7. The administrator verifies that routing has changed, and then deletes the cutover migration batch.
8. The administrator completes post-migration tasks in Office 365 (assigns licenses to users and creates an
Autodiscover Domain Name System (DNS) record), and optionally decommissions the on-premises
Exchange servers.
See how-to steps in Complete post migration tasks.
9. The administrator sends a welcome letter to users to tell them about Office 365 and to describe how to sign
in to their new mailboxes.
Ready to start?
If you're comfortable setting up a migration to Office 365, here are the tasks that need to be done:
Set up Exchange Server by using the Exchange admin center.
Change your organization's MX record to point to Office 365 when the migration is complete. Your MX
record is how other mail systems find the location of your email system. Changing your MX record allows
other mail systems to begin to send email directly to the new mailboxes in Office 365. We provide
instructions on how to do this for many DNS providers. To set up your public DNS servers, you need to
change your organization's MX record to point to Office 365 if you choose to route all incoming internet
mail for your on-premises Exchange organization through Office 365.
If you're ready to begin a cutover migration, go to Perform a cutover migration of email to Office 365.
See also
Ways to migrate email to Office 365
Use PowerShell to perform a cutover migration to Office 365
Migrate email using the Exchange cutover method
3/4/2019 • 15 minutes to read
As part of an Office 365 deployment, you can migrate the contents of user mailboxes from a source email system
to Office 365. When you do this all at one time, it's called a cutover migration. Choosing a cutover migration is
suggested when:
Your current on-premises Exchange organization is Microsoft Exchange Server 2003 or later.
Your on-premises Exchange organization has fewer than 2,000 mailboxes.
NOTE
Even though cutover migration supports moving up to 2000 mailboxes, due to length of time it takes to create and
migrate 2000 users, it is more reasonable to migrate 150 users or less.
NOTE
If you have turned on directory synchronization, you need to turn it off before you can perform a cutover migration. You
can do this by using PowerShell. For instructions, see Turn off directory synchronization for Office 365.
1. Configure Outlook Anywhere on your on-premises Exchange Server: The email migration service uses
Outlook Anywhere (also known as RPC over HTTP), to connect to your on-premises Exchange Server.
Outlook Anywhere is automatically configured for Exchange 2013. For information about how to set up
Outlook Anywhere for Exchange 2010, Exchange 2007, and Exchange 2003, see the following:
Exchange 2010: Enable Outlook Anywhere
Exchange 2007: How to Enable Outlook Anywhere
How to configure Outlook Anywhere with Exchange 2003
2. You must use a certificate issued by a trusted certification authority (CA) with your Outlook Anywhere
configuration in order for Office 365 to run a cutover migration. For cutover migration you will need to add the
Outlook Anywhere and Autodiscover services to your certificate. For instructions on how to set up certificates,
see:
Add an SSL certificate to Exchange 2013
Add an SSL certificate to Exchange 2010
Add an SSL certificate to Exchange 2007
3. Optional: Verify that you can connect to your Exchange organization using Outlook Anywhere: Try
one of the following methods to test your connection settings.
Use Outlook from outside your corporate network to connect to your on-premises Exchange mailbox.
Use the Microsoft Exchange Remote Connectivity Analyzer to test your connection settings. Use the
Outlook Anywhere (RPC over HTTP) or Outlook Autodiscover tests.
Wait for the connection to automatically be tested when you connect Office 365 to your email system later
in this procedure.
4. Set permissions: The on-premises user account that you use to connect to your on-premises Exchange
organization (also called the migration administrator) must have the necessary permissions to access the
on-premises mailboxes that you want to migrate to Office 365. This user account is used when you
connect Office 365 to your email system later in this procedure.
5. To migrate the mailboxes, the admin must have one of the following permissions:
The migration administrator must be assigned the FullAccess permission for each on-premises mailbox.
or
The migration administrator must be assigned the Receive As permission on the on-premises mailbox
database that stores user mailboxes.
For instructions about how to set these permissions, see Assign Exchange permissions to migrate
mailboxes to Office 365.
6. Disable Unified Messaging (UM): If UM is turned on for the on-premises mailboxes you're migrating,
turn off UM before migration. Turn on UM for the mailboxes after migration is complete.
7. Create security groups and clean up delegates: Because the email migration service can't detect
whether on-premises Active Directory groups are security groups, it can't provision any migrated groups
as security groups in Office 365. If you want to have security groups in Office 365, you must first provision
an empty mail-enabled security group in Office 365 before starting the cutover migration.
Additionally, this migration method only moves mailboxes, mail users, mail contacts, and mail-enabled
groups. If any other Active Directory object, such as a user mailbox that is not migrated to Office 365, is
assigned as a manager or delegate to an object being migrated, you must remove them from the object
before migration.
4. On the Add a domain page, type in the domain name (for example, Contoso.com) you use for your on-
premises Exchange organization, and then choose Next.
5. On the Verify domain page, select either Sign in to GoDaddy (if your DNS records are managed by
GoDaddy) or Add a TXT record instead for any other registrars > Next.
6. Follow the instructions provided for your DNS hosting provider. The TXT record usually is chosen to verify
ownership.
You can also find the instructions in Create DNS records for Office 365 when you manage your DNS
records.
After you add your TXT or MX record, wait about 15 minutes before proceeding to the next step.
7. In the Office 365 domain wizard, choose done, verify now, and you'll see a verification page. Choose
Finish.
If the verification fails at first, wait awhile, and try again.
Do not continue to the next step in the domain wizard. You now have verified that you own the on-
premises Exchange organization domain and are ready to continue with an email migration.
If the test connection to the source server isn't successful, provide the following information:
Exchange server: Type the fully qualified domain name (FQDN) for the on-premises Exchange Server.
This is the host name for your Mailbox server. For example, EXCH-SRV-01.corp.contoso.com.
RPC proxy server: Type the FQDN for the RPC proxy server for Outlook Anywhere. Typically, the proxy
server is the same as your Outlook Web App URL. For example, mail.contoso.com, which is also the URL
for the proxy server that Outlook uses to connect to an Exchange Server.
8. On the Enter general information page, type a Migration endpoint name, for example, Test5-endpoint.
Leave the other two boxes blank to use the default values.
9. Choose New to create the migration endpoint.
To validate that Exchange Online is connected to the on-premises server, you can run the command in
Example 4 of Test-MigrationServerAvailability.
3. On the Select a migration type page, choose Cutover migration > next.
4. On the Confirm the migration endpoint page, the migration endpoint information is listed. Verify the
information and then choose next.
5. On the Move configuration page, type the name (cannot contain spaces or special characters) of the
migration batch, and then choose next. The batch name is displayed in the list of migration batches on the
Migration page after you create the migration batch.
6. On the Start the batch page, choose one of the following:
Automatically start the batch: The migration batch is started as soon as you save the new migration
batch with a status of Syncing.
Manually start the batch later: The migration batch is created but is not started. The status of the batch
is set to Created. To start a migration batch, select it on the migration dashboard, and then choose Start.
7. Choose new to create the migration batch.
The new migration batch is displayed on the migration dashboard.
NOTE
It can take a few minutes for the batch to be removed.
Office 365 uses a CNAME record to implement the Autodiscover service for Outlook and mobile clients.
The Autodiscover CNAME record must contain the following information:
Alias: autodiscover
Target: autodiscover.outlook.com
For more information, see Create DNS records for Office 365 when you manage your DNS records.
2. Decommission on-premises Exchange Servers: After you've verified that all email is being routed
directly to the Office 365 mailboxes, and no longer need to maintain your on-premises email organization
or don't plan on implementing a single sign-on solution, you can uninstall Exchange from your servers and
remove your on-premises Exchange organization.
For more information, see the following:
Modify or Remove Exchange 2010
How to Remove an Exchange 2007 Organization
How to Uninstall Exchange Server 2003
NOTE
Decommissioning Exchange can have unintended consequences. Before decommissioning your on-premises
Exchange organization, we recommend that you contact Microsoft Support.
See also
Ways to migrate email to Office 365
Decide on a migration path
What you need to know about a staged email
migration to Office 365
3/5/2019 • 6 minutes to read
As part of an Office 365 deployment, you can migrate the contents of user mailboxes from a source email system
to Office 365. When you do this over time, it's called a staged migration. A staged migration is recommended
when:
Your source email system is Microsoft Exchange Server 2003 or Microsoft Exchange Server 2007.
NOTE
Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 are out of support. Support for Exchange
2003 ended on April 8, 2014. Support for Exchange 2007 ended on April 11, 2017.
NOTE
You can't use a staged migration to migrate Exchange 2013 or Exchange 2010 mailboxes to Office 365. Consider
using a cutover migration or a hybrid email migration instead.
Things to consider
Here are a few items to be aware of:
You must synchronize accounts between your on-premises Active Directory domain and Office 365 by
using Azure Active Directory sync for a staged migration to work.
The primary domain name used for your on-premises Exchange organization must be a domain verified to
your Office 365 organization.
You can migrate only user mailboxes and resource mailboxes. Other recipient types, such as distribution
groups, contacts, and mail-enabled users are migrated to Office 365 through the process of directory
synchronization.
Out of Office messages aren't migrated with user mailboxes. If a user turns on the Out of Office feature
before the migration, the feature will remain enabled on the migrated mailbox, but the Out of Office
message is blank. People who send messages to the mailbox won't receive an Out of Office notification. To
allow Out of Office notifications to be sent, the user needs to recreate the Out of Office message after the
mailbox is migrated.
If you limited the connections to your source email system, it's a good idea to increase them to improve
migration performance. Common connection limits include client/server total connections, per-user
connections, and IP address connections on either the server or the firewall. If you didn't limit these
connections, you can skip this task.
NOTE
If you implement a single sign-on solution, it is strongly recommended that you maintain at least one Exchange
Server so that you can access Exchange System Manager (Exchange 2003) or the Exchange Management
Console/Exchange Management Shell (Exchange 2007) to manage mail-related attributes on the on-premises mail-
enabled users. For Exchange 2007, the Exchange Server that you maintain should have the Hub Transport, Client
Access, and Mailbox server roles installed.
Ready to start?
If you're comfortable setting up a migration to Office 365, here are the tasks that need to be done.
Using either Microsoft Azure Active Directory Synchronization Tool or Microsoft Azure Active Directory
Sync Services (AAD Sync) to synchronize and create your on-premises users in Office 365.
Configuring Exchange Server by using the Exchange admin center.
Changing your organization's MX record to point to Office 365 when the migration is complete. Your MX
record is how other mail systems find the location of your email system. Changing your MX record allows
other mail systems to begin to send email directly to the new mailboxes in Office 365.
To finish a staged email migration successfully, it's a good idea to be comfortable doing these tasks:
You configure or verify that directory synchronization is working.
You configure or verify that Outlook Anywhere is working.
You create one or more lists of mailboxes to migrate in Excel.
You use step-by-step wizards in Office 365 to configure and start the migration process.
You add or change your organization's DNS records, such as the Autodiscover and MX records.
You mail-enable on-premises mailboxes.
If you're ready to begin a staged email migration, you can use the steps given in Perform a staged migration of email
to Office 365.
See also
Ways to migrate email to Office 365
Use PowerShell to perform a staged migration to Office 365
Perform a staged migration of email to Office 365
3/29/2019 • 18 minutes to read
You can migrate the contents of user mailboxes from an Exchange 2003 or Exchange 2007 email system to Office 365
over time by using a staged migration.
This article walks you through the tasks involved in a staged email migration. What you need to know
about a staged email migration to Office 365 gives you an overview of the migration process. When you're
comfortable with the contents of that article, use this one to begin migrating mailboxes from one email system to
another.
For Windows PowerShell steps, see Use PowerShell to perform a staged migration to Office 365.
Migration Tasks
Here are the tasks to do when you're ready to get started with your staged migration.
1. Prepare for a staged migration
2. Verify you own the domain
3. Use directory synchronization to create users in Office 365
4. Create a list of mailboxes to migrate
5. Connect Office 365 to your email system
6. Migrate your mailboxes
7. Start the staged migration batch
8. Convert on-premises mailboxes to mail-enabled users so that migrated users can get to their email
9. Route your email directly to Office 365
10. Delete the staged migration batch
11. Complete post migration tasks
2. (Optional) Verify that you can connect to your Exchange organization using Outlook Anywhere: Try
one of the following methods to test your connection settings.
Use Outlook from outside your corporate network to connect to your on-premises Exchange mailbox.
Use the Microsoft Exchange Remote Connectivity Analyzer to test your connection settings. Use the
Outlook Anywhere (RPC over HTTP) or Outlook Autodiscover tests.
Wait for the connection to automatically be tested when you Connect Office 365 to your email system later
in this procedure.
3. Set permissions: The on-premises user account that you use to connect to your on-premises Exchange
organization (also called the migration administrator) must have the necessary permissions to access the
on-premises mailboxes that you want to migrate to Office 365. This user account is used when you
Connect Office 365 to your email system later in this procedure.
4. To migrate the mailboxes, the admin must have one of the following permission sets:
Be assigned the FullAccess permission for each on-premises mailbox and be assigned the
WriteProperty permission to modify the TargetAddress property on the on-premises user accounts.
or
Be assigned the Receive As permission on the on-premises mailbox database that stores user mailboxes,
and the WriteProperty permission to modify the TargetAddress property on the on-premises user
accounts.
For instructions about how to set these permissions, see Assign Exchange permissions to migrate
mailboxes to Office 365.
5. Disable Unified Messaging (UM): If UM is turned on for the on-premises mailboxes you're migrating, turn
off UM before migration. Turn on UM for the mailboxes after migration is complete. For how-to steps, see
disable unified messaging.
NOTE
You must be a global admin in Office 365 to complete these steps.
NOTE
There isn't a limit for the number of mailboxes that you can migrate to Office 365 using a staged migration. The CSV file for
a migration batch can contain a maximum of 2,000 rows. To migrate more than 2,000 mailboxes, create additional CSV files
and use each file to create a new migration batch.
Supported attributes
The CSV file for a staged migration supports the following three attributes. Each row in the CSV file corresponds
to a mailbox and must contain a value for each of these attributes.
ATTRIBUTE DESCRIPTION REQUIRED?
EmailAddress,Password,ForceChangePassword
pilarp@contoso.com,Pa$$w0rd,False
tobyn@contoso.com,Pa$$w0rd,False
briant@contoso.com,Pa$$w0rd,False
Each row under the header row represents one user and supplies the information that will be used to migrate the
user's mailbox. The attribute values in each row must be in the same order as the attribute names in the header
row.
Use any text editor, or an application like Excel, to create the CSV file. Save the file as a .csv or .txt file.
NOTE
If the CSV file contains non-ASCII or special characters, save the CSV file with UTF-8 or other Unicode encoding. Depending
on the application, saving the CSV file with UTF-8 or other Unicode encoding may be easier when the system locale of the
computer matches the language used in the CSV file.
3. On the Select a migration type page, choose Staged migration > next.
4. On the Select the users page, choose Browse and select the CSV file to use for this migration batch.
After you select a CSV file, Office 365 checks the CSV file to make sure that:
It isn't empty.
It uses comma-separated formatting.
It doesn't contain more than 2,000 rows.
It includes the required EmailAddress column in the header row.
All rows have the same number of columns as the header row.
If any one of these checks fails, you'll get an error that describes the reason for the failure. At this point,
you must fix any errors in the CSV file and resubmit it to create a migration batch. After the CSV file is
validated, the number of users listed in the CSV file is displayed as the number of mailboxes to migrate.
5. Choose next.
6. On the Confirm the migration endpoint page, verify the migration endpoint information that is listed
and then choose next.
7. On the Move configuration page, type the name (no spaces or special characters) of the migration batch,
and then choose next. This name is displayed in the list of migration batches on the Migration page after
you create the migration batch.
8. On the Start the batch page, choose one of the following:
Automatically start the batch: The migration batch is started as soon as you save the new migration
batch. The batch starts with a status of Syncing.
Manually start the batch later: The migration batch is created but not started. The status of the batch is
set to Created. To start a migration batch, select it on the migration dashboard and then choose Start.
9. Choose new to create the migration batch.
The new migration batch is displayed on the migration dashboard.
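The checks listed in step 4 can be run locally before the file is uploaded. The following PowerShell function is an added example, not part of the original documentation; the name Test-StagedMigrationCsv, the address-format and duplicate checks, and the Password-column warning are assumptions introduced here, and it assumes unquoted fields without embedded commas, as in the sample file above.

```powershell
# Added example (not from the original documentation): local pre-flight check
# for a staged migration CSV, mirroring the five checks listed in step 4.
function Test-StagedMigrationCsv {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [int] $MaxRows = 2000    # per-batch row limit stated on this page
    )

    $known    = 'EmailAddress', 'Password', 'ForceChangePassword'  # attributes named on this page
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $warnings = New-Object 'System.Collections.Generic.List[string]'

    # Builds the result object from the lists collected so far.
    function New-Report([int] $Rows) {
        [pscustomobject]@{
            Path     = $Path
            Valid    = ($problems.Count -eq 0)
            Rows     = $Rows
            Problems = $problems.ToArray()
            Warnings = $warnings.ToArray()
        }
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $problems.Add("File not found: $Path")
        return New-Report 0
    }

    # Check 1: the file isn't empty (blank lines are ignored).
    $lines = @(Get-Content -LiteralPath $Path | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -eq 0) {
        $problems.Add('The file is empty.')
        return New-Report 0
    }

    # Check 2: comma-separated formatting. A header that has another common
    # delimiter and no comma usually comes from a locale-specific export.
    if ($lines[0] -notmatch ',' -and $lines[0] -match '[;\t|]') {
        $problems.Add('The header row is not comma-separated.')
    }

    # Assumption: fields are unquoted and contain no embedded commas.
    $header = @($lines[0].Split(',') | ForEach-Object { $_.Trim() })
    $rows   = @($lines | Select-Object -Skip 1)

    # Check 3: no more than 2,000 rows per batch file.
    if ($rows.Count -gt $MaxRows) {
        $problems.Add("The file has $($rows.Count) rows; the limit is $MaxRows.")
    }

    # Check 4: the required EmailAddress column is in the header row.
    $emailIdx = -1
    for ($j = 0; $j -lt $header.Count; $j++) {
        if ($header[$j] -eq 'EmailAddress') { $emailIdx = $j }
    }
    if ($emailIdx -lt 0) {
        $problems.Add('The header row has no EmailAddress column.')
    }
    foreach ($name in $header) {
        if ($known -notcontains $name) { $warnings.Add("Unrecognized column '$name'.") }
    }

    # Check 5: every row has the same number of columns as the header row.
    # The address-format and duplicate checks are additions to the page's list.
    $seen = @{}
    for ($i = 0; $i -lt $rows.Count; $i++) {
        $lineNo = $i + 2                      # 1-based, counting the header row
        $fields = $rows[$i].Split(',')
        if ($fields.Count -ne $header.Count) {
            $problems.Add("Line ${lineNo}: $($fields.Count) columns, header has $($header.Count).")
            continue
        }
        if ($emailIdx -ge 0) {
            $addr = $fields[$emailIdx].Trim().ToLower()
            if ($addr -notmatch '^[^@\s]+@[^@\s]+$') {
                $problems.Add("Line ${lineNo}: '$addr' is not a valid email address.")
            }
            elseif ($seen.ContainsKey($addr)) {
                $problems.Add("Line ${lineNo}: '$addr' already appears on line $($seen[$addr]).")
            }
            else { $seen[$addr] = $lineNo }
        }
    }

    # Addition to the page's checks: a Password column is plaintext credentials at rest.
    if ($header -contains 'Password') {
        $warnings.Add('Password column present: treat the file as a secret and restrict access to it.')
    }
    return New-Report $rows.Count
}

# Constructed sample input: two rows in the page's format, the second one short a column.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'staged-batch-sample.csv'
@'
EmailAddress,Password,ForceChangePassword
pilarp@contoso.com,Pa$$w0rd,False
tobyn@contoso.com,Pa$$w0rd
'@ | Set-Content -LiteralPath $sample -Encoding UTF8
Test-StagedMigrationCsv -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```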
Start the staged migration batch
If you created a migration batch and configured it to be manually started, you can start it by using the Exchange
admin center.
To start a staged migration batch
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch, and then choose Start.
3. If a migration batch starts successfully, its status on the migration dashboard changes to Syncing.
NOTE
Decommissioning Exchange can have unintended consequences. Before decommissioning your on-premises
Exchange organization, we recommend that you contact Microsoft Support.
See also
What you need to know about a staged email migration to Office 365
Ways to migrate email to Office 365
Convert Exchange 2007 mailboxes to mail-enabled users
3/29/2019 • 7 minutes to read
After you have completed a staged migration, convert the mailboxes to mail-enabled users so that the mailboxes
can automatically connect to the cloud mailbox.
Param($migrationCSVFileName = "migration.csv")
function O365Logon
{
#Check for current open O365 sessions and allow the admin to either use the existing session or create a new one
$session = Get-PSSession | ?{$_.ConfigurationName -eq 'Microsoft.Exchange'}
if($session -ne $null)
{
$a = Read-Host "An open session to Office 365 already exists. Do you want to use this session? Enter y to use the open session, anything else to close and open a fresh session."
if($a.ToLower() -eq 'y')
{
Write-Host "Using existing Office 365 Powershell Session." -ForeGroundColor Green
return
}
$session | Remove-PSSession
}
Write-Host "Please enter your Office 365 credentials" -ForeGroundColor Green
$cred = Get-Credential
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
$importresults = Import-PSSession -Prefix "Cloud" $s
}
function Main
{
#Verify the migration CSV file exists
if(!(Test-Path $migrationCSVFileName))
{
Write-Host "File $migrationCSVFileName does not exist." -ForegroundColor Red
Exit
}
The following script converts on-premises Exchange 2007 mailboxes to MEUs. Run this script after you have run
the script to collect information from the cloud mailboxes.
Copy the script below to a .txt file and then save the file as Exchange2007MBtoMEU.ps1.
param($DomainController = [String]::Empty)
function Main
{
#Script Logic flow
#1. Pull User Info from cloud.csv file in the current directory
#2. Lookup AD Info (DN, mail, proxyAddresses, and legacyExchangeDN) using the SMTP address from the CSV file
#3. Save existing proxyAddresses
#4. Add existing legacyExchangeDN's to proxyAddresses
#5. Delete Mailbox
#6. Mail-Enable the user using the cloud email address as the targetAddress
#7. Disable RUS processing
#8. Add proxyAddresses and mail attribute back to the object
#9. Add msExchMailboxGUID from cloud.csv to the user object (for offboarding support)
#Check existing proxies for On-Premise and Cloud Legacy DN's as x500 proxies. If not present add them.
$CloudLegacyDNPresent = $false
$LegacyDNPresent = $false
foreach($Proxy in $UserInfo.ProxyAddresses)
{
#Use $() so the property value is expanded inside the string, not the object followed by literal text
if(("x500:$($UserInfo.CloudLegacyDN)") -ieq $Proxy)
{
$CloudLegacyDNPresent = $true
}
if(("x500:$($UserInfo.LegacyDN)") -ieq $Proxy)
{
$LegacyDNPresent = $true
}
}
if(-not $CloudLegacyDNPresent)
{
$X500Proxy = "x500:" + $UserInfo.CloudLegacyDN
Write-Host "Adding $X500Proxy to EmailAddresses" -ForegroundColor Green
$UserInfo.ProxyAddresses += $X500Proxy
}
if(-not $LegacyDNPresent)
{
$X500Proxy = "x500:" + $UserInfo.LegacyDN
Write-Host "Adding $X500Proxy to EmailAddresses" -ForegroundColor Green
$UserInfo.ProxyAddresses += $X500Proxy
}
#Disable Mailbox
Write-Host "Disabling Mailbox" -ForegroundColor Green
Disable-Mailbox -Identity $UserInfo.OnPremiseEmailAddress -DomainController $DomainController -Confirm:$false
#Mail Enable
Write-Host "Enabling Mailbox" -ForegroundColor Green
Enable-MailUser -Identity $UserInfo.Identity -ExternalEmailAddress $UserInfo.CloudEmailAddress -DomainController $DomainController
#Disable RUS
Write-Host "Disabling RUS" -ForegroundColor Green
Set-MailUser -Identity $UserInfo.Identity -EmailAddressPolicyEnabled $false -DomainController $DomainController
#Set Mailbox GUID. Need to do this via S.DS as Set-MailUser doesn't expose this property.
$ADPath = "LDAP://" + $DomainController + "/" + $UserInfo.DistinguishedName
$ADUser = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ADPath
$MailboxGUID = New-Object -TypeName System.Guid -ArgumentList $UserInfo.MailboxGUID
[Void]$ADUser.psbase.invokeset('msExchMailboxGUID',$MailboxGUID.ToByteArray())
Write-Host "Setting Mailbox GUID" $UserInfo.MailboxGUID -ForegroundColor Green
$ADUser.psbase.CommitChanges()
$UserInfo
}
Main
.\ExportO365UserInfo.ps1
You will be prompted to use the existing session or open a new session.
For example:
.\Exchange2007MBtoMEU.ps1 DC1.contoso.com
The script converts on-premises mailboxes to MEUs for all users included in the Cloud.csv.
7. Verify that the new MEUs have been created. In Active Directory Users and Computers, do the following:
8. Click Action > Find
9. Click the Exchange tab
10. Select Show only Exchange recipients, and then select Users with external email address.
11. Click Find Now.
The mailboxes that were converted to MEUs are listed under Search results.
12. Use Active Directory Users and Computers, ADSI Edit, or Ldp.exe to verify that the following MEU
properties are populated with the correct information.
legacyExchangeDN
mail
msExchMailboxGuid
proxyAddresses
targetAddress
Convert Exchange 2003 mailboxes to mail-enabled users
3/29/2019 • 13 minutes to read
After you have completed a staged migration, convert the mailboxes to mail-enabled users so that the mailboxes
can automatically connect to the cloud mailbox.
Param($migrationCSVFileName = "migration.csv")
function O365Logon
{
#Check for current open O365 sessions and allow the admin to either use the existing session or create a new one
$session = Get-PSSession | ?{$_.ConfigurationName -eq 'Microsoft.Exchange'}
if($session -ne $null)
{
$a = Read-Host "An open session to Office 365 already exists. Do you want to use this session? Enter y to use the open session, anything else to close and open a fresh session."
if($a.ToLower() -eq 'y')
{
Write-Host "Using existing Office 365 Powershell Session." -ForeGroundColor Green
return
}
$session | Remove-PSSession
}
Write-Host "Please enter your Office 365 credentials" -ForeGroundColor Green
$cred = Get-Credential
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
$importresults = Import-PSSession $s
}
function Main
{
#Verify the migration CSV file exists
if(!(Test-Path $migrationCSVFileName))
{
Write-Host "File $migrationCSVFileName does not exist." -ForegroundColor Red
Exit
}
#Import user list from migration.csv file
$MigrationCSV = Import-Csv $migrationCSVFileName
#Get mailbox list based on email addresses from CSV file
$MailBoxList = $MigrationCSV | %{$_.EmailAddress} | Get-Mailbox
$Users = @()
#Get LegacyDN, Tenant, and On-Premise Email addresses for the users
foreach($user in $MailBoxList)
{
$UserInfo = New-Object System.Object
$CloudEmailAddress = $user.EmailAddresses | ?{($_ -match 'onmicrosoft') -and ($_ -cmatch 'smtp:')}
if ($CloudEmailAddress.Count -gt 1)
{
$CloudEmailAddress = $CloudEmailAddress[0].ToString().ToLower().Replace('smtp:', '')
Write-Host "$user returned more than one cloud email address. Using $CloudEmailAddress" -ForegroundColor Yellow
}
else
{
$CloudEmailAddress = $CloudEmailAddress.ToString().ToLower().Replace('smtp:', '')
}
$UserInfo | Add-Member -Type NoteProperty -Name LegacyExchangeDN -Value $user.LegacyExchangeDN
$UserInfo | Add-Member -Type NoteProperty -Name CloudEmailAddress -Value $CloudEmailAddress
$UserInfo | Add-Member -Type NoteProperty -Name OnPremiseEmailAddress -Value $user.PrimarySMTPAddress.ToString()
$Users += $UserInfo
}
#Check for existing csv file and overwrite if needed
if(Test-Path ".\cloud.csv")
{
$delete = Read-Host "The file cloud.csv already exists in the current directory. Do you want to delete it? Enter y to delete, anything else to exit this script."
if($delete.ToString().ToLower() -eq 'y')
{
Write-Host "Deleting existing cloud.csv file" -ForeGroundColor Red
Remove-Item ".\cloud.csv"
}
else
{
Write-Host "Will NOT delete current cloud.csv file. Exiting script." -ForeGroundColor Green
Exit
}
}
$Users | Export-CSV -Path ".\cloud.csv" -notype
(Get-Content ".\cloud.csv") | %{$_ -replace '"', ''} | Set-Content ".\cloud.csv" -Encoding Unicode
Write-Host "CSV File Successfully Exported to cloud.csv" -ForeGroundColor Green
}
O365Logon
Main
The following Visual Basic script converts on-premises Exchange 2003 mailboxes to MEUs. Run this script after
you have run the script to collect information from the cloud mailboxes.
Copy the script below to a .txt file and then save the file as Exchange2003MBtoMEU.vbs.
'Globals/Constants
Const ADS_PROPERTY_APPEND = 3
Dim UserDN
Dim remoteSMTPAddress
Dim remoteLegacyDN
Dim domainController
Dim csvMode
csvMode = FALSE
Dim csvFileName
Dim lastADLookupFailed
Class UserInfo
public OnPremiseEmailAddress
public CloudEmailAddress
public CloudLegacyDN
public LegacyDN
public ProxyAddresses
public Mail
public MailboxGUID
public DistinguishedName
Public Sub Class_Initialize()
Set ProxyAddresses = CreateObject("Scripting.Dictionary")
End Sub
End Class
'Command Line Parameters
If WScript.Arguments.Count = 0 Then
'No parameters passed
WScript.Echo("No parameters were passed.")
ShowHelp()
ElseIf StrComp(WScript.Arguments(0), "-c", vbTextCompare) = 0 And WScript.Arguments.Count = 2 Then
WScript.Echo("Missing DC Name.")
ShowHelp()
ElseIf StrComp(WScript.Arguments(0), "-c", vbTextCompare) = 0 Then
'CSV Mode
csvFileName = WScript.Arguments(1)
domainController = WScript.Arguments(2)
csvMode = TRUE
WScript.Echo("CSV mode detected. Filename: " & WScript.Arguments(1) & vbCrLf)
ElseIf wscript.Arguments.Count <> 4 Then
'Invalid Arguments
WScript.Echo WScript.Arguments.Count
Call ShowHelp()
Else
'Manual Mode
UserDN = wscript.Arguments(0)
remoteSMTPAddress = wscript.Arguments(1)
remoteLegacyDN = wscript.Arguments(2)
domainController = wscript.Arguments(3)
End If
Main()
'Main entry point
Sub Main
'Check for CSV Mode
If csvMode = TRUE Then
UserInfoArray = GetUserInfoFromCSVFile()
Else
WScript.Echo "Manual Mode Detected" & vbCrLf
Set info = New UserInfo
info.CloudEmailAddress = remoteSMTPAddress
info.DistinguishedName = UserDN
info.CloudLegacyDN = remoteLegacyDN
ProcessSingleUser(info)
End If
End Sub
'Process a single user (manual mode)
Sub ProcessSingleUser(ByRef UserInfo)
userADSIPath = "LDAP://" & domainController & "/" & UserInfo.DistinguishedName
WScript.Echo "Processing user " & userADSIPath
Set MyUser = GetObject(userADSIPath)
proxyCounter = 1
For Each address in MyUser.Get("proxyAddresses")
UserInfo.ProxyAddresses.Add proxyCounter, address
proxyCounter = proxyCounter + 1
Next
UserInfo.OnPremiseEmailAddress = GetPrimarySMTPAddress(UserInfo.ProxyAddresses)
UserInfo.Mail = MyUser.Get("mail")
UserInfo.MailboxGUID = MyUser.Get("msExchMailboxGUID")
UserInfo.LegacyDN = MyUser.Get("legacyExchangeDN")
ProcessMailbox(UserInfo)
End Sub
'Populate user info from CSV data
Function GetUserInfoFromCSVFile()
CSVInfo = ReadCSVFile()
For i = 0 To (UBound(CSVInfo)-1)
lastADLookupFailed = false
Set info = New UserInfo
info.CloudLegacyDN = Split(CSVInfo(i+1), ",")(0)
info.CloudEmailAddress = Split(CSVInfo(i+1), ",")(1)
info.OnPremiseEmailAddress = Split(CSVInfo(i+1), ",")(2)
WScript.Echo "Processing user " & info.OnPremiseEmailAddress
WScript.Echo "Calling LookupADInformationFromSMTPAddress"
LookupADInformationFromSMTPAddress(info)
If lastADLookupFailed = false Then
WScript.Echo "Calling ProcessMailbox"
ProcessMailbox(info)
End If
set info = nothing
Next
End Function
'Populate user info from AD
Sub LookupADInformationFromSMTPAddress(ByRef info)
'Lookup the rest of the info in AD using the SMTP address
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomain = objRootDSE.Get("DefaultNamingContext")
Set objRootDSE = nothing
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
BaseDN = "<LDAP://" & domainController & "/" & strDomain & ">"
adFilter = "(&(proxyAddresses=SMTP:" & info.OnPremiseEmailAddress & "))"
Attributes = "distinguishedName,msExchMailboxGUID,mail,proxyAddresses,legacyExchangeDN"
Query = BaseDN & ";" & adFilter & ";" & Attributes & ";subtree"
objCommand.CommandText = Query
Set objCommand.ActiveConnection = objConnection
On Error Resume Next
Set objRecordSet = objCommand.Execute
'Handle any errors that result from the query
If Err.Number <> 0 Then
WScript.Echo "Error encountered on query " & Query & ". Skipping user."
lastADLookupFailed = true
Exit Sub
End If
'Handle zero or ambiguous search results
If objRecordSet.RecordCount = 0 Then
WScript.Echo "No users found for address " & info.OnPremiseEmailAddress
lastADLookupFailed = true
Exit Sub
ElseIf objRecordSet.RecordCount > 1 Then
WScript.Echo "Ambiguous search results for email address " & info.OnPremiseEmailAddress
lastADLookupFailed = true
Exit Sub
ElseIf Not objRecordSet.EOF Then
info.LegacyDN = objRecordSet.Fields("legacyExchangeDN").Value
info.Mail = objRecordSet.Fields("mail").Value
info.MailboxGUID = objRecordSet.Fields("msExchMailboxGUID").Value
proxyCounter = 1
For Each address in objRecordSet.Fields("proxyAddresses").Value
info.ProxyAddresses.Add proxyCounter, address
proxyCounter = proxyCounter + 1
Next
info.DistinguishedName = objRecordSet.Fields("distinguishedName").Value
objRecordSet.MoveNext
End If
Set objConnection = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing
On Error Goto 0
End Sub
'Populate data from the CSV file
Function ReadCSVFile()
'Open file
Set objFS = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFS.OpenTextFile(csvFileName, 1, false, -1)
'Loop through each line, putting each line of the CSV file into an array to be returned to the caller
counter = 0
Dim CSVArray()
Do While NOT objTextFile.AtEndOfStream
ReDim Preserve CSVArray(counter)
CSVArray(counter) = objTextFile.ReadLine
counter = counter + 1
Loop
'Close and return
objTextFile.Close
Set objTextFile = nothing
Set objFS = nothing
ReadCSVFile = CSVArray
End Function
'Process the migration
Sub ProcessMailbox(User)
'Get user properties
userADSIPath = "LDAP://" & domainController & "/" & User.DistinguishedName
Set MyUser = GetObject(userADSIPath)
'Add x.500 address to list of existing proxies
existingLegDnFound = FALSE
newLegDnFound = FALSE
'Loop through each address in User.ProxyAddresses
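For i = 1 To User.ProxyAddresses.Count
'Read the current proxy address; the comparisons below test this value
address = User.ProxyAddresses(i)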
If StrComp(address, "x500:" & User.LegacyDN, vbTextCompare) = 0 Then
WScript.Echo "x500 proxy " & User.LegacyDN & " already exists"
existingLegDNFound = true
End If
If StrComp(address, "x500:" & User.CloudLegacyDN, vbTextCompare) = 0 Then
WScript.Echo "x500 proxy " & User.CloudLegacyDN & " already exists"
newLegDnFound = true
End If
Next
'Add existing leg DN to proxy list
If existingLegDnFound = FALSE Then
WScript.Echo "Adding existing legacy DN " & User.LegacyDN & " to proxy addresses"
User.ProxyAddresses.Add (User.ProxyAddresses.Count+1),("x500:" & User.LegacyDN)
End If
'Add new leg DN to proxy list
If newLegDnFound = FALSE Then
'Add new leg DN to proxy addresses
WScript.Echo "Adding new legacy DN " & User.CloudLegacyDN & " to existing proxy addresses"
User.ProxyAddresses.Add (User.ProxyAddresses.Count+1),("x500:" & User.CloudLegacyDN)
End If
'Dump out new list of addresses
WScript.Echo "Original proxy addresses updated count: " & User.ProxyAddresses.Count
For i = 1 to User.ProxyAddresses.Count
WScript.Echo " proxyAddress " & i & ": " & User.ProxyAddresses(i)
Next
'Delete the Mailbox
WScript.Echo "Opening " & userADSIPath & " as CDOEXM::IMailboxStore object"
Set Mailbox = MyUser
Wscript.Echo "Deleting Mailbox"
On Error Resume Next
Mailbox.DeleteMailbox
'Handle any errors deleting the mailbox
If Err.Number <> 0 Then
WScript.Echo "Error " & Err.number & ". Skipping User." & vbCrLf & "Description: " & Err.Description & vbCrLf
Exit Sub
End If
On Error Goto 0
'Save and continue
WScript.Echo "Saving Changes"
MyUser.SetInfo
WScript.Echo "Refreshing ADSI Cache"
MyUser.GetInfo
Set Mailbox = nothing
'Mail Enable the User
WScript.Echo "Opening " & userADSIPath & " as CDOEXM::IMailRecipient"
Set MailUser = MyUser
WScript.Echo "Mail Enabling user using targetAddress " & User.CloudEmailAddress
MailUser.MailEnable User.CloudEmailAddress
WScript.Echo "Disabling Recipient Update Service for user"
MyUser.PutEx ADS_PROPERTY_APPEND, "msExchPoliciesExcluded", Array("{26491CFC-9E50-4857-861B-0CB8DF22B5D7}")
WScript.Echo "Saving Changes"
MyUser.SetInfo
WScript.Echo "Refreshing ADSI Cache"
MyUser.GetInfo
'Add Legacy DN back on to the user
WScript.Echo "Writing legacyExchangeDN as " & User.LegacyDN
MyUser.Put "legacyExchangeDN", User.LegacyDN
'Add old proxies list back on to the MEU
WScript.Echo "Writing proxyAddresses back to the user"
For j=1 To User.ProxyAddresses.Count
MyUser.PutEx ADS_PROPERTY_APPEND, "proxyAddresses", Array(User.ProxyAddresses(j))
MyUser.SetInfo
MyUser.GetInfo
Next
'Add mail attribute back on to the MEU
WScript.Echo "Writing mail attribute as " & User.Mail
MyUser.Put "mail", User.Mail
'Add msExchMailboxGUID back on to the MEU
WScript.Echo "Converting mailbox GUID to writable format"
Dim mbxGUIDByteArray
Call ConvertHexStringToByteArray(OctetToHexString(User.MailboxGUID), mbxGUIDByteArray)
WScript.Echo "Writing property msExchMailboxGUID to user object with value " & OctetToHexString(User.MailboxGUID)
MyUser.Put "msExchMailboxGUID", mbxGUIDByteArray
WScript.Echo "Saving Changes"
MyUser.SetInfo
WScript.Echo "Migration Complete!" & vbCrLf
End Sub
'Returns the primary SMTP address of a user
Function GetPrimarySMTPAddress(Addresses)
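'Addresses is a Scripting.Dictionary; enumerate its items, because For Each on the dictionary itself yields the keys
For Each address in Addresses.Items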
If Left(address, 4) = "SMTP" Then GetPrimarySMTPAddress = address
Next
End Function
'Converts Hex string to byte array for writing to AD
Sub ConvertHexStringToByteArray(ByVal strHexString, ByRef pByteArray)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set Stream = CreateObject("ADODB.Stream")
Temp = FSO.GetTempName()
Set TS = FSO.CreateTextFile(Temp)
For i = 1 To (Len (strHexString) -1) Step 2
TS.Write Chr("&h" & Mid (strHexString, i, 2))
Next
TS.Close
Stream.Type = 1
Stream.Open
Stream.LoadFromFile Temp
pByteArray = Stream.Read
Stream.Close
FSO.DeleteFile Temp
Set Stream = nothing
Set FSO = Nothing
End Sub
'Converts raw bytes from AD GUID to readable string
Function OctetToHexString (arrbytOctet)
OctetToHexString = ""
For k = 1 To Lenb (arrbytOctet)
OctetToHexString = OctetToHexString & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function
Sub ShowHelp()
WScript.Echo("This script runs in two modes, CSV Mode and Manual Mode." & vbCrLf & "CSV Mode allows you to specify a CSV file from which to pull usernames." & vbCrLf & "Manual mode allows you to run the script against a single user.")
WSCript.Echo("Both modes require you to specify the name of a DC to use in the local domain." & vbCrLf & "To run the script in CSV Mode, use the following syntax:")
WScript.Echo(" cscript Exchange2003MBtoMEU.vbs -c x:\csv\csvfilename.csv dc.domain.com")
WScript.Echo("To run the script in Manual Mode, you must specify the users AD Distinguished Name, Remote SMTP Address, Remote Legacy Exchange DN, and Domain Controller Name.")
WSCript.Echo(" cscript Exchange2003MBtoMEU.vbs " & chr(34) & "CN=UserName,CN=Users,DC=domain,DC=com" & chr(34) & " " & chr(34) & "user@cloudaddress.com" & chr(34) & " " & chr(34) & "/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=CloudUser" & chr(34) & " dc.domain.com")
WScript.Quit
End Sub
IMPORTANT
To enable off-boarding from Office 365 to Exchange 2003, you have to replace the value of
msExchMailboxGuid on the MEU with the Guid from the cloud-based mailbox. To obtain the Guids for the
mailboxes in your cloud organization and save them to a CSV file, run the following PowerShell command:
This command extracts the primary SMTP address and Guid for all cloud mailboxes into the guid.csv
file, and then saves this file to the current directory.
Instead of using the input CSV file to convert a batch of mailboxes, you can run the Exchange2003MBtoMEU.vbs
script in manual mode to convert one mailbox at a time. To do this, you will need to provide the following input
parameters:
The distinguished name (DN) of the on-premises mailbox.
The primary SMTP address of the cloud mailbox.
The Exchange Legacy DN for the cloud mailbox.
A domain controller name in your Exchange 2003 organization.
For example:
.\ExportO365UserInfo.ps1 .\MigrationBatch1.csv
This example assumes that the script and input CSV file are located in the same directory.
2. Copy Exchange2003MBtoMEU.vbs and Cloud.csv to the same directory in your on-premises organization.
3. In your on-premises organization, run the following command:
For example:
cscript Exchange2003MBtoMEU.vbs -c .\Cloud.csv DC1.contoso.com
To run the script in manual mode, enter the following command. Use spaces between each value.
cscript Exchange2003MBtoMEU.vbs "<DN of on-premises mailbox>" "<Primary SMTP of cloud mailbox>" "<ExchangeLegacyDN of cloud mailbox>" <FQDN of on-premises domain controller>
For example:
4. Verify that the new MEUs have been created. In Active Directory Users and Computers, do the following:
a. Click Action > Find.
b. Click the Exchange tab.
c. Select Show only Exchange recipients, and then select Users with external email address.
d. Click Find Now.
The mailboxes that were converted to MEUs are listed under **Search results**.
5. Use Active Directory Users and Computers, ADSI Edit, or Ldp.exe to verify that the following MEU properties
are populated with the correct information.
legacyExchangeDN
mail
msExchMailboxGuid*
proxyAddresses
targetAddress
* As previously explained, the Exchange2003MBtoMEU.vbs script retains the msExchMailboxGuid value
from the on-premises mailbox. To enable off-boarding from Office 365 to Exchange 2003, you have to
replace the value for the msExchMailboxGuid property on the MEU with the Guid from the cloud-based
mailbox.
What you need to know about migrating your IMAP mailboxes to Office 365
3/29/2019
You can migrate the contents of user mailboxes from your source email system to Office 365. Use the Internet
Message Access Protocol (IMAP) to migrate email when:
Your source email system supports IMAP.
If this option won't work for you, see Ways to migrate email to Office 365 for other options.
For Windows PowerShell steps, see Use PowerShell to perform an IMAP migration to Office 365.
Things to consider
Here are a few limitations to be aware of:
You can only migrate items in a user's inbox or other mail folders. This type of migration doesn't migrate
contacts, calendar items, or tasks.
You can migrate a maximum of 500,000 items from a user's mailbox (emails are migrated from newest to
oldest).
The biggest email you can migrate is 35 MB.
If you limited the connections to your source email system, it's a good idea to increase them to improve
migration performance. Common connection limits include client/server total connections, per-user
connections, and IP address connections on either the server or the firewall.
Ready to start?
To finish an email migration successfully, it's a good idea to be comfortable doing these tasks:
You create a list of mailboxes to migrate in Excel. You add your users' email addresses, usernames, and
passwords to this file.
You use step-by-step wizards in Office 365 to configure and start the migration process.
After the mail has been migrated, you change your organization's MX record to point to Office 365.
Your MX record is how other mail systems find the location of your email
system. Changing your MX record allows other mail systems to begin to send email directly to the new
mailboxes in Office 365. To learn how to update your MX record, see Create DNS records at any DNS
hosting provider for Office 365.
If you're comfortable with what's involved in migrating mailboxes to Office 365, you're ready to get started. The
first step is to determine which source email system you're migrating from:
Gmail
This procedure uses the Exchange admin center steps for an IMAP migration.
Some other IMAP enabled email system
This procedure uses the Exchange admin center steps for an IMAP migration.
IMAP migration in the Admin center
Use PowerShell to perform an IMAP migration to Office 365
See also
Tips for optimizing IMAP migrations
Learn more about setting up your IMAP server connection
Migrate G Suite mailboxes to Office 365
3/6/2019
Migrate your IMAP mailboxes to Office 365 gives you an overview of the migration process. Read it first and
when you're familiar with the contents of that article, return to this topic to learn how to migrate mailboxes from G
Suite (formerly known as Google Apps) Gmail to Office 365. You must be a global admin in Office 365 to
complete IMAP migration steps.
Looking for Windows PowerShell commands? See Use PowerShell to perform an IMAP migration to Office 365.
Want to migrate other types of IMAP mailboxes? See Migrate other types of IMAP mailboxes to Office 365.
Migration from G Suite mailboxes using the Office 365 admin center
You can use the setup wizard in the Office 365 admin center for an IMAP migration. See IMAP migration in the
Office 365 admin center for instructions.
IMPORTANT: IMAP migration will only migrate emails, not calendar and contact information. Users can import
their own email, contacts, and other mailbox information to Office 365. See Migrate email and contacts to Office
365 to learn how.
Before Office 365 can connect to Gmail or G Suite, all the account owners need to create an app password to
access their account. This is because Google considers Outlook to be a less secure app and will not allow a
connection to it with a password alone. For instructions, see Prepare your G Suite account for connecting to
Outlook and Office 365. You'll also need to make sure your G Suite users can turn on 2-step verification.
Gmail Migration tasks
The following list contains the migration tasks given in the order in which you should complete them.
Step 1: Verify you own your domain
In this task, you'll first verify to Office 365 that you own the domain you used for your G Suite accounts.
NOTE
Another option is to use the <your company name>.onmicrosoft.com domain that is included with your Office 365
subscription instead of using your own custom domain. In that case, you can just add users as described in Add users
individually or in bulk to Office 365 - Admin Help and omit this task. Most people, however, prefer to use their own domain.
Domain verification is a task you go through as you set up Office 365. During setup, the Office 365 setup
wizard provides you with a TXT record that you add at your domain host provider. See Add a domain to Office 365
for the steps to complete in the Office 365 admin center, and choose a domain registrar from the following two
options to see how to add the TXT record at your DNS host provider.
Your current DNS host provider is Google: If you purchased your domain from Google and they are the
DNS hosting provider, follow these instructions: Create DNS records when your domain is managed by
Google (Go Daddy).
You purchased your domain from another domain registrar: If you purchased your domain from a
different company, we provide instructions for many popular domain hosting providers.
Step 2: Add users to Office 365
You can add your users either one at a time, or several users at a time. When you add users you also add licenses
to them. Each user has to have a mailbox on Office 365 before you can migrate email to it. Each user also needs a
license that includes an Exchange Online plan to use his or her mailbox.
IMPORTANT
At this point you have verified that you own the domain and created your G Suite users and mailboxes in Office 365 with
your custom domain. Close the wizard at this step. Do not proceed to Set up domain, until your Gmail mailboxes are
migrated to Office 365. You'll finish the setup steps in task 7, Step 6: Update your DNS records to route Gmail directly to
Office 365.
3. Select each user to identify each user's email address. Write down the address.
4. Sign in to the Office 365 admin center, and go to Users > Active users. Keep an eye on the username
column. You'll use this information in a minute. Keep the Office 365 admin center window open, too.
5. Start Excel.
6. Use the following screenshot as a template to create the migration file in Excel. Start with the headings in
row 1. Make sure they match the picture exactly and don't contain spaces. The exact heading names are:
EmailAddress in cell A1.
UserName in cell B1.
Password in cell C1.
7. Next enter the email address, username, and app password for each mailbox you want to migrate. Enter one
mailbox per row.
Column A is the email address of the Office 365 mailbox. This is what's shown in the username column in
Users > Active users in the Office 365 admin center.
Column B is the sign-in name for the user's Gmail mailbox—for example, alberta@contoso.com.
Column C is the app password for the user's Gmail mailbox. Creating the app password is described in
Migration from G Suite mailboxes using the Office 365 admin center.
8. Save the file as a CSV file type, and then close Excel.
TIP
It's a good idea to create a test migration batch with a small number of mailboxes to first test the process. Use migration
files with the same number of rows, and run the batches at similar times during the day. Then compare the total running
time for each test batch. This helps you estimate how long it could take to migrate all your mailboxes, how large each
migration batch should be, and how many simultaneous connections to the source email system you should use to balance
migration speed and internet bandwidth.
1. In the Office 365 admin center, navigate to Admin centers > Exchange.
7. Click Next.
8. On the Set the migration endpoint page, select the migration endpoint that you created in the previous
step, and click Next.
9. On the IMAP migration configuration page, accept the default values, and click Next.
10. On the Move configuration page, type the name (no spaces or special characters) of the migration batch
in the box—for example, Test5-migration. The default migration batch name that's displayed is the name of
the migration file that you specified. The migration batch name is displayed in the list on the migration
dashboard after you create the migration batch.
You can also enter the names of the folders you want to exclude from migration. For example, Shared, Junk
Email, and Deleted. Click Add to add them to the excluded list. You can also click Edit to change a
folder name and Delete to delete the folder name.
NOTE
If you have large user mailboxes and the status shows Syncing for a long time, you may be experiencing bandwidth limits
set by Google. For more information, see Bandwidth limits and Sync limits. You can try to unlock the Gmail user or use
an alternative method to migrate the users. For more information, see Use network upload to import your organization PST
files to Office 365 and Third-party tools for Office 365 migrations.
4. For each DNS record type that you need to add, choose What do I fix?, and follow the instructions to add
the records for Office 365 services.
5. After you've added all the records, you'll see a message that your domain is set up correctly: Contoso.com
is set up correctly. No action is required.
It can take up to 72 hours for the email systems of your customers and partners to recognize the changed MX
record. Wait at least 72 hours before you proceed to stopping synchronization with Gmail.
Step 7: Stop synchronization with Gmail
During the last task, you updated the MX record for your domain. Now it's time to verify that all email is being
routed to Office 365. After verification, you can delete the migration batch and stop the synchronization between
Gmail and Office 365. Before you take this step:
Make sure that your users are using Office 365 exclusively for email. After you delete the migration batch,
email that is sent to Gmail mailboxes isn't copied to Office 365. This means your users can't get that email,
so make sure that all users are on the new system.
Let the migration batch run for at least 72 hours before you delete it. This makes the following two things
more likely:
Your Gmail mailboxes and Office 365 mailboxes have synchronized at least once (they synchronize
once a day).
The email systems of your customers and partners have recognized the changes to your MX records
and are now properly sending email to your Office 365 mailboxes.
When you delete the migration batch, the migration service cleans up any records related to the migration batch
and removes it from the migration dashboard.
Delete a migration batch
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch, and then click Delete.
How do you know this worked?
In the Exchange admin center, navigate to Recipients > Migration. Verify that the migration batch no longer
is listed on the migration dashboard.
Step 8: Users migrate their calendar and contacts
After you migrate their email, users can import their Gmail calendar and contacts to Outlook:
Import contacts to Outlook
Import Google Calendar to Outlook
Related Topics
IMAP migration in the Office 365 admin center
Migrate your IMAP mailboxes to Office 365
Ways to migrate email to Office 365
Tips for optimizing IMAP migrations
Migrate other types of IMAP mailboxes to Office 365
3/6/2019
As part of the process of deploying Office 365, you can choose to migrate the contents of user mailboxes from an
Internet Mail Access Protocol (IMAP) email service to Office 365.
Looking for Windows PowerShell commands for general IMAP migrations? See Use PowerShell to perform an
IMAP migration to Office 365.
Here are the tasks to do when you're ready to get started with migrating your IMAP mailboxes.
Step 1: Find the full name of your current email server
Office 365 needs the name of the source email system, sometimes referred to as a server, from which you want to
migrate mailboxes. There are many ways to get the name of your email system. The easiest way is by using an
email client that's connected to your email system. In this task, we describe how to get the name of the system by
using Outlook Web App. If your email client isn't described here, contact support for your source email system.
Get the name of your source email system using Outlook Web App
1. In Outlook Web App, on the toolbar click Settings > Options > Mail > Accounts > POP and IMAP.
Below your account information, you'll see a link that says Settings for POP and IMAP access. Your
IMAP server's name is listed under IMAP setting.
See Use POP or IMAP to connect to Office 365 for business or Microsoft Exchange accounts for more
information on IMAP connections in Office 365.
Step 2: Create the list of mailboxes to migrate
The steps followed to create the list of mailboxes to migrate depend on how you access the mailboxes. You need
access to user mailboxes before you can migrate them to Office 365. Here are two ways in which you can gain
access to the mailboxes:
You either know the passwords to each user's mailbox, or you reset the passwords to new passwords that
you do know. Follow the steps in Create the list of user mailboxes when you know the user passwords, or
you'll reset the passwords.
Your source email system lets you use mailbox admin credentials to access user mailboxes, which means
you don't need to know the passwords or reset them. Follow the steps in Create a list of user mailboxes
using admin credentials to access them to learn how to access user mailboxes.
Create the list of user mailboxes when you know the user passwords, or you'll reset the passwords
For this task, you create a migration file that contains a list of mailboxes to migrate to Office 365. We use Excel in
the instructions because it's the easiest way to create the migration file. You can use Excel 2013, Excel 2010, or
Excel 2007.
When you create the migration file, you must know the password of each mailbox to be migrated. We're
assuming you don't know user passwords, so you'll probably need to assign temporary passwords (by resetting
the passwords) to all mailboxes during the migration.
You don't have to migrate all mailboxes at once. You can do them in batches at your convenience. You can include
up to 50,000 mailboxes (one row for each user) in your migration file, which can be as large as 10 MB.
For more information, see CSV files for IMAP migration batches.
1. Go to your source email system (the one you're migrating from), and navigate to the list of mailboxes you
want to migrate.
We'd give you the exact steps if we could, but there are so many different email systems out there that you
need to find this out on your own. When you find the list of mailboxes, keep this window open.
2. Go to the Office 365 admin center.
3. Navigate to Users > Active users. Keep an eye on the username column. You'll use this information in a
minute. Keep the Office 365 admin center open, too.
4. Start Excel.
5. Use the following screenshot as a template to create the migration file in Excel. Start with the headings in
row 1. Make sure they match the picture exactly and don't contain spaces. The exact heading names are:
EmailAddress in cell A1.
UserName in cell B1.
Password in cell C1.
6. Next, enter the email address, username, and password for each mailbox you want to migrate. Enter one
mailbox per row:
Column A is the email address of the Office 365 mailbox. This is what is shown in the username column
under Users > Active users in the Office 365 admin center.
Column B is the sign-in name—for example, alberta, or often, alberta@contoso.com—for the user's
mailbox on the source email system.
NOTE
A lot of email systems use the entire email address as the sign-in name. Note also, if you are using the same domain
in Office 365 and your source email system, the columns A and B can be identical.
If you don't know the users' passwords, you'll need to reset them to passwords that you do know, and then
enter those passwords in the migration file. This is inconvenient for users, but there's no way around this
unless your source email system supports using superuser credentials.
If you want users to have access to the source email system, you can distribute new passwords to the
source email system after the migration is finished. We'll deal with getting the new passwords distributed
after the migration is finished.
7. Reset the passwords, and note the new passwords in your migration file. The exact steps will depend on
your source email system. You can probably find the option to reset a password when you view the user's
email account.
8. Save the file as a CSV file type, and close Excel.
4. Start Excel.
5. Use the following screenshot as a template to create the migration file in Excel. Start with the headings in
row 1. Make sure they match the screenshot exactly and don't contain spaces. The exact heading names
are:
EmailAddress in cell A1.
UserName in cell B1.
Password in cell C1.
6. Next, enter the email address, username, and password for each mailbox you want to migrate. Enter one
mailbox per row.
Column A is the email address of the user's Office 365 mailbox. This is what's shown in the username
column under Users > Active users in the Office 365 admin center.
Column B is the combination of the mailbox admin name and username that's specific to your source
email system. See Format mailbox admin credentials for different IMAP servers for formatting
instructions.
Column C is the password for the mailbox admin account.
7. Save the file as a CSV file type, and then close Excel.
In the migration file, each cell in the UserName column consists of two combined names: the username of the
person whose email is being migrated, and the username of the mailbox admin account. The supported format
for mailbox admin credentials is different depending on your source email system. Here are the formats for
several types of source email systems.
Microsoft Exchange
If you're migrating email from the IMAP implementation for Exchange, use the format
Domain/Admin_UserName/User_UserName for the UserName attribute in the migration file. Let's say
you're migrating email from Exchange for Alberta Greene, Bobby Overby, Irwin Hume, Katrina Hernandez, and
Mathew Slattery. You have a mailbox admin account, where the username is mailadmin and the password is
**P@ssw0rd**. Here's what your migration file would look like:
Dovecot
For source email systems that support Simple Authentication and Security Layer (SASL), such as a Dovecot IMAP
server, use the format User_UserName*Admin_UserName. Let's say you're migrating email from a Dovecot
IMAP server using the mailbox admin credentials mailadmin and **P@ssw0rd**. Here's what your migration
file would look like:
Mirapoint
If you're migrating email from Mirapoint Message Server, use the format
**#user@domain#Admin_UserName#**. Let's say you're migrating email using the mailbox admin credentials
mailadmin and **P@ssw0rd**. Here's what your migration file would look like:
TIP
We recommend that you create a test migration batch with a small number of mailboxes to first test the process. Use
migration files with the same number of rows, and run the batches at similar times during the day. Then compare the total
running time for each test batch. This comparison helps you estimate how long it could take to migrate all your mailboxes,
how large each migration batch should be, and how many simultaneous connections to the source email system you should
use to balance migration speed and internet bandwidth.
6. Click Next.
7. On the IMAP migration configuration page, click Next.
8. On this page, select the migration endpoint that you created in Step 3: Connect Office 365 to your email
system.
9. On the Move configuration page, type the name (no spaces or special characters) of the migration batch,
for example, Test5-migration, and then click Next.
The default migration batch name that's displayed is the name of the migration file that you specified. The
migration batch name is displayed in the list on the migration dashboard after you create the migration
batch.
You can also optionally enter the names of the folders you want to exclude from migrating, for example
Shared, Junk Email, and Deleted. Click New to add them to the excluded list. You can also click Edit to
change a folder name and Delete to delete a folder name.
IMPORTANT
If you're migrating email from Microsoft Exchange Server, we recommend that you exclude public folders from the
migration. If you don't, the contents of the public folders are copied to the Office 365 mailbox of every user in the
migration file.
See also
Migrate your IMAP mailboxes to Office 365
Ways to migrate email to Office 365
Tips for optimizing IMAP migrations
IMAP migration in the Office 365 admin center
3/4/2019
After you've added your users to Office 365, you can use Internet Message Access Protocol (IMAP) to migrate
email for those users from their IMAP-enabled email servers.
In the Office 365 admin center, go to Setup > Data migration to start migrating IMAP enabled emails. The
email migrations page is pre-configured for migrations from Gmail, Outlook, Hotmail and Yahoo. You can also
enter your own IMAP server name and connection parameters to migrate from an email service that is not listed.
IMPORTANT
Before you can use an IMAP migration for your users, they must have been first added to your Office 365 tenant. For
instructions, see Add users to Office 365 for business.
Before you migrate, read What you need to know about migrating your IMAP mailboxes to Office 365.
To perform an IMAP migration by using the Exchange admin center (EAC), see Migrate other types of IMAP
mailboxes to Office 365.
To migrate Exchange mail to Office 365, see Use express migration to migrate Exchange mailboxes to Office 365.
IMPORTANT
If you're migrating email from Gmail, you need to ask your users to create an app password you will have to use
instead of their account password. If you're migrating email from Outlook.com or Hotmail.com, you need to
ask your users to set up two-step verification and obtain an app password. You will use their app password instead
of their account password when you establish a connection between Outlook.com or Hotmail.com and Office 365.
After you choose a provider, the Select users to start migrating email messages page will list all of your
users with the source email pre-filled in.
IMPORTANT
If you're migrating email from Google Apps where you own the domain, you need to ask your users to create an
app password you will have to use instead of their account password.
3. Click Save to test the connection. Once the connection is verified, the Email Migration Status page will
list all your added users with the email address that you provided.
4. This and the following steps apply for both a listed email provider or "Other":
Check the box next to the users whose email you want to migrate, and then fill in the email alias, and the
password (app password if you are migrating mail from Gmail or Google apps).
5. Choose Start Migration after you have entered the required information.
To migrate your email by using Internet Message Access Protocol (IMAP) migration, Office 365 needs to know the
name and connection settings of your IMAP server.
When you undertake an Internet Message Access Protocol (IMAP) migration from an on-premises Exchange
Server to Office 365, you have a few choices for optimizing the migration performance.
NOTE
If you decide to use user credentials in the CSV file, consider globally changing users' passwords, and then
preventing users from changing their password on their on-premises account before you migrate their mailboxes. If
users change their password before their mailbox is migrated to the cloud-based mailbox, the migration will fail. If
they change their password after the mailbox is migrated, new email sent to their mailbox on the IMAP server won't
be migrated to their Office 365 mailbox.
Don't delete mailboxes or change their SMTP addresses during migration: The migration system
will report an error when it can't find a mailbox that's been migrated. Be sure to complete the migration
and delete the migration batch before you delete or change the SMTP address of an Office 365 or on-
premises mailbox that's been migrated.
Communicate with your users: Let users know ahead of time that you'll be migrating the content of their
on-premises mailboxes to your Office 365 organization. Consider the following:
Tell users that email messages larger than 35 MB won't be migrated. Ask users to save very large
messages and attachments to their local computer or to a removable USB drive.
Ask users to delete old or unnecessary email messages from their on-premises mailboxes before
migration. This helps reduce the amount of data that has to be migrated and can help reduce the
overall migration time. Or you can clean up their mailboxes yourself.
Suggest that users back up their Inboxes.
Tell users which folders won't be migrated, if applicable.
Folders with a forward slash ( / ) in the folder name aren't migrated. If users want to migrate folders
that contain forward slashes in their names, they have to rename the folders or replace the forward
slashes with a different character, such as an underscore character ( _ ) or a dash ( - ).
CSV files for IMAP migration batches
3/4/2019
The comma-separated values (CSV) file that you use to migrate the contents of users' mailboxes in an IMAP
migration contains a row for each user. Each row contains information about the user's Office 365 mailbox and
IMAP mailbox, and Office 365 uses this information to process the migration.
Required attributes
Here are the required attributes for each user:
EmailAddress specifies the user ID for the user's Office 365 mailbox.
UserName specifies the user logon name for the user's mailbox on the IMAP server. You can use either the
username or domain\username format. For example, hollyh or contoso\hollyh.
Password is the password for the user's account in the IMAP messaging system.
The migration will fail if any one of these attributes isn't included in the header row of the CSV file. Also, be sure to
type the attributes exactly as they're shown. Attributes can't contain spaces. They must be a single word. For
example, Email Address is invalid. You must use EmailAddress.
EmailAddress,UserName,Password
terrya@contoso.edu,contoso\terry.adams,1091990
annb@contoso.edu,contoso\ann.beebe,2111991
paulc@contoso.edu,contoso\paul.cannon,3281986
The first row, or header row, of the CSV file lists the names of the attributes, or fields, specified in the rows that
follow. Each attribute name is separated by a comma.
Each row under the header row represents one user and supplies the information that will be used to migrate the
user's mailbox. The attribute values in each row must be in the same order as the attribute names in the header
row. Each attribute value is separated by a comma.
Use any text editor, or an application like Microsoft Excel, to create the CSV file. Save the file as a .csv or .txt file.
TIP
If the CSV file contains non-ASCII or special characters, save the CSV file with UTF-8 or other Unicode encoding. Depending
on the application, saving the CSV file with UTF-8 or other Unicode encoding might be easier when the system locale of the
computer matches the language used in the CSV file.
TIP
One strategy is to create Office 365 mailboxes and migrate email for the same group of users. For example, if you import
100 new users to your Office 365 organization, create a migration batch for those same 100 users. This is an effective way to
organize and manage your migration from an on-premises messaging system to Office 365.
TIP
If you use this option, prevent users from changing the passwords of their on-premises accounts. If users change
their passwords after the initial migration, subsequent synchronizations between the mailboxes on the IMAP server
and Office 365 mailboxes will fail.
Use super-user or administrator credentials: This requires that you use an account in your IMAP
messaging system that has the necessary rights to access all user mailboxes. In the CSV file, you use the
credentials for this account for each row. To learn whether your IMAP server supports this approach and
how to enable it, see the documentation for your IMAP server.
NOTE
It's a good idea to use administrator credentials because it doesn't affect or inconvenience users. For example, it
won't matter if users change their passwords after the initial migration.
NOTE
When you submit a new migration request, the CSV file is uploaded to the Microsoft datacenter over a Secure Sockets Layer
(SSL) connection. The information from the CSV file is encrypted and stored on the Microsoft Exchange servers at the
Microsoft datacenter.
The following sections explain how to format the administrator credentials in the CSV file that you use to migrate
email from different types of IMAP servers.
Microsoft Exchange
If you're migrating email from the IMAP implementation for Microsoft Exchange, use the format
Domain/Admin_UserName/User_UserName for the UserName attribute in the CSV file. Let's say you're
migrating email from Exchange for Terry Adams, Ann Beebe, and Paul Cannon. You have a mail administrator
account, where the username is mailadmin and the password is P@ssw0rd. Here's what your CSV file would look
like:
EmailAddress,UserName,Password
terrya@contoso.edu,contoso-students/mailadmin/terry.adams,P@ssw0rd
annb@contoso.edu,contoso-students/mailadmin/ann.beebe,P@ssw0rd
paulc@contoso.edu,contoso-students/mailadmin/paul.cannon,P@ssw0rd
Dovecot
For IMAP servers that support Simple Authentication and Security Layer (SASL), such as a Dovecot IMAP server,
use the format User_UserName*Admin_UserName, where the asterisk ( * ) is a configurable separator
character. Let's say you're migrating those same users' email from a Dovecot IMAP server using the administrator
credentials mailadmin and P@ssw0rd. Here's what your CSV file would look like:
EmailAddress,UserName,Password
terrya@contoso.edu,terry.adams*mailadmin,P@ssw0rd
annb@contoso.edu,ann.beebe*mailadmin,P@ssw0rd
paulc@contoso.edu,paul.cannon*mailadmin,P@ssw0rd
Mirapoint
If you're migrating email from Mirapoint Message Server, use the format #user@domain#Admin_UserName#
for the administrator credentials. To migrate email from Mirapoint using the administrator credentials mailadmin
and P@ssw0rd, your CSV file would look like this:
EmailAddress,UserName,Password
terrya@contoso.edu,#terry.adams@contoso-students.edu#mailadmin#,P@ssw0rd
annb@contoso.edu,#ann.beebe@contoso-students.edu#mailadmin#,P@ssw0rd
paulc@contoso.edu,#paul.cannon@contoso-students.edu#mailadmin#,P@ssw0rd
EmailAddress,UserName,Password,UserRoot
terrya@contoso.edu,mailadmin,P@ssw0rd,/users/terry.adams
annb@contoso.edu,mailadmin,P@ssw0rd,/users/ann.beebe
paulc@contoso.edu,mailadmin,P@ssw0rd,/users/paul.cannon
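The three administrator UserName formats described above (Exchange, Dovecot, Mirapoint) are easy to get wrong by one separator, so the following added example, which is not part of the original article, builds the UserName value and checks every row of a CSV against the format for the chosen server type. The function names and the password placeholder are assumptions; the formats and sample accounts are the ones shown above.

```powershell
# Added example, not part of the original article. Function names are assumptions;
# the three UserName formats and the sample accounts are the ones shown above.

function Get-ImapAdminUserName {
    # Builds the UserName value for one mailbox.
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Exchange','Dovecot','Mirapoint')][string]$ServerType,
        [Parameter(Mandatory=$true)][string]$AdminUserName,
        [Parameter(Mandatory=$true)][string]$UserName,
        [string]$Domain,            # Exchange: logon domain. Mirapoint: mail domain.
        [string]$Separator = '*'    # Dovecot separator character (configurable on the server)
    )
    switch ($ServerType) {
        'Exchange'  { '{0}/{1}/{2}'   -f $Domain, $AdminUserName, $UserName }
        'Dovecot'   { '{0}{1}{2}'     -f $UserName, $Separator, $AdminUserName }
        'Mirapoint' { '#{0}@{1}#{2}#' -f $UserName, $Domain, $AdminUserName }
    }
}

function Test-ImapMigrationCsv {
    # Parses the CSV lines and reports, per row, whether UserName matches the format
    # for $ServerType and which administrator account it names. Passwords are never output.
    param(
        [Parameter(Mandatory=$true)][string[]]$CsvLines,
        [Parameter(Mandatory=$true)][ValidateSet('Exchange','Dovecot','Mirapoint')][string]$ServerType,
        [string]$Separator = '*'
    )
    $sep = [regex]::Escape($Separator)
    switch ($ServerType) {
        'Exchange'  { $pattern = '^(?<domain>[^/]+)/(?<admin>[^/]+)/(?<user>[^/]+)$' }
        'Dovecot'   { $pattern = '^(?<user>.+?)' + $sep + '(?<admin>.+)$' }
        'Mirapoint' { $pattern = '^#(?<user>[^#@]+@[^#@]+)#(?<admin>[^#]+)#$' }
    }
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $m = [regex]::Match([string]$row.UserName, $pattern)
        New-Object PSObject -Property @{
            EmailAddress = $row.EmailAddress
            FormatOk     = $m.Success
            Admin        = $m.Groups['admin'].Value   # empty when the row does not match
            MailboxUser  = $m.Groups['user'].Value
            HasPassword  = -not [string]::IsNullOrEmpty($row.Password)
        }
    }
}

# Build rows for the article's three sample users on a Dovecot server, then check them.
# '<admin-password>' is a placeholder; the real value goes into the file only at migration time.
$users = @(
    @{ Email = 'terrya@contoso.edu'; Login = 'terry.adams' },
    @{ Email = 'annb@contoso.edu';   Login = 'ann.beebe'   },
    @{ Email = 'paulc@contoso.edu';  Login = 'paul.cannon' }
)
$lines = @('EmailAddress,UserName,Password')
foreach ($u in $users) {
    $name   = Get-ImapAdminUserName -ServerType Dovecot -AdminUserName 'mailadmin' -UserName $u.Login
    $lines += '{0},{1},{2}' -f $u.Email, $name, '<admin-password>'
}

$report = @(Test-ImapMigrationCsv -CsvLines $lines -ServerType Dovecot)
$report | Format-Table EmailAddress, MailboxUser, Admin, FormatOk -AutoSize

# Every row must name the same administrator account, and none may fail the format check.
$admins = @($report | Select-Object -ExpandProperty Admin -Unique)
$bad    = @($report | Where-Object { -not $_.FormatOk })
if ($admins.Count -ne 1 -or $bad.Count -gt 0) {
    Write-Warning "CSV needs fixing: $($bad.Count) malformed row(s), $($admins.Count) distinct admin account(s)."
}
```

To check an existing file, pass its lines (for example from Get-Content) as -CsvLines. The file holds the administrator password in clear text, so restrict access to it and delete it after the migration batch is created.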
Prepare your Gmail or G Suite account for connecting to Outlook and Office 365
3/4/2019 • 3 minutes to read
Before you connect to your Gmail account from Outlook on the web, or add a Gmail account to Outlook, you
need to prepare your Gmail account. You need to turn on 2-step verification for Gmail and then create an app
password that Office 365 will use with your Gmail address to make the connection.
You will also have to do this if your admin is planning to migrate your Gmail or G Suite Gmail to Office 365.
IMPORTANT
The 16-character app password is displayed with spaces so it is easier to read. When you enter it into the app you
want to connect, ignore the spaces and enter it as an unbroken string of 16 characters.
7. Now you're ready to add your Gmail account to Outlook. When you're prompted for a password, enter
this app password for your Gmail account. Don't enter your Gmail password. For instructions on adding
your Gmail account to Outlook, see these articles:
Add an email account to Outlook
Connect email accounts in Outlook on the web (Office 365)
Optionally revoke the app password
If you need the Gmail connection for a brief time only, for example for an IMAP mailbox migration that your
admin is running, you can later revoke the App password.
To revoke the app password code
1. Sign in to your Gmail account.
2. Select Google apps > My Account.
3. On the My Account page choose Sign-in & security.
4. Under Password & sign-in method, choose the arrow next to App passwords, and provide your
password if asked.
5. On the App passwords page, select REVOKE next to the app password you want to revoke.
Related Topics
Migrate email and contacts to Office 365
Ways to migrate multiple email accounts to Office 365
Migrating your Outlook.com account to Office 365
3/4/2019 • 3 minutes to read
If you are migrating your Outlook.com or Hotmail.com account to Office 365, you'll need to enable two-step
verification (also known as two-factor authentication).
Two-step verification helps protect you by making it more difficult for someone else to sign in to your email
account. It uses two different forms of identity: your password, and a contact method. Even if someone else finds
your password, they'll be stopped if they don't have access to your other devices or accounts.
You set up two-step verification with an email address, phone number, or authenticator app. When you sign in on a
new device or from a new location, we'll send you a security code that you enter on the sign-in page as a second
form of authentication in addition to your password.
After you have set up two-step verification, you can also obtain an app password, which you need in order
to use Internet Message Access Protocol (IMAP) migration to copy email from your Outlook.com or Hotmail.com
account to your Office 365 for business account. If your Office 365 admin is moving email messages from your
Outlook.com or Hotmail.com account to Office 365 on your behalf, you'll need to give the admin your app password.
If you use a Windows Phone 8 (or earlier) you need to replace the password you use to sign in to your
email with the app password.
IMPORTANT
Even though the page indicates this is for Windows Phone 8 (or earlier), this list contains the app password your
admin needs to migrate your hotmail.com or outlook.com email to Office 365 for business. You will need this app
password even if you set up two-step verification by using an Android or iPhone.
This is also the app password you or your admin will use to migrate your hotmail.com or outlook.com email
to Office 365 for business.
6. On your mobile device, download the Microsoft Authenticator from your app store.
Choose one of the links to go to the Microsoft Authenticator for Windows Phone, Android, or iOS.
7. Open the Microsoft Authenticator app on your mobile device, and choose +. Scan the code on the Set up
an authenticator app page.
8. In step 4 on the Set up an authenticator app page, type the 6-digit code that's displayed on your mobile
device (for example, 555111; you don't need to include any spaces).
You don't need to memorize this password; it changes constantly and new ones are sent to you via the
Microsoft Authenticator app. This is why it's so secure. Whenever you sign in to your email account from a
new device or location, look at your Microsoft Authenticator app and sign in using the latest app password
that's been sent to you instead of using your old static password.
9. You'll get a message that two-step verification is turned on. Print your new recovery code (this isn't your
app password). If you ever need to recover access to this account, this recovery code will help. It's a good
idea to keep it tucked away in a safe place.
10. Choose Next.
Enable 2-step verification for your Google apps users
3/4/2019 • 2 minutes to read
If you want to migrate email for your Google Apps users to Office 365, the users need to create an app password
that you will use together with their Google Apps password to connect to their Gmail. Before they can create an
app password, you will have to allow them to turn on 2-step verification in the Google Admin console.
4. Your users can now turn on 2-step verification and create an app password as described here: Prepare your
Gmail account for connecting to Outlook and Office 365.
How to migrate mailboxes from one Office 365 tenant to another
3/29/2019 • 12 minutes to read
This article explains how to migrate mailboxes and service settings from one Office 365 tenant to another Office
365 tenant in a business-merger scenario. If you have more than 500 users to migrate or a large amount of
SharePoint data to migrate, it's a good idea to work with an Office 365 partner.
The scenario in this article is based on two fictional companies - Contoso.com and Fabrikam.com - using two
separate Office 365 tenants. Contoso has purchased Fabrikam and is moving the Fabrikam users and data to the
contoso.com Office 365 tenant.
Performing this step now will allow the DNS record time to propagate as it can take up to 72 hours. Final
validation will occur later in the process.
Migration scheduling
To schedule the migration:
1. Create a master list of user mailboxes you want to migrate.
2. Create a mailbox mapping .CSV file for the third-party migration tool you are using. This mapping file will be
used by the migration tool to match the source mailbox with the target tenant mailbox when migration
occurs. We recommend that you use the *.onmicrosoft.com 'initial' domain for mapping the source accounts
since the custom email domain will be constantly changing.
Verify your MX and DNS changes if necessary. Nslookup or a service like MxToolbox can be used to verify MX and
DNS changes.
Source tenant preparation
The primary email domain, fabrikam.com, must be removed from all objects in the source tenant before the
domain can be moved to the target tenant.
1. If you had also set up your domain with a SharePoint Online public website, then before you can remove the
domain, you first have to set the website's URL back to the initial domain.
2. Remove all Lync licenses from the users in the source tenant using the Lync admin portal. This will remove the
Lync SIP address connected to Fabrikam.com.
3. Reset default email addresses on Office 365 source mailboxes to the initial domain
(fabrikam.onmicrosoft.com).
4. Reset default email addresses on all Distribution Lists, Rooms and Resources to the initial domain
(fabrikam.onmicrosoft.com) in source tenant.
5. Remove all secondary email (proxy addresses) from user objects that are still using @fabrikam.com.
6. Set default domain in source tenant to fabrikam.onmicrosoft.com routing domain (in the admin portal, click
your company name in the upper right corner).
7. Use Windows PowerShell command Get-MsolUser -DomainName Fabrikam.com to retrieve a list of all
objects that are still using the domain and blocking removal.
8. For common domain removal issues, see You get an error message when you try to remove a domain from
Office 365.
Target tenant preparation
Complete the verification of the Fabrikam.com domain in the contoso.com tenant. You may have to wait one hour
after removing the domain from the old tenant.
1. Configure the Autodiscover CNAME (internal/external). This step is optional.
2. If you are using AD FS, configure the new domain in target tenant for AD FS.
3. Begin mailbox activation in the contoso.com tenant > Assign licenses to all of the new user accounts.
4. Set the Fabrikam.com email domain as the primary address on the new users. This can be done by
selecting/editing multiple unlicensed users in the portal or by using Windows PowerShell.
5. If you are not using the password hash sync feature, pass-through authentication or AD FS, set password on
all mailboxes in the target (Contoso) tenant. If you are not using a common password, notify users of the
new password.
6. Once mailboxes are licensed and active, transition the mail routing. Point the Fabrikam MX record to Office
365 target (Contoso) tenant. When the MX TTL expires, mail will begin to flow into the new empty
mailboxes. If you are using an MX backup service, you can release the email to the new mailboxes.
7. Perform verification testing of mail flow to/from new mailboxes in the target tenant.
8. If you are using Exchange Online Protection (EOP): In the target tenant recreate mail flow rules (also known
as transport rules), connectors, white/black lists etc. from source tenant.
Begin migration
To minimize downtime and user inconvenience, determine the best method for migration.
Migration for 500 users or less: Migrate mail, calendar, and contact data to target tenant mailboxes. Limit
mail migration by date if possible; for example, the last 6 months of data.
Migration for more than 500 users: Use a multi-pass approach where you migrate contacts, calendars and
only 1 week of email for all users, then on succeeding days or weeks, do multiple passes to fill in the
mailboxes with older email data.
Start your mail migration via the third party migration tool.
1. Monitor migration progress with the tools provided by the vendor. Send out periodic progress reports
during migration to management and migration team.
2. Optionally, do second or third pass migrations after all migrations are complete.
At the end of migration, Outlook 2007 and 2010 will sync the entire mailbox for each user, consuming considerable
bandwidth depending on how much data you migrated into each mailbox. Outlook 2013 will only cache 12 months
of data by default. This setting can be configured to more or less data, for example, only 3 months of data, which
can lighten bandwidth usage.
Post migration: Cleanup
Users may receive NDRs when replying to migrated email messages. The Outlook nickname cache needs to be
cleared. See How to reset the nickname and the automatic completion caches in Outlook. Alternatively, add the old
legacy DN as an x.500 proxy address to all users.
Copy all Office 365 accounts with a specific proxy address into a CSV file
################################################################################
# Script: showproxies.ps1
# Copies all accounts in Office 365 that contain/don't contain a specific
# proxyaddress to a .CSV file (addresses.csv)
#
# Change the following variable to the proxy address string you want to find:
# $proxyaddr = "onmicrosoft.com"
################################################################################
$proxyaddr = "onmicrosoft.com"

# Create an object to hold the results
$addresses = @()

# Get every mailbox in the Exchange Organisation
$Mailboxes = Get-Mailbox -ResultSize Unlimited

# Loop through the mailboxes
ForEach ($mbx in $Mailboxes) {
    # Loop through every address assigned to the mailbox
    ForEach ($address in $mbx.EmailAddresses) {
        # If it contains the search string (compared in lower case), record it
        if ($address.ToString().ToLower().Contains($proxyaddr.ToLower())) {
            # This is an email address. Add it to the list
            $obj = "" | Select-Object Alias,EmailAddress
            $obj.Alias = $mbx.Alias
            $obj.EmailAddress = $address.ToString() #.SubString(10)
            $addresses += $obj
        }
    }
}

# Export the final object to a csv in the working directory
$addresses | Export-Csv addresses.csv -NoTypeInformation
When you are planning to migrate email from IBM Lotus Notes to Office 365, use the Microsoft Online Notes
Inspector (MONTI) application to evaluate how much data needs to be migrated from a customer's Lotus Notes
environment to Office 365.
Here's what MONTI does:
It processes mail files to determine the total database size, document count (calendar, contacts, groups, mail,
and tasks), and size by days.
It processes Mail-In Databases to determine the total database size, and Size by Days.
It posts results under the People, Mail-In Databases, and Logs views. You can create these reports manually
or on a scheduled basis.
Download the MONTI application and accompanying documentation from the Microsoft Download Center.
The documentation describes how to deploy, configure, and run the MONTI application in a customer's Domino
environment.
Add an SSL certificate to Exchange 2013
3/6/2019 • 3 minutes to read
Some services, such as Outlook Anywhere, Cutover migration to Office 365, and Exchange ActiveSync, require
certificates to be configured on your Exchange 2013 server. This article shows you how to configure an SSL
certificate from a third-party certificate authority (CA).
Some services, such as Outlook Anywhere, Cutover migration to Office 365, and Exchange ActiveSync, require
certificates to be configured on your Exchange 2010 server. This article shows you how to configure an SSL
certificate from a third-party certificate authority (CA).
4. In the New Exchange certificate wizard, specify a name for this certificate, and then choose Next.
5. In the Domain Scope page, specify the root domain for all subdomains in the Root domain field. If you
want to request a wildcard, select Enable wildcard certificate. If you don't want to request a wildcard
certificate, you will specify each domain you want to add to the certificate on the next page. Choose Next.
6. On the Exchange Configuration page for each service in the list shown, verify that the external or internal
server names that users will use to connect to the Exchange server are correct. For example:
If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from
the internet) and Outlook Web App (when accessed from the intranet) should show owa.contoso.com.
Offline Address Book (OAB) (when accessed from the internet) and OAB (when accessed from the intranet)
should show mail.contoso.com.
If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the
internet) should show owa.contoso.com, and Outlook Web App (when accessed from the intranet) should
show internal.contoso.com.
7. These domains will be used to create the SSL certificate request. Choose Next.
8. On the Certificate Domains page, add any additional domains you want included on the SSL certificate.
Select the domain that you want to be the common name for the certificate > Set as common name. For
example, contoso.com. Choose Next.
9. On the Organization and Location page, provide information about your organization. This information
will be included with the SSL certificate.
Specify the network location where you want this certificate request to be saved. Choose Next.
10. On the Certificate Configuration page, review the summary information, choose New to create the
certificate, and then choose Finish on the Completion page.
4. On the Complete Pending Request page, specify the path to the SSL certificate file you received from
your CA > Complete.
5. On the Completion page, choose Finish.
6. To assign services to this certificate, on the EMC, select the Exchange server, and then select the certificate in
the Exchange Certificates tab.
In the Actions pane, choose Assign Services to Certificate.
7. On the Select Servers page of the Assign Services to Certificate wizard, select the name of the server to
which you're adding the certificate > Next.
8. On the Select Services page, select the services you want to assign to this certificate. At a minimum, you
should select SMTP and IIS. Choose Next.
9. On the Assign Services page, choose Assign.
If you receive the warning Overwrite the existing default SMTP certificate?, choose Yes > Finish.
Add an SSL certificate to Exchange 2007
3/6/2019 • 2 minutes to read
Some services, such as Outlook Anywhere, Cutover migration to Office 365, and Exchange ActiveSync, require
certificates to be configured on your Microsoft Exchange Server 2007 server. This article shows you how to
configure an SSL certificate from a third-party certificate authority (CA).
New-ExchangeCertificate -DomainName "owa.servername.contoso.com","mail.servername.contoso.com","autodiscover.servername.contoso.com","sts.servername.contoso.com","oos.servername.contoso.com","mail12.servername.contoso.com","edge.servername.contoso.com" `
    -FriendlyName "Exchange 2007 Certificate" -GenerateRequest:$true -KeySize 2048 `
    -Path "C:\certlocation" -PrivateKeyExportable $true `
    -SubjectName "c=us, o=ContosoCorporation, cn=servername.contoso.com"
In the command example above, servername is the name of your server, contoso.com is an example of a
domain name, and certlocation is a file path to the location where you want to store the request once it is
generated. Replace all these placeholders with the information that is appropriate for your Microsoft Exchange
Server 2007.
In the DomainName parameter, add the domain names for the certificate request. For example, if you
configured your internal and external URLs to be the same, the domain name for Outlook Web App (when
accessed from the internet) and Outlook Web App (when accessed from the intranet) should look like
owa.servername.contoso.com.
Use the SubjectName parameter to specify the Subject Name on the resulting certificate. This field is used
by DNS-aware services and binds a certificate to a particular domain name.
You must specify the GenerateRequest parameter as $true . Otherwise, you will create a self-signed
certificate.
3. After you run the above command, a certificate request is saved in the file location you specified by using
the Path parameter.
The New-ExchangeCertificate command also creates a Thumbprint output parameter that you use when
you submit the request to a third-party certificate authority in the next step.
Import-ExchangeCertificate C:\filepath
The filepath parameter above specifies the location where you saved the certificate file that was provided by
the third-party CA.
When you run this command, it creates a Thumbprint output parameter that you use to enable the certificate
in the next step.
To enable the certificate
1. To enable the certificate, you use the Enable-ExchangeCertificate command. On the command line, type:
The Thumbprint parameter specifies the thumbprint you received as output when you ran the
Import-ExchangeCertificate command.
In the Services parameter, specify the services you want to assign to this certificate. At a minimum, you
should specify SMTP and IIS.
2. If you receive the warning Overwrite the existing default SMTP certificate?, type in A (yes for all).
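Before the certificate is enabled, it is worth confirming that the file returned by the CA carries every name passed to DomainName and a key of the requested size. The following is an added example, not part of the original article: the function names and the .cer path are assumptions, and the SAN parsing assumes the English-language Windows label "DNS Name=".

```powershell
# Added example, not part of the original article. Function names and the file
# path are assumptions; the host names are the ones used in the request command above.

function Test-NameCovered {
    # True when $Name equals an entry or matches a wildcard entry such as *.contoso.com.
    # A wildcard covers exactly one left-most label.
    param([string]$Name, [string[]]$CertificateNames)
    foreach ($entry in $CertificateNames) {
        if ($entry -eq $Name) { return $true }          # -eq is case-insensitive for strings
        if ($entry.StartsWith('*.')) {
            $suffix = $entry.Substring(1)               # for example ".contoso.com"
            if ($Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-CertificateDnsNames {
    # Returns the DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Format($true) prints one entry per line, "DNS Name=owa.contoso.com" on English Windows.
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(\S+)\s*$') { $Matches[1] }
    }
}

function Test-IssuedCertificate {
    # Loads a single-certificate file (.cer) and compares it with what was requested.
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string[]]$ExpectedNames,
        [int]$MinimumKeySize = 2048
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $names = @(Get-CertificateDnsNames -Certificate $cert)
    # Include the common name from the subject as well.
    $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $now = Get-Date
    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        MissingNames = @($ExpectedNames | Where-Object { -not (Test-NameCovered -Name $_ -CertificateNames $names) })
        KeySizeOk    = $cert.PublicKey.Key.KeySize -ge $MinimumKeySize
        InValidity   = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    }
}

# Constructed demonstration of the name check (no certificate file needed):
# the second list stands for a certificate issued without the autodiscover name.
$requested = 'owa.servername.contoso.com','mail.servername.contoso.com','autodiscover.servername.contoso.com'
$issued    = 'owa.servername.contoso.com','mail.servername.contoso.com'
$requested | Where-Object { -not (Test-NameCovered -Name $_ -CertificateNames $issued) }

# Against the file received from the CA (the path is a placeholder):
# Test-IssuedCertificate -Path 'C:\filepath' -ExpectedNames $requested
```

An empty MissingNames list with KeySizeOk and InValidity both true means the file matches the request; the Thumbprint in the result is the value to compare with the one Import-ExchangeCertificate reports.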
See also
Blog article on adding an SSL to Exchange Server 2007
Enable your Gmail account for IMAP
3/6/2019 • 2 minutes to read
Internet Message Access Protocol (IMAP) is a protocol that allows you to download messages from a mail
provider's servers, such as those for Gmail, onto your computer so you can use Microsoft Outlook to view and edit
your email, even when you aren't connected to the internet.
There are many paths to migrate data from an on-premises email organization to Microsoft Office 365. When
planning a migration to Office 365, a common question is about how to improve the performance of data
migration and optimize migration velocity.
NOTE
The performance information listed in this topic doesn't apply to Office 365 service for dedicated subscription plans. For
more information about Dedicated Plans, see Office 365 Dedicated Plans Service Descriptions.
| MIGRATION METHOD | DESCRIPTION | RESOURCES |
|---|---|---|
| Internet Message Access Protocol (IMAP) migration | You can use the Exchange admin center or Exchange Online PowerShell to migrate the contents of users' mailboxes from an IMAP messaging system to their Office 365 mailboxes. This includes migrating your mailboxes from other hosted email services, such as Gmail or Yahoo Mail. | Migrate your IMAP mailboxes to Office 365 |
| Cutover migration | Using a cutover migration, you migrate all on-premises mailboxes to Office 365 over a few days. Use cutover migration if you plan to move your entire email organization to Office 365 and manage user accounts in Office 365. You can migrate a maximum of 2,000 mailboxes from your on-premises Exchange organization to Office 365 using a cutover migration. The recommended number of mailboxes, however, is 150. Performance suffers with numbers higher than that. The mail contacts and distribution groups in your on-premises Exchange organization are also migrated. | Cutover migration to Office 365 |
| Staged migration | You use a staged migration if you plan to eventually migrate all your email organization's mailboxes to Office 365. Using a staged migration, you migrate batches of on-premises mailboxes to Office 365 over the course of a few weeks or months. | What you need to know about a staged migration to Office 365 |
| Third-party migration | There are many tools available from third parties. They use distinctive protocols and approaches to conduct email migrations from email platforms like IBM Lotus Notes and Novell GroupWise. | Here are some third-party migration tools and partners that can assist with Exchange migrations from third-party platforms: Binary Tree: Provider of cross-platform messaging migration and coexistence software, with products that provide for the analysis of and the coexistence and migration between on-premises and online enterprise messaging and collaboration environments based on IBM Lotus Notes and Domino and Exchange and SharePoint. |
IMPORTANT
Because of differences in how migrations are performed and when they're performed, your actual migration velocity may
vary.
| WORKLOAD | NOTES |
|---|---|
| Onboarding (Migrating to O365) | Microsoft offers data migration capability and tools for customers to use to migrate their data from Exchange Server on-premises to Exchange Online (M365). There are a number of methods for migrating mailboxes and mailbox data, starting with Cutover migrations and Staged migrations, which are based on merge and sync moves, and which are described earlier in this article. The other main migration method involves hybrid moves, which is currently the most common method. You can decide exactly when you'd like to migrate to Microsoft 365, based on your business needs. |
When mailboxes are migrated within Microsoft 365 data centers, every mailbox move or bulk-mailbox move
requires time for the operation to complete. There are a number of factors, such as Microsoft 365 service activity,
that can affect exactly how much time. The service is designed to throttle discretionary workloads like mailbox
moves, to ensure that the service runs optimally for all users. You can still expect mailbox moves to be processed,
however, depending on the service's discretionary resource availability. More details about resource throttling can
be found in this blog post.
Estimated migration times
To help you plan your migration, the following tables present guidelines about when to expect bulk mailbox
migrations or individual migrations to complete. These estimates are based on a data analysis of previous
customer migrations. Because every environment is unique, your exact migration velocity may vary.
Mailbox migration duration based on mailbox size profiles:
1. Onboarding / PSTImport
| MAILBOX SIZE (GB) | 50TH PERCENTILE DURATION (DAYS) | 90TH PERCENTILE DURATION (DAYS) |
|---|---|---|
| <1 | 1 | 7 |
| 1 - 10 | 1 | 7 |
| 10 - 50 | 3 | 14 |
| 50 - 100 | 3 | 30 |
| 100 - 200 | 8 | 45 |
| MAILBOX SIZE (GB) | 50TH PERCENTILE DURATION (DAYS) | 90TH PERCENTILE DURATION (DAYS) |
|---|---|---|
| <1 | 1 | 7 |
| 1 - 10 | 1 | 10 |
| 10 - 50 | 3 | 30 |
| 50 - 100 | 15 | 45 |
| 100 - 200 | 30 | 60 |
Migration duration to complete 90% of mailbox moves based on tenant size profiles:
| TENANT SIZE (NUMBER OF MAILBOXES) | DURATION (DAYS) | MAY TAKE UP TO THIS MANY DAYS |
|---|---|---|
| < 1,000 | 5 | 14 |
| 1,000 - 5,000 | 10 | 30 |
| 5,000 - 10,000 | 20 | 45 |
| 10,000 - 50,000 | 30 | 60 |
| 50,000 - 100,000 | 45 | 90 |
Note that some outlier mailboxes would take longer to complete based on the mailbox profile. Also, if a tenant has
larger mailboxes on average, this can also contribute to the extended duration of migration.
| Data source | The device or service that hosts the data to be migrated. Many limitations might apply to the data source because of hardware specifications, end-user workload, and back-end maintenance tasks. | Gmail limits how much data can be extracted during a specific period of time. |
| Data type and density | Because of the unique nature of a customer's business, the type and mix of mail items within mailboxes vary greatly. | One 4-GB mailbox with 400 items, each with 10 megabytes (MB) of attachments, will migrate faster than one 4-GB mailbox with 100,000 smaller items. |
| Migration server | Many migration solutions use a "jump box" type of migration server or workstation to complete the migration. | Customers often use a low-performance virtual machine to host the MRSProxy service for hybrid deployments or for client PC non-hybrid migrations. |
| Migration engine | The data migration engine responsible for pulling data from the source server converts data, if necessary. The engine then transmits the data over the network and injects the data into the Office 365 mailbox. | MRSProxy service has its own capabilities and limitations. |
| On-premises network appliances | The end-to-end network performance—from the data source to Exchange Online client access servers—affects migration performance. | Firewall configuration and specifications on the on-premises organization. |
| Office 365 service | Office 365 has built-in support and features to manage the migration workload. | The user-throttling policy has default settings and limits the overall maximum data transfer rate. |
| Network capacity | The amount of time it takes to migrate mailboxes to Office 365 is determined by the available and maximum capacity of your network. | Identify your available network capacity and determine the maximum upload capacity. Contact your ISP to confirm your allocated bandwidth and to get details about restrictions, such as the total amount of data that can be transferred in a specific period of time. Use tools to evaluate your actual network capacity. Make sure you test the end-to-end flow of data from your on-premises data source to the Microsoft datacenter gateway servers. Identify other loads on your network (for example, backup utilities and scheduled maintenance) that can affect your network capacity. |
| Network stability | A fast network doesn't always result in fast migrations. If the network isn't stable, data transfer takes longer because of error correction. Depending on the migration type, error correction can significantly affect migration performance. | Network hardware and driver issues often cause network stability problems. Work with your hardware vendors to understand your network devices and apply the vendor's latest recommended drivers and software updates. |
| Network delays | Intrusion detection functionality configured on a network firewall often causes significant network delays and affects migration performance. Migrating data to Office 365 mailboxes relies on your internet connection. Internet delays affect overall migration performance. Also, users in the same company might have cloud mailboxes that reside in datacenters in different geographical locations. Depending on the customer's ISP, migration performance may vary. | Evaluate network delays to all potential Microsoft datacenters to help ensure that the result is consistent. (This also helps ensure a consistent experience for end users.) Work with your ISP to address internet-related issues. Add IP addresses for Microsoft datacenter servers to your allow list, or bypass all migration-related traffic from your network firewall. For more information about the Office 365 IP ranges, see Office 365 URLs and IP address ranges. |
For a deeper analysis of migrations within your environment, check out our move analysis blog post. The post
includes a script to help you analyze move requests.
NOTE
The three types of Office 365 throttling don't affect all migration methods.
6/30/2017 00:03:58 [CY4PR19MB0056] Relinquishing job because of large delays due to unfavorable server health
or budget limitations with a request throttling state 'StalledDueToTarget_DiskLatency'.
| CHECKLIST | DESCRIPTION | BEST PRACTICES |
|---|---|---|
| System performance | Data extraction is an intensive task. The source system needs to have sufficient resources, such as CPU time and memory, to provide optimal migration performance. During migration, the source system is often close to full capacity in terms of the regular end-user workload. If system resources are inadequate, the additional workload that results from migration can affect end users. | Monitor system performance during a pilot migration test. If the system is busy, we recommend avoiding an aggressive migration schedule for the specific system because of potential migration slowness and service availability issues. If possible, enhance the source system performance by adding hardware resources and reduce the load on the system by moving tasks and users to other servers that aren't involved in the migration. |
| Back-end tasks | Other back-end tasks that are running during migration time. Because it's a best practice to perform migration after business hours, it's common that migrations conflict with maintenance tasks—such as data backup—running on your on-premises servers. | Review other system tasks that might be running during migration. We recommend that you perform data migration when no other resource-intensive tasks are running. Note: For customers using on-premises Exchange, the common back-end tasks are backup solutions and Exchange store maintenance. |
| Throttling policy | It's a common practice to protect email systems with a throttling policy that sets a specific limit on how fast and how much data can be extracted from the system during a certain amount of time. | Verify what throttling policy is deployed for your email system. For example, Google Mail limits how much data can be extracted in a certain time period. Depending on the version, Exchange has policies that restrict IMAP access to the on-premises mail server (used by IMAP migrations) and RPC over HTTP Protocol access (used by cutover Exchange migrations and staged Exchange migrations). |
NOTE
If your data source doesn't have sufficient resources to handle all the connections, we recommend avoiding high
concurrency. Start with a small concurrency value, for example, 10. Increase this number while monitoring the data source
performance to avoid end-user access issues.
Factor 4: Network
Verification tests
Depending on the migration method, you can try the following verification tests:
IMAP migrations: Prepopulate a source mailbox with sample data. Then from the internet (outside your
on-premises network), connect to the source mailbox by using a standard IMAP email client such as
Microsoft Outlook, and then measure network performance by determining how long it takes to download
all the data from the source mailbox. The throughput should be similar to what customers can get by using
the IMAP migration tool in Office 365, given that there are no other constraints.
Cutover and staged Exchange migrations: Prepopulate a source mailbox with sample data. Then, from
the internet (outside of your on-premises network), connect to the source mailbox with Outlook by using
RPC over HTTP Protocol. Make sure that you're connecting by using cache mode. Measure network
performance by checking how long it takes to synchronize all data from the source mailbox. The throughput
should be similar to what customers can get by using the simple Exchange migration tools in Office 365,
given that there are no other constraints.
There is some overhead during an actual IMAP, cutover, or staged Exchange migration. The actual throughput,
however, should be similar to the results of these verification tests.
Factor 5: Office 365 service
Office 365 resource health-based throttling affects migrations using the native Office 365 simple migration tools.
See the Office 365 resource health-based throttling section.
| CHECKLIST | DESCRIPTION | BEST PRACTICES |
| --- | --- | --- |
| System performance | Data extraction is an intensive task. The source system must have sufficient resources, such as CPU time and memory, to provide optimal migration performance. During migration, the source system is often close to full capacity in terms of the regular end-user workload. If system resources are inadequate, the additional workload that results from migration can affect end users. | Monitor system performance during a pilot migration test. If the system is busy, we recommend avoiding an aggressive migration schedule for the specific system because of potential migration slowness and service availability issues. If possible, enhance the source system performance by adding hardware resources and by reducing the load on the system. The system load can be reduced by moving tasks and users to other servers that aren't part of the migration. |
| Back-end tasks | Other back-end tasks usually run during migration time. Because it's a best practice to perform migration after business hours, it's common that migrations conflict with other maintenance tasks running on your on-premises servers, such as data backup. | Review other system tasks that are running during migration. We recommend that you create a clean time window just for data migration, when there are no other resource-heavy tasks. For Exchange on-premises customers, the common tasks are backup solutions. For more information, see Exchange Store Maintenance. |
| Throttling policy | It's a common practice to protect email systems with a throttling policy, which sets a specific limit on how fast and how much data can be extracted from the system within a certain amount of time and by using a specific migration method. | Verify what throttling policy is deployed for your email system. For example, Google Mail limits how much data can be extracted in a certain time period. Depending on the version, Exchange has policies that restrict IMAP access to the on-premises mail server (used by IMAP migrations) and RPC over HTTP Protocol access (used by cutover Exchange migrations and staged Exchange migrations). |
NOTE
Some third-party migration solutions are hosted on the internet as cloud-based services and don't require an on-premises
migration server.
Note that the client and service process times are similar, but solution A takes a lot more RPC operations to
migrate data. Because each operation consumes client-latency time and server-process time, solution A is much
slower to migrate the same amount of data compared to Solution B and to Outlook.
Factor 4: Network
Best practice
For third-party migration solutions that use the RPC over HTTP Protocol, here's a good way to measure potential
migration performance:
1. From the migration server, connect to the Office 365 mailbox with Outlook by using RPC over HTTP
Protocol. Make sure that you aren't connecting by using cache mode.
2. Import a large .pst file with sample data to the Office 365 mailbox.
3. Measure migration performance by timing how long it takes to upload the .pst file. The migration
throughput should be similar to what customers can get from a third-party migration tool that uses RPC
over HTTP Protocol, given no other constraints. There's overhead during an actual migration, so the
throughput might be slightly different.
Factor 5: Office 365 service
Office 365 resource health-based throttling affects migrations using third-party migration tools. See Office 365
resource health-based throttling for more details.
Assign Exchange permissions to migrate mailboxes to Office 365
3/4/2019
When you migrate on-premises Exchange mailboxes to Office 365, certain permissions to access and, in some
cases, modify those mailboxes, are required. The user account used to connect to your on-premises Exchange
organization during the migration needs those permissions. Known as the migration administrator, the user
account is used to create a migration endpoint to your on-premises organization.
The migration administrator must have the necessary administrative privileges in your on-premises Exchange
organization to successfully create a migration endpoint. Those same administrative privileges are required if the
migration administrator wants to create a migration batch if your organization has no migration endpoints. The
following list shows the administrative privileges required for the migration administrator account to migrate
mailboxes to Office 365 by using the different types of migration:
Staged Exchange migration
For a staged migration, the migration administrator account must be:
• A member of the Domain Admins group in Active Directory Domain Services (AD DS) in the on-premises organization.
or
• Assigned the FullAccess permission for each on-premises mailbox AND the WriteProperty permission to modify the TargetAddress property on the on-premises user account.
or
• Assigned the Receive As permission on the on-premises mailbox database that stores the user mailboxes AND the WriteProperty permission to modify the TargetAddress property for the on-premises user account.
Cutover Exchange migration
For a cutover migration, the migration administrator account must be:
• A member of the Domain Admins group in Active Directory Domain Services (AD DS) in the on-premises organization.
or
• Assigned the FullAccess permission for each on-premises mailbox.
or
• Assigned the Receive As permission on the on-premises mailbox database that stores the user mailboxes.
Internet Message Access Protocol 4 (IMAP4) migration
For an IMAP4 migration, the comma-separated value (.csv) file for the migration batch must contain:
• The username and password for each mailbox that you want to migrate.
or
• The username and password for an account in your IMAP4 messaging system that has the necessary administrative privileges to access all user mailboxes. To learn whether your IMAP4 server supports this approach and how to enable it, see the documentation for your IMAP4 server.
You can use Exchange Online PowerShell in your on-premises organization to quickly assign the necessary
permissions to migrate mailboxes to Office 365.
NOTE
Because Exchange Server 2003 doesn't support Exchange Online PowerShell, you have to use Active Directory Users and
Computers to assign the FullAccess permission and Exchange Server Manager to assign the Receive As permission. For more
information, see How to assign service account access to all mailboxes in Exchange Server 2003.
For information about migrating mailboxes to Office 365 by using different migration types, see Ways to migrate
multiple email accounts to Office 365.
Add-MailboxPermission -Identity "Terry Adams" -User migadmin -AccessRights FullAccess -InheritanceType all
Example 2
FullAccess permission for all members of the distribution group MigrationBatch1 is assigned to the migration
administrator account.
Example 3
FullAccess permission for all mailboxes that have the value of MigBatch2 for CustomAttribute10 is assigned to the
migration administrator.
Example 4
FullAccess permission to all user mailboxes in the on-premises organization is assigned to the migration
administrator account.
For detailed syntax and parameter information, see the following topics:
add-MailboxPermission
Filterable Properties for the -Filter Parameter
How do you know the assignment of permission worked?
Run one of the following commands to verify you successfully assigned FullAccess permission to the migration
administrator account in each example.
Add-ADPermission -Identity "Rainer Witte" -User migadmin -AccessRights WriteProperty -Properties TargetAddress
Example 2
WriteProperty permission to modify the TargetAddress property for all members of the distribution group
StagedBatch1 is assigned to the migration administrator account.
Example 3
WriteProperty permission to modify the TargetAddress property for all user accounts that have the value of
StagedMigration for CustomAttribute15 is assigned to the migration administrator account.
Example 4
WriteProperty permission to modify the TargetAddress property for user mailboxes in the on-premises
organization is assigned to the migration administrator account.
For detailed syntax and parameter information, see the following topics:
add-ADPermission
Filterable Properties for the -Filter Parameter
How do you know the assignment of permission worked?
To verify that you successfully assigned the WriteProperty permission to modify the TargetAddress property to the
migration administrator account, run one of the following commands for each example.
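One way to script the group-based assignments described in the examples above and then check the result, as an added example that is not from the original page or from Microsoft. The function names are hypothetical, the group StagedBatch1 and the account migadmin are the names used in the page's examples, and the revoke step is an addition for removing the rights once the batch is finished.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
# Assumes the on-premises Exchange shell and an account allowed to change permissions.

function Get-BatchMailbox {
    param([Parameter(Mandatory = $true)] [string] $Group)
    # Keep user mailboxes only: a group can also hold contacts, mail users and nested groups.
    Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' }
}

function Grant-MigrationAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Group,     # e.g. StagedBatch1
        [Parameter(Mandatory = $true)] [string] $MigAdmin,  # e.g. migadmin
        [switch] $Staged   # staged migrations also need WriteProperty on TargetAddress
    )
    foreach ($m in Get-BatchMailbox -Group $Group) {
        Add-MailboxPermission -Identity $m.DistinguishedName -User $MigAdmin `
            -AccessRights FullAccess -InheritanceType All | Out-Null
        if ($Staged) {
            Add-ADPermission -Identity $m.DistinguishedName -User $MigAdmin `
                -AccessRights WriteProperty -Properties TargetAddress | Out-Null
        }
    }
}

function Test-MigrationAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [string] $MigAdmin,
        [switch] $Staged
    )
    foreach ($m in Get-BatchMailbox -Group $Group) {
        # An allow entry for FullAccess must exist for the migration administrator.
        $full = Get-MailboxPermission -Identity $m.DistinguishedName -User $MigAdmin |
            Where-Object { "$($_.AccessRights)" -match 'FullAccess' -and -not $_.Deny }

        $write = $null
        if ($Staged) {
            $write = Get-ADPermission -Identity $m.DistinguishedName -User $MigAdmin |
                Where-Object { "$($_.AccessRights)" -match 'WriteProperty' -and -not $_.Deny }
        }
        # Listed for manual review: the write right should cover TargetAddress only.
        $props = @($write | ForEach-Object { $_.Properties }) -join ', '

        New-Object PSObject -Property @{
            Mailbox       = $m.Name
            FullAccess    = [bool]$full
            WriteProperty = [bool]$write
            Properties    = $props
        }
    }
}

function Revoke-MigrationAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [string] $MigAdmin,
        [switch] $Staged
    )
    foreach ($m in Get-BatchMailbox -Group $Group) {
        Remove-MailboxPermission -Identity $m.DistinguishedName -User $MigAdmin `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false
        if ($Staged) {
            Remove-ADPermission -Identity $m.DistinguishedName -User $MigAdmin `
                -AccessRights WriteProperty -Properties TargetAddress -Confirm:$false
        }
    }
}

# Grant, then list every mailbox in the batch that is still missing a right.
Grant-MigrationAccess -Group StagedBatch1 -MigAdmin migadmin -Staged
Test-MigrationAccess  -Group StagedBatch1 -MigAdmin migadmin -Staged |
    Where-Object { -not ($_.FullAccess -and $_.WriteProperty) }

# Once the batch has been completed and deleted:
# Revoke-MigrationAccess -Group StagedBatch1 -MigAdmin migadmin -Staged
```

An empty result from the Test-MigrationAccess pipeline means every user mailbox in the group carries both rights; for a cutover batch, omit -Staged and check the FullAccess column only.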
You can use the Migration dashboard in the Office 365 Exchange admin center (EAC) to manage mailbox
migration to Office 365 using a cutover or staged Exchange migration. You can also use the Migration dashboard
to migrate the contents of users' mailboxes from an on-premises IMAP server to existing Office 365 mailboxes.
The Migration dashboard displays statistics about the overall migration in addition to statistics about a specific
migration batch. You can create, start, stop, pause, and edit migration batches.
| FIELD | DESCRIPTION |
| --- | --- |
| Total mailboxes | The total number of mailboxes from all current migration batches. |
| Synced mailboxes | The number of mailboxes from all migration batches that were successfully migrated. |
| Finalized mailboxes | The number of mailboxes from all migration batches that have been finalized. Finalization occurs only when you use remote move migrations to migrate mailboxes between your on-premises Exchange organization and Office 365 in an Exchange hybrid deployment. Mailboxes can be finalized after the initial synchronization is successfully completed. For more information about finalizations in remote move migrations, see Complete-MigrationBatch. |
| Failed mailboxes | The number of mailboxes from all migration batches for which migration failed. |
Migration batches
Migration batches that are created are listed in the migration queue. The following columns display information
about each migration batch.
| COLUMN | DESCRIPTION |
| --- | --- |
| Name | The name of the migration batch that was defined when it was created. |
| Status | The status of the migration batch. The following is a list of the different status states for migration batches, along with what you can do with migration batches in each of these states: • Stopped: The migration batch has been created, but it hasn't been started. In this state, you can start, edit, or delete it. • Syncing: The migration batch has been started, and mailboxes in the migration batch are being actively migrated. When a migration batch is in this state, you can stop it. • Stopping: Immediately after you run the Stop-MigrationBatch cmdlet. • Stopped: The migration batch is stopped, and no more mailboxes from the batch are being migrated. When a migration batch is in this state, you can restart it. • Starting: Immediately after you run the Start-MigrationBatch cmdlet. • Completing: Immediately after you run the Complete-MigrationBatch cmdlet. • Removing: Immediately after you run the Remove-MigrationBatch cmdlet. • Synced: The migration batch has completed, and no mailboxes are being actively migrated. A migration batch in this state may contain errors if mailboxes weren't migrated. For cutover Exchange migrations and IMAP migrations with this status, on-premises mailboxes and the corresponding Office 365 mailboxes are synchronized every 24 hours during incremental synchronization. • Completed: The migration batch is complete. • Synced with errors: The migration batch has completed, but some mailboxes failed migration. Mailboxes that were successfully migrated in migration batches with errors are still synchronized every 24 hours during incremental synchronization. |
| Failed | The number of mailboxes in the migration batch for which the migration failed. You can display information about specific mailboxes that have migration errors. For more information, see Migration users status report. |
IMPORTANT
Migration batches with a status of Synced that have no administrator-initiated activity (for example, no administrator has
stopped and restarted a migration batch or edited a migration batch) for the last 60 days will be stopped. All batches with
Stopped or Failed status will be removed after 90 days. All batches with Completed status will be removed after 60 days.
The Migration dashboard contains a set of commands that you can use to manage migration batches. After you
create a migration batch, you can select it, and then click one of the following commands. If a migration batch is in
a status state that isn't supported by a command, the command is either dimmed or not displayed because it's
unavailable.
| COMMAND | DESCRIPTION |
| --- | --- |
| Start | Start a migration batch that's been created. After the batch is started, the status is changed to Syncing. |
| Delete | Delete a migration batch after you verify that all mailboxes in the migration batch have been successfully migrated. Verify also that mail is being routed directly to cloud-based mailboxes after you've configured your MX record to point to Office 365. When you delete a migration batch, Office 365 cleans up any records related to the migration batch and removes it from the list. |
| FIELD | DESCRIPTION |
| --- | --- |
| Synced mailboxes | The number of mailboxes out of the total number in the migration batch that have successfully completed initial synchronization. This field is updated during the migration. |
| View details | Click View details to display status information for each mailbox in the migration batch. For more information, see Migration users status report. |
| Created by | The email address of the Office 365 administrator who created the migration batch. |
| Create time | The date and time when the migration batch was created. |
| Start time | The date and time when the migration batch was started. |
| Initial sync time | The date and time when the migration batch completed initial synchronization. |
| Initial sync duration | The amount of time it took to complete the initial synchronization for all mailboxes in the migration batch. |
| Last sync time | The last time the migration batch was restarted or the last time that incremental synchronization was performed for the batch. As previously stated, incremental synchronization occurs every 24 hours for IMAP migrations and cutover Exchange migrations. |
| Associated endpoint | The name of the migration endpoint being used by the migration batch. You can click View details to view the migration endpoint settings. You can also edit the settings if none of the migration batches using the endpoint are currently running. |
Migration users status report
3/29/2019
You can use the Migration dashboard in the Exchange administration center (EAC) to display the migration status
information for all users in a migration batch. You can also display detailed migration information for each user in
a migration batch. This information, also called migration user statistics, can help you troubleshoot issues that
might prevent the migration of a user's mailbox or mailbox items. You can display this migration status
information for migration batches that are currently running, that have been stopped, or that are complete.
You can also use Exchange Online PowerShell to display migration user statistics. For more information, see:
Get-MigrationUser
Get-MigrationUserStatistics
The name of the migration batch and the following commands are displayed at the top of the window.
COMMAND DESCRIPTION
Delete Delete the selected user from the list of migration users.
Status The user's migration status. See the status descriptions in the
table in the next section.
Items Synced The number of items in the user's on-premises mailbox that
were successfully migrated to the Office 365 mailbox.
Items Skipped The number of items in the user's on-premises mailbox that
weren't migrated to the Office 365 mailbox.
| FIELD | DESCRIPTION |
| --- | --- |
| Status | Identifies the specific point in the migration process for each mail object in the migration batch. This status is more specific than the high-level status summary displayed in the list of migration users. The following list describes each status state. • Queued: The object is in a migration batch that is running, but the migration of the object hasn't started yet. Objects typically have a status of Queued when all of the connections in the migration endpoint associated with the migration batch are being used. • Provisioning: The migration process has started for the mail object, but it isn't provisioned yet. • Provision updating: The mail object has been provisioned, but not all the object's properties were migrated. For example, after a distribution group has been migrated, this state occurs when members of the group haven't been migrated yet or there's a problem migrating a user who is a member of the group. In this case, the status indicates the migration process can't update the group membership because not all group members have been migrated. • Synced: The migration process successfully provisioned the Office 365 mailbox and completed the initial synchronization where all mailbox items were copied to the cloud-based mailbox. For cutover Exchange migrations and IMAP migrations, this status can also indicate that incremental synchronization completed successfully. • Failed: The provisioning or the initial synchronization of the mail object failed. If an Office 365 mailbox is successfully created for a user, but the migration of mailbox items fails, the status for the user will be Failed. |
| Skipped item details | Click Skipped item details to display information about each item that was skipped for the selected user. The following information about each skipped item is displayed: • Date: The time stamp of the mailbox item. • Subject: The subject line of the message. • Kind: The type of error that caused the item to be skipped. • Folder name: The folder where the skipped item is located. |
| Data migrated | The total amount of data (in bytes and megabytes (MB)) for the mailbox items that have been migrated to the Office 365 mailbox. This number includes items migrated in both the initial and incremental synchronizations. This field doesn't have a value for IMAP migrations. |
| Migration rate | The average transfer rate (in bytes or MB per minute) of data copied to the Office 365 mailbox. This field doesn't have a value for IMAP migrations. |
| Error | If the migration for the user failed, this field displays a description of the error. This error description is also included in the Migration Errors report. |
| Report | Click Download the report for this user to open or save a detailed migration report that contains diagnostic information about the migration status of the user. You or Microsoft Support can use the information in this report to troubleshoot failed migrations. |
| Last successful sync date | The last time that any new items in the on-premises mailbox were copied to the cloud-based mailbox. |
Click More details to display the following additional information about the selected migration user.
| FIELD | DESCRIPTION |
| --- | --- |
| Queued duration | The length of time the user had a status of Queued. |
| In-progress duration | The length of time the user was actively being migrated. |
| Synced duration | The length of time the migration user had a status of Synced. |
| Stalled duration | The length of time the migration process was stalled for the user. |
Migration phases
To help you understand the migration status states described in the previous sections, it's helpful to be familiar
with the phases of the migration process. The following table describes these phases and indicates whether the
phase is included in each type of migration.
| MIGRATION PHASE | CUTOVER EXCHANGE MIGRATION | STAGED EXCHANGE MIGRATION | IMAP MIGRATION |
| --- | --- | --- | --- |
| Provisioning: The migration process creates the new Office 365 mailbox. | Yes (includes distribution groups and mail contacts) | Yes (includes mail contacts) | No |
| Initial synchronization: After Office 365 mailboxes are provisioned, the migration process migrates mailbox items to the newly provisioned cloud-based mailboxes. | Yes (includes calendar times and contacts) | Yes (includes calendar times and contacts) | Yes |
You can use a comma-separated values (CSV) file to bulk migrate a large number of user mailboxes. You can
specify a CSV file when you use the Exchange admin center (EAC) or the New-MigrationBatch cmdlet in Exchange
Online PowerShell to create a migration batch. Using a CSV to specify multiple users to migrate in a migration
batch is supported in the following migration scenarios:
Onboarding and offboarding in Office 365
Onboarding remote move migration: In an Exchange hybrid deployment, you can move
mailboxes from an on-premises Exchange organization to Office 365. This is also known as an
onboarding remote move migration because you onboard mailboxes to Office 365.
Offboarding remote move migration: You can also perform an offboarding remote move
migration, where you migrate Office 365 mailboxes to your on-premises Exchange organization.
NOTE
Both onboarding and offboarding remote move migrations are initiated from your Office 365 organization.
Staged Exchange migration: You can also migrate a subset of mailboxes from an on-premises
Exchange organization to Office 365. This is another type of onboarding migration. You can migrate
only Exchange 2003 and Exchange 2007 mailboxes using a staged Exchange migration. Migrating
Exchange 2010 and Exchange 2013 mailboxes isn't supported using a staged migration. Prior to
running a staged migration, you have to use directory synchronization or some other method to
provision mail users in your Office 365 organization.
IMAP migration: This onboarding migration type migrates mailbox data from an IMAP server
(including Exchange) to Office 365. For an IMAP migration, you must provision mailboxes in Office
365 before you can migrate mailbox data.
NOTE
A cutover Exchange migration doesn't support using a CSV file because all on-premises user mailboxes are migrated to
Office 365 in a single batch.
The following sections describe the supported attributes for the header row of a CSV file for each migration type.
Each section includes a table that lists each supported attribute, whether it's required, an example of a value to use
for the attribute, and a description.
NOTE
In the following sections, source environment denotes the current location of a user mailbox or a database. Target
environment denotes the location that the mailbox will be migrated to or the database that the mailbox will be moved to.
| Attribute | Required | Value | Description |
| --- | --- | --- | --- |
| EmailAddress | Required | SMTP address for the user | Specifies the email address for the mail-enabled user (or a mailbox if you're retrying the migration) in Office 365 that corresponds to the on-premises user mailbox that will be migrated. Mail-enabled users are created in Office 365 as a result of directory synchronization or another provisioning process. The email address of the mail-enabled user must match the WindowsEmailAddress property for the corresponding on-premises mailbox. |
IMAP migrations
A CSV file for an IMAP migration batch can have a maximum of 50,000 rows. But it's a good idea to migrate users in
several smaller batches. For more information about IMAP migrations, see the following topics:
Migrate your IMAP mailboxes to Office 365
CSV files for IMAP migration batches
The following table describes the supported attributes for a CSV file for an IMAP migration.
| Attribute | Required | Value | Description |
| --- | --- | --- | --- |
| EmailAddress | Required | SMTP address for the user. | Specifies the user ID for the user's Office 365 mailbox |
| UserName | Required | String that identifies the user on the IMAP messaging system, in a format supported by the IMAP server. | Specifies the logon name for the user's account in the IMAP messaging system (the source environment). In addition to the username, you can use the credentials of an account that has been assigned the necessary permissions to access mailboxes on the IMAP server. For more information, see CSV files for IMAP migration batches. |
Attribute values in the CSV file override the values for the migration batch
Attribute values in the CSV file override the value of the corresponding parameter when that same parameter is
used when creating a migration batch with the EAC or Exchange Online PowerShell. If you want the migration
batch value to be applied to a user, you would leave that cell blank in the CSV file. This lets you mix and match
certain attribute values for selected users in one migration batch.
In this example, let's say you create a batch for an onboarding remote move migration in a hybrid deployment to
move archive mailboxes to Office 365 with the following New-MigrationBatch command.
New-MigrationBatch -Name OnBoarding1 -SourceEndpoint RemoteEndpoint1 -TargetDeliveryDomain cloud.contoso.com -CSVData ([System.IO.File]::ReadAllBytes("C:\Users\Administrator\Desktop\OnBoarding1.csv")) -ArchiveOnly:$true -AutoStart
But you also want to move the primary mailboxes for selected users, so a portion of the OnBoarding1.csv file for
this migration batch would look like this:
EmailAddress,MailboxType
user1@contoso.com,
user2@contoso.com,
user3@cloud.contoso.com,PrimaryAndArchive
user4@cloud.contoso.com,PrimaryAndArchive
...
Because the value for mailbox type in the CSV file overrides the values for the MailboxType parameter in the
command to create the batch, only the archive mailbox for user1 and user2 is migrated to Office 365. But the
primary and archive mailboxes for user3 and user4 are moved to Office 365.
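The override rule above, applied to the OnBoarding1.csv rows as a pre-flight check before a batch is created; this is an added example, not Microsoft's code. Resolve-MigrationCsv is a hypothetical helper, the sample rows are constructed from the excerpt above, the string ArchiveOnly stands in for the batch's -ArchiveOnly switch, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not Microsoft's code. Resolve-MigrationCsv is a hypothetical helper.
function Resolve-MigrationCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]    $CsvText,
        # Values the batch command would apply when a CSV cell is blank,
        # keyed by CSV column name.
        [Parameter(Mandatory = $true)] [hashtable] $BatchDefaults,
        # 50,000 is the row limit the page gives for an IMAP batch; adjust as needed.
        [int] $MaxRows = 50000
    )

    $rows = @($CsvText | ConvertFrom-Csv)
    if ($rows.Count -eq 0)       { throw 'CSV has no user rows.' }
    if ($rows.Count -gt $MaxRows) { throw "CSV has $($rows.Count) rows; the limit is $MaxRows." }

    $columns = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name })
    if ($columns -notcontains 'EmailAddress') {
        throw 'The header row must contain an EmailAddress column.'
    }

    $seen = @{}
    $line = 1                      # the header is line 1
    foreach ($row in $rows) {
        $line++
        $address = "$($row.EmailAddress)".Trim()
        if (-not $address) { throw "Line ${line}: EmailAddress is blank." }

        $key = $address.ToLowerInvariant()
        if ($seen.ContainsKey($key)) { throw "Line ${line}: duplicate entry for $address." }
        $seen[$key] = $true

        $result = [ordered]@{ EmailAddress = $address }
        foreach ($col in $columns) {
            if ($col -eq 'EmailAddress') { continue }
            $cell = "$($row.$col)".Trim()
            if ($cell) {
                # A non-blank cell overrides the batch value for this user only.
                $result[$col]           = $cell
                $result["${col}Source"] = 'CSV'
            }
            else {
                # A blank cell means the batch value applies.
                $result[$col]           = $BatchDefaults[$col]
                $result["${col}Source"] = 'Batch'
            }
        }
        [pscustomobject]$result
    }
}

# Constructed sample: the rows shown in the OnBoarding1.csv excerpt.
$sample = @'
EmailAddress,MailboxType
user1@contoso.com,
user2@contoso.com,
user3@cloud.contoso.com,PrimaryAndArchive
user4@cloud.contoso.com,PrimaryAndArchive
'@

# 'ArchiveOnly' represents the -ArchiveOnly:$true switch on the batch command.
Resolve-MigrationCsv -CsvText $sample -BatchDefaults @{ MailboxType = 'ArchiveOnly' } |
    Format-Table -AutoSize
```

Reviewing the MailboxTypeSource column before the batch is created shows which users take the batch setting and which ones carry a per-user override.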
Collaboration in Exchange Online
3/4/2019
Office 365 and Exchange Online provide several features that can help your end users easily collaborate in email.
Each of these features, described in the following sections, has a different user experience and feature set and
should be used based on what your users need to accomplish and what your organization can provide.
This topic compares these collaboration features to help you decide which features to offer your users.
Public folders
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization.
Public folders organize content in a deep hierarchy that's easy to browse. Users discover interesting and relevant
content by browsing through branches of the hierarchy that are relevant to them. Users always see the full
hierarchy in their Outlook folder view. Public folders are a great technology for distribution group archiving. A
public folder can be mail-enabled and added as a member of the distribution group. Email sent to the distribution
group is automatically added to the public folder for later reference. Public folders also provide simple document
sharing and don't require SharePoint to be installed in your organization. Finally, end users can use public folders
with the following supported Outlook clients: Outlook 2010 or later and Outlook on the web (formerly known as
Outlook Web App), but with some limitations.
To learn more, see Public folders in Office 365 and Exchange Online.
Shared mailboxes
A shared mailbox is a mailbox that multiple designated users can access to read and send email messages and to
share a common calendar. Shared mailboxes can provide a generic email address (such as info@contoso.com or
sales@contoso.com) that customers can use to inquire about your company. If the shared mailbox has the Send As
permission assigned when a delegated user responds to the email message, it can appear as though the mailbox
(for example, sales@contoso.com) is responding, not the actual user.
To learn more, see Shared Mailboxes.
Groups
Groups (also called distribution groups) are a collection of two or more recipients that appears in the shared
address book. When an email message is sent to a group, it's received by all members of the group. Distribution
groups can be organized by a particular discussion subject (such as "Dog Lovers") or by users who share a
common work structure that requires them to communicate frequently.
To learn more, see Recipients in Exchange Online.
| | Public folders | Shared mailboxes | Groups |
| --- | --- | --- | --- |
| Type of group | With the proper permissions, everyone in your organization can access and search public folders. Public folders are ideal for maintaining history or distribution group conversations. | Delegates working on behalf of a virtual identity, and they can respond to email as that shared mailbox identity. Example: support@tailspintoys.com | Users who need to send email to a group of recipients with a common interest or characteristic. |
| Access | Accessible by anyone in your organization. | Users can be granted Full Access and/or Send As permissions. If granted Full Access permissions, users must also add the shared mailbox to their Outlook profile to access the shared mailbox. | For distribution groups, members must be manually added. For dynamic distribution groups, members are added based on filtering criteria. |
| Email arrives in user's personal Inbox? | No. Email arrives in the public folder. | No. Email arrives in the Inbox of the shared mailbox. | Yes. Email arrives in the Inbox of a distribution group member. |
| Supported clients | Outlook 2010 or later; Outlook on the web | Outlook 2010 or later; Outlook on the web | Outlook 2010 or later; Outlook on the web |
Public folders in Office 365 and Exchange Online
3/28/2019
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization. Public folders help organize content in a deep
hierarchy that's easy to browse. Users will see the full hierarchy in Outlook, which makes it easy for them to
browse for the content they're interested in.
NOTE
Public folders are available in the following Outlook clients: Outlook Web App for Exchange, Outlook 2007, Outlook 2010,
Outlook 2013, and Outlook for Mac.
Public folders can also be used as an archiving method for distribution groups. When you mail-enable a public
folder and add it as a member of the distribution group, email sent to the group is automatically added to the
public folder for later reference.
Public folders aren't designed for the following purposes:
Data archiving. Users who have mailbox limits sometimes use public folders instead of mailboxes to
archive data. This practice isn't recommended because it affects storage in public folders and undermines
the goal of mailbox limits. Instead, we recommend that you use In-Place Archiving as your archiving
solution.
Document sharing and collaboration. Public folders don't provide versioning or other document
management features, such as controlled check-in and check-out functionality and automatic notifications
of content changes. Instead, we recommend that you use SharePoint Online as your documentation sharing
solution.
For more information about public folders and other collaboration methods in Office 365 and Exchange Online,
see Collaboration in Exchange Online.
For a list of frequently asked questions regarding public folders in Office 365 and Exchange Online, see FAQ:
Public folders.
For more information about public folder quotas in Office 365 and Exchange Online, see the service description
topics Sharing and Collaboration and Exchange Online Limits.
For a list of public folder management tasks, see Public folder procedures in Office 365 and Exchange Online.
For more information about the public folder limits in Office 365 and Exchange Online, see Exchange Online
Limits.
Looking for the Exchange Server version of this topic? See Public Folders.
NOTE
The hierarchy doesn't store information about email addresses for mail-enabled public folders. Email addresses are stored in
the directory.
Hierarchy synchronization
The public folder hierarchy synchronization process uses Incremental Change Synchronization (ICS), which
provides a mechanism to monitor and synchronize changes to an Exchange store hierarchy or content. The
changes include creating, modifying, and deleting folders and messages. When users are connected to and using
content mailboxes, synchronization occurs every 15 minutes. If no users are connected to a content mailbox,
synchronization is triggered less often (every 24 hours). If a write operation such as creating a folder is
performed on the primary hierarchy, synchronization is triggered immediately (synchronously) to the content
mailbox.
IMPORTANT
Because there's only one writeable copy of the hierarchy, folder creation is proxied to the hierarchy mailbox by the content
mailbox users are connected to.
Considerations
Although there are many advantages to using public folders in Office 365 and Exchange Online, there are some
things to consider before implementing them in your organization:
Outlook Web App is supported, but with limitations. You can add and remove favorite public folders and
perform item-level operations such as creating, editing, deleting posts, and replying to posts. However, you
can't create or delete public folders from Outlook Web App.
Although a full text search of public folder content is available, public folder content isn't searchable across
public folders and the content isn't indexed by Exchange Search.
You must use an Exchange Online supported Outlook client or later to access public folders in Office 365 and
Exchange Online.
Use batch migration to migrate legacy public folders to Office 365 and Exchange Online
Use batch migration to migrate Exchange 2013 public folders to Exchange Online
Configure legacy on-premises public folders for a hybrid deployment
Configure Exchange Server public folders for a hybrid deployment
Configure Exchange Online public folders for a hybrid deployment
Set up public folders in a new organization
Accessing public folders with Outlook 2016 for Mac
Create a public folder mailbox
Create a public folder
Recover a deleted public folder mailbox
Use favorite public folders in Outlook on the web
Mail-enable or mail-disable a public folder
Update the public folder hierarchy
Remove a public folder
View statistics for public folders and public folder items
Use batch migration to migrate legacy public folders to Office 365 and Exchange Online
3/29/2019 • 25 minutes to read
Summary: Use these procedures to move your Exchange 2010 public folders to Office 365.
This topic describes how to migrate your public folders in a cutover or staged migration from Update Rollup 8 for
Exchange Server 2010 Service Pack 3 (SP3) to Office 365 or Exchange Online.
This topic refers to the Exchange 2010 SP3 RU8 server as the legacy Exchange server. Also, the steps in this topic
apply to both Exchange Online and Office 365. The terms may be used interchangeably in this topic.
NOTE
The batch migration method described in this article is the only supported method for migrating legacy public folders to
Office 365 and Exchange Online. The old serial migration method for migrating public folders is no longer supported by
Microsoft.
We recommend that you don't use Outlook's PST export feature to migrate public folders to Office 365 or
Exchange Online. Office 365 and Exchange Online public folder mailbox growth is managed using an auto-split
feature that splits the public folder mailbox when it exceeds size quotas. Auto-split can't handle the sudden growth
of public folder mailboxes when you use PST export to migrate your public folders, and you may have to wait for
up to two weeks for auto-split to move the data from the primary mailbox. We recommend that you use the
cmdlet-based instructions in this document to migrate public folders to Office 365 and Exchange Online.
However, if you elect to migrate public folders using PST export, see the section Migrate Public Folders to Office
365 by using Outlook PST export later in this topic.
You'll perform the migration using the *-MigrationBatch cmdlets, in addition to the following PowerShell scripts:
Export-PublicFolderStatistics.ps1: This script creates the folder name-to-folder size mapping file. You'll
run this script on the legacy Exchange server.
Export-PublicFolderStatistics.psd1: This support file is used by the Export-PublicFolderStatistics.ps1
script and should be downloaded to the same location.
PublicFolderToMailboxMapGenerator.ps1: This script creates the public folder-to-mailbox mapping file by
using the output from the Export-PublicFolderStatistics.ps1 script. You'll run this script on the legacy
Exchange server.
PublicFolderToMailboxMapGenerator.strings.psd1: This support file is used by the
PublicFolderToMailboxMapGenerator.ps1 script and should be downloaded to the same location.
Create-PublicFolderMailboxesForMigration.ps1: This script creates the target public folder mailboxes for the
migration. In addition, this script calculates the number of mailboxes necessary to handle the estimated
user load, based on the guidelines for the number of user logons per public folder mailbox recommended
in Limits for Public Folders.
Create-PublicFolderMailboxesForMigration.strings.psd1: This support file is used by the
Create-PublicFolderMailboxesForMigration.ps1 script and should be downloaded to the same location.
Sync-MailPublicFolders.ps1: This script synchronizes mail-enabled public folder objects between your local
Exchange deployment and Office 365. You'll run this script on the legacy Exchange server.
SyncMailPublicFolders.strings.psd1: This is a support file used by the Sync-MailPublicFolders.ps1 script
and should be copied to the same location as the preceding scripts.
Step 1: Download the migration scripts provides details about where to download these scripts. Make sure all
scripts are downloaded to the same location.
For additional management tasks related to public folders, see Public Folder Procedures.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
SyncMailPublicFolders.strings.psd1
4. Save the scripts to the same location you did for step 2. For example, C:\PFScripts.
If the name of a public folder contains a backslash ( \ ) or a forward slash ( / ), the public folders might be
created in the parent public folder when migration occurs. Before you migrate, we recommend that you
rename any public folders that have a backslash or a forward slash in the name.
In Exchange 2010, to locate public folders that have a backslash or a forward slash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited |
    Where {($_.Name -like "*\*") -or ($_.Name -like "*/*") } |
    Format-List Name,Identity
2. If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>
3. Make sure there isn't a previous record of a successful migration. If there is, you'll need to set that value to
$false. If the value is set to $true, the migration request will fail.
Caution
After resetting these properties, you need to wait for Exchange to detect the new settings. This may take up
to two hours to complete.
5. For verification purposes at the end of migration, we recommend that you first run the following Exchange
Management Shell commands on the legacy Exchange server to take snapshots of your current public
folder deployment.
Run the following command to take a snapshot of the original source folder structure.
Run the following command to take a snapshot of public folder statistics such as item count, size, and
owner.
Save the information from the preceding commands for comparison at the end of the migration.
6. If you are using Microsoft Azure Active Directory Connect (Azure AD Connect) to synchronize your on-
premises directories with Azure Active Directory, you need to do the following (if you are not using Azure
AD Connect, you can skip this step):
a. On an on-premises computer, open Microsoft Azure Active Directory Connect, and then select
Configure.
b. On the Additional tasks screen, select Customize synchronization options, and then click Next.
c. On the Connect to Azure AD screen, enter the appropriate credentials, and then click Next. Once
connected, keep clicking Next until you are on the Optional Features screen.
d. Make sure that Exchange Mail Public Folders is not selected. If it isn't selected, you can continue to the
next section, Prerequisite steps in Office 365 or Exchange Online. If it is selected, click to clear the check box,
and then click Next.
NOTE
If you don't see Exchange Mail Public Folders as an option on the Optional Features screen, you can exit
Microsoft Azure Active Directory Connect and proceed to the next section, Prerequisite steps in Office 365 or
Exchange Online.
7. After you have cleared the Exchange Mail Public Folders selection, keep clicking Next until you are on
the Ready to configure screen, and then click Configure.
For detailed syntax and parameter information, see the following topics:
New-AcceptedDomain
Get-PublicFolder
Get-PublicFolderDatabase
Set-PublicFolder
Get-PublicFolderStatistics
Get-PublicFolderClientPermission
Get-OrganizationConfig
Set-OrganizationConfig
Prerequisite steps in Office 365 or Exchange Online
1. Make sure there are no existing public folder migration requests. If there are, clear them or your own
migration request will fail. This step isn't required in all cases; it's only required if you think there may be an
existing migration request in the pipeline.
An existing migration request can be one of two types: batch migration or serial migration. The commands
for detecting requests for each type and for removing requests of each type are as follows.
IMPORTANT
Before removing a migration request, it is important to understand why there was an existing one. Running the
following commands will determine when a previous request was made and help you diagnose any problems that
may have occurred. You may need to communicate with other administrators in your organization to determine why
the change was made.
The following example will discover any existing serial migration requests.
The following example removes any existing public folder serial migration requests.
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest
The following example will discover any existing batch migration requests.
The following example removes any existing public folder batch migration requests.
2. Make sure no public folders or public folder mailboxes exist in Office 365.
IMPORTANT
If you do see public folders in Office 365 or Exchange Online, it is important to determine why they are there and who in
your organization started a public folder hierarchy before removing the public folders and public folder mailboxes.
1. In Office 365 or Exchange Online PowerShell, run the following command to see if any public folder
mailboxes exist.
Get-Mailbox -PublicFolder
2. If the command didn't return any public folder mailboxes, continue to Step 3: Generate the .csv files. If the
command returned any public folder mailboxes, run the following command to see if any public folders
exist:
Get-PublicFolder
3. If you have any public folders in Office 365 or Exchange Online, run the following PowerShell command to
remove them. Make sure you've saved any information that was in the public folders in Office 365. All
information contained in the public folders will be permanently deleted when you remove the public
folders.
4. After the public folders are removed, run the following commands to remove all public folder mailboxes.
$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
# Remove the secondary public folder mailboxes first.
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false
# Then remove the primary hierarchy mailbox.
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false
For detailed syntax and parameter information, see the following topics:
Get-MigrationBatch
Get-PublicFolderMigrationRequest
Remove-PublicFolderMigrationRequest
Get-Mailbox
Get-PublicFolder
Get-MailPublicFolder
Disable-MailPublicFolder
Remove-PublicFolder
Remove-Mailbox
FQDN of source server equals the fully qualified domain name of the Mailbox server where the
public folder hierarchy is hosted.
Folder to size map path equals the file name and path on a network shared folder where you want
the .csv file saved. Later in this topic, you'll need to use the Exchange Online PowerShell to access
this file. If you specify only the file name, the file will be generated in the current PowerShell
directory on the local computer.
If necessary, remove any mail-enabled system folders from the script output before proceeding.
2. Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file.
This file is used to calculate the correct number of public folder mailboxes in Exchange Online.
Before you run the script, use the following command to check the current public folder limits in
your Exchange Online tenant. Then, note the current quota values for public folders.
Before you start the migration batch, delete public folder content to reduce the size of the content to
2 GB or less.
Before you start the migration batch, split the public folder into multiple public folders that are each
2 GB or less.
NOTE
If the public folder is larger than 30 GB, and if it isn't feasible to delete content or split it into multiple public
folders, we recommend that you don't move your public folders to Exchange Online.
Folder to size map path equals the file path of the .csv file that you created when you ran the
Export-PublicFolderStatistics.ps1 script.
Folder to mailbox map path equals the file name and path of the folder-to-mailbox .csv file that you
create in this step. If you specify only the file name, the file is generated in the current PowerShell
directory on the local computer.
NOTE
After the scripts are run and the .csv files are generated, any new public folders or updates to existing public folders will not
be collected.
Mapping.csv is the file generated by the PublicFolderToMailboxMapGenerator.ps1 script in Step 3. The estimated
number of simultaneous user connections browsing a public folder hierarchy is usually less than the total number
of users in an organization.
Credential is your Office 365 username and password. CsvSummaryFile is the file path to where you would
like to log, in .CSV format, synchronization operations and errors.
NOTE
We recommend that you first simulate the actions that the script would take before actually executing it, which you
can do by running the script with a -WhatIf parameter.
2. On the legacy Exchange server, get the following information that's needed to run the migration request:
a. Find the LegacyExchangeDN of the user's account who is a member of the Public Folder Administrator
role. This will be the same user whose credentials you need in step 3 of this procedure.
b. Find the LegacyExchangeDN of any Mailbox server that has a public folder database.
c. Find the FQDN of the Outlook Anywhere host name. If you have multiple instances of Outlook
Anywhere, we recommend that you select the instance that is either closest to the migration endpoint or
the one that is closest to the public folder replicas in the legacy Exchange organization. The following
command will find all instances of Outlook Anywhere:
3. In Office 365 PowerShell, run the following commands to pass the information that was returned in the
previous step to variables that will then be used in the migration request.
a. Pass the credential of a user who has administrative permissions on the legacy Exchange server into the
variable $Source_Credential. The migration request that's run in Exchange Online will use this credential
to gain access to your legacy Exchange servers to copy the content over.
b. Use the LegacyExchangeDN of the migration user on the legacy Exchange server that you found in step 2a
and pass it into the variable $Source_RemoteMailboxLegacyDN.
c. Use the LegacyExchangeDN of the public folder server that you found in step 2b above and pass it into
the variable $Source_RemotePublicFolderServerLegacyDN.
d. Use the External Host Name of Outlook Anywhere that you found in step 2c above and pass it into the
variable $Source_OutlookAnywhereExternalHostName.
4. Finally, in Exchange Online PowerShell, run the following commands to create the migration request.
NOTE
The authentication method in the following Exchange Management Shell example needs to match your Outlook
Anywhere settings, otherwise the command will fail.
# Create the migration endpoint that points at the legacy Outlook Anywhere host.
$PfEndpoint = New-MigrationEndpoint -PublicFolder -Name PublicFolderEndpoint -RPCProxyServer $Source_OutlookAnywhereExternalHostName -Credentials $Source_Credential -SourceMailboxLegacyDN $Source_RemoteMailboxLegacyDN -PublicFolderDatabaseServerLegacyDN $Source_RemotePublicFolderServerLegacyDN -Authentication Basic
# Read the folder-to-mailbox mapping file as raw bytes.
[byte[]]$bytes = Get-Content -Encoding Byte <folder_mapping.csv>
# Create the migration batch from the mapping data.
New-MigrationBatch -Name PublicFolderMigration -CSVData $bytes -SourceEndpoint $PfEndpoint.Identity -NotificationEmails <email addresses for migration notifications>
Where the <folder_mapping.csv> file is the file that was generated in Step 3: Generate the .csv files.
5. Start the migration using the following command:
Start-MigrationBatch PublicFolderMigration
While batch migrations need to be created using the New-MigrationBatch cmdlet in the Exchange Management
Shell, the progress and completion of the migration can be viewed and managed in the EAC. Because the
New-MigrationBatch cmdlet initiates a mailbox migration request for each public folder mailbox, you can view the
status of these requests using the mailbox migration page. You can get to the mailbox migration page, and create
migration reports that can be emailed to you, by doing the following:
1. Log into Exchange Online and open the EAC.
2. Navigate to Mailbox > Migration.
3. Select the migration request that was just created and then click View Details in the Details pane.
For detailed syntax and parameter information, see the following topics:
Get-Mailbox
Get-ExchangeServer
Get-OutlookAnywhere
New-PublicFolderMigrationRequest
Get-PublicFolderDatabase
Get-PublicFolderMigrationRequest
Get-PublicFolderMigrationRequestStatistics
Step 6: Lock down the public folders on the legacy Exchange server for final migration (downtime required)
Until this point in the migration process, users have been able to access public folders. The next steps will log
users off from the legacy public folders and lock the folders while the migration completes its final
synchronization. Users won't be able to access public folders during this process. Also, any mail sent to mail-
enabled public folders will be queued and won't be delivered until the public folder migration is complete.
Before you run the PublicFoldersLockedForMigration command as described below, make sure that all jobs are in
the Synced state. You can do this by running the Get-PublicFolderMailboxMigrationRequest command. Continue
with this step only after you've verified that all jobs are in the Synced state.
On the legacy Exchange server, run the following command to lock the legacy public folders for finalization.
Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
For detailed syntax and parameter information, see Set-OrganizationConfig.
If your organization has multiple public folder databases, you'll need to wait until public folder replication is
complete to confirm that all public folder databases have picked up the PublicFoldersLockedForMigration flag and
any pending changes users recently made to folders have converged across the organization. This may take
several hours.
Complete-MigrationBatch PublicFolderMigration
When you complete the migration, Exchange will perform a final synchronization between the legacy Exchange
server and Exchange Online. If the final synchronization is successful, the public folders in Exchange Online will be
unlocked and the status of the migration batch will change to Completed. It is common for the migration batch
to take a few hours before its status changes from Synced to Completing, at which point the final
synchronization will begin.
If you've configured a hybrid deployment between your on-premises Exchange servers and Office 365, you need
to run the following command in Exchange Online PowerShell after migration is complete:
2. Log on to Outlook 2010 or later with the test user identified in the previous step, and then perform the
following public folder tests:
View the hierarchy.
Check permissions.
Create and delete public folders.
Post content to and delete content from a public folder.
3. If you run into any issues, see Roll back the migration later in this topic. If the public folder content and
hierarchy are acceptable and function as expected, continue to the next step.
4. On the legacy Exchange server, run the following command to indicate that the public folder migration is
complete:
Set-OrganizationConfig -PublicFolderMigrationComplete:$true
5. After you've verified that migration is complete, run the following command in Exchange Online
PowerShell to make sure that the PublicFoldersEnabled parameter on Set-OrganizationConfig is set to
Local:
For detailed syntax and parameter information, see the following topics:
Set-Mailbox
Get-Mailbox
Set-OrganizationConfig
2. In Exchange Online PowerShell, run the following command to take a snapshot of the public folder
statistics such as item count, size, and owner.
3. In Exchange Online PowerShell, run the following command to take a snapshot of the permissions.
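The snapshots taken before migration and in Exchange Online only help if they are compared. The following PowerShell is an added example, not part of the original article: it diffs two permission snapshots and marks entries where the Default or Anonymous principal gained or changed rights. The row shape (Identity, User, AccessRights) is an assumption modelled on Get-PublicFolderClientPermission output, the function names are hypothetical, and all rows are constructed sample data.

```powershell
# Added example (not from the original article): diff two public folder
# permission snapshots taken before and after migration.
# Assumption: each row has Identity, User and AccessRights, as in the output of
# Get-PublicFolderClientPermission. In practice the two snapshots would be
# loaded with Import-Clixml; the rows below are constructed sample data.

function Get-PermissionIndex {
    param([object[]] $Snapshot)
    $index = @{}
    foreach ($row in $Snapshot) {
        # Normalise so that letter case and the order of rights do not cause false diffs.
        $folder = ([string]$row.Identity).TrimEnd('\').ToLowerInvariant()
        $user   = ([string]$row.User).ToLowerInvariant()
        $rights = (@($row.AccessRights) | ForEach-Object { [string]$_ } | Sort-Object) -join ','
        $index["$folder|$user"] = [pscustomobject]@{
            Folder = $folder
            User   = $user
            Rights = $rights
        }
    }
    return $index
}

function Compare-PermissionSnapshot {
    param([object[]] $Before, [object[]] $After)
    $old  = Get-PermissionIndex $Before
    $new  = Get-PermissionIndex $After
    $keys = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        $o = $old[$key]
        $n = $new[$key]
        if     (-not $n)                 { $change = 'Removed' }
        elseif (-not $o)                 { $change = 'Added' }
        elseif ($o.Rights -ne $n.Rights) { $change = 'Changed' }
        else                             { continue }   # identical entry, nothing to report
        $entry = if ($n) { $n } else { $o }
        [pscustomobject]@{
            Change = $change
            Folder = $entry.Folder
            User   = $entry.User
            Before = if ($o) { $o.Rights } else { '' }
            After  = if ($n) { $n.Rights } else { '' }
            # Broad principals that gained or changed rights should be reviewed first.
            Review = ($change -ne 'Removed') -and ($entry.User -in 'default', 'anonymous')
        }
    }
}

# Constructed "before" snapshot (legacy Exchange server).
$before = @(
    [pscustomobject]@{ Identity = '\Sales';        User = 'Default';   AccessRights = @('Author') }
    [pscustomobject]@{ Identity = '\Sales';        User = 'Anonymous'; AccessRights = @('None') }
    [pscustomobject]@{ Identity = '\Sales\Quotes'; User = 'alice';     AccessRights = @('Owner') }
    [pscustomobject]@{ Identity = '\HR';           User = 'bob';       AccessRights = @('Editor') }
)

# Constructed "after" snapshot (Exchange Online).
$after = @(
    [pscustomobject]@{ Identity = '\Sales';        User = 'Default';   AccessRights = @('Author') }
    [pscustomobject]@{ Identity = '\Sales';        User = 'Anonymous'; AccessRights = @('CreateItems') }
    [pscustomobject]@{ Identity = '\Sales\Quotes'; User = 'Alice';     AccessRights = @('Owner') }
    [pscustomobject]@{ Identity = '\HR';           User = 'Default';   AccessRights = @('Reviewer') }
)

# Show differences, with entries that need review listed first.
Compare-PermissionSnapshot -Before $before -After $after |
    Sort-Object @{ Expression = 'Review'; Descending = $true }, Folder, User |
    Format-Table -AutoSize
```

Entries that differ only in letter case, such as alice and Alice, are treated as unchanged, so the output is limited to real additions, removals and rights changes.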
IMPORTANT
Since all of your mailboxes have been migrated to Office 365 prior to the public folder migration, we strongly recommend
that you route the traffic through Office 365 (decentralized mail flow) instead of centralized mail flow through your on-
premises environment. If you choose to keep mail flow centralized, it could cause delivery issues to your public folders, since
you've removed the public folder mailbox databases from your on-premises organization.
For details about how to remove public folder databases from Exchange 2010 servers, see Remove Public
Folder Databases.
If you roll your migration back to the legacy Exchange servers, you will lose any email that was sent to mail-
enabled public folders or content that was posted to public folders after the migration. To save this content, you
need to export the public folder content to a .pst file and then import it to the legacy public folders when the
rollback is complete.
1. On the legacy Exchange server, run the following command to unlock the legacy Exchange public folders.
This process may take several hours.
Set-OrganizationConfig -PublicFoldersLockedForMigration:$False
2. In Exchange Online PowerShell, run the following commands to remove all Exchange Online public folders.
$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
# Remove the secondary public folder mailboxes first.
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
# Then remove the primary hierarchy mailbox.
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
3. On the legacy Exchange server, run the following command to set the PublicFolderMigrationComplete flag
to $false.
Set-OrganizationConfig -PublicFolderMigrationComplete:$False
If you've already started a PST migration and have run into an issue where the primary mailbox is full, you have
two options for recovering the PST migration:
Wait for the auto-split to move the data from the primary mailbox. This may take up to two weeks. However, all
the public folders in a completely filled public folder mailbox won't be able to receive new content until the
auto-split completes.
Create a public folder mailbox and then use the New-PublicFolder cmdlet with the Mailbox parameter to create
the remaining public folders in the secondary public folder mailbox. This example creates a new public folder
named PF201 in the secondary public folder mailbox.
Use batch migration to migrate Exchange 2013 public folders to Exchange Online
3/6/2019 • 26 minutes to read
Summary: This article tells you how to move modern public folders from Exchange 2013 to Office 365.
Migrating your Exchange 2013 public folders to Exchange Online requires Exchange Server 2013 CU15 or later
running in your on-premises environment.
NOTE
If you have both Exchange 2013 and Exchange 2016 public folders in your organization, and you want to move them all to
Exchange Online, use the Exchange 2016 version of this article to plan and execute your migration. Your Exchange 2013
servers will still need to have CU15 or later installed.
NOTE
If your current public folder quotas in Exchange Online are less than 25 GB, you can use the Set-OrganizationConfig
cmdlet to increase them with the DefaultPublicFolderIssueWarningQuota and DefaultPublicFolderProhibitPostQuota
parameters.
In Office 365 and Exchange Online, you can create a maximum of 1000 public folder mailboxes.
If you intend to migrate users to Office 365, you should complete your user migration prior to migrating
your public folders. For more information, see Ways to migrate multiple email accounts to Office 365.
MRS Proxy needs to be enabled on at least one Exchange server, a server that is also hosting public folder
mailboxes. See Enable the MRS Proxy Endpoint for Remote Moves for details.
To perform the migration procedures in this article, you can't use the Exchange admin center (EAC). Instead,
you need to use the Exchange Management Shell on your Exchange 2013 servers. In Exchange Online, you
need to use Exchange Online PowerShell. For more information, see Connect to Exchange Online
PowerShell.
Migrating deleted items and deleted folders from Exchange 2013 to Exchange Online is supported. Before
you begin your migration, we recommend that you review all deleted folders and folder items and
permanently delete anything you won't need in Exchange Online. Note that once something is permanently
deleted, it can't be recovered.
You can use the following commands to list deleted public folders present in the Exchange dumpster (in
your Exchange on-premises environment):
To permanently delete a specific folder, use the following command (this example uses a folder named
'Calendar2'):
You must use a single migration batch to migrate all of your public folder data. Exchange allows creating
only one migration batch at a time. If you attempt to create more than one migration batch simultaneously,
the result will be an error.
Before you begin, please read this article in its entirety. For some steps there is downtime required. During
this downtime, public folders will not be accessible by anyone.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Example:
NOTE
If you're expecting your mail-enabled public folders in Exchange Online to receive external emails from the internet,
you have to disable Directory Based Edge Blocking (DBEB) in Exchange Online and Exchange Online Protection (EOP).
See Use Directory Based Edge Blocking to reject messages sent to invalid recipients for more information.
2. If the name of a public folder contains a backslash \ or a forward slash /, it may not get migrated to its
designated mailbox during the migration process. Before you migrate, rename any such folders to remove
these characters.
a. To locate public folders that have a backslash or a forward slash in the name, run the following command:
Get-PublicFolder -Recurse -ResultSize Unlimited |
    Where {$_.Name -like "*\*" -or $_.Name -like "*/*"} |
    Format-List Name, Identity, EntryId
b. If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity "<public folder EntryId>" -Name "<new public folder name>"
3. Take the following steps to confirm there isn't a record of a previous, successful migration in your
organization. If there is, you need to set that value to $false.
Before changing the values, please confirm that the previous migration attempt can be discarded so that
you don't accidentally perform a second migration.
a. Run the following command to check for any previous migrations, and the status of those
migrations:
NOTE
If either the PublicFoldersLockedforMigration or PublicFolderMigrationComplete parameters are
$true, it means you have migrated legacy public folders at some point. Make sure any legacy public folder
databases have been decommissioned before you continue to step 3b.
b. If any of the above is returned with a value set to $true, make them $false by running:
Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false -PublicFolderMailboxesLockedForNewConnections:$false -PublicFolderMailboxesMigrationComplete:$false
4. For the purpose of verifying the success of the migration upon its completion, we recommend that you run
the following commands on all appropriate Exchange 2013 servers. This will take snapshots of your current
public folder deployment that you can later use to compare with your newly migrated public folders.
NOTE
Depending on the size of your Exchange organization, it could take some time for these commands to run.
Run the following command to take a snapshot of the original source folder structure.
Run the following command to take a snapshot of public folder statistics such as item count, size, and
owner.
Run the following command to take a snapshot of your mail-enabled public folders:
Save the files generated from the preceding commands in a safe place in order to make a comparison at
the end of the migration.
5. If you are using Microsoft Azure Active Directory Connect (Azure AD Connect) to synchronize your on-
premises directories with Azure Active Directory, you must take the following actions (if you are not using
Azure AD Connect, you can skip this step):
a. On an on-premises computer, open Microsoft Azure Active Directory Connect, and then select
Configure.
b. On the Additional tasks screen, select Customize synchronization options, and then click Next.
c. On the Connect to Azure AD screen, enter the appropriate credentials, and then click Next. Once
connected, keep clicking Next until you are on the Optional Features screen.
d. Make sure that Exchange Mail Public Folders is not selected. If it isn't selected, you can continue
to the next section, Prerequisite steps in Exchange Online. If it is selected, click to clear the check box,
and then click Next.
NOTE
If you don't see Exchange Mail Public Folders as an option on the Optional Features screen, you can exit
Microsoft Azure Active Directory Connect and proceed to the next section, Prerequisite steps in Exchange
Online.
e. After you have cleared the Exchange Mail Public Folders selection, keep clicking Next until you
are on the Ready to configure screen, and then click Configure.
Prerequisite steps in Exchange Online
In Exchange Online PowerShell, do the following:
1. Make sure there are no existing public folder migration requests. If there are, clear them or your own
migration request will fail. This step is only required if you think there may be an existing migration request
in the pipeline (one that has failed or that you wish to abort).
An existing migration request can be one of two types: batch migration or serial migration. The commands
for detecting, and removing, each type of request are as follows.
The following example will discover any existing serial migration requests:
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics
The following example removes any existing public folder serial migration requests:
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest
The following example will discover any existing batch migration requests:
The following example removes any existing public folder batch migration requests:
2. You need to have the migration feature PAW enabled for your Office 365 tenant. You can check this by
running the following command in Exchange Online PowerShell:
Get-MigrationConfig
If the output under Features has PAW, then the feature is enabled and you can continue to the next step.
If PAW is not yet enabled for your tenant, it could be because you have some existing migration batches,
either public folder batches or user batches. These batches could be in any state, including Completed. If
this is the case, please complete and remove any migration batches until no records are returned when you
run Get-MigrationBatch. Once all the existing batches are removed, PAW should get enabled automatically.
Note that the change may not reflect in Get-MigrationConfig immediately, but that is okay. In the case of
user migrations, you can continue creating new batches once this step is completed.
3. Make sure there aren't any existing public folders or public folder mailboxes in Exchange Online. If you do
discover public folders in Exchange Online after following the steps below, it's important to determine why
they are there and who in your organization started a public folder hierarchy before you begin removing
any public folders and public folder mailboxes.
a. In Office 365 or Exchange Online PowerShell, run the following command to see if any public
folder mailboxes exist.
Get-Mailbox -PublicFolder
b. If the command doesn't return any public folder mailboxes, continue to Step 3: Generate the .csv
files. If the command does return any public folder mailboxes, run the following command to see if
any public folders exist:
Get-PublicFolder -Recurse
c. If you do have any public folders in Office 365 or Exchange Online, run the following PowerShell
command to remove them (after confirming that they are not needed). Make sure that you've saved
any information within these public folders before deleting them, because all information will be
permanently deleted when you remove the public folders.
d. After the public folders are removed, run the following commands to remove all public folder
mailboxes:
$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder -SoftDeletedMailbox | Remove-Mailbox -PublicFolder -PermanentlyDelete:$true
Example:
.\Export-ModernPublicFolderStatistics.ps1 stats.csv
2. Run the ModernPublicFolderToMailboxMapGenerator.ps1 script to create a .csv file that maps source public
folders to public folder mailboxes in your Exchange Online destination. This file is used to calculate the
correct number of public folder mailboxes in Exchange Online.
NOTE
The file generated by ModernPublicFolderToMailboxMapGenerator.ps1 will not contain the name of every public
folder in your organization. It will contain references to the parent folders of larger folder trees, or the names of
folders which themselves are significantly large. You can think of this file as an "exception" file used to make sure
certain folder trees and larger folders get placed into specific public folder mailboxes. It is normal to not see every
one of your public folders in this file. Child folders of any folder listed in this mapping file will also be migrated to the
same public folder mailbox as their parent folder (unless explicitly mentioned on another line within the mapping file
that directs them to a different public folder mailbox).
<Maximum mailbox size in bytes> is the maximum amount of data you want to migrate into any
single public folder mailbox in Exchange Online. The maximum size of this field is currently 50 GB,
but we recommend you use a smaller size, such as 50% of maximum size, to allow for future growth.
<Maximum mailbox recoverable items size in bytes> is the recoverable items quota on your
Exchange Online mailboxes. The maximum size of public folder mailboxes in Exchange Online is
currently 50 GB. We recommend setting RecoverableItemsQuota to 15 GB or less.
<Folder-to-size map path> is the file path of the .csv file you created when you ran the
Export-ModernPublicFolderStatistics.ps1 script.
<Folder-to-mailbox map path> is the file path of the folder-to-mailbox .csv file that you are creating
in this step. If you only specify a file name, the file will be generated in the current PowerShell
directory on the local computer.
Example:
NOTE
We don't support migrating public folders to Exchange Online if the number of unique public folder
mailboxes in Exchange Online is more than 100.
You're prompted for your Exchange Online administrative username and password.
CsvSummaryFile is the file path to where you want your log file of synchronization operations and
errors located. The log will be in .csv format.
2. On the Exchange 2013 server, find the MRS proxy endpoint server and make note of it. You will need this
information to run the migration request. Save this information for step 3b below.
3. In Exchange Online PowerShell, run the following commands to pass credential information and the MRS
information from the previous step to cmdlet variables that will be used in the migration request.
a. Pass the credential of a user who has administrator permissions in the Exchange 2013 on-premises
environment into the variable $Source_Credential. The migration request that you run in Exchange
Online will use this credential to gain access to your on-premises Exchange 2013 servers to copy the
public folder content over to Exchange Online.
b. Take the MRS Proxy Server information from the Exchange 2013 environment that you found in
step 2 above and pass it into the variable:
4. In Exchange Online PowerShell, run the following commands to create the public folder migration endpoint
and the public folder migration request:
NOTE
Separate multiple email addresses with commas.
Where folder_mapping.csv is the map file that was generated in Step 3: Create the .csv files. Be sure to
provide the full file path. If the map file was moved for any reason, be sure to use the new location.
5. Finally, start the migration using the following command in Exchange Online PowerShell:
Start-MigrationBatch PublicFolderMigration
While batch migrations need to be created using the New-MigrationBatch cmdlet in Exchange Online PowerShell,
the progress and completion of the migration can be viewed and managed in the EAC or by running the
Get-MigrationBatch cmdlet. The New-MigrationBatch cmdlet initiates a mailbox migration request for each public
folder mailbox, and you can view the status of these requests using the mailbox migration page.
To go to the mailbox migration page:
1. Log on to Exchange Online and open the EAC.
2. Navigate to Recipients, and then select Migration.
3. Select the migration request that was just created and then, on the Details pane, select View Details.
Before moving on to Step 6: Lock down the public folders on the Exchange 2013 server, verify that all data has
been copied and that there are no errors in the migration. Once you have confirmed that the batch has moved to
the state of Synced, run the commands mentioned in Step 2: Prepare for the migration, in the final step under
Prerequisite steps in the on-premises Exchange 2013 server environment, to take a snapshot of the public
folders on-premises. Once these commands have run, you can proceed to the next step. Note that these
commands could take a while to complete depending on the number of folders you have.
NOTE
If you are not able to access the -PublicFolderMailboxesLockedForNewConnections parameter, it could be because your
Active Directory was not prepared during the CU upgrade, as we advised above in What do you need to know before you
begin? See Prepare Active Directory and Domains for more information. Also note that any users who need access to
public folders should be migrated first, before you migrate the public folders themselves.
If your organization has public folder mailboxes on multiple Exchange 2013 servers, you'll need to wait until AD
replication is complete. Once complete, you can confirm that all public folder mailboxes have picked up the
PublicFolderMailboxesLockedForNewConnections flag, and that any pending changes users recently made to their
public folders have converged across the organization. All of this could take several hours.
Run the following command on-premises to ensure the public folders are locked:
Get-PublicFolder \
Expected output, if public folders are locked, is:
[PS ] C:>Get-PublicFolder
Couldn't find the public folder mailbox. + CategoryInfo : NotSpecified: (:) [Get-PublicFolder],
ObjectNotFoundException
Complete-MigrationBatch PublicFolderMigration
When you run this command, Exchange will do a final synchronization between your Exchange on-premises
organization and Exchange Online. During this period, the status of the migration batch will change from Synced
to Completing, and then finally to Completed. If the final synchronization is successful, the public folders in
Exchange Online will be unlocked.
It is common for the migration batch to take a few hours before its status changes from Synced to Completing,
at which point the final synchronization will begin.
Make sure that your test users have necessary permissions to create public folders.
2. Log on to Outlook with the test user you designated in the previous step, and then take the following public
folder tests. Note that it may take 15 to 30 minutes for changes to take effect. Once Outlook is aware of the
changes, it might prompt you to restart a couple of times.
a. View the hierarchy.
b. Check permissions.
c. Create some public folders and then delete them.
d. Post content to, and delete content from, a public folder.
If you run into any issues and determine that you're not ready to switch your organization's public folders
entirely to Exchange Online, see Roll back a public folder migration from Exchange 2013 to Exchange
Online.
3. Run the following command in Exchange Online PowerShell to unlock your public folders in Exchange
Online. After you run the command, it may take approximately 15 to 30 minutes for the changes to take
effect. After Outlook becomes aware of the changes, it might prompt your users to restart the program
several times.
.\SetMailPublicFolderExternalAddress.ps1 -ExecutionSummaryFile:mepf_summary.csv
2. If your testing is successful, in your on-premises environment, run the following command to indicate that
the public folder migration is complete:
2. In Exchange Online PowerShell, run the following command to take a snapshot of the public folder
statistics, including item count, size, and owner:
3. In Exchange Online PowerShell, run the following command to take a snapshot of the permissions:
4. In Exchange Online PowerShell, run the following command to take a snapshot of the mail-enabled public
folders:
Some public folder migrations will fail if some public folder mailboxes are not serving the public folder
hierarchy. This means that the IsExcludedFromServingHierarchy parameter on one or more mailboxes is set
to $true. To avoid this, set all mailboxes in Exchange Online to serve the hierarchy.
Send As and Send on Behalf permissions don't get migrated to Exchange Online. If this happens with
your migration, use the following commands in your on-premises environment to note who has these
permissions.
To see which public folders have Send As permissions on-premises:
To add Send As permission to a mail-enabled public folder in Exchange Online, in Exchange Online
PowerShell type:
Add-RecipientPermission -Identity <mail-enabled public folder primary SMTP address> -Trustee <name of user to be assigned permission> -AccessRights SendAs
Example:
To add Send on Behalf permission to a mail-enabled public folder in Exchange Online, in Exchange Online
PowerShell type:
Example:
Exchange Online does not support more than 10,000 subfolders, which is why migrations of more than
10,000 folders will fail. We are currently developing a script to unblock such configurations. In the
meantime, we suggest waiting to migrate your public folders.
Migration jobs are not making progress or are stalled. This can happen if there are too many jobs running
in parallel, causing jobs to fail with intermittent errors. You can reduce the number of concurrent jobs by
modifying MaxConcurrentMigrations and MaxConcurrentIncrementalSyncs to a smaller number. Use the
following example to set these values:
Migration jobs fail with the error "Error: Dumpster of the Dumpster folder." If you see this error, it should be
resolved if you stop the batch and then restart it.
Migration jobs fail and generate a "Request was quarantined because of the following error: The given key
was not present in the dictionary" error message. This happens when a corrupted item is present in a folder
that migration jobs cannot copy. To work around this issue:
1. Stop the migration batch.
2. Identify the folder containing the bad item. The migration report should include references to the
folder that was being copied when the error occurred.
3. In your on-premises environment, move the affected folder to the primary public folder mailbox. You
can use the New-PublicFolderMoveRequest cmdlet to move folders.
4. Wait for the folder move to complete. After it is completed, remove the move request. Then, restart
the migration batch.
Summary: Follow these steps to return your public folder infrastructure to its pre-migration state in your
Exchange Server on-premises organization.
If you run into issues with your public folder migration to Exchange Online, or for any other reason need to
reactivate your Exchange Server public folders, follow the steps below.
Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections:$false -PublicFolderMailboxesMigrationComplete:$false -PublicFoldersEnabled Local
2. In your Exchange on-premises environment, revert the ExternalEmailAddress of any mail-enabled public
folder that was updated by SetMailPublicFolderExternalAddress.ps1 (the script used in Step 8: Test and
unlock public folders in Exchange Online of Use batch migration to migrate Exchange Server public folders
to Exchange Online). You can refer to the summary file created by the script to identify the ones that were
modified, or use the OnPrem_MEPF.xml file generated earlier in the same batch migration process to get
the original properties for all mail-enabled public folders.
3. In Exchange Online PowerShell, run the following commands to remove all Exchange Online public folders
and mailboxes:
4. Run the following command in your Exchange Online environment to redirect public folder traffic back to
on-premises (Exchange Server):
5. See Configure Exchange Server public folders for a hybrid deployment for instructions on reconfiguring
access to your on-premises public folders, so your Exchange Online users can access them.
Migrate your public folders to Office 365 Groups
3/4/2019 • 8 minutes to read
Summary: Why you should or shouldn't migrate your Exchange public folders to Office 365 Groups.
This article provides a comparison of public folders and Office 365 Groups, and how one or the other might be the
best solution for your organization. Public folders have been around as long as Exchange, whereas Groups were
introduced more recently. If you want to migrate some or all of your public folders to Groups, this article describes
how the process works, and provides links to the articles that walk you through the process, step by step.
NOTE
When you finish migrating a mail-enabled public folder to a particular group in Office 365, all the emails addressed to the
public folder will at that point be received by the group.
Summary: How to move your Exchange Online public folders to Office 365 Groups.
Through a process known as batch migration, you can move some or all of your Exchange Online public folders to
Office 365 Groups. Groups is a new collaboration offering from Microsoft that offers certain advantages over
public folders. See Migrate your public folders to Office 365 Groups for an overview of the differences between
public folders and Groups, and reasons why your organization may or may not benefit from switching to Groups.
This article contains the step-by-step procedures for performing the actual batch migration of your Exchange
Online public folders.
NOTE
Make sure to save all scripts and files to the same location.
AddMembersToGroups.ps1. This script adds members and owners to Office 365 Groups based on
permission entries in the source public folders.
AddMembersToGroups.strings.psd1. This support file is used by the script AddMembersToGroups.ps1.
LockAndSavePublicFolderProperties.ps1. This script makes public folders read-only to prevent any
modifications, and it transfers the mail-related public folder properties (provided the public folders are mail-
enabled) to the target groups, which will re-route emails from the public folders to the target groups. This
script also backs up the permission entries and the mail properties before modifying them.
LockAndSavePublicFolderProperties.strings.psd1. This support file is used by the script
LockAndSavePublicFolderProperties.ps1.
WriteLog.ps1. This script enables the preceding three scripts to write logs.
RetryScriptBlock.ps1. This script enables the AddMembersToGroups, LockAndSavePublicFolderProperties, and
UnlockAndRestorePublicFolderProperties scripts to retry certain actions in the event of transient errors.
If the output under Features lists PAW, then the feature is enabled and you can continue to Step 3: Create
the .csv file.
If PAW is not yet enabled for your tenant, it could be because you have some existing migration batches,
either public folder batches or user batches. These batches could be in any state, including Completed. If this
is the case, please complete and remove any existing migration batches until no records are returned when
you run Get-MigrationBatch. Once all existing batches are removed, PAW should get enabled automatically.
Note that the change may not reflect in Get-MigrationConfig immediately, which is okay. Once this step is
completed, you can continue creating new batches of user migrations.
An example .csv:
"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"
Note that a mail folder and a calendar folder can be merged into a single group in Office 365. However, any other
scenario of multiple public folders merging into one group isn't supported within a single migration batch. If you
do need to map multiple public folders to the same Office 365 group, you can accomplish this by running different
migration batches, which should be executed consecutively, one after another. You can have up to 500 entries in
each migration batch.
One public folder should be migrated to only one group in one migration batch.
2. Start the migration by running the following command in Exchange Online PowerShell. Note that this step
is necessary only if the -AutoStart parameter was not used while creating the batch above in step 1.
Start-MigrationBatch PublicFolderToGroupMigration
While batch migrations need to be created using the New-MigrationBatch cmdlet in Exchange Online PowerShell,
the progress of the migration can be viewed and managed in Exchange admin center. You can also view the
progress of the migration by running the Get-MigrationBatch and Get-MigrationUser cmdlets. The
New-MigrationBatch cmdlet initiates a migration user for each Office 365 group mailbox, and you can view the
status of these requests using the mailbox migration page.
To view the mailbox migration page:
1. In Exchange Online, open Exchange admin center.
2. Navigate to Recipients, and then select Migration.
3. Select the migration request that was just created and then, on the Details pane, select View Details.
When the batch status is Completed, you can move on to Step 5: Add members to Office 365 groups from public
folders.
Once users have been added to a group in Office 365, they can begin using it.
Step 6: Lock down the public folders (public folder downtime required)
When the majority of the data in your public folders has migrated to Office 365 Groups, you can run the script
LockAndSavePublicFolderProperties.ps1 to make the public folders read-only. This step ensures that no new data is
added to public folders before the migration completes.
NOTE
If there are mail-enabled public folders (MEPFs) among the public folders being migrated, this step will copy some properties
of MEPFs, such as SMTP addresses, to the corresponding group in Office 365 and then mail-disable the public folder. Because
the migrating MEPFs will be mail-disabled after the execution of this script, you will start seeing emails sent to MEPFs instead
being received in the corresponding groups. For more details, see Migration scripts later in this article.
Next, create a new batch with the same .csv file by running the following command. In this command:
CSVData is the .csv file created above in Step 3: Create the .csv file. Be sure to provide the full path to this
file. If the file was moved for any reason, be sure to verify and use the new location.
NotificationEmails is an optional parameter that can be used to set email addresses that will receive
notifications about the status and progress of the migration.
AutoStart is an optional parameter which, when used, starts the migration batch as soon as it is created.
After the new batch is created, start the migration by running the following command in Exchange Online
PowerShell. Note that this step is only necessary if the -AutoStart parameter was not used in the preceding
command.
Start-MigrationBatch PublicFolderToGroupMigration
After you have finished this step (the batch status is Completed), verify that all data has been copied to Office 365
Groups. At that point, provided you are satisfied with the Groups experience, you can begin deleting the migrated
public folders from your Exchange Online environment.
IMPORTANT
While there are supported procedures for rolling back your migration and returning to public folders, this isn't possible after
the source public folders have been deleted. See How do I roll back to public folders from Office 365 Groups? for more
information.
Known issues
The following known issues can occur during a typical public folders to Office 365 Groups migration.
The script that transfers SMTP addresses from mail-enabled public folders to Office 365 Groups only adds the
addresses as secondary email addresses in Exchange Online. Because of this, if you have Exchange Online
Protection (EOP) or Centralized Mail Flow set up in your environment, you will have issues sending email to the
groups (to the secondary email addresses) post-migration.
If the .csv mapping file has an entry with invalid public folder path, the migration batch displays as
Completed without throwing an error, and no further data is copied.
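Because an invalid folder path makes the batch report Completed without copying anything, it pays to check the mapping file before creating the batch. The following pre-flight check is an added example, not one of the Microsoft migration scripts; it also covers the 500-entry limit and the one-folder-to-one-group rule described earlier. The function name, the $KnownFolders inventory and its 'Mail'/'Calendar' labels are assumptions made for this sketch, and every row after the first two is constructed.

```powershell
# Added example; not one of the Microsoft migration scripts. Names are hypothetical.
function Test-FolderToGroupMap {
    param(
        [Parameter(Mandatory)] [object[]]  $Rows,          # objects with FolderPath, TargetGroupMailbox
        [Parameter(Mandatory)] [hashtable] $KnownFolders,  # assumed inventory: folder path -> 'Mail', 'Calendar', ...
        [int] $MaxEntries = 500                            # per-batch limit stated on this page
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($Rows.Count -gt $MaxEntries) {
        $findings.Add("Batch has $($Rows.Count) entries; the limit is $MaxEntries per migration batch.")
    }

    # Rows missing either column are reported once and excluded from the later checks.
    $valid = @($Rows | Where-Object {
        (-not [string]::IsNullOrWhiteSpace($_.FolderPath)) -and
        (-not [string]::IsNullOrWhiteSpace($_.TargetGroupMailbox)) })
    if ($valid.Count -lt $Rows.Count) {
        $findings.Add("$($Rows.Count - $valid.Count) row(s) have an empty FolderPath or TargetGroupMailbox.")
    }

    # An invalid path is not reported by the batch itself, so catch it here.
    foreach ($row in $valid) {
        if (-not $KnownFolders.ContainsKey($row.FolderPath)) {
            $findings.Add("Folder path '$($row.FolderPath)' is not in the folder inventory.")
        }
    }

    # One public folder may map to only one group within a batch.
    foreach ($g in @($valid | Group-Object FolderPath | Where-Object { $_.Count -gt 1 })) {
        $targets = @($g.Group | ForEach-Object { $_.TargetGroupMailbox } | Sort-Object -Unique)
        $findings.Add("Folder '$($g.Name)' appears $($g.Count) times (targets: $($targets -join ', ')).")
    }

    # Several folders into one group: only one mail folder plus one calendar folder is supported.
    foreach ($g in @($valid | Group-Object TargetGroupMailbox | Where-Object { $_.Count -gt 1 })) {
        $types = foreach ($r in $g.Group) {
            if ($KnownFolders.ContainsKey($r.FolderPath)) { [string]$KnownFolders[$r.FolderPath] } else { 'Unknown' }
        }
        $types = @($types | Sort-Object)
        $mailPlusCalendar = ($types.Count -eq 2) -and ($types[0] -eq 'Calendar') -and ($types[1] -eq 'Mail')
        if (-not $mailPlusCalendar) {
            $findings.Add("Group '$($g.Name)' receives $($g.Count) folders ($($types -join ', ')); use consecutive batches.")
        }
    }
    return ,$findings.ToArray()
}

# Constructed mapping file: the first two rows are the page's example, the rest are made up
# to trigger the checks (a misspelled path, a repeated folder, three folders into one group).
$csv = @'
"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"
"\Sales\Calendar","sales@contoso.onmicrosoft.com"
"\Marketting","marketing@contoso.onmicrosoft.com"
"\Sales\EMEA","sales@contoso.onmicrosoft.com"
'@

# Constructed inventory of folders that really exist, with an operator-supplied type label.
$inventory = @{
    '\Sales'          = 'Mail'
    '\Sales\EMEA'     = 'Mail'
    '\Sales\Calendar' = 'Calendar'
    '\Marketing'      = 'Mail'
}

$rows = @($csv | ConvertFrom-Csv)
Test-FolderToGroupMap -Rows $rows -KnownFolders $inventory
```

An empty result means none of the checked conditions were found; any returned line should be resolved before the batch is created.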
Migration scripts
For your reference, this section provides in-depth descriptions for three of the migration scripts and the tasks they
execute in your Exchange environment. You can download all of the scripts and supporting files from this location.
AddMembersToGroups.ps1
This script will read the permissions of the public folders being migrated and then add members and owners to
Office 365 Groups as follows:
Users with the following permission roles will be added as members to a group in Office 365. Permission
roles: Owner, PublishingEditor, Editor, PublishingAuthor, Author
In addition to the above, users with the following minimum access rights will also be added as members to
a group in Office 365. Access rights: ReadItems, CreateItems, FolderVisible, EditOwnedItems,
DeleteOwnedItems
Users with access right "Owner" will be added as owners to a group and users with other eligible access
rights will be added as members.
Security groups cannot be added as members to groups in Office 365. Therefore they will be expanded, and
then the individual users will be added as members or owners to the groups based on the access rights of
the security group.
When users in security groups that have access rights over a public folder have themselves explicit
permissions over the same public folder, explicit permissions will be given preference. For example, consider
a case in which a security group called "SG1" has members User1 and User2. Permission entries for the
public folder "PF1" are as follows:
SG1: Author in PF1
User1: Owner in PF1
In this case, User1 will be added as an owner to the group in Office 365.
When the default permission of a public folder being migrated is 'Author' or above, the script will suggest
setting the corresponding group's privacy setting as 'Public'.
This script can be run even after the lock-down of public folders, with parameter ArePublicFoldersLocked set to
$true. In this scenario, the script will read permissions from the backup file created during lock-down.
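The mapping rules above decide who ends up with owner rights on the new group, so it is worth predicting the outcome before the script runs. The following is an added example that models those rules on constructed data; it is not the code of AddMembersToGroups.ps1 and does not call Exchange. The function names, the input object shape, the treatment of the five access rights as a required set, and the strict reading of "preference" are assumptions of this sketch.

```powershell
# Added example; models the rules described for AddMembersToGroups.ps1 on constructed data.
$MemberRoles   = 'Owner', 'PublishingEditor', 'Editor', 'PublishingAuthor', 'Author'
$MinimumRights = 'ReadItems', 'CreateItems', 'FolderVisible', 'EditOwnedItems', 'DeleteOwnedItems'

function Get-GroupRoleForRights {
    param([string[]] $AccessRights)
    if ($AccessRights -contains 'Owner') { return 'Owner' }
    if (@($AccessRights | Where-Object { $MemberRoles -contains $_ }).Count -gt 0) { return 'Member' }
    # Assumption: a custom rights list is eligible only when every minimum right is present.
    $missing = @($MinimumRights | Where-Object { $AccessRights -notcontains $_ })
    if ($missing.Count -eq 0) { return 'Member' }
    return $null
}

function Resolve-GroupMembership {
    param(
        [Parameter(Mandatory)] [object[]]  $PermissionEntries,    # User, IsSecurityGroup, AccessRights
        [Parameter(Mandatory)] [hashtable] $SecurityGroupMembers  # group name -> already expanded user names
    )
    $result = @{}

    # Pass 1: security groups cannot be group members, so expand them to individual users.
    foreach ($entry in @($PermissionEntries | Where-Object { $_.IsSecurityGroup })) {
        $role = Get-GroupRoleForRights $entry.AccessRights
        if (-not $role) { continue }
        foreach ($user in $SecurityGroupMembers[$entry.User]) {
            # Assumption: when several security groups apply, Owner is kept over Member.
            if ($result[$user] -and $result[$user].Role -eq 'Owner') { continue }
            $result[$user] = [pscustomobject]@{ User = $user; Role = $role; Source = "via $($entry.User)" }
        }
    }

    # Pass 2: explicit entries take preference over anything derived from a security group.
    foreach ($entry in @($PermissionEntries | Where-Object { -not $_.IsSecurityGroup })) {
        if ($entry.User -in 'Default', 'Anonymous') { continue }   # assumption: not real users
        $role = Get-GroupRoleForRights $entry.AccessRights
        if ($role) {
            $result[$entry.User] = [pscustomobject]@{ User = $entry.User; Role = $role; Source = 'explicit' }
        } else {
            # Strict reading of "preference" (assumption): an ineligible explicit entry
            # also cancels membership inherited from a security group.
            $result.Remove($entry.User)
        }
    }
    $result.Values | Sort-Object User
}

function Test-SuggestPublicPrivacy {
    param([Parameter(Mandatory)] [object[]] $PermissionEntries)
    # The script suggests 'Public' when the folder's default permission is Author or above.
    $default = $PermissionEntries | Where-Object { $_.User -eq 'Default' } | Select-Object -First 1
    [bool]($default -and @($default.AccessRights | Where-Object { $MemberRoles -contains $_ }).Count -gt 0)
}

# Constructed data for the page's PF1 case, plus one user (User3) with read-only rights.
$groups  = @{ 'SG1' = @('User1', 'User2') }
$entries = @(
    [pscustomobject]@{ User = 'SG1';     IsSecurityGroup = $true;  AccessRights = @('Author') }
    [pscustomobject]@{ User = 'User1';   IsSecurityGroup = $false; AccessRights = @('Owner') }
    [pscustomobject]@{ User = 'User3';   IsSecurityGroup = $false; AccessRights = @('ReadItems', 'FolderVisible') }
    [pscustomobject]@{ User = 'Default'; IsSecurityGroup = $false; AccessRights = @('Author') }
)

Resolve-GroupMembership -PermissionEntries $entries -SecurityGroupMembers $groups | Format-Table
"Suggest Public privacy: $(Test-SuggestPublicPrivacy -PermissionEntries $entries)"
```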
LockAndSavePublicFolderProperties.ps1
This script makes the public folders being migrated read-only. When mail-enabled public folders are migrated,
they will first be mail-disabled and their SMTP addresses will be added to the respective groups in Office 365.
Then the permission entries will be modified to make them read-only. A backup of the mail properties of mail-
enabled public folders, as well as the permission entries of all the public folders, will be copied before performing
any modification on them.
If there are multiple migration batches, a separate backup directory should be used with each mapping .csv file.
The following mail properties will be stored, along with respective mail-enabled public folders and Office 365
groups:
PrimarySMTPAddress
EmailAddresses
ExternalEmailAddress
EmailAddressPolicyEnabled
GrantSendOnBehalfTo
SendAs Trustee list
The above mail properties will be stored in a .csv file, which can be used in the roll back process (if you want to
return to using public folders, see How do I roll back to public folders from Office 365 Groups? for more
information). A snapshot of the mail-enabled public folders' properties will also be stored in a file called
PfMailProperties.csv. This file is not necessary for the roll back process, but can still be used for your reference.
The following mail properties will be migrated to target group as part of the lock down:
PrimarySMTPAddress
EmailAddresses
SendAs Trustee list
GrantSendOnBehalfTo
The script ensures that the PrimarySMTPAddress and EmailAddresses of migrating mail-enabled public folders
will be added as secondary SMTP addresses of the corresponding groups in Office 365. Also, SendAs and
SendOnBehalfTo permissions of users on mail-enabled public folders will be given equivalent permission in the
corresponding target groups.
Access rights allowed
Only the following access rights will be allowed for users to ensure that the public folders are made read-only for
all users. These are stored in ListOfAccessRightsAllowed.
ReadItems
CreateSubfolders
FolderContact
FolderVisible
The permission entries will be modified as follows:
1.
| BEFORE LOCK DOWN | AFTER LOCK DOWN |
| --- | --- |
| None | None |
| AvailabilityOnly | AvailabilityOnly |
| LimitedDetails | LimitedDetails |
| Contributor | FolderVisible |
2. Access rights for users without read permissions will be left untouched, and they will continue to be blocked
from read rights.
3. For users with custom roles, all the access rights that are not in ListOfAccessRightsAllowed will be
removed. In the event that the users don't have any access rights from the allowed list after filtering, these
users' access right will be set to 'None'.
There might be an interruption in sending emails to mail-enabled public folders during the time between when the
folders are mail-disabled and their SMTP addresses are added to Office 365 Groups.
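After lock-down, a permission snapshot can be checked against ListOfAccessRightsAllowed to confirm that no entry kept a write right. The following audit is an added example, not part of LockAndSavePublicFolderProperties.ps1; the function name and the input object shape (FolderPath, User, AccessRights) are assumptions, and the sample entries are constructed. Role names other than the three that the table above leaves unchanged are reported for manual review, because this page does not list what they become.

```powershell
# Added example; audits constructed post-lock-down permission entries.
$ListOfAccessRightsAllowed = 'ReadItems', 'CreateSubfolders', 'FolderContact', 'FolderVisible'
$UnchangedRoles            = 'None', 'AvailabilityOnly', 'LimitedDetails'   # left as-is per the table

function Find-LockDownViolation {
    param([Parameter(Mandatory)] [object[]] $PermissionEntries)   # FolderPath, User, AccessRights
    foreach ($entry in $PermissionEntries) {
        $rights = @($entry.AccessRights | ForEach-Object { [string]$_ } | Where-Object { $_ })

        # Anything that is neither an allowed right nor an unchanged role is unexpected.
        $unexpected = @($rights | Where-Object {
            ($ListOfAccessRightsAllowed -notcontains $_) -and ($UnchangedRoles -notcontains $_) })

        if ($rights.Count -eq 0) {
            [pscustomobject]@{
                FolderPath = $entry.FolderPath
                User       = $entry.User
                Finding    = 'No access rights recorded; expected at least None'
            }
        } elseif ($unexpected.Count -gt 0) {
            [pscustomobject]@{
                FolderPath = $entry.FolderPath
                User       = $entry.User
                Finding    = "Not in ListOfAccessRightsAllowed: $($unexpected -join ', ')"
            }
        }
    }
}

# Constructed snapshot: User4 kept a write right, User5 still holds a named role.
$snapshot = @(
    [pscustomobject]@{ FolderPath = '\Sales';      User = 'User1'; AccessRights = @('ReadItems', 'FolderVisible') }
    [pscustomobject]@{ FolderPath = '\Sales';      User = 'User2'; AccessRights = @('None') }
    [pscustomobject]@{ FolderPath = '\Sales';      User = 'User3'; AccessRights = @('FolderVisible') }
    [pscustomobject]@{ FolderPath = '\Sales\EMEA'; User = 'User4'; AccessRights = @('ReadItems', 'EditAllItems', 'FolderVisible') }
    [pscustomobject]@{ FolderPath = '\Sales\EMEA'; User = 'User5'; AccessRights = @('Author') }
)

Find-LockDownViolation -PermissionEntries $snapshot | Format-Table -AutoSize
```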
UnlockAndRestorePublicFolderProperties.ps1
This script will re-assign permissions back to public folders, based on the backup file taken during public folder
lock-down. This script will also mail-enable public folders that had been mail-disabled, after it removes the folders'
SMTP addresses from their respective groups in Office 365. There might be slight downtime during this process.
Be aware that any items added to the groups in Office 365, or any edit operations performed in the groups, are not
copied back to your public folders. Therefore there will be data loss, assuming new data was added while the public
folder was a group.
Note also that it's not possible to restore a subset of public folders, which means all of the public folders that were
migrated should be restored.
The corresponding groups in Office 365 won't be deleted as part of the roll back process. You'll have to clean or
delete those groups manually.
Configure legacy on-premises public folders for a
hybrid deployment
3/4/2019 • 8 minutes to read
Summary: Use the steps in this article to synchronize public folders between Office 365 and your Exchange
Server 2010 on-premises deployment.
In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are
either in Exchange Online or on-premises. Public folders can reside in only one place, so you must decide whether
your public folders will be in Exchange Online or on-premises. They can't be in both locations. Public folder
mailboxes are synchronized to Exchange Online by the Directory Synchronization service. However, mail-enabled
public folders aren't synchronized across premises.
This topic describes how to synchronize mail-enabled public folders if your users are in Office 365 and your
Exchange Server 2010 SP3 public folders are on-premises. However, an Office 365 user who is not represented by
a MailUser object on-premises (local to the target public folder hierarchy) won't be able to access legacy or
modern on-premises public folders.
NOTE
This topic refers to the Exchange Server 2010 SP3 servers as the legacy Exchange server.
You will sync your mail-enabled public folders by using the following scripts, which are initiated by a Windows
task that runs in the on-premises environment:
Sync-MailPublicFolders.ps1 : This script synchronizes mail-enabled public folder objects from your local
Exchange on-premises deployment with Office 365. It uses the local Exchange on-premises deployment as
master to determine what changes need to be applied to O365. The script will create, update, or delete mail-
enabled public folder objects on O365 Active Directory based on what exists in the local on-premises
Exchange deployment.
SyncMailPublicFolders.strings.psd1 : This is a support file used by the preceding synchronization script and
should be copied to the same location as the preceding script.
When you complete this procedure your on-premises and Office 365 users will be able to access the same on-
premises public folder infrastructure.
| | ON-PREMISES EXCHANGE 2010 USER MAILBOX | ON-PREMISES EXCHANGE 2013 USER MAILBOX | EXCHANGE ONLINE USER MAILBOX |
|---|---|---|---|
| On-Premises Exchange 2010 Public Folders | Hybrid not applicable | Hybrid not applicable | Supported |
| On-Premises Exchange 2013 Public Folders | Hybrid not applicable | Hybrid not applicable | Supported |
NOTE
Outlook 2016 does not support accessing Exchange 2007 legacy public folders. If you have users who are using Outlook
2016, you must move your public folders to a more recent version of Exchange Server. More information about Outlook
2016 and Office 2016 compatibility with Exchange 2007 and earlier versions can be found in this article.
NOTE
This server doesn't have to be part of the Client Access load balancing. For more information, see Understanding
Load Balancing in Exchange 2010.
NOTE
We recommend that the only mailbox that you add to this database is the proxy mailbox that you'll create in step 3.
No other mailboxes should be created on this mailbox database.
3. Create a proxy mailbox within the new mailbox database, and hide the mailbox from the address book. The
SMTP address of this mailbox will be returned by AutoDiscover as the DefaultPublicFolderMailbox SMTP, so that
by resolving this SMTP address the client can reach the legacy Exchange server for public folder access.
4. For Exchange 2010, enable AutoDiscover to return the proxy public folder mailboxes.
5. Repeat the preceding steps for every public folder server in your organization.
2. Save the files to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.
NOTE
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable
in the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use
the Add-RecipientPermission command.
On the legacy Exchange server, run the following command to synchronize mail-enabled public folders from your
local on-premises Active Directory to O365.
```
Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile "<sync_summary.csv>"
```
Where you're prompted for your Office 365 username and password, and <sync_summary.csv> is the path to
where you would like to log synchronization operations and errors, in .csv format.
NOTE
Before running the script, we recommend that you first simulate the actions that the script would take in your environment
by running it as described above with the WhatIf parameter. We also recommend that you run this script daily to
synchronize your mail-enabled public folders.
You must wait until Active Directory synchronization has completed to see the changes. This process can take up to
3 hours to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you
can force directory synchronization at any time. For detailed steps to force directory synchronization, see
Method 1: Manually verify that the service is started and that the admin account can sign in. Office 365 randomly
selects one of the public folder mailboxes that's supplied in this command.
IMPORTANT
An Office 365 user who is not represented by a MailUser object on-premises (local to the target public folder hierarchy)
won't be able to access legacy or Exchange 2013 on-premises public folders. See the Knowledge Base article Exchange Online
users can't access legacy on-premises public folders for a solution.
Summary: Instructions for enabling Exchange Online users to access on-premises public folders in your
Exchange Server environment.
In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are
either in Exchange Online or on-premises. Sometimes your online users may need to access public folders in your
Exchange Server on-premises environment. Similarly, Exchange Server users may need to access public folders in
Office 365 or Exchange Online.
NOTE
If you have Exchange 2010 public folders, see Configure legacy on-premises public folders for a hybrid deployment.
This article describes how to enable your Exchange Online/Office 365 users to access public folders in Exchange
Server. To enable on-premises Exchange Server users to access public folders in Exchange Online, see Configure
Exchange Online public folders for a hybrid deployment.
An Exchange Online/Office 365 user must be represented by a MailUser object in the Exchange on-premises
environment in order to access Exchange Server public folders. This MailUser object must also be local to the
target Exchange Server public folder hierarchy. If you have Office 365 users who aren't currently represented on-
premises by MailUser objects, refer to Microsoft Knowledge Base article 3106618 "Exchange Online users can't
access legacy on-premises public folders" to create matching on-premises entities.
5. You must synchronize the Active Directory container where your public folder mailboxes are stored (such
as the Users container) with the AAD Connect tool. Otherwise your public folder mailbox objects won't be
synchronized with Exchange Online.
SyncMailPublicFolders.strings.psd1
2. Save the files to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.
NOTE
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable
in the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use
the Add-RecipientPermission command.
1. On Exchange Server, run the following command to synchronize mail-enabled public folders from your
local on-premises Active Directory to O365.
Where Credential is your Office 365 username and password, and CsvSummaryFile is the path to where
you would like to log synchronization operations and errors, in .csv format.
NOTE
Before running the script, we recommend that you first simulate the actions that the script would take in your environment
by running it as described above with the -WhatIf parameter. We also recommend that you run this script daily to
synchronize your mail-enabled public folders.
NOTE
You must wait until Active Directory synchronization has completed to see the changes. This process can take up to 3 hours
to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you can force
directory synchronization at any time. For detailed steps to force directory synchronization, see Force directory
synchronization.
Summary: Instructions for enabling on-premises Exchange Server users to access public folders in Exchange
Online.
In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are
either in Exchange Online or on-premises. Sometimes your online users may need to access public folders in your
Exchange Server on-premises environment. Similarly, Exchange Server users may need to access public folders in
Office 365 or Exchange Online.
This article describes how to enable users in your Exchange Server on-premises environment to access Exchange
Online/Office 365 public folders. To enable Exchange Online/Office 365 users to access on-premises Exchange
Server public folders, see Configure Exchange Server public folders for a hybrid deployment.
NOTE
If you have Exchange 2010 public folders, see Configure legacy on-premises public folders for a hybrid deployment.
ImportPublicFolderMailboxes.strings.psd1
Sync-MailPublicFoldersCloudToOnprem.ps1
Sync-MailPublicFoldersCloudToOnprem.strings.psd1
2. Save the files to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.
NOTE
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable
in the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use
the Add-RecipientPermission command.
On Exchange Server, run the following command to synchronize mail-enabled public folders from Exchange
Online/Office 365 to your local on-premises Active Directory.
```
Sync-MailPublicFoldersCloudToOnprem.ps1 -Credential (Get-Credential)
```
NOTE
We recommend that you run this script daily to synchronize your mail-enabled public folders.
NOTE
We recommend that you run this script daily to import your public folder mailbox objects because whenever public
folder mailboxes reach their threshold capacity, they automatically split into multiple new mailboxes. Therefore, you
always want to ensure you have imported the most recent public folder mailboxes from the cloud.
2. Enable the Exchange 2013 on-premises organization to access the Exchange Online public folders.
NOTE
You must wait until Active Directory synchronization has completed to see the changes. This process can take up to 3
hours to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you can
force directory synchronization at any time. For detailed steps to force directory synchronization, see Force
directory synchronization.
Summary: How to set up public folders, including assigning permissions to them in the EAC.
This topic shows you how to get public folders configured and running in a new organization or in an organization
that has never previously had public folders.
NOTE
For more information about the storage quotas and limits for public folders, see the following topics:
For public folders in Office 365, see Exchange Online Limits.
For public folders in on-premises Exchange Server, see Limits for public folders.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Summary: The most recent supported Exchange topologies that allow users to access public folders with Outlook
2016 for Mac.
Users of Outlook 2016 for Mac can now access public folders in Exchange Online in a number of different
topologies.
NOTE
The scenarios shown in the following table assume that the April 2016 update for Outlook 2016 for Mac has been applied
to all clients.
The following articles describe how to deploy public folders in your Exchange organization in a co-existence or
hybrid topology. As long as your Outlook 2016 for Mac clients have installed the April 2016 update, they will be
able to access public folders in the configurations detailed in these articles:
Configure legacy public folders where user mailboxes are on Exchange 2013 servers
Configure Exchange 2013 public folders for a hybrid deployment
Configure Exchange Online public folders for a hybrid deployment
Create a public folder mailbox
3/4/2019 • 2 minutes to read
Before you can create a public folder, you must first create a public folder mailbox. Public folder mailboxes contain
the hierarchy information plus the content for public folders. The first public folder mailbox you create will be the
primary hierarchy mailbox, which contains the only writable copy of the hierarchy. Any additional public folder
mailboxes you create will be secondary mailboxes, which contain a read-only copy of the hierarchy.
NOTE
For more information about the storage quotas and limits for public folders, see the following topics:
For public folders in Office 365, see Exchange Online Limits.
For public folders in on-premises Exchange Server, see Limits for public folders.
For additional management tasks related to public folders in Exchange Server, see Public Folder Procedures.
For additional management tasks related to public folders in Exchange Online, see Public folder procedures in
Office 365 and Exchange Online.
This example creates a secondary public folder mailbox. The only difference between creating the primary
hierarchy mailbox and a secondary hierarchy mailbox is that the primary mailbox is the first one created in the
organization. You can create additional public folder mailboxes for load balancing purposes.
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization.
By default, a public folder inherits the settings of its parent folder, including the permissions settings.
NOTE
For more information about the storage quotas and limits for public folders, see the following topics:
For public folders in Office 365, see Exchange Online Limits.
For public folders in on-premises Exchange Server, see Limits for public folders.
IMPORTANT
Don't use a backslash ( \ ) in the name when creating a public folder.
5. In the Path box, verify the path to the public folder. If this isn't the desired path, click Cancel and follow
Step 2 of this procedure.
6. Click Save.
IMPORTANT
Don't use a backslash (\) in the name when creating a public folder.
Get-PublicFolder -Recurse
Recover a deleted public folder mailbox
3/4/2019 • 2 minutes to read
Summary: This article describes how to recover a public folder mailbox in Office 365 that was previously soft-
deleted, meaning the mailbox retention period has not yet elapsed and the recycle bin has not been purged.
You can delete public folder mailboxes either in the EAC or through the Remove-Mailbox -PublicFolder cmdlet. To
delete a primary mailbox, all other mailboxes must be deleted first. After a mailbox is deleted it will no longer be
visible in the EAC.
Deleted Public Folder mailboxes are recoverable for a period of up to 90 days.
NOTE
For deleted public folder mailboxes that contain folders, the folders will be automatically recovered along with the mailbox
that contains them when you use one of the following procedures to recover the mailbox.
Undo-SoftDeletedMailbox -PublicFolder
Undo-SoftDeletedMailbox -PublicFolder
3. Type the following for each secondary public folder mailbox that you want to restore (once per mailbox).
Undo-SoftDeletedMailbox -PublicFolder
You will be able to distinguish primary from secondary public folder mailboxes by the information in the
Type field.
2. Type the following for each secondary public folder mailbox that you want to restore (once per mailbox).
Undo-SoftDeletedMailbox -PublicFolder
NOTE
If a primary public folder has been deleted from an organization, any secondary mailbox associated with it can't be restored.
Use favorite public folders in Outlook on the web
3/4/2019 • 2 minutes to read
In the Outlook client, users in your organization can add public folders to their Favorites folders. Then, depending
on your organization's policies, they can use Outlook on the web to add those same public folders to their Favorites
and perform certain functions in Outlook on the web that they use in the Outlook client.
NOTE
For more information about creating and configuring public folders, users in your organization can see Create a public folder
in Outlook.
1. In Outlook, go to the Folders view. Click the three dots on the Navigation Bar, and then click Folders.
Users with Outlook 2010 clients can click Folders at the bottom of the Navigation Pane.
2. If necessary, scroll to the Public Folders node in the Navigation Pane. Click to expand the All Public
Folders folder.
3. Right-click the public folder that you want to add to Favorites, then select Add to Favorites....
NOTE
By default, the Favorites folder is directly beneath the All Public Folders folder in the Navigation Bar.
4. In the Add to Favorites dialog, you have the option to rename the folder for your Favorites only. Click
Add to add the folder to Favorites.
IMPORTANT
There are several types of public folders. In order for users to be able to work with a favorite public folder in Outlook on the
web, the public folder must be of type Mail and Post items, Calendar items, or Contact items.
Add favorite public folders in Outlook on the web
In order for users to access their Outlook favorite public folders, they must also add them to their Favorites in
Outlook on the web. The Outlook client does not automatically sync public folders with Outlook on the web.
To add a public folder in Outlook on the web, right-click Folders, and then choose Add public folder to
Favorites. Locate the folder and click Add.
Your users can now use Outlook on the web to perform the following tasks in their favorite Calendar, Contact, or
Mail and Post public folders:
Create items in the public folders
Retrieve items
Update items
Delete items
See also
Create a public folder in Outlook
Mail-enable or mail-disable a public folder
3/29/2019 • 3 minutes to read
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization. Mail-enabling a public folder allows users to
post to the public folder by sending an email message to it. When a public folder is mail-enabled, additional
settings become available for the public folder in the Exchange admin center (EAC), such as email addresses and
mail quotas. In Exchange Online PowerShell, before a public folder is mail-enabled, you use the Set-PublicFolder
cmdlet to manage all of its settings. After the public folder is mail-enabled, you use the Set-PublicFolder and the
Set-MailPublicFolder cmdlets to manage the settings.
If you want users on the internet to send mail to a mail-enabled public folder, you need to set additional permissions
using the Add-PublicFolderClientPermission cmdlet.
For additional management tasks related to managing public folders, see Public Folder Procedures.
For additional management tasks related to public folders, see Public folder procedures in Office 365 and
Exchange Online.
This example mail-enables the public folder Reports under the Marketing public folder, but hides the folder from
address lists.
If you want external users to send mail to this public folder, make sure you follow the steps in Allow anonymous
users to send email to a mail-enabled public folder.
For detailed syntax and parameter information, see Enable-MailPublicFolder.
You only need to update the public folder hierarchy if you want to manually invoke the hierarchy synchronizer and
the mailbox assistant. Both these are invoked at least once every 24 hours for each public folder mailbox in the
organization. The hierarchy synchronizer is invoked every 15 minutes if any users are logged on to a secondary
mailbox through Microsoft Outlook or a Microsoft Exchange Web Services client.
This example updates all public folder mailboxes and suppresses the command's output.
You may need to remove public folders that are no longer being used in your organization. To help determine
which public folders should be removed, see View statistics for public folders and public folder items.
This example tests the previous command without making any modifications.
This example removes the public folder Marketing and all its subfolders because the command runs recursively.
This topic explains how to retrieve statistics about a public folder, such as the display name, creation time, last user
modified time, last user access, and item size. You can use this information to make decisions about deleting or
retaining public folders.
NOTE
In the Exchange admin center (EAC), you can view some of the quota and usage information for public folders by navigating
to Public Folders > Edit > Mailbox usage. However, this information is incomplete, and we recommend that you use
Exchange Online PowerShell to view public folder statistics.
NOTE
The value for the Identity parameter must include the path to the public folder. For example, if the public folder Marketing
existed under the parent folder Business, you would provide the following value: \Business\Marketing
This example returns additional information about the items within the public folder Pamphlets, such as subject,
last modification time, creation time, attachments, message size, and the type of item. It also includes a piped
command to format the list.
Summary: About shared mailboxes in Exchange Online, and how to create them.
Shared mailboxes make it easy for a group of people in your company to monitor and send email from a common
account, such as info@contoso.com or support@contoso.com. When a person in the group replies to a message
sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not from the individual user.
IMPORTANT
If you're using Office 365 for business, you should create your shared mailbox in the Office 365 admin center. See Create
shared mailboxes in Office 365.
If your organization uses a hybrid Exchange environment, you should use the on-premises Exchange admin center
(EAC) to create and manage shared mailboxes. To learn more about shared mailboxes, see Shared Mailboxes.
NOTE
The Full Access permission allows a user to open the mailbox as well as create and modify items in it. The Send As
permission allows anyone other than the mailbox owner to send email from this shared mailbox. Both permissions are
required for successful shared mailbox operation.
4. Click Save to save your changes and create the shared mailbox.
Use the EAC to edit shared mailbox delegation
1. Go to Recipients > Shared > Edit.
2. Click Mailbox delegation.
3. To grant or remove Full Access and Send As permissions, click Add or Remove and then select the
users you want to grant permissions to.
NOTE
The Full Access permission allows a user to open the mailbox as well as create and modify items in it. The Send As
permission allows anyone other than the mailbox owner to send email from this shared mailbox. Both permissions are
required for successful shared mailbox operation.
NOTE
This example assumes that you've already created the security group MarketingSG and that security group is mail-enabled.
See Manage mail-enabled security groups.
```
New-Mailbox -Shared -Name "Sales Department" -DisplayName "Sales Department" -Alias Sales | Set-Mailbox -GrantSendOnBehalfTo MarketingSG | Add-MailboxPermission -User MarketingSG -AccessRights FullAccess -InheritanceType All
```
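To review the delegation described above after it has been granted, the following added example (not part of the original article) merges Full Access, Send As and Send on Behalf grants into one row per trustee and flags trustees that hold only one of Full Access and Send As. The function name, the `PartialGrant` column, the trustee `temp.contractor` and the sample rows are assumptions made for illustration; the input objects are shaped like the output of Get-MailboxPermission and Get-RecipientPermission.

```powershell
# Added example, not from the original article.
# Sample rows at the bottom are constructed so the function runs without a tenant.

function Get-SharedMailboxDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [object[]] $MailboxPermission   = @(),  # Get-MailboxPermission -Identity $Mailbox
        [object[]] $RecipientPermission = @(),  # Get-RecipientPermission -Identity $Mailbox
        [string[]] $SendOnBehalf        = @()   # (Get-Mailbox $Mailbox).GrantSendOnBehalfTo
    )

    $rights = @{}   # trustee name -> list of rights granted directly
    $grant = {
        param([string]$Trustee, [string]$Right)
        if (-not $rights.ContainsKey($Trustee)) {
            $rights[$Trustee] = [System.Collections.Generic.List[string]]::new()
        }
        $rights[$Trustee].Add($Right)
    }

    foreach ($p in $MailboxPermission) {
        # Skip the mailbox's own entry, inherited entries and explicit denies
        if ($p.IsInherited -or $p.Deny -or [string]$p.User -eq 'NT AUTHORITY\SELF') { continue }
        if ($p.AccessRights -contains 'FullAccess') { & $grant ([string]$p.User) 'FullAccess' }
    }
    foreach ($p in $RecipientPermission) {
        if ($p.IsInherited -or [string]$p.AccessControlType -ne 'Allow') { continue }
        if ([string]$p.Trustee -eq 'NT AUTHORITY\SELF') { continue }
        if ($p.AccessRights -contains 'SendAs') { & $grant ([string]$p.Trustee) 'SendAs' }
    }
    foreach ($t in $SendOnBehalf) { & $grant $t 'SendOnBehalf' }

    foreach ($trustee in ($rights.Keys | Sort-Object)) {
        $r = $rights[$trustee]
        [pscustomobject]@{
            Mailbox      = $Mailbox
            Trustee      = $trustee
            FullAccess   = $r -contains 'FullAccess'
            SendAs       = $r -contains 'SendAs'
            SendOnBehalf = $r -contains 'SendOnBehalf'
            # The article says Full Access and Send As are both required;
            # a trustee holding exactly one of them deserves a second look.
            PartialGrant = ($r -contains 'FullAccess') -xor ($r -contains 'SendAs')
        }
    }
}

# --- Constructed sample data (MarketingSG is the group used in the article) ---
$mbxPerm = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'MarketingSG';       AccessRights = @('FullAccess');                   IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'temp.contractor';   AccessRights = @('FullAccess');                   IsInherited = $false; Deny = $false }
)
$rcpPerm = @(
    [pscustomobject]@{ Trustee = 'MarketingSG'; AccessRights = @('SendAs'); AccessControlType = 'Allow'; IsInherited = $false }
)

Get-SharedMailboxDelegation -Mailbox 'Sales' -MailboxPermission $mbxPerm `
    -RecipientPermission $rcpPerm -SendOnBehalf 'MarketingSG' | Format-Table -AutoSize

# Against a live tenant (requires an Exchange Online PowerShell session):
#   Get-SharedMailboxDelegation -Mailbox 'Sales' `
#       -MailboxPermission   (Get-MailboxPermission   -Identity 'Sales') `
#       -RecipientPermission (Get-RecipientPermission -Identity 'Sales') `
#       -SendOnBehalf        ((Get-Mailbox -Identity 'Sales').GrantSendOnBehalfTo)
```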
More information
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts
for the Exchange admin center.
Address books in Exchange Online
3/4/2019 • 2 minutes to read
Exchange Online uses address books to organize and store email address information for recipients in the
organization. The topics that will help you learn about and configure email addresses and address books in
Exchange Online are described in the following table.
| Topic | Description | See |
|---|---|---|
| Address book policies | The global address list (GAL) is the master list of all recipients in your Exchange Online organization. Address book policies (ABPs) provide a simpler mechanism for GAL segmentation in organizations that require multiple GALs. An ABP defines a GAL, an offline address book (OAB), a room list, and one or more address lists. You can then assign the ABP to users. | Address book policies in Exchange Online |
| Hierarchical address books | The hierarchical address book (HAB) presents recipients in the GAL by using your organization's unique business structure (for example, seniority or management hierarchy), which provides an efficient method for locating internal recipients. | Hierarchical address books |
| Offline address books | An offline address book (OAB) is a collection of address lists that can be downloaded and used in Outlook by users that are disconnected from the Exchange Online organization. | Offline address books in Exchange Online |
Note: Email address policies are available in Exchange Online, but only for Office 365 groups. For more
information, see Choose the domain to use when creating Office 365 Groups.
For help with everyday email tasks, such as organizing your contacts in Outlook, check the Office 365 Learning
Center. You can find help including:
Add an email contact
Import your contacts
Create a contact group
Send an email message to a contact group
Address book policies in Exchange Online
3/4/2019 • 3 minutes to read
Address book policies (ABPs) let admins segment users into specific groups to provide customized views of the
organization's global address list (GAL). The goal of an ABP is to provide a simpler mechanism for GAL
segmentation (also known as GAL segregation) in organizations that require multiple GALs.
An ABP contains these elements:
One GAL. For more information about GALs, see Default address lists in Exchange Online.
One offline address book (OAB). For more information about OABs, see Offline address books in
Exchange Online.
One room list. Note that this room list is a custom address list that specifies rooms (contains the filter
RecipientDisplayType -eq 'ConferenceRoomMailbox' ). It's not a room finder that you create with the
RoomList switch on the New-DistributionGroup or Set-DistributionGroup cmdlet. For more
information, see Create and manage room mailboxes in Exchange Online.
One or more address lists. For more information about address lists, see Custom Address Lists in
Exchange Online.
For procedures involving ABPs, see Address book policy procedures in Exchange Online.
Notes:
ABPs create only a virtual separation of users from a directory perspective, not a legal separation.
Implementing an ABP is a multi-step process that requires planning. For more information, see Scenario:
Deploying Address Book Policies.
ABP example
In the following diagram, Fabrikam and Tailspin Toys share the same Exchange Online organization and the same
CEO. The CEO is the only employee common to both companies.
Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
ABP routing creates the virtual organizations within a single Exchange Online organization. Your virtual
organization is determined by the global address list (GAL) you reside in. When ABP routing is turned on, users
that are assigned to different GALs appear as external recipients and won't be able to view each other's contact
cards.
In Exchange Online, you can only turn on ABP routing in Exchange Online PowerShell.
Looking for the Exchange Server version of this topic? See Install and Configure the Address Book Policy Routing
Agent.
Have a user that's assigned an ABP send an email message to a user that's assigned a different ABP, and
verify that the sender's email address doesn't resolve to their display name.
Create an address book policy in Exchange Online
3/4/2019 • 2 minutes to read
Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
In Exchange Online, you can only create ABPs in Exchange Online PowerShell.
An ABP requires one global address list (GAL), one offline address book (OAB), one room list, and one or more
address lists. To view the available objects, use the Get-GlobalAddressList, Get-OfflineAddressBook, and
Get-AddressList cmdlets.
Note: The room list that's required for an ABP is an address list that specifies rooms (contains the filter
RecipientDisplayType -eq 'ConferenceRoomMailbox' ). It's not a room finder distribution group that you create with
the RoomList switch on the New-DistributionGroup or Set-DistributionGroup cmdlets.
```
New-AddressBookPolicy -Name "<Unique Name>" -GlobalAddressList "<GAL>" -OfflineAddressBook "<OAB>" -RoomList "<RoomList>" -AddressLists "<AddressList1>","<AddressList2>"...
```
```
Get-AddressBookPolicy
```
Replace <ABPName> with the name of the ABP, and run the following command to verify the property
values:
Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
Users aren't automatically assigned an ABP when you create mailboxes. If you don't assign an ABP to a mailbox,
the GAL for your entire organization is visible to the user in Outlook and Outlook on the web.
To identify your virtual organizations for ABPs, we recommend that you use the CustomAttribute1 to
CustomAttribute15 attributes on mailboxes, contacts, and groups, because these attributes are the most widely
available and manageable for all recipient types. For more information, see Scenario: Deploying Address Book
Policies.
To assign ABPs to mailboxes, you select the ABP in Exchange admin center (EAC), or specify the ABP in Exchange
Online PowerShell.
This example assigns the ABP named All Fabrikam to the mailbox joe@fabrikam.com.
Filter mailboxes by attributes: This method uses the unique filterable attribute that defines the virtual
organization (for example, the CustomAttribute1 through CustomAttribute15 attribute value).
The syntax uses the following two commands (one to identify the mailboxes, and the other to apply the
ABP to the mailboxes):
This example assigns the ABP named All Fabrikam to all mailbox users whose CustomAttribute15 value is
FAB.
Use a list of specific mailboxes: This method requires a text file to identify the mailboxes. Values that
don't contain spaces (for example, the user account) work best. The text file must contain one user account
on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
policy to those users):
This example assigns the ABP policy named All Fabrikam to the mailboxes specified in the file C:\My
Documents\Fabrikam.txt.
For detailed syntax and parameter information, see Set-Mailbox and Get-Mailbox.
How do you know this worked?
To verify that you've successfully applied an ABP to a mailbox, use any of the following steps:
In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit. In the properties of the
mailbox window that opens, click Mailbox features, and verify the ABP in the Address book policy field.
In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias, email address, or account
name of the mailbox, and run the following command to verify the value of the AddressBookPolicy
property:
In Exchange Online PowerShell, run the following command to verify the value of the AddressBookPolicy
property:
More information
To remove the ABP assignment from a mailbox, you select the value [No Policy] in the EAC, or use the value
$null for the AddressBookPolicy parameter in Exchange Online PowerShell.
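The assignment and verification steps above leave one thing unchecked: a mailbox in the virtual organization that has no ABP sees the GAL for the entire organization, and a mailbox outside the virtual organization that holds the ABP sees that organization's lists. The following added example (not part of the original documentation) reports both cases. It assumes a connected Exchange Online PowerShell session; the function name is hypothetical, and "All Fabrikam", CustomAttribute15 and "FAB" are this page's sample values.

```powershell
# Added example, not from the original documentation.
# Get-AbpCoverageGap is a hypothetical helper name. It only reads data.

function Get-AbpCoverageGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AbpName,            # for example "All Fabrikam"
        [Parameter(Mandatory)] [string] $OrgValue,           # for example "FAB"
        [ValidateRange(1, 15)] [int]    $AttributeNumber = 15
    )

    # Stop if the ABP does not exist, instead of reporting every mailbox as a gap.
    $abp  = Get-AddressBookPolicy -Identity $AbpName -ErrorAction Stop
    $attr = "CustomAttribute$AttributeNumber"

    # Both values end up inside single-quoted OPATH strings, so double any apostrophes.
    $org = $OrgValue.Replace("'", "''")
    $dn  = ([string]$abp.DistinguishedName).Replace("'", "''")

    # 1. Every mailbox that belongs to the virtual organization.
    $members = @(Get-Mailbox -ResultSize Unlimited -Filter "$attr -eq '$org'")

    # 2. Every mailbox that holds the ABP, inside or outside the virtual organization.
    $holders = @(Get-Mailbox -ResultSize Unlimited -Filter "AddressBookPolicy -eq '$dn'")

    # Index both sets by mailbox GUID so the comparison does not depend on display names.
    $memberIds = @{}
    foreach ($m in $members) { $memberIds[[string]$m.Guid] = $true }
    $holderIds = @{}
    foreach ($h in $holders) { $holderIds[[string]$h.Guid] = $true }

    # Members without the expected ABP: no policy, or a different policy.
    foreach ($m in $members) {
        if (-not $holderIds.ContainsKey([string]$m.Guid)) {
            [pscustomobject]@{
                Finding            = 'MissingPolicy'
                Name               = $m.Name
                PrimarySmtpAddress = [string]$m.PrimarySmtpAddress
                CurrentPolicy      = [string]$m.AddressBookPolicy   # empty = entire GAL visible
            }
        }
    }

    # Holders of the ABP that are not tagged as members of the virtual organization.
    foreach ($h in $holders) {
        if (-not $memberIds.ContainsKey([string]$h.Guid)) {
            [pscustomobject]@{
                Finding            = 'OutsideOrganization'
                Name               = $h.Name
                PrimarySmtpAddress = [string]$h.PrimarySmtpAddress
                CurrentPolicy      = [string]$h.AddressBookPolicy
            }
        }
    }
}

# Report first, then preview the fix for members that lack the policy.
# Remove -WhatIf only after reviewing the report.
$gaps = @(Get-AbpCoverageGap -AbpName 'All Fabrikam' -OrgValue 'FAB')
$gaps | Format-Table Finding, Name, PrimarySmtpAddress, CurrentPolicy -AutoSize

$gaps | Where-Object { $_.Finding -eq 'MissingPolicy' } | ForEach-Object {
    Set-Mailbox -Identity $_.PrimarySmtpAddress -AddressBookPolicy 'All Fabrikam' -WhatIf
}
```

OutsideOrganization findings are reported but not changed, because the right fix (correct the attribute or change the policy) depends on where the mailbox actually belongs.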
Change the settings of an address book policy
3/4/2019 • 2 minutes to read
Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
After you create an ABP, you can view or modify the name and the assigned address lists: the global address list
(GAL), offline address book (OAB), room list, and other address lists.
In Exchange Online, you can only modify ABPs in Exchange Online PowerShell.
For additional management tasks related to ABPs, see Address book policy procedures in Exchange Online.
The Name, GlobalAddressList, OfflineAddressBook, and RoomList parameters all take single values, so the
value you specify replaces the existing value.
This example modifies the ABP named "All Fabrikam ABP" by replacing the OAB with the specified OAB.
The AddressLists parameter takes multiple values, so you need to decide whether you want to replace the
existing address lists in the ABP, or add and remove address lists without affecting the other address lists in
the ABP.
This example replaces the existing address lists in the ABP named Government Agency A with the specified
address lists.
To add address lists to an ABP, you need to specify the new address lists and any existing address lists that
you want to keep.
This example adds the address list named Contoso-Chicago to the ABP named ABP Contoso, which is
already configured to use the address list named Contoso-Seattle.
To remove address lists from an ABP, you need to specify the existing address lists that you want to keep,
and omit the address lists that you want to remove.
For example, the ABP named ABP Fabrikam uses the address lists named Fabrikam-HR and
Fabrikam-Finance. To remove the Fabrikam-HR address list, specify only the Fabrikam-Finance address list.
Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
You can only remove ABPs from your Exchange Online organization using Exchange Online PowerShell, and only
if the ABP isn't assigned to a mailbox (active mailboxes or soft-deleted mailboxes that are still recoverable).
2. To see if the ABP is assigned to an active mailbox, replace <ABPDistinguishedName> with the DN of the
ABP and run the following command:
To remove the ABP assignment from any active mailboxes that you find, replace <ABPDistinguishedName>
with the DN of the ABP and run the following commands:
To remove the ABP assignment from any soft-deleted mailboxes that you find, replace
<ABPDistinguishedName> with the DN of the ABP and run the following commands:
Note: If you don't assign an ABP to a mailbox, the GAL for your entire organization will be visible to the user in
Outlook and Outlook on the web. Instead of using the value $null, you can specify the name of a different ABP
(enclosed in quotation marks if the name contains spaces).
Step 2: Remove the ABP
To remove an ABP, use this syntax:
Get-AddressBookPolicy
Replace <ABPName> with the name of the ABP, and run the following command to confirm that an error
is returned:
An address list is a collection of mail-enabled recipient objects in Exchange Online. Address lists are based on
recipient filters. You can filter by recipient type (for example, mailboxes and mail contacts), recipient properties (for
example, Company or State or Province), or both. Address lists aren't static; they're updated dynamically. When you
create or modify recipients in your organization, they're automatically added to the appropriate address lists. These
are the different types of address lists that are available:
Global address lists (GALs): The built-in GAL that's automatically created by Exchange Online includes
every mail-enabled object in the organization. You can create additional GALs to separate users by
organization or location, but a user can only see and use one GAL.
Address lists: Address lists are subsets of recipients that are grouped together in one list, which makes them
easier to find by users. Exchange Online comes with several built-in address lists, and you can create more
based on your organization's needs.
Offline address books (OABs): OABs contain address lists and GALs. OABs are used by Outlook clients in
cached Exchange mode to provide local access to address lists and GALs for recipient look-ups. For more
information, see Offline address books in Exchange Online.
Users in your organization use address lists and the GAL to find recipients for email messages. Here's an example
of what address lists look like in Outlook 2016:
For procedures related to address lists, see Address list procedures in Exchange Online.
Notes:
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets or
features that require the Address List role, you need to add the role to a role group. For more information,
see Modify role groups.
Precanned recipient filters or custom recipient filters identify the recipients that are included in address lists
and GALs. For more information, see Recipient filters for address lists in Exchange Online PowerShell.
You can hide recipients from all address lists and GALs. For more information, see Hide recipients from
address lists.
NAME: All Contacts
TYPE: Address list
DESCRIPTION: Includes all mail contacts in the organization. To learn more about mail contacts, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and (ObjectCategory -like 'person' -and ObjectClass -eq 'contact')}

NAME: All Distribution Lists
TYPE: Address list
DESCRIPTION: Includes all distribution groups, mail-enabled security groups, and dynamic distribution groups in the organization. To learn more about mail-enabled groups, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and ObjectCategory -like 'group'}

NAME: All Rooms
TYPE: Address list
DESCRIPTION: Includes all room mailboxes. Equipment mailboxes aren't included. To learn more about room and equipment (resource) mailboxes, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and (RecipientDisplayType -eq 'ConferenceRoomMailbox' -or RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')}

NAME: All Users
TYPE: Address list
DESCRIPTION: Includes all user mailboxes, linked mailboxes, remote mailboxes (Office 365 mailboxes), shared mailboxes, room mailboxes, equipment mailboxes, and mail users in the organization. To learn more about these recipient types, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {((Alias -ne $null) -and (((((((ObjectCategory -like 'person') -and (ObjectClass -eq 'user') -and (-not(Database -ne $null)) -and (-not(ServerLegacyDN -ne $null)))) -or (((ObjectCategory -like 'person') -and (ObjectClass -eq 'user') -and (((Database -ne $null) -or (ServerLegacyDN -ne $null))))))) -and (-not(RecipientTypeDetailsValue -eq 'GroupMailbox')))))}

NAME: Default Global Address List
TYPE: GAL
DESCRIPTION: Includes all mail-enabled recipient objects in the organization (users, contacts, groups, dynamic distribution groups, and public folders).
RECIPIENT FILTER USED: {((Alias -ne $null) -and (((ObjectClass -eq 'user') -or (ObjectClass -eq 'contact') -or (ObjectClass -eq 'msExchSystemMailbox') -or (ObjectClass -eq 'msExchDynamicDistributionList') -or (ObjectClass -eq 'group') -or (ObjectClass -eq 'publicFolder'))))}

NAME: Public Folders
TYPE: Address list
DESCRIPTION: Includes all mail-enabled public folders in your organization. Access permissions determine who can view and use public folders. For more information about public folders, see Public folders in Office 365 and Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and ObjectCategory -like 'publicFolder'}
An address list is a collection of mail-enabled recipient objects in Exchange Online. Address lists are based on
recipient filters. For more information about address lists, see Address lists in Exchange Online.
For additional management tasks related to address lists, see Address list procedures in Exchange Online.
Looking for the Exchange Server version of this topic? See Create an Address List.
New-AddressList -Name "Oregon and Washington" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and
((StateOrProvince -eq 'Washington') -or (StateOrProvince -eq 'Oregon')))}
This example creates the child address list Building 34 Meeting Rooms in the All Rooms parent container, using
built-in conditions.
New-AddressList -Name "Building 34 Meeting Rooms" -Container "\All Rooms" -IncludedRecipients Resources -ConditionalCustomAttribute1 "Building 34"
This example returns the members of the address list named Southeast Offices.
This example exports the results to the file C:\My Documents\Southeast Offices Export.csv.
$AL = Get-AddressList -Identity "Southeast Offices"; Get-Recipient -ResultSize unlimited -RecipientPreviewFilter $AL.RecipientFilter |
select Name,PrimarySmtpAddress,HiddenFromAddressListsEnabled |
Export-Csv -NoTypeInformation -Path "C:\My Documents\Southeast Offices Export.csv"
$Before = Get-User -Filter {((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'Oregon') -or
(StateOrProvince -eq 'Washington')))} -ResultSize Unlimited
2. Change the required property to a temporary value. For example, change the StateOrProvince values
from Oregon to OR , and Washington to WA :
$Before | where {$_.StateOrProvince -eq 'Oregon'} | foreach {Set-User $_.Identity -StateOrProvince OR}
3. Find those same users again by using the temporary property values. For example:
$After = Get-User -Filter {((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'OR') -or
(StateOrProvince -eq 'WA')))} -ResultSize Unlimited
4. Change the temporary value back to the required value. For example, change the StateOrProvince values
from OR to Oregon , and WA to Washington :
$After | where {$_.StateOrProvince -eq 'OR'} | foreach {Set-User $_.Identity -StateOrProvince Oregon}
Notes:
Title, department and address properties require the Get-User and Set-User cmdlets. CustomAttribute1
through CustomAttribute15 properties require the Get-Mailbox and Set-Mailbox cmdlets. For more
information about what properties are available on which cmdlet, see the following topics:
Set-User
Set-Mailbox
If only a small number of users don't appear in the address list, you can modify the required property value
for each user. For example:
1. Set a temporary property value for the user:
Set-AddressList -Identity <AddressListIdentity> [-Name <Name>] [<Precanned recipient filter | Custom recipient
filter>] [-RecipientContainer <OrganizationalUnit>]
When you modify the Conditional parameter values, you can use the following syntax to add or remove values
without affecting other existing values: @{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}.
This example modifies the existing address list named Southeast Offices by adding the State or province value
TX (Texas) to the precanned recipient filter.
This example removes the address list Sales Department, which doesn't contain child address lists.
Get-AddressList
DynamicDistributionGroup
Mailbox
MailContact
MailPublicFolder
MailUser
UnifiedGroup
This example hides the distribution group named Internal Affairs from address lists.
Note: To make the recipient visible in address lists again, use the value $false for the
HiddenFromAddressListsEnabled parameter.
How do you know this worked?
You can verify that you've successfully hidden a recipient from address lists by using any of the following
procedures:
In the EAC, select the recipient, click Edit, and verify the hide from address lists setting is selected.
In Exchange Online PowerShell, run the following command and verify the recipient is listed:
Open the GAL in Outlook or Outlook on the web (formerly known as Outlook Web App), and verify the
recipient isn't visible.
Recipient filters for address lists in Exchange Online
PowerShell
3/4/2019 • 2 minutes to read
Recipient filters identify the recipients that are included in address lists and GALs. There are two basic options:
precanned recipient filters and custom recipient filters. These are basically the same recipient filtering
options that are used by dynamic distribution groups and email address policies.
Precanned recipient filters
Uses the required IncludedRecipients parameter with the AllRecipients value or one or more of the
following values: MailboxUsers, MailContacts, MailGroups, MailUsers, or Resources. You can
specify multiple values separated by commas.
You can also use any of the optional Conditional filter parameters: ConditionalCompany,
ConditionalCustomAttribute[1to15], ConditionalDepartment, and ConditionalStateOrProvince.
You specify multiple values for a Conditional parameter by using the syntax "<Value1>","<Value2>"...
Multiple values of the same property imply the or operator. For example, "Department equals Sales or
Marketing or Finance".
Custom recipient filters: Uses the required RecipientFilter parameter with an OPATH filter.
The basic OPATH filter syntax is
{<Property1> -<Operator> '<Value1>' <Property2> -<Operator> '<Value2>'...} .
Braces { } are required around the whole OPATH filter.
Hyphens (-) are required before all operators. Here are some of the most frequently used
operators:
and, or, and not.
eq and ne (equals and does not equal; not case-sensitive).
lt and gt (less than and greater than).
like and notlike (string contains and does not contain; requires at least one wildcard in the string).
For example, {Department -like 'Sales*'}.
Use parentheses to group <Property> -<Operator> '<Value>' statements together in complex filters.
For example:
{(Department -like 'Sales*' -or Department -like 'Marketing*') -and (Company -eq 'Contoso' -or Company -eq 'Fabrikam')}
Exchange stores the filter in the RecipientFilter property with each individual statement enclosed
in parentheses, but you don't need to enter them that way.
For more information about address lists, see Address lists in Exchange Online.
For address list procedures that use recipient filters, see Address list procedures in Exchange Online.
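A custom filter that is broader than intended puts recipients from another virtual organization into an address list, which undoes the separation that ABPs are meant to provide. The following added example (not part of the original documentation) previews an OPATH filter with the RecipientPreviewFilter parameter used elsewhere on this page and reports matches outside an expected set of Company values before any list is created. It assumes a connected Exchange Online PowerShell session; the function name and the address list name "Contoso Sales" are hypothetical.

```powershell
# Added example, not from the original documentation.
# Test-AddressListFilter is a hypothetical helper name. It only reads data.

function Test-AddressListFilter {
    [CmdletBinding()]
    param(
        # OPATH filter text without the surrounding braces, passed as a string.
        [Parameter(Mandatory)] [string]   $RecipientFilter,
        # Company values that are allowed to appear in the resulting list.
        [Parameter(Mandatory)] [string[]] $AllowedCompany
    )

    # A syntactically invalid filter raises an error here, before anything is created.
    $preview = @(Get-Recipient -ResultSize Unlimited `
                               -RecipientPreviewFilter $RecipientFilter `
                               -ErrorAction Stop)

    # -notin compares case-insensitively, matching the behavior of -eq in OPATH.
    # A recipient with an empty Company value also counts as out of scope.
    $outOfScope = @($preview | Where-Object { $_.Company -notin $AllowedCompany })

    # Hidden recipients match the filter but are not displayed to users.
    $hidden = @($preview | Where-Object { $_.HiddenFromAddressListsEnabled })

    $byType = ($preview | Group-Object RecipientTypeDetails |
               ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    [pscustomobject]@{
        Filter        = $RecipientFilter
        Matched       = $preview.Count
        ByType        = $byType
        HiddenMatched = $hidden.Count
        OutOfScope    = @($outOfScope | Select-Object Name, PrimarySmtpAddress, Company)
    }
}

# The single-condition filter from this page has no Company condition, so in an
# organization that hosts several companies it can match recipients from all of them.
$broad  = "Department -like 'Sales*'"
$result = Test-AddressListFilter -RecipientFilter $broad -AllowedCompany 'Contoso'
$result | Format-List Filter, Matched, ByType, HiddenMatched
$result.OutOfScope | Format-Table -AutoSize

# Create the list only when the preview is non-empty and fully in scope; otherwise
# tighten the filter, for example by adding -and (Company -eq 'Contoso').
if ($result.Matched -gt 0 -and $result.OutOfScope.Count -eq 0) {
    New-AddressList -Name 'Contoso Sales' -RecipientFilter $broad -WhatIf
}
else {
    Write-Warning "Filter matched $($result.OutOfScope.Count) recipient(s) outside the allowed companies."
}
```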
Remove a global address list in Exchange Online
3/4/2019 • 2 minutes to read
The built-in global address list (GAL) that's automatically created by Exchange Online includes every mail-enabled
object in the organization. You can create additional GALs to separate users by organization or location, but a user
can only see and use one GAL. For more information about address lists, see Address lists in Exchange Online.
You can use the procedures in this topic to remove any custom GALs that you've created. You can't remove:
The GAL named Default Offline Address Book, which is the built-in GAL that's available in Exchange Online,
and the only GAL that has the IsDefaultGlobalAddressList property value True.
A GAL that's defined in an offline address book (OAB). For OAB procedures, see Offline address book
procedures.
For additional GAL management tasks, see Address list procedures in Exchange Online.
Get-GlobalAddressList
Configure global address list properties in Exchange
Online
3/4/2019 • 2 minutes to read
The built-in global address list (GAL) that's automatically created by Exchange Online includes every mail-enabled
object in the organization. You can create additional GALs to separate users by organization or location, but a user
can only see and use one GAL. For more information about address lists, see Address lists in Exchange Online.
The same settings to configure a GAL are available as when you created the GAL. For more information, see
Create a global address list in Exchange Online. For additional GAL management tasks, see Address list
procedures in Exchange Online.
Set-GlobalAddressList -Identity <GALIdentity> [-Name <Name>] [<Precanned recipient filter | Custom recipient filter>]
When you modify the precanned Conditional parameter values, you can use the following syntax to add or remove
values without affecting other existing values: @{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}.
This example modifies the existing GAL named Contoso GAL by adding the Company value Fabrikam to the
precanned recipient filter.
The built-in global address list (GAL) that's automatically created by Exchange Online includes every mail-enabled
object in the organization. You can create additional GALs to separate users by organization or location, but a user
can only see and use one GAL. For more information about address lists, see Address lists in Exchange Online.
If your organization uses address book policies (ABPs), you'll need to create additional GALs. To learn more, see
Address book policies in Exchange Online.
For additional GAL management tasks, see Address list procedures in Exchange Online.
New-GlobalAddressList -Name "<GAL Name>" [<Precanned recipient filter | Custom recipient filter>]
The hierarchical address book (HAB) allows users to look for recipients in their address book using an
organizational hierarchy. Normally, users are limited to the default global address list (GAL) and its recipient
properties, and the structure of the GAL often doesn't reflect the management or seniority relationships of
recipients in your organization. Being able to customize an HAB that maps to your organization's unique business
structure provides your users with an efficient method for locating internal recipients.
You can provide an additional level of hierarchical structure by using the SeniorityIndex parameter. When creating
an HAB, use the SeniorityIndex parameter to rank individual recipients or organizational groups by seniority within
these organizational tiers. This ranking specifies the order in which the recipients or groups are displayed in the
HAB. For example, in the preceding example, the SeniorityIndex parameter for the recipients in the Corporate
Office division is set to the following:
100 for David Hamilton
50 for Rajesh M. Patel
25 for Amy Alberts
NOTE
If the SeniorityIndex parameter isn't set or is equal for two or more users, the HAB sorting order uses the
PhoneticDisplayName parameter value to list the users in ascending alphabetical order. If the PhoneticDisplayName
parameter value isn't set, the HAB defaults to the DisplayName parameter value and lists the users in ascending alphabetical
order.
The hierarchical address book (HAB) allows users to look for recipients in their address book using an
organizational hierarchy. For more information, see Hierarchical address books.
The cmdlets and parameters that you use to configure a HAB are described in the following table:
Note: If you don't use the Alias parameter when you create a distribution group, the value of the Name parameter
is used with spaces removed.
For detailed syntax and parameter information, see New-DistributionGroup.
Step 2: Use Exchange Online PowerShell to specify the root organization for the HAB
This example specifies the distribution group named "Contoso,Ltd" from the previous step as the root organization
for the HAB.
Set-OrganizationConfig -HierarchicalAddressBookRoot "Contoso,Ltd"
Step 3: Use Exchange Online PowerShell to designate distribution groups as hierarchical groups
The following examples designate the groups that we previously created as hierarchical groups:
This example adds the groups named Human Resources, Accounting Group, and Administration Group as
members of Corporate Office.
An offline address book (OAB) is a downloadable address list collection that Outlook users can access while
disconnected from Exchange Online. Admins can decide which address lists are made available to users who work
offline.
Offline address books are generated every 8 hours.
For more information about address lists in Exchange Online, see Address lists.
For OAB procedures, see Offline address book procedures.
Looking for the Exchange Server version of this topic? See Offline Address Books in Exchange Server.
An offline address book (OAB) is a downloadable address list collection that Outlook users can access while
disconnected from Exchange Online. An OAB allows Outlook users to access the information within the specified
address lists while disconnected from Exchange Online. Admins can decide which address lists are made available
to users who work offline.
For additional management tasks related to OABs, see Offline address book procedures.
You can use Exchange Online PowerShell to add or remove an address list from an offline address book (OAB). By
default, there is an OAB named the Default Offline Address Book that contains the global address list (GAL). OABs
are generated based on the address lists that they contain. To create custom OABs that users can download, you
can add or remove address lists from OABs.
For additional management tasks related to OABs, see Offline address book procedures.
Use Exchange Online PowerShell to add and remove address lists from
offline address books
When you modify the address lists that are configured in an OAB, the values that you specify will replace any
address lists in the OAB. To add address lists to the OAB, specify the current address lists plus the ones you want to
add. To remove address lists from the OAB, specify the current address lists minus the ones you want to remove.
In this example, the OAB named Marketing OAB is already configured with Address List 1 and Address List 2. To
keep those address lists and add Address List 3, run the following command:
Set-OfflineAddressBook -Identity "Marketing OAB" -AddressLists "Address List 1","Address List 2","Address List 3"
Similarly, to keep the OAB configured with Address List 1 and Address List 2, but remove Address List 3, run the
following command:
Set-OfflineAddressBook -Identity "Marketing OAB" -AddressLists "Address List 1","Address List 2"
By default, the automatically-created OAB named Default Offline Address Book is the default OAB. You can set any
OAB in your Exchange Online organization as the default OAB. The default OAB is used by:
Mailboxes without an address book policy (ABP) assigned, or where the assigned ABP has no OAB
defined (by default, there are no ABPs).
Mailboxes without an OAB assigned (by default, all mailboxes).
If you delete the default OAB, Exchange Online doesn't automatically assign another OAB as the default. You need
to manually designate another OAB as the default.
For additional management tasks related to OABs, see Offline address book procedures.
If you use multiple offline address books (OABs) in your organization, you have different options for assigning the
OAB to users:
Per mailbox: You can use the Set-Mailbox cmdlet in Exchange Online PowerShell to assign the OAB to a
mailbox. You can also assign the OAB to a filtered list of mailboxes.
Per address book policy: You can assign an address book policy (ABP) to a user, and the ABP specifies the
OAB. If you assign an ABP to a user that already has an OAB assigned to their mailbox, the OAB that's
assigned to the mailbox will take precedence. For more information, see Assign an address book policy to
mail users.
For additional management tasks related to OABs, see Offline address book procedures.
This example assigns the OAB named Contoso Executives to the mailbox laura@contoso.com.
This example assigns the OAB named Contoso US to a filtered list of mailboxes. The first command identifies the
mailboxes. The second command assigns the OAB to the identified mailboxes.
$USContoso = Get-User -ResultSize Unlimited -Filter {RecipientType -eq "UserMailbox" -and Company -eq
"Contoso" -and CountryOrRegion -eq "US"}
$USContoso | foreach {Set-Mailbox $_.Identity -OfflineAddressBook "Contoso United States"}
This topic explains how to remove an offline address book (OAB) from Exchange Online. If you remove the default
OAB, you must assign a different OAB as the default OAB. For instructions about how to change the default OAB,
see Change the default offline address book.
For additional management tasks related to OABs, see Offline address book procedures.
Get-OfflineAddressBook
Sharing in Exchange Online
3/6/2019 • 2 minutes to read
You may need to coordinate schedules with people in different organizations or with friends and family members
so that you can work together on projects or plan social events. With Office 365, administrators can set up different
levels of calendar access in Exchange Online to allow businesses to collaborate with other businesses and to let
users share their schedules with others. Business-to-business calendar sharing is set up by creating organization
relationships. User-to-user calendar sharing is set up by applying sharing policies.
Share calendars with another Office 365 organization
    Organization relationships
    None, ready to configure
Share an Office 365 user's calendar with another internet user
    Sharing policies
    None, ready to configure
Share an Office 365 user's calendar with an Exchange on-premises user
    Sharing policies
    The on-premises Exchange administrator has to set up an authentication relationship with the cloud (also known as "federation") and must meet minimum software requirements
Sharing documentation
The following table contains links to topics that will help you learn about and manage sharing in Exchange Online.
TOPIC: Organization relationships in Exchange Online
DESCRIPTION: Learn more about the one-to-one relationships between organizations that enable calendar free/busy sharing.
TOPIC: Sharing policies in Exchange Online
DESCRIPTION: Learn more about the person-to-person policies that enable calendar sharing.
Organization relationships in Exchange Online
3/4/2019 • 2 minutes to read
Set up an organization relationship to share calendar information with an external business partner. Office 365
admins can set up an organization relationship with another Office 365 organization or with an Exchange on-
premises organization. If you want to share calendars with an on-premises Exchange organization, the on-
premises Exchange administrator has to set up an authentication relationship with the cloud (also known as
"federation") and must meet minimum software requirements.
An organization relationship is a one-to-one relationship between businesses to allow users in each organization
to view calendar availability information. When you set up the organization relationship, you are setting up your
side of the relationship and specifying the level of information that the users in the external organization can view.
The external organization may set up the same or different settings on their side. For example, if Contoso creates
an organization relationship with Tailspin Toys, the users at Tailspin Toys will be able to schedule meetings with the
users at Contoso by adding their email address to the meeting invitation. The availability of the invited Contoso
user would display to the Tailspin Toys user. However, before Contoso can also see availability for users at Tailspin
Toys, their administrator needs to set up an organization relationship with Contoso.
There are three levels of access that you can specify:
No access
Access to availability (free/busy) time only
Access to free/busy, including time, subject, and location
NOTE
If users don't want to share their free/busy information with others, they can change their permissions entry in Outlook. To
do this, users go to the Calendar Properties > Permissions tab, select one or more users/groups, and select any of the
Permissions options.
To completely hide their calendar, they can remove the user/group from the list of those with which the calendar is shared.
Their free/busy information won't be seen by internal or external users, even if an organization relationship exists. The
permissions set by the user will apply.
The following topics will help you configure and manage organization relationships:
Create an organization relationship in Exchange Online
Modify an organization relationship in Exchange Online
Remove an organization relationship in Exchange Online
Create an organization relationship in Exchange
Online
3/4/2019 • 2 minutes to read
Set up an organization relationship to share calendar information with an external business partner. Office 365
admins can set up an organization relationship with another Office 365 organization or with an Exchange on-
premises organization.
If you're not sure which domains Contoso has set up for cloud-based authentication, you can run this command to
automatically find the configuration information. The Get-FederationInformation cmdlet is used to find the right
information, which is then passed to the New-OrganizationRelationship cmdlet.
For detailed syntax and parameter information, see Get-FederationInformation and
New-OrganizationRelationship.
If you're setting up an organization relationship with an on-premises Exchange organization, you may want to
provide the connection settings. This example creates an organization relationship with Fourth Coffee and specifies
the connection settings to use. The following conditions apply:
The organization relationship is established with the domain fourthcoffee.com.
The Exchange Web Services application URL is mail.fourthcoffee.com.
The Autodiscover URL is https://mail.fourthcoffee.com/autodiscover/autodiscover.svc/wssecurity.
Free/busy access is enabled.
Fourth Coffee sees free/busy information with the time.
Get-OrganizationRelationship | format-list
Modify an organization relationship in Exchange
Online
3/4/2019 • 2 minutes to read
An organization relationship lets users in your Office 365 organization share calendar free/busy information with
other Office 365 or on-premises Exchange organizations. You may want to change the settings of an organization
relationship, such as changing the name, temporarily disabling calendar sharing, changing the access level, or
changing which security groups will share calendars.
To learn more about organization relationships, see Organization relationships in Exchange Online.
Use the Exchange admin center to disable free/busy sharing for the organization relationship
1. From the Office 365 admin center go to Admin > Exchange.
2. Go to organization > sharing.
3. In the list view, under Organization Sharing, select the organization relationship Contoso, and then click Edit.
4. In organization relationship, click sharing.
5. Clear the Enable calendar free/busy information sharing check box to disable free/busy sharing. The
free/busy access level and security group buttons will also be disabled.
6. Click save to update the organization relationship.
Use the Exchange admin center to change the free/busy access level for the organization relationship
1. From the Office 365 admin center go to Admin > Exchange.
2. Go to organization > sharing.
3. In the list view, under Organization Sharing, select the organization relationship Contoso, and then click Edit.
4. In organization relationship, click sharing.
5. Select Calendar free/busy information with time only.
6. Click save to update the organization relationship.
This example enables calendar availability information access for the organization relationship
WoodgroveBank and sets the access level to AvailabilityOnly (calendar free/busy information with time
only).
For detailed syntax and parameter information, see Get-OrganizationRelationship and Set-OrganizationRelationship.
Get-OrganizationRelationship | format-list
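A review of every organization relationship before changing one, followed by the WoodgroveBank change described above, as an added example that is not the original article's code. The review criteria (flagging relationships that share more than time-only data or that are not limited to a security group) are an assumption about what an admin would want to check.

```powershell
# Added example for an Exchange Online PowerShell session.

# 1. Report every relationship with the settings that control exposure.
$report = foreach ($rel in Get-OrganizationRelationship) {
    $sharing = $rel.Enabled -and $rel.FreeBusyAccessEnabled
    $level   = "$($rel.FreeBusyAccessLevel)"
    $scope   = "$($rel.FreeBusyAccessScope)"

    [pscustomobject]@{
        Name        = $rel.Name
        Domains     = $rel.DomainNames -join ', '
        Sharing     = $sharing
        AccessLevel = $level
        # An empty scope means the relationship is not limited to one
        # security group.
        ScopedTo    = if ($scope) { $scope } else { '(not limited to a group)' }
        # Assumed review rule: active sharing that is broader than
        # time-only, or that is not limited to a security group.
        Review      = $sharing -and ($level -eq 'LimitedDetails' -or -not $scope)
    }
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize

# 2. The change described above: enable availability access for WoodgroveBank
#    at the time-only level. Run with -WhatIf first to see what would change.
Set-OrganizationRelationship -Identity 'WoodgroveBank' `
    -FreeBusyAccessEnabled $true `
    -FreeBusyAccessLevel AvailabilityOnly -WhatIf

Set-OrganizationRelationship -Identity 'WoodgroveBank' `
    -FreeBusyAccessEnabled $true `
    -FreeBusyAccessLevel AvailabilityOnly

# 3. Temporarily stop free/busy sharing without deleting the relationship
#    (the PowerShell counterpart of clearing the check box in the EAC).
# Set-OrganizationRelationship -Identity 'WoodgroveBank' -FreeBusyAccessEnabled $false
```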
Remove an organization relationship in Exchange Online
3/4/2019
An organization relationship lets users in your Office 365 organization share calendar free/busy information with
other Office 365 or on-premises Exchange organizations. You can remove an organization relationship to disable
calendar sharing with the other organization.
To learn more about organization relationships, see Organization relationships in Exchange Online.
Get-OrganizationRelationship | Format-List
Sharing policies in Exchange Online
3/4/2019
People in your organization may want to share calendars with individual business associates, friends, or family
members. Sharing policies control how your users share their calendars with people outside your organization.
The sharing policy that an admin applies to the user's mailbox determines what level of access a user can share and
with whom. If you don't change anything, then all users can invite anyone with an email address to view their
calendar. You may decide to apply a more restrictive policy.
An admin defines the rules that make up a sharing policy. You can specify the domains that users can share with,
and the following levels of access to calendars:
Free/busy information with time only
Free/busy information with time, subject, and location
Free/busy information, including time, subject, location, and title
After you create a new sharing policy, you have to apply that policy to mailboxes before it takes effect. Sharing
policies are applied to individual user's mailboxes. An admin can also disable a user's sharing policy to prevent
external access to calendars.
Users share their calendar by sending an email invitation to the external user. Outlook 2010 or later or Outlook
Web App can send this type of invitation. The calendar can be opened through a URL link, or can be accessed as an
additional calendar folder if the external user has Outlook 2010 or later or is using Outlook Web App.
These topics will help you learn how to manage sharing policies for your Office 365 organization:
Create a sharing policy in Exchange Online
Apply a sharing policy to mailboxes in Exchange Online
Modify, disable, or remove a sharing policy in Exchange Online
Create a sharing policy in Exchange Online
3/4/2019
Create a new Sharing Policy to change how people in your organization share calendars with individual business
associates, friends, or family members. Sharing policies control how your users share their calendars with people
outside your organization. By default, all users can invite anyone with an email address to view their calendar. After
you create a new sharing policy, you have to apply that policy to mailboxes before it takes effect. To apply a specific
sharing policy to users, see Apply a sharing policy to mailboxes in Exchange Online.
This example creates the sharing policy ContosoWoodgrove for two different domains (contoso.com and
woodgrovebank.com) with different sharing settings configured for each domain. The policy is disabled.
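The policy described above, followed by a review of all sharing policies for rules that are not tied to a named domain, as an added example that is not the original article's code. Which access level goes to which domain is an assumption (the page does not say), and ConvertFrom-SharingRule is a hypothetical helper that assumes each entry of the Domains property renders as "domain:Action1, Action2".

```powershell
# Added example for an Exchange Online PowerShell session.

# Assumption: contoso.com gets time-only, woodgrovebank.com gets
# time, subject, and location.
$domains = @(
    'contoso.com: CalendarSharingFreeBusySimple',
    'woodgrovebank.com: CalendarSharingFreeBusyDetail'
)
# Created disabled, so nothing changes for users until it is enabled
# and applied to mailboxes.
New-SharingPolicy -Name 'ContosoWoodgrove' -Domains $domains -Enabled $false

# Hypothetical helper: split one "domain:actions" rule into its parts.
function ConvertFrom-SharingRule {
    param([Parameter(Mandatory)][string] $Rule)
    $domain, $actions = $Rule -split ':', 2
    [pscustomobject]@{
        Domain  = $domain.Trim()
        Actions = @($actions -split ',' |
                    ForEach-Object { $_.Trim() } |
                    Where-Object { $_ })
    }
}

# Review every rule in every policy. Rules for '*' or 'Anonymous' are the
# ones behind the default "anyone with an email address" behavior.
Get-SharingPolicy | ForEach-Object {
    $policy = $_
    foreach ($entry in $policy.Domains) {
        $rule = ConvertFrom-SharingRule -Rule "$entry"
        [pscustomobject]@{
            Policy          = $policy.Name
            Enabled         = $policy.Enabled
            Default         = $policy.Default
            Domain          = $rule.Domain
            Actions         = $rule.Actions -join ', '
            OpenToAnyDomain = $rule.Domain -in '*', 'Anonymous'
        }
    }
} | Sort-Object OpenToAnyDomain -Descending | Format-Table -AutoSize
```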
Apply a sharing policy to mailboxes in Exchange Online
3/4/2019
Sharing policies control how your users share their calendars with people outside your organization. The sharing
policy that an admin applies to the user's mailbox determines what level of access a user can share and with
whom. If you don't change anything, then all users can invite anyone with an email address to view their calendar.
If you create a new sharing policy, you have to apply that policy to mailboxes before it takes effect. Sharing policies
are applied to individual user's mailboxes. An admin can also disable a user's sharing policy to prevent external
access to calendars.
This example finds all user mailboxes in the Marketing department and then applies the sharing policy Contoso
Marketing.
This example shows all mailboxes that have the sharing policy Contoso applied, and it sorts the users into a table
that displays only their aliases and email addresses.
For detailed syntax and parameter information, see Set-Mailbox and Get-Mailbox.
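The two operations described above, with a preview step and a per-policy count added, as an example that is not the original article's code. The preview and the count go beyond what the page describes.

```powershell
# Added example for an Exchange Online PowerShell session.

# 1. Find the Marketing mailboxes and preview the change before making it.
$marketing = Get-Mailbox -ResultSize Unlimited -Filter "Department -eq 'Marketing'"
$marketing | Set-Mailbox -SharingPolicy 'Contoso Marketing' -WhatIf

# 2. Apply the policy.
$marketing | Set-Mailbox -SharingPolicy 'Contoso Marketing'

# 3. Show the mailboxes that have the policy Contoso applied, as a table
#    with only alias and email addresses.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.SharingPolicy)" -eq 'Contoso' } |
    Format-Table Alias, EmailAddresses

# 4. Count mailboxes per sharing policy, to spot mailboxes that are still
#    on a broader policy than intended.
Get-Mailbox -ResultSize Unlimited |
    Group-Object { "$($_.SharingPolicy)" } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```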
Modify, disable, or remove a sharing policy in Exchange Online
3/4/2019
Sharing policies control how your users share their calendars with people outside your organization. You may want
to change some sharing policy properties, such as changing sharing rules, changing the free/busy access level,
temporarily disabling a sharing policy, or removing a sharing policy entirely.
For details about how to create a sharing policy, see Create a sharing policy in Exchange Online.
Use the Exchange admin center to set a sharing policy as the default sharing policy
1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Individual Sharing, select a sharing policy, and then click Edit.
4. In sharing policy, select the Make this policy my default sharing policy check box.
5. Click save to update the sharing policy.
IMPORTANT
Before you remove a sharing policy, the sharing policy must be removed from all user mailboxes.
1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Individual Sharing, select a sharing policy, and then click Delete.
4. In the warning, click yes to delete the sharing policy.
This example adds a second domain to the sharing policy Contoso. When you're adding a domain to an
existing policy, you must include any previously included domains.
This example sets the sharing policy Contoso as the default sharing policy.
The first example removes the sharing policy Contoso. The second example removes the sharing policy
Contoso and suppresses the confirmation that you want to remove the policy.
For detailed syntax and parameter information, see Set-SharingPolicy and Remove-SharingPolicy.
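Two points above are easy to get wrong: adding a domain replaces the whole domain list, and a policy must be off every mailbox before it is removed. The following added example (not the original article's code) handles both; the function names and the domain partner.example are hypothetical, and it assumes each Domains entry renders as "domain:actions".

```powershell
# Added example for an Exchange Online PowerShell session.

# Add one rule to a policy while keeping the rules it already has.
# Set-SharingPolicy -Domains overwrites the list, so the current rules are
# read back and sent again together with the new one.
function Add-SharingPolicyDomain {
    param(
        [Parameter(Mandatory)][string] $Policy,
        [Parameter(Mandatory)][string] $Rule      # 'domain: Action'
    )
    $newDomain = ($Rule -split ':')[0].Trim()
    $current   = @((Get-SharingPolicy -Identity $Policy).Domains |
                   ForEach-Object { "$_" })
    # Drop an older rule for the same domain so it is not listed twice.
    $kept = @($current |
              Where-Object { ($_ -split ':')[0].Trim() -ne $newDomain })
    Set-SharingPolicy -Identity $Policy -Domains ($kept + $Rule)
    (Get-SharingPolicy -Identity $Policy).Domains
}

# Remove a policy only after moving every mailbox that still uses it.
function Remove-SharingPolicySafely {
    param(
        [Parameter(Mandatory)][string] $Policy,
        [Parameter(Mandatory)][string] $ReplacementPolicy
    )
    $inUse = @(Get-Mailbox -ResultSize Unlimited |
               Where-Object { "$($_.SharingPolicy)" -eq $Policy })
    if ($inUse.Count -gt 0) {
        Write-Host "$($inUse.Count) mailbox(es) moved to '$ReplacementPolicy'."
        $inUse | Set-Mailbox -SharingPolicy $ReplacementPolicy
    }
    # Prompts for confirmation; add -Confirm:$false to suppress the prompt.
    Remove-SharingPolicy -Identity $Policy
}

# Usage with the policy name from this page:
Add-SharingPolicyDomain -Policy 'Contoso' -Rule 'partner.example: CalendarSharingFreeBusySimple'

# Make Contoso the default sharing policy.
Set-SharingPolicy -Identity 'Contoso' -Default $true

# Retire the policy created earlier, falling back to Contoso.
Remove-SharingPolicySafely -Policy 'ContosoWoodgrove' -ReplacementPolicy 'Contoso'
```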
Voice mail in Exchange Online: Unified Messaging
3/29/2019
NOTE
Cloud Voicemail takes the place of Exchange Unified Messaging (UM) in providing voice messaging functionality for Skype for
Business 2019 voice users who have mailboxes on Exchange Server 2019 or Exchange Online, and for Skype for Business
Online voice users. For more information please check Plan Cloud Voicemail service.
Unified Messaging (UM) enables users to use voice mail features, including Outlook Voice Access and Call
Answering Rules. UM combines voice messaging and email messaging into one mailbox that can be accessed from
many different devices. Users can read or listen to their messages from their email Inbox or by using Outlook Voice
Access from any telephone. You have control over how users place outgoing calls, and the experience callers have
when they call in to your organization.
Today, messaging administrators in organizations frequently manage the voice mail and email systems for their
organizations as separate systems. Voice mail and email messages are located in separate mailboxes that are
hosted on separate servers. Users can access messages through the desktop for email and through the telephone
for voice mail.
UM in Office 365 makes it possible for online administrators to combine voice messaging and email messaging
into one mailbox so their users can read or listen to their voice mail messages in their Inbox or by using Outlook
Voice Access from any telephone. UM uses a user's mailbox to store both email and voice mail messages.
NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will
end in July 2018. Please see the Exchange team blog Discontinuation of support for Session Border Controllers in
Exchange Online Unified Messaging for more information.
Built-in UM administrative roles: The set of UM-specific administrative roles for managing UM and voice
mail features includes the following:
UM Mailboxes
UM Prompts
Unified Messaging
Incoming fax support: UM provides built-in incoming fax support for users who have a UM-enabled
mailbox. They can receive fax messages through calls placed to their extension number.
Customers who require a fax solution will have to deploy a fax partner solution. Fax partner solutions are
available from several fax partners. The fax partner solutions are designed to be tightly integrated with
Exchange and enable UM-enabled users to receive incoming fax messages. You can find a fax partner
solution by visiting Microsoft Pinpoint for Fax Partners.
Support for multiple languages: All available language packs contain support for the Text-to-Speech
(TTS) engine and the prerecorded prompts for a specified language and ASR support. However, only some
language packs contain support for Voice Mail Preview.
Auto attendant: An auto attendant is a set of voice prompts that gives external and internal users access to
the voice mail system. Users can use the telephone keypad or speech inputs to move through the auto
attendant menu, place a call to a user, or locate a user in your organization and then place a call to them. An
auto attendant gives the administrator the ability to:
Create a customized menu for external users.
Define informational greetings, business hours greetings, and non-business hours greetings.
Define holiday schedules.
Describe how to search the organization's directory.
Describe how to connect to a user's extension so that external callers can call users by specifying their
extension.
Describe how to search the organization's directory so that external callers can search the directory
and call a specific user.
Enable external users to call the operator.
NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will end in
July 2018. Please see the Exchange team blog Discontinuation of support for Session Border Controllers in Exchange Online
Unified Messaging for more information.
When you plan to use UM in Office 365, you need to consider design and other issues that may affect your ability
to reach your organizational goals when you configure UM. Generally, the simpler the UM setup is, the easier UM
is to configure and maintain. As a general rule, create as few UM components like UM dial plans, auto attendants,
and UM mailbox policies as you need to support your business and organizational goals. Large enterprises with
complex network and telephony environments, multiple business units, or other complexities will require more
planning than smaller organizations with relatively straightforward UM needs.
You need to consider and evaluate many areas to be able to successfully deploy UM. You need to understand the
different aspects of UM and each component and feature so that you can plan your UM infrastructure and
deployment appropriately. Allocating time to plan and work through these issues will help prevent problems when
you deploy UM in your organization. The following are some of the areas that you should consider and evaluate
when planning for UM in your organization:
The needs of your organization.
The security requirements in your organization.
Your existing telephony, circuit-switched network, and voice mail system.
Your current packet-switched IP network design. This includes your local area network (LAN) and WAN
connectivity points and devices.
The number of users that you'll have to support.
Whether you'll be integrating UM with Lync Server to enable Enterprise Voice in Office 365.
The placement of VoIP gateways, telephony equipment, and SBCs.
The storage requirements for voice mail users.
When you install Unified Messaging (UM), a common set of default audio files used for the voice mail system and
for menu prompts, greetings, and informational announcements is installed. Although you can create a fully
functional UM auto attendant or dial plan that uses only the default audio prompts, these prompts are too generic
to serve as an acceptable public interface for many companies. This topic discusses the system and menu prompts,
greetings, and informational announcements that are used by UM dial plans and auto attendants and how they're
used when callers access the voice mail system.
The following table summarizes the prompts and greetings used with UM auto attendants.
Audio prompts for UM auto attendants
PROMPTS AND GREETINGS | DESCRIPTION
Business hours menu prompts | By default, business hours menu prompts are enabled and a system prompt is played. However, you can use a customized greeting file that you create.
Non-business hours menu prompts | By default, non-business hours menu prompts are enabled and a system prompt is played. However, you can use a customized greeting file that you create.
Business hours greeting | By default, a business hours greeting is enabled and a system prompt is played. However, you can use a customized greeting file that you create. This is also known as a welcome greeting.
System prompts
Unified Messaging uses a set of default audio prompts for Outlook Voice Access, dial plans, and auto attendants.
Hundreds of system prompts for each language are available. Unified Messaging plays the audio files for these
system prompts to callers when they access the voice mail system. The following are some examples of these
system prompts:
"Please enter your PIN."
"To access your mailbox, enter your extension."
"To contact someone, press the # key."
"Spell the name of the person you are calling, last name first."
"To reach a specific person, just tell me the name."
Welcome greeting | "Welcome, you are connected to Microsoft Exchange." | "Welcome to Outlook Voice Access for Woodgrove Bank."
Informational announcement | By default, an informational announcement isn't configured. | "By using this system you agree to adhere to all corporate policies when you are accessing this system."
Caution
When you are customizing and configuring greetings and announcements, make sure the language setting
configured on the UM dial plan is the same as the language of the custom prompts you create. If not, a caller may
hear a message or greeting in one language and another message or greeting in a different language.
Business hours greeting | "Welcome to the Microsoft Exchange auto attendant." | "Thank you for calling Woodgrove Bank."
Non-business hours greeting | No default non-business hours greeting is played until you configure the business hours for the auto attendant. However, the business hours greeting is played for callers during all times of the day. | "You have reached Woodgrove Bank after business hours. Our business hours are from 8:00 A.M. until 5:00 P.M., Monday through Friday."
Business hours main menu prompt | No default business hours main menu prompt will be played until you configure key mappings on the auto attendant. | "For technical support, press or say 1. For corporate offices and administration, press or say 2. For sales, press or say 3."
Non-business hours main menu prompt | No default non-business hours main menu prompt will be played until you configure key mappings and the business hours schedule on the auto attendant. | "Your call is very important to us. However, you have reached Woodgrove Bank after business hours. If you want to leave a message, please press or say 1, and we will return your call as soon as possible."
As with UM dial plans, make sure the language setting configured on the UM auto attendant is the same as the
language of the custom greetings you create and is set to the same language as the UM dial plan. If not, a caller
may hear a message or greeting in one language and another message or greeting in a different language.
This example sets the default language on a UM dial plan named MyUMDialPlan to Japanese.
This example sets the default language on a UM dial plan named MyUMDialPlan to Australian English.
You can configure the default prompt language setting on a Unified Messaging (UM) auto attendant. The language
setting available on a UM auto attendant enables you to configure the default prompt language on the auto
attendant. When you're using the default system prompts for the auto attendant, this is the language that the caller
hears when the auto attendant answers the incoming call. This setting doesn't affect custom prompts that are
configured on an auto attendant.
Use the EAC to configure the default language setting
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then on the toolbar, click Edit.
3. On the UM dial plan page, under UM Auto Attendants, select the UM auto attendant you want to
change, and then click Edit.
4. On the General page, under Language for automated voice interface, select the required language from
the drop-down list.
5. Click Save to accept your changes.
Use Exchange Online PowerShell to configure the default language setting
This example sets the default language on the UM auto attendant MyUMAutoAttendant to English (Great Britain).
This example sets the default language on the UM auto attendant MyUMAutoAttendant to German.
You can use Exchange Online PowerShell to enable the recording of custom prompts and greetings for Unified
Messaging (UM) dial plans and auto attendants using the telephone user interface (TUI). This can be useful when
you want to change a custom greeting or announcement by using the EAC or Exchange Online PowerShell, or
when there's an emergency such as an organization closure because of severe weather. When you're changing a
custom greeting or announcement on a UM auto attendant, you must enable TUI prompt recording on the dial
plan that the UM auto attendant is linked to.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
IMPORTANT
Allow only those administrators who are managing prompts and greetings access to the extension number and PIN
for the user account. Use this user account only for managing prompts over the telephone.
5. Create and save a .wav or .wma file to use for a custom greeting for the UM dial plan or auto attendant.
NOTE
MP3 files can't be used for custom prompts.
6. Use the EAC or Exchange Online PowerShell to configure the dial plan to use the custom welcome greeting
or configure the auto attendant to use the business or non-business hours greeting. For details about
configuring a dial plan, see Enable a customized greeting for Outlook Voice Access users. For details about
configuring an auto attendant, see Enable a customized business hours greeting or Enable a customized
non-business hours greeting.
7. Run the following cmdlet:
NOTE
Before you can enable the recording of a custom prompt or greeting, you must sign in to the mailbox that's set up for
recording prompts. After you record the new prompt or greeting, you must sign out and then sign back in before you can
hear the new prompt or greeting when you use the TUI.
To successfully deploy Unified Messaging (UM), you must have a good understanding of basic telephony concepts
and telephony components. After you understand telephony basics, you can integrate UM into an Exchange
organization. Basic concepts and components include the following:
Circuit-switched and packet-switched networks
Private Branch eXchange (PBX)
IP PBX
Voice over Internet Protocol (VoIP)
VoIP gateways
In an on-premises, hybrid, or Office 365 environment, connecting and configuring the required telephony
components is the most complex and important step in successfully deploying UM, with or without Lync Server
Enterprise Voice. You'll need to connect and configure VoIP gateways, advanced VoIP gateways, PBXs, IP PBXs,
and session border controllers (SBCs) for a traditional telephony network and connect to a telephony network if
you'll be using Microsoft Lync Server and UM.
Planning and deploying UM for the first time or upgrading a legacy voice mail system can pose challenges for
organizations. It requires significant knowledge about VoIP gateways, PBXs, IP PBXs, Microsoft Lync Server, and
Unified Messaging. Depending on your technical experience with Exchange and voice mail systems, you might
want to obtain the assistance of a Unified Messaging specialist. An Exchange Unified Messaging specialist will help
make sure that there's a smooth transition from a legacy or third-party voice mail system to Exchange Unified
Messaging.
NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs ended in
July 2018. Please see the Exchange team blog Discontinuation of support for Session Border Controllers in Exchange Online
Unified Messaging for more information.
When you're integrating Unified Messaging and Lync Server in an on-premises or hybrid deployment, missed call
notifications aren't available to users who have a mailbox located on Exchange 2007 or Exchange 2010 Mailbox
servers. A missed call notification is generated when a user disconnects before the call is sent to a Mailbox server.
Telephony advisor for Exchange 2013
2/28/2019
Unified Messaging (UM) requires that you integrate Microsoft Exchange with the existing telephony system for
your organization. A successful deployment requires you to make a careful analysis of your existing telephony
infrastructure and to perform the correct planning steps to deploy Unified Messaging.
The planning phase can be a significant challenge to Exchange administrators who have little or no experience with
a telephony network. To help address this challenge, see the following section Resources to help with your UM
deployment.
The other sections in this topic cover the supported VoIP gateways for Unified Messaging, how to determine
whether your PBX is supported using a specific VoIP gateway model or manufacturer, whether your IP PBX is
supported using a direct SIP connection, and supported session border controllers (SBCs) for Exchange Online
UM.
NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will
end in July 2018. Please see the Exchange team blog Discontinuation of support for session border controllers in
Exchange Online unified messaging for more information.
Before you engage a Unified Messaging specialist, you should be able to answer key questions that they'll ask.
Having the answers to the following questions will help make the conversation between you and the UM specialist
productive:
How many existing telephone or voice mail users, or both, are in your organization?
How many users do you intend to provide with Unified Messaging?
Which PBX or PBXs do you intend to use for integration with Unified Messaging?
How many PBXs does your organization have? Specify the vendors, types (circuit- or IP-based), models,
and firmware versions.
Are the PBXs networked, and are they centralized or located in multiple locations?
What voice mail system or systems does your organization currently use? Specify the vendors, types,
models, and firmware versions.
How are the voice mail systems integrated into your PBXs (Analog, T1/E1, PRI, Digital set emulation, VoIP,
other)?
Are you currently using voice networking?
What type of fax system or systems does your organization use, and does the fax system or systems
support inbound fax routing to Exchange?
Does your organization use automated attendants?
Do you need support for phone-only users, that is, users who won't have email access?
Sonus | SBC 1000/2000 | 2.2.1 or later | TDM Signaling (ISDN): AT&T 4ESS/5ESS, Nortel DMS-100, Euro ISDN (ETSI 300-102), QSIG, NTT InsNet (Japan), ANSI National ISDN-2 (NI-2); TDM Signaling (CAS): T1 CAS (E&M, Loop start); E1 CAS (R2)
Intercom DMG1008LSW | Analog connectivity using SMDI serial protocol
NEC 2400 IMX | Release 5200 Dec. 92 1b or later versions | CAS (w/ MCI serial protocol)
Supported IP PBXs
IP PBXs are also supported by Unified Messaging. The following table shows the IP PBXs that are supported
using a direct SIP connection to Unified Messaging.
IP PBXs supported when using a direct SIP connection
This page provides links to configuration notes that have been created and tested by Microsoft or a VoIP gateway
partner. When Microsoft or a partner deploys Unified Messaging with a new VoIP gateway and PBX or IP PBX
configuration, the prerequisites and configuration settings are documented. This information is used to create a
configuration note.
Each PBX configuration note contains information about how to deploy Unified Messaging with a specific
telephony configuration, and includes the manufacturer, model, and firmware version for the VoIP gateways, IP
PBXs, or PBXs. In addition, each PBX configuration note includes other information, such as:
Contributors in authoring the configuration note.
Detailed prerequisites, including the following:
Features that have to be enabled or disabled on the PBX.
Specialized hardware that has to be installed.
Whether a VoIP gateway is required.
Features that must be present on the VoIP gateway, if one is needed.
Specific cabling requirements between an IP gateway and a PBX.
A list of Unified Messaging features that may not be available with a given telephony configuration.
To find out more about the Microsoft Unified Communications Open Interoperability Program for enterprise
telephony infrastructure, including finding qualified SIP PSTN gateways and IP PBXs and the process telephony
infrastructure vendors can use to join and participate in the program, see Microsoft Unified Communications
Open Interoperability Program.
PBX MODEL | SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR
Aastra
MD110 (formerly Ericsson MD110) | MX1 TSW R2A (aka BC13) | Analog - Serial MD110 | Dialogic | DMG1008LSW | Dialogic
Alcatel
Avaya
Merlin Magix | Release 1.5 v.6.0 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes
Cisco
Inter-Tel
Intecom
Mitel
NEC
Electra Elite 192 | SP034V4.5 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes
NeXspan
Nortel
Panasonic
Rolm
ShoreTel
Siemens
HiCom 150E | Rel. 2.2 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes
HiPath 4000 | Ver 3.0 SMR5 SMP4 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes
Sonus
Tadiran
Toshiba
Session border controllers (SBCs) enable you to connect your on-premises telephony network to a Microsoft
datacenter over a dedicated public WAN connection. An SBC sits on the edge of your on-premises IP network and
connects to a second SBC in a Microsoft datacenter.
SBCs require the use of digital certificates to encrypt all traffic between your on-premises organization and the
Microsoft datacenter. You must obtain a digital certificate for the network border element, such as a session border
controller, that you're using to communicate with Exchange hybrid and online deployments. Digital certificates
establish trust between your on-premises organization and the Microsoft datacenter and enable mutual Transport
Layer Security (mutual TLS). After this trust is established, the network border elements at your on-premises
organization and at the Microsoft datacenter exchange session keys, and use these keys to encrypt the subsequent
data traffic.
In hybrid or online deployments, a UM IP gateway represents an SBC. The subject common name in the
certificate must match the fully qualified domain name (FQDN) value in the Address box on the UM IP gateway
that you create. For example, if you specify the FQDN address sbcexternal.contoso.com on your UM IP gateway,
make sure that the subject name and subject alternative name in the certificate contain the same value:
sbcexternal.contoso.com. The name that you use is case-sensitive, so make sure the case is the same on both the
certificate and the UM IP gateway. If you're using an Acme Packet SBC and the common name doesn't match the
UM IP gateway's FQDN, the call will be rejected with a 403 error.
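One way to check the name-matching rule above before placing calls, as an added example that is not the original article's code. Test-SbcCertificateName is a hypothetical function; it assumes you have an exported copy of the SBC's certificate (for example a .cer file) and the exact text entered in the Address box of the UM IP gateway.

```powershell
# Added example. Runs in Windows PowerShell or PowerShell 7; no Exchange
# session is needed because it only reads the certificate file.
function Test-SbcCertificateName {
    param(
        [Parameter(Mandatory)][string] $CertPath,     # exported SBC certificate
        [Parameter(Mandatory)][string] $GatewayFqdn   # UM IP gateway Address value
    )
    $path = (Resolve-Path -Path $CertPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

    # Subject common name.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    # Subject alternative names (extension OID 2.5.29.17). The formatted text
    # is "DNS Name=host" on Windows and "DNS:host" on other platforms.
    $sans = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }

    # -ceq and -ccontains compare case-sensitively, as the rule requires.
    $cnExact  = $cn -ceq $GatewayFqdn
    $sanExact = $sans -ccontains $GatewayFqdn
    # Same letters but different case: the mismatch that is hardest to spot.
    $caseOnly = (-not ($cnExact -and $sanExact)) -and
                (($cn -ieq $GatewayFqdn) -or ($sans -icontains $GatewayFqdn))

    [pscustomobject]@{
        GatewayFqdn       = $GatewayFqdn
        SubjectCommonName = $cn
        SubjectAltNames   = $sans -join ', '
        CommonNameMatches = $cnExact
        AltNameMatches    = $sanExact
        CaseOnlyMismatch  = $caseOnly
        NotAfter          = $cert.NotAfter
        Pass              = $cnExact -and $sanExact
    }
}

# Usage with the FQDN from this page (the file path is a placeholder):
# Test-SbcCertificateName -CertPath '.\sbc.cer' -GatewayFqdn 'sbcexternal.contoso.com'
```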
NOTE
Because SBCs are designed to sit on the network edge, they also function as a firewall. If you set up an SBC behind your
organization's firewall, it can cause configuration problems and is unsupported for connecting to Office 365.
NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will end in
July 2018. Please see the Exchange team blog Discontinuation of support for session border controllers in Exchange Online
unified messaging for more information.
VENDOR | MODEL | CONFIGURATION NOTES | COMMENTS
Acme Packet | Net-Net 3820 or 4500 | Contact the hardware vendor for up to date instructions on how to set up their device. | Dedicated SBC
AudioCodes | Mediant 1000B MSBG | Contact the hardware vendor for up to date instructions on how to set up their device. | SBC and IP gateway
NET | VX1200 & VX1800 | Contact the hardware vendor for up to date instructions on how to set up their device. | SBC option for a VoIP gateway product
After you've deployed all the required telephony equipment for your organization, including your VoIP gateways,
IP PBXs, and SIP-enabled PBXs or Microsoft Lync Server, you need to create all the Unified Messaging (UM)
components that will enable your telephony devices to communicate with servers in your organization.
UM components
The UM components enable the integration of Unified Messaging into your directory structure and your existing
telephony infrastructure. Your directory stores all the components and settings for UM. Each UM component is
necessary to support Unified Messaging. Some UM components are created to represent a telephony hardware
device. Others are created to represent a telephony dial plan for an organization or to support a specific feature of
Unified Messaging.
There's a tightly integrated and interconnected relationship between the UM components and the features
available in Unified Messaging. To successfully plan and deploy Unified Messaging in your organization, you need
to fully understand the relationship between each UM component and the others.
For more information about the UM components, see:
UM dial plans [ONP]
UM IP gateways
UM hunt groups
Automatically answer and route incoming calls
For more information about setting up voice mail for users, see:
UM mailbox policies
Voice mail for users
UM dial plans [ONP]
2/28/2019 • 11 minutes to read
Unified Messaging (UM) dial plans are the main component of Unified Messaging and are required to successfully
deploy Unified Messaging voice mail on your network. The following sections discuss UM dial plans and how
they're used in a UM deployment.
IMPORTANT
Each time you create a UM dial plan, a default UM mailbox policy is also created. The UM mailbox policy is named <Dial Plan
Name> Default Policy. This UM mailbox policy can be deleted or configured differently.
When you create the first UM IP gateway and specify a UM dial plan at the time you create it, a default UM hunt
group is also created. Creating these components enables the Exchange servers to receive calls from a VoIP
gateway, IP PBX, or SBC and then process those incoming calls for users who are associated with the UM dial plan.
In on-premises or hybrid deployments, when a call comes in to the VoIP gateway, IP PBX, or SBC, it forwards the
call to a Client Access server. The Client Access server then forwards the call to a Mailbox server and the Mailbox
server tries to match the extension number of the user to the associated UM dial plan.
VoIP security
Exchange servers communicate with VoIP gateways, IP PBXs, and other Exchange computers in either Unsecured,
SIP secured, or Secured mode, depending on how the UM dial plan is configured. In on-premises and hybrid
deployments, Client Access and Mailbox servers can operate in any mode configured on a dial plan because the
servers listen on TCP port 5060 for Unsecured requests and TCP port 5061 for Secured requests at the same time
if they're configured to start in dual mode. Client Access and Mailbox servers answer all incoming calls for all UM
dial plans, but these dial plans can have different VoIP security settings.
In on-premises and hybrid deployments, by default, when you create a UM dial plan, it will communicate in
Unsecured mode, and the Client Access and Mailbox servers will send and receive data from VoIP gateways, IP
PBXs, and SBCs without using encryption. In Unsecured mode, neither the Realtime Transport Protocol (RTP)
media channel nor the SIP signaling information is encrypted. You can use the Get-UMDialPlan cmdlet in
Exchange Online PowerShell to determine the security setting for a specific UM dial plan.
In on-premises and hybrid deployments, you can configure a Client Access and Mailbox server to use mutual
Transport Layer Security (mutual TLS) to encrypt the SIP and RTP traffic sent and received from other devices and
servers. When you configure the dial plan to use SIP secured mode, only the SIP signaling traffic will be encrypted,
and the RTP media channels will still use TCP, which isn't encrypted. However, when you configure the dial plan to
use Secured mode, both the SIP signaling traffic and the RTP media channels are encrypted. An encrypted
signaling media channel that uses Secure Realtime Transport Protocol (SRTP) also uses mutual TLS to encrypt the
VoIP data.
You can configure the VoIP security mode either when you're creating a new dial plan or after you've created a dial
plan using the EAC or the Set-UMDialPlan cmdlet in Exchange Online PowerShell. When you configure the UM
dial plan to use SIP secured or Secured mode, Client Access and Mailbox servers will encrypt the SIP signaling
traffic or the RTP media channels or both. However, to be able to send encrypted data to and from Exchange
servers, you must correctly configure the UM dial plan, and VoIP devices such as VoIP gateways, IP PBXs, and
SBCs must support mutual TLS.
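An added example (not from the original documentation) of the check described above: it reads each dial plan's VoIPSecurity value as returned by Get-UMDialPlan and reports which of SIP signaling and RTP media is left unencrypted. The function name Get-UMDialPlanExposure is an assumption made for illustration, and the sample dial plan objects are constructed so the script also runs without an Exchange session.

```powershell
# Added example, not Microsoft's code. Maps each UM dial plan's VoIP security
# mode to what it encrypts, following the three modes described in the text:
#   Unsecured  -> neither SIP signaling nor RTP media is encrypted
#   SIPSecured -> SIP signaling only
#   Secured    -> SIP signaling and RTP media (SRTP)

function Get-UMDialPlanExposure {
    [CmdletBinding()]
    param(
        # Any object with Name and VoIPSecurity properties, such as Get-UMDialPlan output.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$DialPlan
    )
    process {
        $mode = [string]$DialPlan.VoIPSecurity
        switch ($mode) {
            'Unsecured'  { $sip = $false; $rtp = $false }
            'SIPSecured' { $sip = $true;  $rtp = $false }
            'Secured'    { $sip = $true;  $rtp = $true  }
            default      { $sip = $null;  $rtp = $null  }  # unknown value: report it, do not guess
        }
        [pscustomobject]@{
            Name         = $DialPlan.Name
            VoIPSecurity = $mode
            SipEncrypted = $sip
            RtpEncrypted = $rtp
            # Anything short of both channels encrypted is flagged for review.
            NeedsReview  = -not ($sip -eq $true -and $rtp -eq $true)
        }
    }
}

if (Get-Command -Name Get-UMDialPlan -ErrorAction SilentlyContinue) {
    # Running inside an Exchange PowerShell session: use the real dial plans.
    $plans = Get-UMDialPlan
} else {
    # Constructed sample objects (illustrative names, not real configuration).
    $plans = @(
        [pscustomobject]@{ Name = 'SamplePlan-Default'; VoIPSecurity = 'Unsecured'  }
        [pscustomobject]@{ Name = 'SamplePlan-SIP';     VoIPSecurity = 'SIPSecured' }
        [pscustomobject]@{ Name = 'SamplePlan-TLS';     VoIPSecurity = 'Secured'    }
    )
}

$report = $plans | Get-UMDialPlanExposure
$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize

# Preview (no change is made) what moving the flagged plans to Secured would do.
if (Get-Command -Name Set-UMDialPlan -ErrorAction SilentlyContinue) {
    $report | Where-Object { $_.NeedsReview } | ForEach-Object {
        Set-UMDialPlan -Identity $_.Name -VoIPSecurity Secured -WhatIf
    }
}
```

The -WhatIf switch only previews the change; as the text above states, the VoIP gateways, IP PBXs, and SBCs must support mutual TLS before a dial plan is switched to SIP secured or Secured mode.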
A Unified Messaging (UM) dial plan contains configuration information related to your
telephony network. A UM dial plan establishes a link from the telephone extension number of a
user enabled for voice mail to their mailbox. When you create a UM dial plan, you can configure
the number of digits in the extension numbers, the Uniform Resource Identifier (URI) type, and
the Voice over IP (VoIP) security setting for the dial plan.
Each time you create a UM dial plan, a UM mailbox policy is also created. The UM mailbox policy
is named <DialPlanName> Default Policy.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange
Online Protection.
Extension length (digits): Enter the number of digits for the dial plan. The number of
digits for extension numbers is based on the telephony dial plan created on a Private
Branch eXchange (PBX) or IP PBX. For example, if a user associated with a telephony dial
plan dials a four-digit extension to call another user in the same telephony dial plan, you
select 4 as the number of digits in the extension.
This is a required box that has a value range from 1 through 20. The typical extension
length is from 3 through 7. If your existing telephony environment includes extension
numbers, you must specify a number of digits that matches the number of digits in those
extensions.
When you create a Session Initiation Protocol (SIP) or an E.164 dial plan and associate a
UM-enabled user with the dial plan, you must still input an extension number to be used
by the user. This number is used by Outlook Voice Access users when they access their
mailbox.
Dial plan type: A Uniform Resource Identifier (URI) is a string of characters that
identifies or names a resource. The main purpose of this identification is to enable VoIP
devices to communicate with other devices over a network using specific protocols. URIs
are defined in schemes that define a specific syntax and format and the protocols for the
call. In simple terms, this format is passed from the IP PBX or PBX. After you create a UM
dial plan, you won't be able to change the URI type without deleting the dial plan, and then
re-creating the dial plan to include the correct URI type. You can select one of the
following URI types for the dial plan:
Telephone extension: This is the most common URI type. The calling and called party
information from the VoIP gateway or IP Private Branch eXchange (PBX) is listed in one
of the following formats: Tel:512345 or 512345@<IP address>. This is the default URI
type for dial plans.
SIP URI: Use this URI type if you must have a Session Initiation Protocol (SIP) URI dial
plan such as an IP PBX that supports SIP routing or if you're integrating Microsoft Office
Communications Server 2007 R2 or Microsoft Lync Server and Unified Messaging. The
calling and called party information from the VoIP gateway, IP PBX, or Communications
Server 2007 R2 or Lync Server is listed as a SIP address in the following format:
sip:<username>@<domain or IP address>:Port.
E.164: E.164 is an international numbering plan for public telephone systems in which
each assigned number contains a country code, a national destination code, and a
subscriber number. The calling and called party information sent from the VoIP gateway
or IP PBX is listed in the following format: Tel:+14255550123.
Caution
After you create a dial plan, you will be unable to change the URI type without deleting the
dial plan, and then re-creating the dial plan to include the correct URI type.
VoIP security mode: Use this drop-down list to select the VoIP security setting for the
UM dial plan. You can select one of the following security settings for the dial plan:
Unsecured: By default, when you create a UM dial plan, it is set to not encrypt the SIP
signaling or RTP traffic. In unsecured mode, the Client Access and Mailbox servers
associated with the UM dial plan send and receive data from VoIP gateways, IP PBXs, SBCs
and other Client Access and Mailbox servers using no encryption. In unsecured mode,
neither the Realtime Transport Protocol (RTP) media channel nor the SIP signaling
information is encrypted.
SIP secured: When you select SIP secured, only the SIP signaling traffic is encrypted,
and the RTP media channels still use TCP, which isn't encrypted. With SIP secured, Mutual
Transport Layer Security (TLS) is used to encrypt the SIP signaling traffic and VoIP data.
Secured: When you select Secured, both the SIP signaling traffic and the RTP media
channels are encrypted. Both the secure signaling media channel that uses Secure
Realtime Transport Protocol (SRTP) and the SIP signaling traffic use mutual TLS to
encrypt the VoIP data.
Audio language: Use this list to specify the default language to be used by Outlook Voice
Access users. This setting doesn't apply to the language setting on a UM auto attendant.
You can set the language for Outlook Voice Access to be the same as or different from the
language that's used on a UM auto attendant. When a user places a call to a user who is
linked with a dial plan, the audio language is the default language that the voice-recorded
operator uses. The system prompts that callers hear are played in the same language. The
language that is chosen on the UM dial plan is used to read email, voice mail, and calendar
items; to say the user's name if a personal greeting hasn't been recorded; to transcribe a
voice message using the Voice Mail Preview feature; and to enable Automatic Speech
Recognition (ASR) to work correctly.
Country/Region code: Use this box to type the country/region code number to be used
for outgoing calls. This number will precede the telephone number that's dialed. This box
accepts from 1 through 4 digits. For example, in the United States, the country/region
code is 1. In the United Kingdom, it's 44.
3. Click Save.
This example creates a new UM dial plan named MyUMDialPlan that uses five-digit extension
numbers and supports SIP URIs.
After you create a Unified Messaging (UM) dial plan, you can view and configure a variety of settings. For example,
you can configure the level of Voice over IP (VoIP) security, the audio codec, and dialing restrictions. The settings
that you configure on the UM dial plan affect all users who are linked with the dial plan through a UM mailbox
policy.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
Extension length (digits): This is the number of digits in the extension numbers for users who are
associated with this dial plan. For example, if a user associated with a dial plan dials a 4-digit extension to
call another user in the same dial plan, select 4 as the number of digits in the extension.
The number of digits for extension numbers is based on the telephony dial plan created on an IP PBX or
PBX. This is a required field that has a value range from 1 through 20. The typical extension length is from 3
through 7 digits. If your existing telephony environment includes extension numbers, you must specify a
number of digits that matches the number of digits in those extensions when you create the UM dial plan.
Dial plan type: A Uniform Resource Identifier (URI) is a string of characters that identifies or names a
resource. The main purpose of this identification is to enable VoIP devices and PBXs to communicate with
other devices over a network using specific protocols. URIs are defined in schemes that define a specific
syntax and format and the protocols for the call. In simple terms, this format is passed from the IP PBX or
PBX and the type of dial plan you create must match that format. After you create a UM dial plan, you won't
be able to change the dial plan type without deleting the dial plan, and then re-creating the correct type of
dial plan. You can select one of the following dial plan types:
Telephone extension: This is the most common dial plan type. The calling and called party information
from the VoIP gateway or IP Private Branch eXchange (PBX) is listed in one of the following formats:
Tel:512345 or 512345@<IP address>. This is the default type for dial plans.
SIP URI: Use this dial plan type if you must have a Session Initiation Protocol (SIP) URI dial plan such as
an IP PBX that supports SIP routing, a SIP-enabled PBX, or if you're integrating Microsoft Office
Communications Server 2007 R2 or Microsoft Lync Server and Unified Messaging. The calling and called
party information from the VoIP gateway, IP PBX, SIP-enabled PBX, or Communications Server 2007 R2 or
Lync Server is listed as a SIP address in the following format: sip:<username>@<domain or IP
address>:Port.
E.164: E.164 is an international numbering plan for public telephone systems in which each assigned
number contains a country code, a national destination code, and a subscriber number. The calling and
called party information sent from the VoIP gateway and PBX or IP PBX is listed in the following format:
Tel:+14255550123.
NOTE
After you create a dial plan, you won't be able to change the dial plan type without deleting the dial plan, and then
re-creating the correct type of dial plan.
VoIP security mode: Use this drop-down list to select the VoIP security setting for the UM dial plan. You
can select one of the following security settings for the dial plan:
Unsecured: By default, when you create a UM dial plan, it's set to not encrypt the SIP signaling or RTP
traffic. In Unsecured mode, the Exchange servers associated with the UM dial plan send and receive data
from VoIP gateways, IP PBXs, SBCs, and other Exchange servers using no encryption. In Unsecured mode,
neither the Realtime Transport Protocol (RTP) media channel nor the SIP signaling information is
encrypted.
SIP secured: When you select SIP secured, only the SIP signaling traffic is encrypted, and the RTP media
channels still use TCP, which isn't encrypted. With SIP secured, mutual Transport Layer Security (TLS) is
used to encrypt the SIP signaling traffic and VoIP data.
Secured: When you select Secured, both the SIP signaling traffic and the RTP media channels are
encrypted. Both the secure signaling media channel that uses Secure Realtime Transport Protocol (SRTP)
and the SIP signaling traffic use mutual TLS to encrypt the VoIP data.
5. Dial codes: Use this page to configure the dial codes for a UM dial plan. Several dial code settings can be
configured on the dial plan. These include incoming and outgoing calling options. You can configure the
following:
Dial codes for outgoing calls: Use these settings to specify the dialing codes for outgoing calls that can be
made by UM-enabled users. These outgoing calls are calls that are placed using Outlook Voice Access or
from a voice mail message.
Outside line access code: Use this field to type the number or numbers used to access an outside
telephone number for outgoing external calls. This number will precede the telephone number dialed. This
is also called a trunk access code. This field accepts from 1 through 16 digits. For many organizations, this
number is 9. By default, this field isn't populated.
Frequently, this setting is used in telephony environments where a PBX or IP PBX is located onsite or
maintained in an organization. It may not have to be configured if your organization's telephony
environment is maintained by an external business or vendor.
International access code: Use this field to type the number code used to access international telephone
numbers for outgoing calls. This number will precede the telephone number dialed. By default, this field isn't
populated. This field accepts from 1 through 4 digits. For example, the international access code for the
United States is 011. For Europe, it's 00.
National number prefix: Use this field to type the number code used to dial telephone numbers that are
out of an area code but within the country/region. This number will precede the telephone number dialed.
By default, this field isn't populated. This field accepts from 1 through 4 digits. For example, 0 is used in
Europe, and 1 is used in North America.
Country/Region code: Use this field to type the country/region code number used for outgoing calls. This
number will precede the telephone number dialed. By default, this field isn't populated. This field accepts
from 1 through 4 digits. For example, in the United States, the country/region code is 1. In the United
Kingdom, it's 44.
Number formats for dialing between UM dial plans: Use these settings to configure calls between
users in separate dial plans when they place calls between the dial plans.
Country/Region number format: Use this field to specify how a user's telephone number should be
dialed by the Exchange servers when users are in a different dial plan that has the same country code. This
is used by auto attendants and when an Outlook Voice Access user searches and tries to call the user in the
directory.
This entry consists of a number prefix and a variable number of characters (for example, 020 xxxxxxx). To
determine the telephone number, Unified Messaging will append the last x digits from the telephone
number specified in the directory to the prefix specified.
International number format: Use this field to specify how a user's telephone number should be dialed
by Unified Messaging when the users are in different dial plans that have different country codes. This is
used by an auto attendant and when an Outlook Voice Access user searches and tries to call the user in the
directory.
This entry consists of a number prefix and a variable number of characters (for example, 4420 xxxxxxx). To
determine the telephone number, Unified Messaging will append the last x digits from the telephone
number specified in the directory to the prefix specified.
Number formats for incoming calls within the same dial plan: Use this field to add or remove a
number format for incoming calls that are placed between users in the same dial plan. This field accepts
both numbers and the letter "x" as a wild card character. No other letters can be used in this field.
For incoming calls within the same dial plan, add a number format. For example, to add a number format for
5-digit extensions, enter 142570xxxxx and click Add. To remove a number format, click Remove.
6. Outlook Voice Access: Use this page to configure Outlook Voice Access settings for the UM dial plan.
Outlook Voice Access enables users to access their individual mailboxes to retrieve email, voice messages,
contacts, and calendaring information using a telephone. You can view or configure the following:
Welcome greeting: This display-only field shows the name of the sound file that will be used for the
welcome greeting.
Default greeting: The welcome greeting is used when an Outlook Voice Access user or another caller calls
the Outlook Voice Access number and does a directory search. This audio file is the default greeting for a
UM dial plan. However, you may want to change this welcome greeting and provide another welcome
greeting specific to your company, such as, "Welcome to Outlook Voice Access for Contoso, Ltd."
If you decide to customize this greeting, you must first record the customized greeting, save it as a .wav file,
and then configure the dial plan to use this customized greeting. The file name and path must not exceed
255 characters.
You can add a customized greeting by clicking Change, and then clicking Browse to select a previously
recorded custom greeting and specify the audio file (.wav) to use for the welcome greeting. If you don't
specify an audio file, Outlook Voice Access users will hear a default welcome greeting that says, "Welcome,
you are connected to Microsoft Exchange."
Informational announcement: When enabled, this optional recording plays immediately after the
business or non-business hours welcome greeting. An informational announcement may state the
organization's security policies for accessing the system, for example, "When you gain access to our system
using Outlook Voice Access, you have agreed to the terms of our business agreement and all security
policies for our organization apply. Access to our system is monitored and gaining illegal access will be
prosecuted." An informational announcement can also provide information that's required for compliance
with company policy, for example, "Calls may be monitored for training purposes." If it's important that
callers hear the whole informational announcement, it can be marked as uninterruptible.
By default, there's no informational announcement configured on UM dial plans. To enable an informational
announcement and use a custom audio file specific to your organization, click Change and then click
Browse.
Allow announcement to be interrupted: Select this check box to enable the Outlook Voice Access user
to interrupt the informational announcement. You should do this if you have long informational
announcements. Outlook Voice Access users may become frustrated if the informational announcement is
long and they can't interrupt it to access the options provided by the UM dial plan.
Outlook Voice Access numbers: Use this field to add a telephone or extension number or a SIP URI that
an Outlook Voice Access user will call to access the voice mail system using Outlook Voice Access. In most
cases, you enter an extension number or an external telephone number. However, because this field accepts
all alphanumeric characters, a SIP URI can be used if you're using an IP PBX, Office Communications
Server 2007 R2, or Microsoft Lync Server.
By default, when a dial plan is created, no Outlook Voice Access numbers are defined. To enable Outlook
Voice Access users to call into Outlook Voice Access, you must configure at least one telephone number. The
number of alphanumeric characters can't exceed 20.
When you configure this number on the dial plan, this number will be displayed in Microsoft Office Outlook
2007 or later versions and Outlook Web App for voice mail options.
To add a new Outlook Voice Access number, enter the number in the box and click Add. To remove an
Outlook Voice Access number, click Remove.
7. Settings: Use this page to configure dial plan settings for Unified Messaging. When you configure settings on
this page, you can control how Outlook Voice Access users and external callers calling into an auto attendant
linked to the dial plan locate users in your organization, the audio codec that is used for voice mail messages,
the number of sign-in failures, and time-out values. You can configure the following:
Primary way to search for names: Use this list to select the primary way that callers can locate a user
when they dial in to the system.
By default, Last First is selected. This means that when users are searching for a user in the directory, they
will enter the user's last name first and then the first name.
When an Outlook Voice Access user calls in to an Outlook Voice Access number to access their mailbox, a
caller calls in to an Outlook Voice Access number to perform a directory search, or a caller calls in to an auto
attendant linked to a UM dial plan, they can search for a user in the directory by spelling their name or alias.
You must select one of the supported methods to be able to use the dial-by-name primary method. The
following methods are supported:
Last First (default)
First Last
SMTP address
Secondary way to search for names: Use this list to select the secondary way that callers can locate a
user when they dial in to the system.
By default, SMTP address is selected. This means that when users search for a user in the directory, they
will enter the user's email alias or SMTP address.
When an Outlook Voice Access user calls in to an Outlook Voice Access number to access their mailbox, a
caller calls in to an Outlook Voice Access number to perform a directory search, or a caller calls in to an auto
attendant linked to a UM dial plan, they can search for a user in the directory by spelling their name or alias.
When you select one of these options, callers can use the primary way to search for names or the secondary
way to search for names to locate users in the directory.
You aren't required to select one of the four methods that are supported. However, if you don't select a
secondary way to search for users, callers will be given only one way to search for a user. The following
options are available:
Last First
First Last
SMTP address (default)
None
Audio codec: Use this list to select the audio codec that will be used by the dial plan. When a caller places a
call to a user who is associated with the dial plan and leaves a voice message, Unified Messaging uses the
audio codec that you select from this list to record voice messages that will be sent to voice mail-enabled
users. The following audio codecs are supported:
MP3 (default)
WMA (Windows Media Audio)
G711 (Pulse Code Modulation (PCM) Linear)
GSM (Group System Mobile 06.10)
By default, the MP3 format is selected. The MP3 format is a common audio file format that's used to greatly
reduce the size of the audio file and is most commonly used by personal audio devices or MP3 players.
MP3 is a cross-platform type of audio codec and is used for compatibility with many mobile phones and
devices and various computer operating systems.
WMA is used because it's highly compressed and has high-quality format properties. G.711 PCM Linear is
a telephone-quality audio codec format that's the least compressed and has the lowest-quality format. GSM
06.10 is an audio codec format that's used by mobile phone vendors and is the standard for digital mobile
phone services.
If you're concerned about users' disk quotas, select WMA as the audio codec. Voice files saved in .wma
format are approximately half the size of the same voice recording made using one of the other audio
codecs.
Operator extension: Use this text box to enter the telephone number or an extension number for the dial
plan's operator. This is different than an operator extension that is configured on a UM auto attendant.
However, you can put in the same phone or extension number for both types of operators.
You can configure this setting to transfer calls to an auto attendant if one is configured, to a human operator,
to external telephone numbers, or to extension numbers.
When a caller who is using the telephone keypad presses 0, or says "reception" or "operator," or the
Number of input failures before disconnecting threshold is exceeded, the caller is transferred to the
telephone or extension number that you specify in this text box.
This telephone number can be a number external to the organization or an internal telephone extension
number. For example, if the extension number for the receptionist or operator is 81964 and your
organization has only one dial plan, enter 81964.
By default, this setting is blank. If you don't enter a number in this text box, the ability to transfer calls to the
operator is disabled and callers are politely disconnected because there's no one to answer the call.
We recommend that you populate this text box with a telephone number that transfers callers to an
operator if they can't locate a specific user in the directory.
Number of sign-in failures before disconnecting: Use this text box to enter the number of sequential
unsuccessful logon attempts allowed before a caller is disconnected.
The value of this setting can be from 1 through 20. Setting this value too low can frustrate users. For most
organizations, this value should be set to the default of three attempts.
Timeouts and retries: These settings apply to Outlook Voice Access users and external callers that dial into
a UM auto attendant.
Maximum call duration (minutes): Use this text box to enter the maximum number of minutes that an
incoming call can be connected to the system without being transferred to a valid extension number before
the call is ended. For most organizations, this value should be set to the default of 30 minutes.
This setting applies to all kinds of calls. This includes incoming Outlook Voice Access calls, voice calls
internal to your organization, and voice and incoming fax calls external to your organization.
The value of this setting can be from 10 through 120. Setting this value too low can cause incoming calls to
be disconnected before they are completed. For example, if your organization receives many large fax
messages, you may want to consider increasing this value from the default so that all the pages for fax
messages are received.
Maximum recording duration (minutes): Use this text box to enter the maximum number of minutes
allowed for each voice recording when a caller leaves a voice mail message. For most organizations, this
value should be set to the default of 20 minutes.
The value of this setting can be from 1 through 100. Setting this value too low can cause long voice
messages to be disconnected before they are completed. Setting this value too high lets users save lengthy
voice messages in their Inboxes.
This setting is important if you have implemented strict disk quotas for users. This value must be less than
the value set for the Maximum call duration (minutes) setting.
Recording idle time out (seconds): Use this text box to enter the number of seconds of silence that the
system allows when a voice message is being recorded before the call is ended. For most organizations, this
value should be set to the default of 5 seconds.
The value of this setting can be from 2 through 10. Setting this value too low can cause the system to
disconnect callers before they are finished leaving their voice messages. Setting this value too high allows
lengthy silences in voice messages.
Number of input failures before disconnecting: Use this text box to configure the number of times that
callers can enter incorrect menu choices before they are disconnected. For most organizations, this value
should be set to the default of three attempts. This is an important setting for speech-enabled UM dial
plans.
Examples of incorrect data include when a caller requests an extension number that isn't found in the
system, the system can't locate the user's extension number to transfer the call, or the caller presses a menu
option that isn't valid.
The value of this setting can be from 1 through 20. Setting this value too low may prematurely disconnect
the caller.
Audio language: Use this list to specify the default language to be used by Outlook Voice Access users.
This setting doesn't apply to the language setting on a UM auto attendant. You can set the language for
Outlook Voice Access to be the same as or different from the language that's used on a UM auto attendant.
When a user places a call to a user who is linked with a dial plan, the audio language is the default language
that the voice-recorded operator uses. The system prompts that callers hear are played in the same
language. The language that is chosen on the UM dial plan is used to read email, voice mail, and calendar
items; to say the user's name if a personal greeting hasn't been recorded; to transcribe a voice message
using the Voice Mail Preview feature; and to enable Automatic Speech Recognition (ASR) to work correctly.
For on-premises deployments, adding other languages lets Outlook Voice Access use a language other than
U.S. English. For example, if an Outlook Voice Access user calls in using an Outlook Voice Access number
from a desk telephone, the user is greeted with a prerecorded operator's voice in English. Even if the same
user selects a different language, such as French, in Outlook Web App, the menus are still read in U.S.
English. For the user to be able to hear the prerecorded operator menus in French, you must install the
appropriate language pack.
NOTE
For Exchange Online, all languages are available.
8. Dialing rules: Use this page to specify dialing rules for in-country/region and international calls placed by UM-enabled
users. Each entry defined on the dialing rule determines the types of calls that users within a specific
dialing rule group can make. After you use the Dialing rules page to configure dialing rules, you must
configure the UM dial plan, a UM mailbox policy, or a UM auto attendant to use the appropriate dialing rule.
After you configure the UM mailbox policy to use a dialing rule group, the dialing restrictions configured apply
to all UM-enabled users who are associated with the UM mailbox policy. For example, you can configure a
dialing rule group that doesn't require users who are associated with the dial plan to dial an outside line access
code when they place a call to an in-country/region telephone number. You can configure the following:
In-country/region dialing rules: Use this box to add, remove, or edit in-country/region dialing rule
groups used by UM mailbox policies. To create a dialing rule, click Add. To edit an existing dialing rule,
click Edit. To remove a dialing rule, click Remove. When you create a dialing rule, add the following
information on the New dialing rule page:
Dialing rule name: Use this text box to enter the name for the dialing rule you are creating. You can use
the same name to collect several rules in a group and then enable or disable them under Dialing
authorization. The name can be up to 32 characters long.
Number pattern to transform (number mask): Use this text box to enter the number pattern to
transform before dialing, for example 91425xxxxxxx. If a user enters a number that matches this pattern, UM
will transform the number dialed into a dialed number before placing the call. You can only enter numbers
and the wildcard character, "x".
Dialed number: Use this text box to enter the number you want to dial that matches the number pattern
you set in the Number pattern to transform (number mask). The dialed number is used to determine
the actual dial string sent to the VoIP gateway or IP PBX. This number can be different from the number
obtained by Unified Messaging for the outgoing call. However, your PBX or IP PBX can also be configured
to omit the area code for local calls and can be configured for private voice numbering plans. Any wildcard
characters (x) in the dial string are replaced with the digits from the original number that were matched by
the number mask on the dialing rule. An example of a valid dialed number is 9xxxxxxx. This field can contain
only numbers and the character x.
Comment: Use this text box to put in a comment or description for the dialing rule that you're adding or
modifying. By default, this text box is blank.
NOTE
If you are integrating with Office Communications Server 2007 R2 or Microsoft Lync Server, you'll probably find it
unnecessary to configure dialing rules or dialing rule groups in Unified Messaging. Office Communications Server
2007 R2 and Lync Server are designed to perform call routing and number translation for users in your organization,
and will also do this when the calls are made on behalf of users.
International rules: Use this text box to add, remove, or edit international dialing rule groups used by UM
mailbox policies.
Dialing rule name: Use this text box to enter the name for the dialing rule you are creating. You can use
the same name to collect several rules in a group and then enable or disable them under Dialing
authorization. The name can be up to 32 characters long.
Number pattern to transform (number mask): Use this text box to enter the number pattern to
transform before dialing, for example 91425xxxxxxx. If a user enters a number that matches this pattern, UM
will transform the number dialed into a dialed number before placing the call. You can only enter numbers
and the wildcard character, "x".
Dialed number: Use this text box to enter the number you want to dial that matches the number pattern
you set in Number pattern to transform (number mask). The dialed number is used to determine the
actual dial string sent to the VoIP gateway or IP PBX. This number can be different from the number
obtained by Unified Messaging for the outgoing call. However, your PBX or IP PBX can also be configured
to omit the area code for local calls and can be configured for private voice numbering plans. Any wildcard
characters (x) in the dial string are replaced with the digits from the original number that were matched by
the number mask on the dialing rule. An example of a valid dialed number is 9xxxxxxx. This field can contain
only numbers and the character x.
Comment: Use this text box to put in a comment or description for the dialing rule that you're adding or
modifying. By default, this text box is blank.
NOTE
For on-premises deployments, if you are integrating with Office Communications Server 2007 R2 or Microsoft Lync
Server, you'll probably find it unnecessary to configure dialing rules or dialing rule groups in Unified Messaging. Office
Communications Server 2007 R2 or Lync Server are designed to perform call routing and number translation for
users in your organization, and will also do this when the calls are made on behalf of users.
9. Dialing authorization: Use this page to select dialing rules for callers who call in to an Outlook Voice Access
number configured on a UM dial plan. You can restrict the type of calls placed by callers when an
unauthenticated user or an Outlook Voice Access user calls in to an Outlook Voice Access number configured
on a dial plan by configuring dialing rule groups and dialing restrictions. You can configure the following:
Calls in the same UM dial plan: Select this check box to let users who call in to an Outlook Voice Access
number configured on a dial plan place or transfer calls to an extension number associated with a
UM-enabled user who is within the same dial plan. By default, this setting is enabled.
When you disable this setting, users who call in to the Outlook Voice Access number won't be able to place
or transfer calls to any users who aren't UM-enabled, to other extension numbers, or to UM-enabled users
who are associated with the same dial plan. This is because the Allow calls to any extension setting is
disabled by default.
Allow calls to any extension: When this setting is disabled, users who call in to an Outlook Voice Access
number on the dial plan can't place calls to users who aren't UM-enabled or to other extension numbers not
associated with a UM-enabled user. However, they can place a call or transfer a call to extension numbers
associated with UM-enabled users. This is because the Calls in the same UM dial plan setting is enabled
by default. The Allow calls to any extension setting is disabled by default.
NOTE
To avoid attempted fraud and other potential threats to your UM environment, follow the guidance in the blog post
Is your Exchange Unified Messaging protected against telecommunication fraud?
When this setting is enabled, users who call in to an Outlook Voice Access number configured on the dial
plan can place calls to users who aren't UM-enabled, to other extension numbers not associated with a
UM-enabled user, and to UM-enabled users. This is because the Calls in the same UM dial plan setting is
enabled by default.
You can enable this setting in an environment where not all users have been UM-enabled. This setting is
also useful when you want to allow users who call in to an Outlook Voice Access number configured on a dial
plan to call extension numbers that aren't associated.
Authorized in-country/region dialing rule groups: Use this section to add or remove allowed in-
country/region dialing rules. By default, there are no in-country/region dialing rules configured on UM dial
plans.
In-country/region dialing rule groups are used to allow or restrict the telephone numbers within a country
or region that any user who has dialed in to the subscriber access number can dial. This helps prevent
unnecessary or unauthorized telephone calls and charges.
To add in-country/region dialing rules, you must first create the appropriate in-country/region dialing rule
on the dial plan, and then add the appropriate dialing rule entries on the dialing rule. After you create the
required dialing rules on the dial plan, you must then add the dialing rule to the list of dialing authorizations
on the Dialing authorization page on the dial plan.
In-country/region dialing rule groups can be used to allow or restrict access to telephone numbers within a
country or region. This is applied to all users who have called in to an Outlook Voice Access number.
Authorized international dialing rule groups: Use this section to add or remove allowed international
dialing rules. By default, there are no international dialing rules configured on UM dial plans.
International dialing rules are used to allow or restrict the telephone numbers outside a country or region
that any user who has dialed in to the Outlook Voice Access number can dial. This helps prevent
unnecessary or unauthorized telephone calls and charges.
To add international dialing rule groups, you must first create the appropriate international dialing rules on
the dial plan, and then add the appropriate dialing rule entries. After you create the required dialing rules on
the dial plan, you must then add the dialing rule to the list of dialing authorizations on the Dialing
authorization page on the dial plan.
International dialing rule groups can be used to allow or restrict access to telephone numbers outside a
country or region. This is applied to all users who have called in to an Outlook Voice Access number.
10. Transfer & search: Use this page to configure the UM dial plan features. Several features can be configured on
the UM dial plan. These include transferring calls, sending voice messages, and searching for users. You can
configure the following:
Allow callers to: Use these settings to determine how users who call in to an Outlook Voice Access
number can contact users. You can configure the following:
Transfer to users: Select this check box to enable Outlook Voice Access users to transfer calls to users. By
default, this option is enabled. This lets users associated with the dial plan transfer calls to users in the same
UM dial plan. After you select this check box, you can set the group of users callers can search for by
selecting the appropriate option under the Allow callers to search for users by name or alias section on
this page.
If you disable this option, Outlook Voice Access won't allow callers to be transferred to any users in the dial
plan.
Leave voice messages without ringing a user's phone: Select this check box to enable callers to send
voice messages to users. By default, this option is enabled. This lets Outlook Voice Access users who are
associated with the dial plan send voice messages to users in the same UM dial plan. After you select this
check box, you can set the group of users callers can search for by selecting the appropriate option under
the Allow callers to search for users by name or alias section on this page.
If you disable this option, Outlook Voice Access won't invite callers to send a voice message during a system
prompt.
Allow callers to search for users by name or alias: Use these options to determine a grouping of users
that can be searched. By default, the In this dial plan only option is selected. However, you can change the
grouping of users. Choose from the following options:
In this dial plan only: Use this option to allow callers who connect to Outlook Voice Access to locate and
contact users who are within the dial plan that they are a member of.
In the entire organization: Use this option to allow callers who connect to Outlook Voice Access to locate
and contact anyone who is listed in the entire organization. This includes all users who are mailbox-enabled
or UM-enabled users in all dial plans.
Only on this auto attendant: Use this list to allow Outlook Voice Access users to connect to a UM auto
attendant and then potentially connect to another auto attendant you have configured. You must create this
auto attendant to allow callers to be transferred to another auto attendant that's specified.
Only for this extension: Use this option to allow Outlook Voice Access users to connect to an extension
number that you specify in the field for this option. This field accepts only numeric digits. The number of
digits that you define in this field must match the number of digits configured on the dial plan associated
with the auto attendant.
Information to include for users with the same name: Use this field to select how the dial plan
differentiates between users who have the same or similar names. When a caller is prompted to enter letters
or say the person's name to find a particular user in the organization, sometimes more than one name
matches the caller's input. If there are two users with the same name, UM will use one of the following ways
to add additional information to the user's name. For example, if you select Department, when an Outlook
Voice Access user calls in to Outlook Voice Access and searches for a user and there are duplicate or similar
names in the directory, the caller will hear the user's name and department, for example:
1. System: "Welcome to Outlook Voice Access. Please enter your PIN and press the pound key."
2. Caller inputs their PIN followed by the # key.
3. System: "Please say voice mail, email, calendar, personal contacts, directory, or personal options."
4. Caller: "Directory"
5. System: "Directory search. Please note, for the following tasks the system requires you to use your
telephone keypad rather than speaking. Use the keypad to spell the name of the person you're trying
to find, last name first, or to spell the first part of their email address, press the pound key twice, if
you know the extension, press the pound key."
6. Caller uses the keypad and inputs "smithtony" and presses the # key.
7. System: "For Tony Smith, research, press 1. For Tony Smith, administration, press 2. For Tony Smith,
technical support, press 3."
8. Caller presses the appropriate key on the keypad and the call is transferred to the user.
By default, all UM auto attendants associated with this dial plan inherit this setting. However, you can
change this setting on each UM auto attendant you create.
Select one of the following methods for providing callers with more information to help them locate the
correct user in the organization:
None: No additional information is given when matches are listed. By default, this method is selected.
Title: The voice mail system includes each user's title when matches are listed.
Department: The voice mail system includes each user's department when matches are listed.
Location: The voice mail system includes each user's location when matches are listed.
Prompt for alias: The voice mail system prompts the caller for the user's alias.
11. After you configure the required settings, click Save to save your changes.
This example configures a UM dial plan named MyDialPlan to use a welcome greeting.
This example configures a UM dial plan named MyDialPlan with dialing rules.
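# Load the dialing rule entries from a CSV file.
$csv = Import-Csv "C:\MyInCountryGroups.csv"
# Define the in-country/region dialing rule groups on the dial plan.
Set-UMDialPlan -Identity MyDialPlan -ConfiguredInCountryGroups $csv
# Authorize the dialing rule groups that callers on this dial plan may use.
Set-UMDialPlan -Identity MyDialPlan -AllowedInCountryGroups "local, long distance"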
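The number mask and dialed number rules described above can be checked before a CSV like this is imported. The following PowerShell is an added example, not code from the original page or from Microsoft; the CSV column names, the function names Test-DialingRule and Convert-DialedNumber, the left-to-right wildcard substitution, and the sample rows are assumptions made for illustration.

```powershell
# Added example: lint dialing rule entries and preview the dial string each one produces.
# Column names, function names and sample rows are assumptions, not Exchange definitions.

function Test-DialingRule {
    # Returns the findings for one rule; no output means the rule passed.
    param([Parameter(Mandatory)] $Rule)

    $findings = @()
    if ([string]::IsNullOrWhiteSpace($Rule.Name) -or $Rule.Name.Length -gt 32) {
        $findings += 'name must be 1 to 32 characters'
    }
    foreach ($field in 'NumberMask', 'DialedNumber') {
        # Case-sensitive match: only digits and the lowercase wildcard x are allowed.
        if ($Rule.$field -cnotmatch '^[0-9x]+$') {
            $findings += "$field may contain only digits and x"
        }
    }
    if ($findings.Count -eq 0) {
        $maskWildcards   = ($Rule.NumberMask   -creplace '[^x]', '').Length
        $dialedWildcards = ($Rule.DialedNumber -creplace '[^x]', '').Length
        # Lint rule of this example: require a one-to-one wildcard mapping.
        if ($maskWildcards -ne $dialedWildcards) {
            $findings += 'mask and dialed number have different wildcard counts'
        }
        # A mask with no fixed digits matches every number of that length.
        if ($Rule.NumberMask -cmatch '^x+$') {
            $findings += 'mask has no fixed digits; review before authorizing this group'
        }
    }
    return $findings
}

function Convert-DialedNumber {
    # Applies one rule to a number; returns the dial string, or $null when the mask does not match.
    param([string] $Number, [string] $NumberMask, [string] $DialedNumber)

    if ($Number -notmatch '^[0-9]+$' -or $Number.Length -ne $NumberMask.Length) { return $null }

    $captured = ''
    for ($i = 0; $i -lt $NumberMask.Length; $i++) {
        $maskChar  = $NumberMask.Substring($i, 1)
        $digitChar = $Number.Substring($i, 1)
        if ($maskChar -ceq 'x') {
            $captured += $digitChar            # digit matched by a wildcard
        } elseif ($maskChar -ne $digitChar) {
            return $null                       # a fixed digit differs: no match
        }
    }

    $result = ''
    $next = 0
    for ($i = 0; $i -lt $DialedNumber.Length; $i++) {
        $outChar = $DialedNumber.Substring($i, 1)
        if ($outChar -ceq 'x') {
            if ($next -ge $captured.Length) { return $null }   # more wildcards than captured digits
            $result += $captured.Substring($next, 1)
            $next++
        } else {
            $result += $outChar
        }
    }
    return $result
}

# Constructed sample rules; in practice this is the output of Import-Csv.
$rules = @'
Name,NumberMask,DialedNumber,Comment
local,91425xxxxxxx,9xxxxxxx,Local calls without the area code
long distance,91xxxxxxxxxx,91xxxxxxxxxx,Domestic long distance
anything,xxxxxxxxxxxx,xxxxxxxxxxxx,Matches every 12-digit number
typo,91206xxxxxxx,9xxxxxx,Wildcard counts do not line up
'@ | ConvertFrom-Csv

$testNumber = '914255550100'   # constructed number used to preview each rule

$report = foreach ($rule in $rules) {
    $findings = @(Test-DialingRule -Rule $rule)
    [pscustomobject]@{
        Name       = $rule.Name
        NumberMask = $rule.NumberMask
        Preview    = Convert-DialedNumber $testNumber $rule.NumberMask $rule.DialedNumber
        Findings   = $findings -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap

# Only import the rules when no entry has findings.
if (@($report | Where-Object { $_.Findings }).Count -eq 0) {
    Write-Output 'All rules passed.'
} else {
    Write-Output 'Fix the findings above before running Set-UMDialPlan.'
}
```

The preview column also shows when one number matches more than one rule, which matters when only some groups are later authorized on the Dialing authorization page.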
Get-UMDialplan
This example displays a formatted list of all of the settings on a UM dial plan named MyUMDialPlan.
Unified Messaging can use one of four codecs for creating voice mail messages: MP3, Windows Media Audio
(WMA), Group System Mobile (GSM) 06.10, and G.711 Pulse Code Modulation (PCM) Linear. By default, when
you create a Unified Messaging (UM) dial plan, the UM dial plan uses the MP3 audio codec to record voice
messages. The MP3 audio format is a popular audio format that is used across multiple operating systems, email
clients, and MP3 players. After the UM dial plan is created, you can configure the UM dial plan to use one of the
other audio formats including the WMA, GSM 06.10, or G.711 PCM Linear audio codecs. To listen to the voice
message, a mobile phone or computer must have a compatible audio software application installed.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the EAC to change the audio codec on a Unified Messaging dial
plan
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Audio codec, use the drop-down list to select one of the following:
MP3
WMA
GSM
G711
5. Click Save.
This example sets the audio codec on a UM dial plan named MyUMDialPlan to WMA.
You can specify the maximum number of minutes that an incoming call can be connected to the system without
being transferred to a valid extension number before the call is ended. For most organizations, this value should be
set to the default: 30 minutes. This setting applies to all calls, including incoming Outlook Voice Access calls, voice
calls internal to your organization, voice calls into Unified Messaging (UM) auto attendants, and fax calls placed
from outside your organization.
This value can be set to a number from 10 through 120. Setting this value too low can cause incoming calls to be
disconnected before they're completed. For example, if your organization receives many large fax messages, you
may want to consider increasing this value from the default so that all the pages of fax messages are received.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.
You can specify the maximum number of minutes allowed for each voice recording when a caller leaves a voice
mail message. This value can be set to a number from 1 through 100. For most organizations, this value should be
set to the default of 20 minutes. Setting this value too low can cause long voice messages to be disconnected
before they're completed. Setting this value too high lets users save lengthy voice messages in their Inboxes.
This setting is important if you've implemented strict disk quotas for users. It must be set to a lower value than the
one set for Maximum call duration (minutes).
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.
You can specify the number of seconds of silence that the system allows when a voice message is being recorded
before the call is ended. For most organizations, this value should be set to the default of 5 seconds.
This value can be set from 2 through 10. Setting this value too low can cause the system to disconnect callers
before they've finished leaving their voice messages. Setting this value too high allows lengthy silences in voice
messages.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
You can enable Voice over IP (VoIP) security for a Unified Messaging (UM) dial plan. By default, when a UM dial
plan is created, it will use Unsecured mode or no encryption. Exchange servers can answer calls for single or
multiple UM dial plans and can answer calls for dial plans that have different VoIP security settings. In Office 365
and Exchange Online, Secured mode is required and can't be disabled.
When you configure a UM dial plan to use Session Initiation Protocol (SIP) secured or Secured mode, the
Exchange servers that answer calls for the UM dial plan will encrypt the SIP signaling traffic (for SIP secured
mode) or both the Realtime Transport Protocol (RTP) media channels and the SIP signaling traffic (for Secured
mode).
IMPORTANT
For on-premises and hybrid deployments, when you configure the SipTCPListeningPort, SipTLSListeningPort, or the
UMStartUpMode on a Client Access server running the Microsoft Exchange Unified Messaging Call Router service or a
Mailbox server running the Microsoft Exchange Unified Messaging service, you will need to configure the Windows Firewall
rules correctly to allow SIP and RTP network traffic.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
This example configures a UM dial plan named MySecureDialPlan to encrypt SIP but not encrypt RTP traffic.
This example configures a UM dial plan named MySecureDialPlan to not encrypt SIP and RTP traffic.
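The VoIP security mode, the Allow calls to any extension setting, the authorized dialing rule groups and the recording limit described on this page can be reviewed together. The following PowerShell is an added example, not code from the original page or from Microsoft; Get-DialPlanFinding is a hypothetical helper and the two sample dial plans are constructed, with property names taken from the corresponding Set-UMDialPlan parameters.

```powershell
# Added example: review dial plan settings discussed on this page.
# Get-DialPlanFinding is a hypothetical helper; the sample dial plans are constructed.

function Get-DialPlanFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $DialPlan)
    process {
        $findings = @()

        # Unsecured: nothing encrypted. SIPSecured: signaling only. Secured: signaling and media.
        switch ("$($DialPlan.VoIPSecurity)") {
            'Unsecured'  { $findings += 'SIP signaling and RTP media are unencrypted' }
            'SIPSecured' { $findings += 'RTP media is unencrypted (only SIP signaling is protected)' }
        }

        # Allow calls to any extension is disabled by default; enabling it widens what callers can reach.
        if ($DialPlan.AllowExtensions) {
            $findings += 'callers can dial extensions that are not associated with a UM-enabled user'
        }

        # Authorized dialing rule groups decide which outside numbers callers can dial.
        # Where-Object drops $null so an unset property counts as zero groups.
        $inCountry     = @($DialPlan.AllowedInCountryGroups     | Where-Object { $_ })
        $international = @($DialPlan.AllowedInternationalGroups | Where-Object { $_ })
        if ($international.Count -gt 0) {
            $findings += "international groups authorized: $($international -join ', ')"
        }
        if ($inCountry.Count -gt 0) {
            $findings += "in-country/region groups authorized: $($inCountry -join ', ')"
        }

        # The recording limit must be lower than the call duration limit.
        if ($DialPlan.MaxRecordingDuration -ge $DialPlan.MaxCallDuration) {
            $findings += 'MaxRecordingDuration is not lower than MaxCallDuration'
        }

        $review = 'no findings'
        if ($findings.Count -gt 0) { $review = $findings -join '; ' }

        [pscustomobject]@{
            DialPlan = $DialPlan.Name
            Review   = $review
        }
    }
}

# Constructed sample objects standing in for Get-UMDialPlan output.
$samplePlans = @(
    [pscustomobject]@{
        Name                       = 'MyDialPlan'
        VoIPSecurity               = 'Unsecured'
        AllowExtensions            = $true
        AllowedInCountryGroups     = @('local', 'long distance')
        AllowedInternationalGroups = @('international')
        MaxCallDuration            = 30
        MaxRecordingDuration       = 30
    }
    [pscustomobject]@{
        Name                       = 'MySecureDialPlan'
        VoIPSecurity               = 'Secured'
        AllowExtensions            = $false
        AllowedInCountryGroups     = @()
        AllowedInternationalGroups = @()
        MaxCallDuration            = 30
        MaxRecordingDuration       = 20
    }
)

$samplePlans | Get-DialPlanFinding | Format-Table -AutoSize -Wrap

# Against a live organization, pipe the real objects instead:
#   Get-UMDialPlan | Get-DialPlanFinding
```

An authorized dialing rule group is not a defect by itself; the output lists the groups so that each one can be confirmed as intended.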
You can configure a Unified Messaging (UM) dial plan to specify the information that is provided for callers when
users have the same or similar names. UM uses this setting to differentiate between users who have the same or
similar names and provide this information to callers. When a caller or an Outlook Voice Access user is prompted
to enter letters to find a particular user, sometimes more than one name matches the caller's input. You can use one
of the available options for providing the caller with more information to help them locate the user they're trying
to reach.
You can set this setting on both UM dial plans and UM auto attendants. When a UM auto attendant is created, it
inherits this setting from the dial plan associated with the auto attendant. By default, this setting isn't configured for
dial plans, so no additional information will be given to callers to help them locate the correct user.
NOTE
For the information that will be included for users with similar names to work correctly, you must provide the title,
department, and location information for the recipients in your Microsoft Exchange organization.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
Use the EAC to configure a UM dial plan for users with similar names
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM dial plan page, click Configure > Transfer & search, and under Information to include for
users with the same name, select one of the following options:
Title: The dial plan includes each user's title when it finds two or more users with similar names.
Department: The dial plan includes each user's department when it finds two or more users with similar
names.
Location: The dial plan includes each user's location when it finds two or more users with similar names.
None: The dial plan won't include any additional information when users have similar names. Although this
is the default setting, we recommend that you include one of the available options for callers. If you don't,
callers won't be able to tell the difference between two or more users with similar names.
Prompt For alias: The dial plan prompts the caller for the user's alias. An alias is the part of the user's email
or SMTP address that is before the at (@) symbol.
3. Click Save.
This example sets the information to include with users with similar names to department on a UM dial plan
named MyDialPlan.
This example sets the information to include with users with similar names to location on a UM dial plan named
MyDialPlan.
You can delete an existing Unified Messaging (UM) dial plan. When you delete the UM dial plan, it will no longer
be available for UM IP gateways, UM mailbox policies, and UM hunt groups. You can't delete a UM dial plan if it's
referenced by or associated with UM mailbox policies, UM auto attendants, UM IP gateways, or UM hunt groups.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
A Unified Messaging (UM) IP gateway represents a physical Voice over IP (VoIP) gateway, IP Private Branch
eXchange (PBX), or session border controller (SBC) hardware device. Before a VoIP gateway, IP PBX, or SBC can
be used to answer incoming calls and send outgoing calls for voice mail users, a UM IP gateway must be created
in the directory service.
Overview of UM IP gateways
Traditionally, gateway is a term that describes a physical device that connects two incompatible networks. With
Exchange Unified Messaging and other unified messaging solutions, the VoIP gateway is used to translate
between the Public Switched Telephone Network (PSTN)/Time Division Multiplex (TDM) or circuit-switched
based telephony network and an IP or packet-switched data network. An IP PBX also translates between the
PSTN network and a packet-switched network, so when an IP PBX is used, a VoIP gateway isn't required. A VoIP
gateway is only required if you are connecting a legacy PBX hardware device to your UM deployment.
NOTE
A packet-switched network is a network in which packets (messages or fragments of messages) are individually routed
between devices such as routers, switches, VoIP gateways, IP PBXs and SBCs. This contrasts with a circuit-switched network
that sets up a dedicated connection between the two nodes for their exclusive use for the duration of the communication.
Exchange Unified Messaging relies on the ability of the VoIP gateway to translate TDM or telephony circuit-
switched based protocols, such as Integrated Services Digital Network (ISDN) or QSIG, from a PBX to protocols
based on VoIP or IP, such as Session Initiation Protocol (SIP), Realtime Transport Protocol (RTP), or T.38 for real-
time facsimile transport.
IP PBXs are also used when connecting a circuit-switched telephony network to a data or packet-switched
network. They are also used to translate circuit-switched protocols to protocols based on VoIP or IP, such as SIP,
RTP, and Secure RTP (SRTP).
Session Border Controllers (SBCs) are somewhat different than VoIP gateways and IP PBXs. Instead of
connecting a circuit-switched network to a packet-switched network, they're used to connect two data networks
over a public network like the internet or over a private WAN connection. In Unified Messaging, SBCs are used in
a hybrid deployment of UM in which UM uses some components that are located on-premises and others, such as
mailboxes, that are located in the cloud.
VoIP device configurations
Although there are many types and manufacturers of PBXs, VoIP gateways, IP PBXs, and SBCs, there are basically
three types of VoIP device configurations:
IP PBX: A single device that translates between the PSTN/TDM or circuit-switched based telephony
network and an IP or packet-switched data network
PBX (legacy) and a VoIP gateway: Two separate components that together translate between the
PSTN/TDM or circuit-switched telephony network and an IP or packet-switched data network
SBC: Single or multiple devices that connect two types of IP-based networks such as a LAN and a
datacenter.
To support Unified Messaging, one or both types of IP/VoIP device configurations are used when connecting a
telephony network infrastructure to a data network infrastructure or connecting an on-premises deployment with
a UM deployment in the cloud.
UM IP gateways
The UM IP gateway contains one or more UM hunt groups and configuration settings. UM hunt groups are used
to link a UM IP gateway to a UM dial plan. The combination of the UM IP gateway and a UM hunt group
establishes a link between a VoIP gateway, IP PBX, or SBC and a UM dial plan. By creating multiple UM hunt
groups, you can associate a single UM IP gateway with multiple UM dial plans.
After you create a UM IP gateway, the Exchange servers linked to the UM IP gateway will send a SIP OPTIONS
request to the VoIP gateway, IP PBX, or SBC to ensure that the device is responsive. If the VoIP gateway, IP PBX,
or SBC doesn't respond to the request, an Exchange server will log an event with ID 1400 stating that the request
failed. If this happens, make sure that the VoIP gateway, IP PBX, or SBC is available and online and that the
Unified Messaging configuration is correct.
A Mailbox server communicates only with VoIP gateways, IP PBXs, or SBCs listed as trusted SIP peers. In some
cases, if two VoIP gateways, IP PBXs, or SBCs are configured to use the same IP address, an event with ID 1175
will be logged. Unified Messaging protects against unauthorized requests by retrieving the internal URL of the
Unified Messaging Web services virtual directory and then using the URL to build the list of FQDNs for the trusted
SIP peers. When two FQDNs are resolved to the same IP address, this event is logged.
NOTE
The maximum number of UM IP gateways per dial plan is 200. If you create more than 200, the UM service won't start.
Create a UM IP gateway
Manage a UM IP gateway
Enable a UM IP gateway
Disable a UM IP gateway
Configure a fully qualified domain name
Configure the IP address
Configure the listening port
Delete a UM IP gateway
Create a UM IP gateway
2/28/2019 • 4 minutes to read
When you create a Unified Messaging (UM) IP gateway, you enable Exchange servers to connect to a new Voice
over IP (VoIP) gateway, a Private Branch eXchange (PBX) enabled for Session Initiation Protocol (SIP), an IP
PBX, or a session border controller (SBC). Immediately after you create a UM IP gateway, you should create a
new UM hunt group and then associate the UM hunt group with the UM IP gateway. You can associate the UM
IP gateway with one or more UM dial plans by creating one or more UM hunt groups.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
If you use an FQDN, you must also make sure that you've correctly configured a DNS host record for the
VoIP gateway so that the host name will be correctly resolved to an IP address. Also, if you use an FQDN
instead of an IP address, and the DNS configuration for the UM IP gateway is changed, you must disable
and then enable the UM IP gateway to make sure that configuration information for the UM IP gateway is
updated correctly.
UM dial plan: Click Browse to select the UM dial plan that you want to associate with the UM IP
gateway. When you select a UM dial plan to associate with a UM IP gateway, a default UM hunt group is
also created and associated with the UM dial plan that you selected. If you don't select a UM dial plan, you
must manually create a UM hunt group and then associate that UM hunt group with the UM IP gateway
that you create.
3. Click Save.
This example creates a UM IP gateway named MyUMIPGateway that enables Exchange servers to start accepting
calls from a VoIP gateway, a PBX enabled for SIP, an IP PBX, or an SBC that has an FQDN of
MyUMIPGateway.contoso.com and listens on port 5061.
This example creates a UM IP gateway named MyUMIPGateway and prevents the UM IP gateway from accepting
incoming calls or sending outgoing calls, sets an IPv6 address, and allows the UM IP gateway to use IPv4 and
IPv6 addresses.
After you create a Unified Messaging (UM) IP gateway, you can view or configure a variety of settings. For
example, you can configure the IP address or a fully qualified domain name (FQDN), configure outgoing call
settings, and enable or disable Message Waiting Indicator.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
This example prevents the UM IP gateway named MyUMIPGateway from accepting incoming calls and prevents
outgoing calls.
This example enables the UM IP gateway to function as a VoIP gateway simulator and can be used with the
Test-UMConnectivity cmdlet.
IMPORTANT
There is a period of latency before all changes that you make to the configuration of a UM IP gateway replicate to all
Exchange servers in the same UM dial plan as the UM IP gateway.
This example prevents the UM IP gateway named MyUMIPGateway from accepting incoming calls and prevents
outgoing calls, sets an IPv6 address, and allows the UM IP gateway to use IPv4 and IPv6 addresses.
Get-UMIPGateway | Format-List
This example displays all the UM IP gateways including VoIP gateway simulators in the Active Directory forest.
By default, when a Unified Messaging (UM) IP gateway is created, its status is set to enabled. However, you might
need to disable the UM IP gateway to take it offline and not allow it to take incoming or outgoing calls. After you
create a UM IP gateway, you can control its operation and functionality by setting its status variable to enabled or
disabled.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
By default, when you create a Unified Messaging (UM) IP gateway, the status of the UM IP gateway is enabled.
After the UM IP gateway is created, you can disable the operation of the gateway by setting its status to disabled.
After you disable the UM IP gateway, the Voice over IP (VoIP) gateway, IP Private Branch eXchange (PBX), or
session border controller (SBC) that it's configured to use can no longer process incoming Unified Messaging calls.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
This example disables a UM IP gateway named MyUMIPGateway and disconnects all current calls immediately.
You can configure a Unified Messaging (UM) IP gateway with either an IP address or a fully qualified domain
name (FQDN). When you create a UM IP gateway, you must define the IP address or the FQDN configured on the
VoIP gateway, IP PBX, or session border controller (SBC) that you're using. You can change the IP address or
FQDN after the UM IP gateway is created.
If you create a UM IP gateway using an FQDN, you must create the appropriate HOST (A) records in your DNS
forward lookup zone. If you create a UM IP gateway using an FQDN, and the DNS configuration for the UM IP
gateway is changed, you must disable and then enable the UM IP gateway to make sure that its configuration
information is updated correctly.
If you want to use mutual Transport Layer Security (mutual TLS) between a UM IP gateway and a dial plan
operating in either SIP secured or Secured mode, you must configure the UM IP gateway with an FQDN. You
must also configure it to listen on port 5061 and verify that the VoIP gateway, IP PBX, or SBC has also been
configured to listen for mutual TLS requests on port 5061. To configure a UM IP gateway, run the following
command: Set-UMIPGateway -Identity MyUMIPGateway -Port 5061
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
This example configures a UM IP gateway named MySBC with an FQDN of sbc.contoso.com and listens for SIP
requests on TCP port 5061.
Before you create a Unified Messaging (UM) IP gateway, you must first set the IP address or the fully qualified
domain name (FQDN) on the VoIP gateway, IP PBX, or session border controller (SBC) that you're using. Then,
when you create the UM IP gateway, you set the IP address or FQDN. You can change the IP address or FQDN
later.
You can configure the IP address or FQDN using either the EAC or Exchange Online PowerShell. In the EAC, the
Address box on the UM IP gateway page can accept an IPv4 IP address, an IPv6 address, or an FQDN. You can
also use the Address parameter on the Set-UMIPGateway cmdlet in Exchange Online PowerShell to set an IPv4
IP address, an IPv6 address, or an FQDN. If you create a UM IP gateway using an FQDN, you must create the
appropriate HOST A records in your DNS forward lookup zone. If the DNS configuration for the UM IP gateway
is changed, you must disable and then enable the UM IP gateway to make sure that its configuration information is
updated correctly.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
IMPORTANT
If you use an FQDN instead of an IP address on the UM IP gateway, verify that the correct DNS records have been created.
Use Exchange Online PowerShell to configure the IP address on a UM IP gateway
This example configures a UM IP gateway named MyUMIPGateway with an IP address of 10.10.10.1.
This example configures a UM IP gateway named MyUMIPGateway with an IP address of 10.10.10.10 and listens for
SIP requests on TCP port 5061.
This example prevents the UM IP gateway named MyUMIPGateway from accepting incoming and outgoing calls, sets
an IPv6 address, and allows the UM IP gateway to use IPv4 and IPv6 addresses.
You can configure the TCP port that's used to listen for Session Initiation Protocol (SIP) requests on a Unified
Messaging (UM) IP gateway. By default, when you create a UM IP gateway, the TCP SIP listening port number is
set to 5060. The TCP SIP listening port can't be configured or changed by using the EAC. You must configure the
TCP SIP listening port number by using the Set-UMIPGateway cmdlet.
You may have to configure the TCP listening port number to 5061 if you want to:
Set the VoIP security setting on a UM dial plan to SIP Secured.
Set the VoIP security setting on a UM dial plan to Secured.
Integrate with Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server.
Use mutual Transport Layer Security (mutual TLS) to encrypt network data between Exchange servers and
a VoIP gateway, Private Branch eXchange (PBX) enabled for SIP, IP PBX, or session border controller (SBC).
If you want to use mutual TLS between a UM IP gateway and a dial plan operating in either SIP Secured or
Secured mode, when you create the UM IP gateway you must configure it with a fully qualified domain name
(FQDN) and then use Exchange Online PowerShell to configure the UM IP gateway to listen on TCP port 5061.
You must also verify that any VoIP gateways, PBXs enabled for SIP, IP PBXs, and SBCs have also been configured
to listen for mutual TLS requests on port 5061.
IMPORTANT
When you create a UM IP gateway using an FQDN, you must create the appropriate HOST (A) records in your DNS forward
lookup zone. If you create a UM IP gateway using an FQDN, and the DNS configuration for the UM IP gateway is changed,
you must disable and then enable the UM IP gateway to make sure that the UM IP gateway's configuration information is
updated correctly.
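The mutual TLS prerequisites described above (an FQDN address, a resolvable host record, and listening port 5061) can be checked across all gateways at once. The following is an added example, not part of the original documentation: Test-UMIPGatewayMutualTls is a hypothetical helper, the sample gateways other than MySBC and MyUMIPGateway are constructed, and the Name, Address and Port property names are assumed to match what Get-UMIPGateway returns.

```powershell
# Added example. Test-UMIPGatewayMutualTls is a hypothetical helper name.
# It checks each gateway object against the mutual TLS prerequisites:
# FQDN (not an IP literal), a resolvable host record, and SIP port 5061.
function Test-UMIPGatewayMutualTls {
    [CmdletBinding()]
    param(
        # Objects with Name, Address and Port properties (assumed to match
        # the output of Get-UMIPGateway).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Gateway,

        # Script block that returns $true when a host name resolves.
        # The default performs a real DNS lookup; pass a stub to run offline.
        [scriptblock]$Resolver = {
            param($HostName)
            try { [System.Net.Dns]::GetHostAddresses($HostName).Count -gt 0 }
            catch { $false }
        }
    )
    process {
        $address  = [string]$Gateway.Address
        $port     = [int]$Gateway.Port
        $findings = [System.Collections.Generic.List[string]]::new()

        # An address that parses as IPv4 or IPv6 is a literal, not an FQDN.
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($address, [ref]$parsed)) {
            $findings.Add('Address is an IP literal; mutual TLS requires an FQDN.')
        }
        elseif (-not (& $Resolver $address)) {
            $findings.Add('FQDN does not resolve; check the HOST (A) record.')
        }

        if ($port -ne 5061) {
            $findings.Add("Listening port is $port; mutual TLS expects 5061.")
        }

        [pscustomobject]@{
            Name     = $Gateway.Name
            Address  = $address
            Port     = $port
            Ready    = ($findings.Count -eq 0)
            Findings = $findings -join ' '
        }
    }
}

# Constructed sample data standing in for Get-UMIPGateway output.
$sampleGateways = @(
    [pscustomobject]@{ Name = 'MySBC';         Address = 'sbc.contoso.com'; Port = 5061 }
    [pscustomobject]@{ Name = 'MyUMIPGateway'; Address = '10.10.10.10';     Port = 5061 }
    [pscustomobject]@{ Name = 'LegacyPBX';     Address = 'pbx.contoso.com'; Port = 5060 }
    [pscustomobject]@{ Name = 'StaleDns';      Address = 'old.contoso.com'; Port = 5061 }
)

# Offline stub resolver: pretend only these two names have host records.
$stubResolver = {
    param($HostName)
    $HostName -in 'sbc.contoso.com', 'pbx.contoso.com'
}

$sampleGateways |
    Test-UMIPGatewayMutualTls -Resolver $stubResolver |
    Format-Table -AutoSize -Wrap
```

In a live session, pipe Get-UMIPGateway into the function and omit -Resolver so the real DNS lookup runs.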
When you delete a Unified Messaging (UM) IP gateway, Exchange servers can no longer accept incoming calls
from the Voice over IP (VoIP) gateway, Session Initiation Protocol (SIP)-enabled Private Branch eXchange (PBX),
IP PBX, or session border controller (SBC) associated with the UM IP gateway.
IMPORTANT
You should delete a UM IP gateway only when you fully understand the implications of disabling communication with a VoIP
gateway, IP PBX, or SBC.
A telephony hunt group provides a way to distribute telephone calls from a single number to multiple extensions
or telephone numbers. In Unified Messaging (UM), a UM hunt group is a logical representation of a telephony
hunt group, and it links a UM IP gateway to a UM dial plan.
Looking for management tasks related to Unified Messaging hunt groups? See UM hunt group procedures.
A Unified Messaging (UM) hunt group is a logical representation of a Private Branch eXchange (PBX) or IP PBX
hunt group. A UM hunt group acts as a connection or link between a UM IP gateway and a UM dial plan.
NOTE
If you associate a UM dial plan with the UM IP gateway when you create a UM IP gateway, a UM hunt group will also be
created.
NOTE
If you want to change the settings for a UM hunt group, you must delete the hunt group and then create another hunt
group that has the appropriate settings.
For additional management tasks related to UM hunt groups, see UM hunt group procedures.
This example creates a UM hunt group named MyUMHuntGroup that has multiple pilot identifiers.
When you view the properties for a Unified Messaging (UM) hunt group, you can view the properties associated
with a single UM hunt group or with all UM hunt groups associated with a single UM IP gateway. If neither
parameter is specified, all UM hunt groups will be returned. You can't use the EAC to view UM hunt group
properties; you must use Exchange Online PowerShell.
After a UM hunt group has been created, the configured settings can't be changed. If you want to change a
configuration setting such as the pilot identifier on a UM hunt group, you must delete the existing UM hunt group
and create a new UM hunt group that has the correct settings.
For additional tasks related to UM hunt groups, see UM hunt group procedures.
Get-UMHuntGroup
This example displays the details of a UM hunt group named MyUMHuntGroup in a formatted list.
After you delete a Unified Messaging (UM) hunt group, the UM IP gateway associated with the UM hunt group
will no longer service or answer incoming calls. If deleting the UM hunt group leaves the UM IP gateway without
any remaining configured hunt groups, the UM IP gateway can't handle or process UM calls.
For additional tasks related to UM hunt groups, see UM hunt group procedures.
Caution
If you want to change the UM hunt group settings, you must delete the hunt group and then create another hunt
group that has the appropriate settings.
Microsoft Exchange Unified Messaging (UM) enables you to create a single or multiple UM auto attendants,
depending on the needs of your organization. Unlike other Unified Messaging components, such as UM dial plans
and UM IP gateways, you aren't required to create UM auto attendants. However, auto attendants help internal
and external callers locate users or departments that exist in an organization and transfer calls to them. This topic
discusses the UM auto attendant feature found in Unified Messaging.
Auto attendants
In telephony or Unified Messaging environments, an automated attendant or auto attendant menu system
transfers callers to the extension of a user or department without the intervention of a receptionist or an operator.
In many auto attendant systems, a receptionist or operator can be reached by pressing or saying zero. The
automated attendant is a feature in most modern Private Branch eXchanges (PBXs), IP PBXs, and Unified
Messaging solutions.
Some auto attendant systems use message-only information menus and voice menus so an organization can
provide business hours, directions to the premises, information about job opportunities, and answers to other
frequently asked questions. After the message plays, callers are forwarded to the receptionist or operator, or they
can return to the main menu.
In more complex auto attendant systems, the menu system can be used to search for other auto attendant menus,
locate a user in the system, or transfer to another outside telephone line. The menu system can also be used to let
the caller interact with the system in certain situations, such as when a student enrolls for a college class or checks
a grade, or when you activate a credit card over the telephone.
Although auto attendants can be very useful, if they aren't designed and configured correctly, they can confuse and
frustrate callers. For example, specifically in large organizations, when auto attendants aren't designed correctly,
callers can be led through a lengthy series of questions and menu prompts before they are finally transferred to a
person to answer their questions.
UM auto attendants
Unified Messaging enables you to create one or more UM auto attendants depending on the needs of your
organization. UM auto attendants can be used to create a voice menu system for an organization that lets external
and internal callers move through the UM auto attendant menu system to locate and place or transfer calls to
company users or departments in an organization.
When anonymous or unauthenticated users call an external business telephone number, or when internal callers
call a defined extension number, they are presented with a series of voice prompts that help them place a call to a
user or locate a user in the organization and then place a call to that user. The UM auto attendant is a series of
voice prompts or .wav files that callers hear instead of a human operator when they call an organization that has
Unified Messaging. The UM auto attendant lets callers move through the menu system, place calls, or locate users
by using dual tone multi-frequency (DTMF) or voice inputs. However, for Automatic Speech Recognition (ASR) or
voice inputs to be used, you must enable ASR on the UM auto attendant.
A UM auto attendant has the following features:
It provides corporate or informational greetings.
It provides custom corporate menus. You can customize these menus to have more than one level.
It provides a directory search function that enables a caller to search the organization's directory for a name.
It enables a caller to connect to the telephone of, or leave a message for, members of the organization.
There is no limit to the number of UM auto attendants you can create. Each Unified Messaging auto attendant can
support an unlimited number of extensions. A UM auto attendant can reference one, and only one, UM dial plan.
UM auto attendants can also reference or link to other UM auto attendants.
An incoming call received from an external telephone number or an internal telephone extension is passed
between Exchange servers, and then sent to a UM auto attendant. The UM auto attendant is configured by the
administrator to use prerecorded voice (.wav) files that are played over the telephone to the caller and that enable
the caller to move through the Unified Messaging menu system. You can customize all the .wav files used when
you configure a UM auto attendant to meet the needs of your organization.
TIP
In Exchange UM, authenticated and non-authenticated Outlook Voice Access users can't search for users in the directory
using speech inputs in any language. However, callers that call into an auto attendant can use speech inputs in multiple
languages to navigate auto attendant menus and search for users in the directory.
In Unified Messaging (UM), callers can use dual tone multi-frequency (DTMF), also referred to as touchtone, and
voice inputs to interact with the system. The methods that callers can use depend on how the UM dial plans and
auto attendants are configured.
The DTMF interface enables callers to use the telephone keypad to locate users and navigate the UM voice mail
menu system when they call an Outlook Voice Access number configured on a dial plan or when they call a
telephone number configured on an auto attendant. This topic discusses the DTMF interface and how it's used by
callers to locate users and to navigate the UM voice mail menu system.
DTMF overview
DTMF requires a caller to press a key on the telephone keypad that corresponds to a Unified Messaging menu
option or to input a user's name or email alias by using the letters on the keys to spell the name or alias. Callers
might use DTMF because Automatic Speech Recognition (ASR) hasn't been enabled or because they tried to use
voice commands and failed. In either case, DTMF inputs are used to navigate menus and search for users.
By default, in UM, DTMF inputs are used on dial plans and are the default caller interface for UM auto attendants.
Callers can use DTMF inputs for:
Dial plan dial-in access by using Outlook Voice Access.
Dial plan directory lookups and searches to locate users.
Auto attendants that aren't speech-enabled.
Auto attendants that are speech-enabled that do or don't have a DTMF fallback auto attendant configured.
DTMF fallback auto attendants (not speech-enabled).
DTMF maps
In an Exchange organization, an attribute named msExchUMDtmfMap is associated with each user created in the
directory. Unified Messaging uses this attribute to map the user's first name, last name, and email alias to a set of
numbers. This mapping is referred to as a DTMF map. A DTMF map enables a caller to enter the digits on the
telephone keypad that correspond to the letters of the user's name or email alias. This attribute contains the values
needed to create a DTMF map for the user's first name followed by the last name, for the user's last name followed
by the first name, and for the user's email alias.
The following table shows the DTMF map values that would be stored in Active Directory on the
msExchUMDtmfMap attribute for a UM-enabled user named Tony Smith with an alias of tsmith@contoso.com.
DTMF values stored for a UM-enabled user named Tony Smith
firstNameLastName:866976484 tonysmith
lastNameFirstName:764848669 smithtony
emailAddress:876484 tsmith
Names and email aliases may contain other characters that aren't alphanumeric, such as commas, hyphens,
underscores, or periods. Characters such as these won't be used in a DTMF map for a user. For example, if the
email alias for Tony Smith is tony-smith@contoso.com, the DTMF map value would be 866976484, and the
hyphen wouldn't be included. However, if a user's email alias contains a number or numbers, for example,
tonysmith123@contoso.com, the numbers would be used in the DTMF map that's created. The DTMF map for
tonysmith123 would be 866976484123.
A DTMF map must exist for a user for callers to be able to enter the user's name or email alias. However, not all
users will have a DTMF map associated with their user account.
DTMF maps for users who aren't enabled for Unified Messaging
Users, including mailbox-enabled users, aren't enabled for Unified Messaging by default. The
msExchUMDtmfMap attribute is populated with the values needed for DTMF maps for users who haven't been
enabled for UM. By default, the following DTMF maps are created for all users when a mailbox is created for them:
1. emailAddress
2. firstNameLastName
3. lastNameFirstName
If a user doesn't have DTMF map values defined for their account, callers won't be able to contact the user when
they press a telephone key from a UM auto attendant menu or perform a directory search. Also, UM-enabled users
won't be able to send messages or transfer calls to users who don't have a DTMF map unless they can use
Automatic Speech Recognition (ASR). To enable callers to transfer calls or contact users who aren't UM-enabled by
using the telephone keypad, you need to create the necessary values for the DTMF map for those users. You can
use the Set-User cmdlet with the -CreateDtmfMap parameter to create and update a single user's DTMF map or
update a DTMF map for a user if the name of the user was changed after a DTMF map was created. Optionally, you
can create a PowerShell script by using this cmdlet to update the DTMF map values for multiple users.
For more information about the Set-User cmdlet, see Set-User.
DTMF maps for users who are enabled for Unified Messaging
By default, a DTMF map is created for a user when they're enabled for Unified Messaging. This makes it possible
for calls to be transferred to the UM-enabled user from external callers, from users who aren't enabled for UM, and
from other UM-enabled users who use the telephone keypad to spell the user's name or email alias.
After the DTMF map values have been created for a UM-enabled user, callers can use the directory search feature.
Callers use directory search when they use the telephone keypad in the following situations:
To identify or search for a user when they call in to an Outlook Voice Access number.
To locate or transfer calls to a UM-enabled user when they call in to a UM auto attendant.
For more information about how to enable a user for Unified Messaging, see Enable a user for voice mail.
Sometimes a user's first name, last name, or email alias changes after the user is enabled for UM. The user's DTMF
map values aren't updated automatically. If a caller enters the user's new name or email alias and the user's DTMF
map hasn't been updated to reflect the change to the name or email alias, the caller won't be able to locate the user
in the directory, send a message to the user, or transfer calls to the user. If you have to update a user's DTMF map
after the user has been enabled for UM, you can use the Set-User cmdlet with the -CreateDtmfMap parameter.
You can also create a PowerShell script using this cmdlet if you want to update the DTMF maps for multiple
UM-enabled users.
Caution
We recommend that you don't manually change the DTMF values for users by using a tool such as ADSI Edit
because it might result in inconsistent configurations or other errors. We recommend that you use only the
Set-UMService cmdlet or the Set-User cmdlet to create or update DTMF maps for users.
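Because DTMF map values are not refreshed automatically when a name or alias changes, it helps to recompute the expected values and compare them with what is stored. The following is an added example, not part of the original documentation: the function names are hypothetical, the user records are constructed, and the stored-value format (key:digits) follows the Tony Smith table above. It assumes the standard telephone keypad letter layout and drops every character other than a-z and 0-9.

```powershell
# Added example; function names are hypothetical and the data is constructed.

# Standard telephone keypad layout: digit -> letters printed on that key.
$KeypadGroups = @{
    '2' = 'abc'; '3' = 'def'; '4' = 'ghi'; '5' = 'jkl'
    '6' = 'mno'; '7' = 'pqrs'; '8' = 'tuv'; '9' = 'wxyz'
}

# Invert it into a character -> digit lookup. Digits map to themselves.
$DtmfLookup = @{}
foreach ($entry in $KeypadGroups.GetEnumerator()) {
    foreach ($letter in $entry.Value.ToCharArray()) {
        $DtmfLookup[[string]$letter] = $entry.Key
    }
}
foreach ($digit in '0123456789'.ToCharArray()) {
    $DtmfLookup[[string]$digit] = [string]$digit
}

function ConvertTo-DtmfDigits {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    # Characters with no keypad equivalent (hyphens, periods, underscores,
    # commas, spaces) are skipped, as described for DTMF maps above.
    $digits = foreach ($ch in $Text.ToLowerInvariant().ToCharArray()) {
        $key = [string]$ch
        if ($DtmfLookup.ContainsKey($key)) { $DtmfLookup[$key] }
    }
    -join $digits
}

function Get-ExpectedDtmfMap {
    param([string]$FirstName, [string]$LastName, [string]$EmailAddress)
    # Only the alias (the part before "@") is mapped, as in the table above.
    $alias = ($EmailAddress -split '@')[0]
    @(
        'firstNameLastName:' + (ConvertTo-DtmfDigits -Text "$FirstName$LastName")
        'lastNameFirstName:' + (ConvertTo-DtmfDigits -Text "$LastName$FirstName")
        'emailAddress:'      + (ConvertTo-DtmfDigits -Text $alias)
    )
}

function Test-DtmfMapCurrent {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        $expected = Get-ExpectedDtmfMap -FirstName $User.FirstName `
            -LastName $User.LastName -EmailAddress $User.EmailAddress
        # Any expected value that is not stored means callers spelling the
        # current name or alias on the keypad will not find this user.
        $missing = @($expected | Where-Object { $_ -notin $User.DtmfMap })
        [pscustomobject]@{
            User     = "$($User.FirstName) $($User.LastName)"
            UpToDate = ($missing.Count -eq 0)
            Missing  = $missing -join ', '
        }
    }
}

# Constructed records. DtmfMap stands in for the stored msExchUMDtmfMap values.
$users = @(
    # Stored map matches the current name and alias (values from the table).
    [pscustomobject]@{
        FirstName = 'Tony'; LastName = 'Smith'; EmailAddress = 'tsmith@contoso.com'
        DtmfMap   = 'firstNameLastName:866976484',
                    'lastNameFirstName:764848669',
                    'emailAddress:876484'
    }
    # Renamed after the map was created; stored values still spell "Smith".
    [pscustomobject]@{
        FirstName = 'Tony'; LastName = 'Jones'; EmailAddress = 'tony-jones@contoso.com'
        DtmfMap   = 'firstNameLastName:866976484',
                    'lastNameFirstName:764848669',
                    'emailAddress:876484'
    }
    # No DTMF map values defined at all.
    [pscustomobject]@{
        FirstName = 'Kim'; LastName = 'Akers'; EmailAddress = 'kakers@contoso.com'
        DtmfMap   = @()
    }
)

$users | Test-DtmfMapCurrent | Format-Table -AutoSize -Wrap
```

Users reported as not up to date are the ones to refresh with the Set-User cmdlet and its -CreateDtmfMap parameter.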
In addition to allowing users access to voice mail, Unified Messaging (UM) allows you to create one or more UM
auto attendants depending on the needs of your organization. UM auto attendants can be used to create a voice
menu system for an organization that lets external and internal callers locate, place, or transfer calls to company
users or departments in an organization.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
Auto attendants
In telephony or Unified Messaging environments, an automated attendant or auto attendant menu system
transfers callers to the extension of a user or department without the intervention of a receptionist or an operator.
In many auto attendant systems, a receptionist or operator can be reached by pressing or saying zero. Some auto
attendant systems use message-only information menus and voice menus so an organization can provide business
hours, directions to the premises, information about job opportunities, and answers to other frequently asked
questions. After the message plays, callers are forwarded to the receptionist or operator, or they can return to the
main menu.
Although auto attendants can be very useful, if they aren't designed and configured correctly, they can confuse and
frustrate callers. For example, especially in large organizations, when auto attendants aren't designed correctly,
callers can be led through a lengthy series of questions and menu prompts before they're finally transferred to a
person to answer their questions.
NOTE
You should also set the time zone on the attendant.
4. Decide whether you want standard system-generated business and non-business hours greetings or to
create custom recordings for them.
If you want to use custom greetings, plan and record your business and non-business hour greetings to play
to callers during business and non-business hours. If you need to, you can also create a custom
informational announcement greeting. For example, for your business hours greeting you could use
"Welcome to Contoso. For English, press or say 1, for Spanish, press or say 2." For your non-business hours
greeting, you could record the following script: "Welcome to Contoso. Our office is currently closed. We will
be open on Monday at 8:00 am."
5. Plan your auto attendant structure based on your business needs. For example, one organization may be a
multinational business with offices in both Germany and the UK, and thus need an auto attendant structure
based on multiple languages. Another organization might have its corporate office at one site, Sales located
at another site, and Customer Service located at a third site, and thus need an auto attendant that directly
relates to the structure of the organization.
6. Decide if you'll need DTMF fallback auto attendants or other auto attendants to use when auto attendant
voice commands don't work.
7. Plan the menu navigation for business hours and non-business hours. For each auto attendant, including
DTMF auto attendants, you'll need to plan and configure menu prompts and menu navigation entries. You'll
need to do this for both business and non-business hours.
8. The following is an example of a worksheet you could use to plan non-business hours menu navigation.
9. Using your menu navigation plan, record prompts that inform callers what they can do. For example,
depending on the auto attendant structure for the non-business hours menu navigation shown in the table,
you might record the following script: "To leave a message for Sales, press one. For our business hours,
press two. For our address, press three."
10. Determine how callers will access your organization. Consider how they will search for and contact users in
your organization. Also consider how to transfer callers, including how they'll get to a live person or
organization representative, and whether callers will access an operator during business and non-business
hours.
11. Determine what calls you'll allow callers to make when they're using a specific auto attendant. For example,
whether you want to allow callers to make calls to users in a single dial plan, to any extension, or whether
you'll allow them to make calls outside your organization.
12. After you've planned your auto attendant settings, greetings and menu navigation, and created audio files
that contain your recorded greetings, menu navigation prompts, and menu navigation responses, you're
ready to create and configure your auto attendant. Here's how:
Create a UM auto attendant
Manage a UM auto attendant
13. If you've created the auto attendant structure and settings, enable the UM auto attendant so it can start
accepting calls.
Create a UM auto attendant
2/28/2019 • 4 minutes to read
After you create a Unified Messaging (UM) auto attendant, incoming calls to an external telephone number
that a human operator would ordinarily answer are answered by the auto attendant. Unlike with other Unified
Messaging components, such as UM dial plans and UM IP gateways, you aren't required to create UM auto
attendants. However, auto attendants help internal and external callers locate users or departments that exist in
an organization and transfer calls to them.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
You can configure an extension number or multiple extension numbers on a Unified Messaging (UM) auto
attendant. When you add an extension number to a UM auto attendant, that number can be used by callers to call
into the auto attendant. Also, you may have to add extension numbers because there is more than one extension
number that callers can use to access an auto attendant. By default, no extension numbers are configured when
you create an auto attendant.
You can create a new auto attendant without setting up an extension number for the auto attendant. You can also
associate more than one telephone or extension number with a single auto attendant. You can either add the
extension numbers when you create the UM auto attendant or add them after you configure the auto attendant.
The number of digits in the extension number you configured on the UM auto attendant must match the number
of digits for an extension number that's configured on the UM dial plan associated with the UM auto attendant.
NOTE
You can also add a Session Initiation Protocol (SIP) address instead of adding an extension number. A SIP address is used by
some IP Private Branch eXchanges (PBXs) and Office Communications Server 2007 R2 or Microsoft Lync Server.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
When you configure business hours for a Unified Messaging (UM) auto attendant, you define the hours of the day
that your organization is open, and the business hours greetings and menu prompts callers will hear when they
call an extension number that's configured on the auto attendant. If a caller reaches the auto attendant during
hours that are outside the business hours you define, the caller will hear the non-business hours prompts and
greetings.
Several default schedule options are available in the EAC. For example, most businesses are open from 8:00 A.M.
to 5:00 P.M., Monday through Friday. Sometimes the default options won't fit your needs and you'll want to
customize the schedule. If your business hours vary from the schedules defined by the system, you can define a
customized schedule for the auto attendant.
By default, the UM auto attendant will play the business hours prompts and greetings regardless of the time of
day callers dial in to the auto attendant.
NOTE
When you set the schedule for business and non-business hours on a UM auto attendant, make sure the time zone is
configured correctly.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
You can define the dates and times your organization will be closed for holidays and other occasions. Between the
start dates and the end dates you specify, callers who reach the Unified Messaging (UM) auto attendant will hear a
holiday greeting you specify when you configure the holiday schedule. After the caller hears the holiday greeting
you've specified, the non-business hours greeting and menu prompts will be played for the caller.
You can also create a holiday schedule within an existing holiday schedule. When you create multiple holiday
schedules, Unified Messaging lets you overlap your scheduled holiday times. For example, you can define a holiday
schedule from December 15th through December 31st when your organization will be closed for construction, and
you can define another holiday schedule from December 24th through December 26th. When callers call in to the
auto attendant from December 15th through December 23rd and from December 27th through December 31st,
they'll be presented with the holiday greeting that you've specified for this schedule. For example, "We are
currently closed for construction." When callers call in to the auto attendant from December 24th through
December 26th, they'll be presented with another holiday greeting, such as "We are currently closed for business
so that our employees can enjoy the holidays with their families."
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
You can enter the name of your business in the Business name box on a UM auto attendant. By default, no
business name is entered. If you enter a business name, a default greeting prompt with the business name will be
played to callers when they call in to the Unified Messaging (UM) auto attendant.
For additional tasks related to UM auto attendants, see UM auto attendant procedures.
You can specify the location of a business on a Unified Messaging (UM) auto attendant so that the location will be
played for callers. By default, no business location is entered.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
By default, the Unified Messaging (UM) auto attendant uses the time zone of the Mailbox server on which it's
created. However, there are situations where you may have to change the time zone for a UM auto attendant to a
different time zone. For example, if you have two UM dial plans and each dial plan represents a different time zone,
you must configure one UM auto attendant to have the same time zone as the Mailbox server and the other UM
auto attendant to have a time zone that differs from the Mailbox server.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
You can enable a customized business hours greeting for a Unified Messaging (UM) auto attendant. The business
hours greeting is the first thing callers hear when a UM auto attendant answers their call during business hours.
You'll probably want to customize the greeting.
Unified Messaging includes a default system prompt for use during business hours. Although the default system
prompt mustn't be replaced or changed, you may want to provide a customized greeting. You can create a
customized greeting in the .wav or .wma file format to be used when callers call in to a UM auto attendant during
business hours. For example, "You've reached Woodgrove Bank."
If you want to include the name of your organization or business as part of the default greeting, you can enter the
name in the Business name box on the UM auto attendant. For details, see Enter a business name.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
4. After you've located the file, click Open, and then click Save.
This example configures a UM auto attendant named MyUMAutoAttendant to have business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday) and holiday times and their
associated greetings configured to be "New Year" on January 2, 2013, and "Building Closed for Construction"
from April 24, 2013 through April 28, 2013.
This example configures a UM auto attendant named MyAutoAttendant and enables business hours key mappings
so that when callers press 1, they're forwarded to another UM auto attendant named SalesAutoAttendant. When
they press 2, they're forwarded to extension number 12345 for Support, and when they press 3, they're sent to
another auto attendant that plays an audio file.
You can customize the menu prompt to be used by a Unified Messaging (UM) auto attendant during business
hours. After you create a UM auto attendant, a default system prompt ("Welcome to Unified Messaging") is used
as the menu prompt that callers hear after the business hours welcome greeting is played. Although the system
prompt mustn't be replaced or changed, you can customize the greetings and menu prompts that are used with
UM auto attendants. After you create a customized business hours menu prompt audio file, you must enable menu
navigation entries on the UM auto attendant for business hours.
If you only want to include the name of your organization or business as part of the default system prompt, you
can enter the name in the Business name box on the UM auto attendant. For details, see Enter a business name.
IMPORTANT
You must configure business hours on the auto attendant. For details, see Configure business hours.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
4. After you've located the file, click Open, and then click Save.
This example configures a UM auto attendant named MyUMAutoAttendant that has business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday) and holiday times and their
associated greetings configured to be "New Year" on January 2, 2013, and "Building Closed for Construction"
from April 24, 2013 through April 28, 2013.
This example configures a UM auto attendant named MyAutoAttendant and enables business hours navigation
menus so that when callers press 1, they're forwarded to another UM auto attendant named SalesAutoAttendant.
When they press 2, they're forwarded to extension number 12345 for Support, and when they press 3, they're
sent to another auto attendant that plays an audio file.
You can enable a customized non-business hours greeting for a Unified Messaging (UM) auto attendant. The
non-business hours greeting is the first thing callers hear when a UM auto attendant answers their call during
non-business hours. You'll probably want to customize the greeting.
Unified Messaging includes a default system prompt for use during non-business hours. Although the default
system prompt mustn't be replaced or changed, you may want to provide a customized greeting. You can create a
customized greeting in the .wav or .wma file format to be used when callers call in to a UM auto attendant during
non-business hours. For example, "You've reached Woodgrove Bank after hours."
If you want to include the name of your organization or business as part of the default greeting, you can enter the
name in the Business name box on the UM auto attendant. For details, see Enter a business name.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
4. After you've located the file, click Open, and then click Save.
This example configures a UM auto attendant named MyUMAutoAttendant that has business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday) and holiday times and their
associated greetings configured to be "New Year" on January 2, 2013, and "Building Closed for Construction"
from April 24, 2013 through April 28, 2013.
This example configures a UM auto attendant named MyAutoAttendant and enables non-business hours key
mappings so that when callers press 1, they're forwarded to another UM auto attendant named
SalesAutoAttendant. When they press 2, they're forwarded to extension number 12345 for Support, and when
they press 3, they're sent to another auto attendant that plays an audio file.
You can customize the menu prompt to be used by a Unified Messaging (UM) auto attendant outside business
hours. After you create a UM auto attendant, a default system prompt ("Welcome to Unified Messaging") is used
as the menu prompt that callers hear after the non-business hours welcome greeting is played. Although the
system prompt mustn't be replaced or changed, you can customize the greetings and menu prompts that are used
with UM auto attendants. After you create a customized non-business hours menu prompt audio file, you must
enable menu navigation entries on the UM auto attendant for non-business hours.
If you only want to include the name of your organization or business as part of the default system prompt, you
can enter the name in the Business name box on the UM auto attendant. For details, see Enter a business name.
IMPORTANT
You must configure business hours on the auto attendant. When you configure business hours, the non-business hours are
set automatically. For details, see Configure business hours.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
IMPORTANT
The file you use for the menu prompt must be a .wav or .wma file.
4. After you've located the file, click Open, and then click Save.
This example configures a UM auto attendant named MyAutoAttendant and enables non-business hours navigation
menus so that when callers press 1, they're forwarded to another UM auto attendant named SalesAutoAttendant.
When they press 2, they're forwarded to extension number 12345 for Support, and when they press 3, they're
sent to another UM auto attendant that plays an audio file.
You can enable an informational announcement for a Unified Messaging (UM) auto attendant. When an
informational announcement is enabled, it will play immediately after the business or non-business hours greeting.
By default, an informational announcement isn't configured. To enable an informational announcement, create a
.wav or .wma file to be used as the informational announcement, and then configure the auto attendant to use this
sound file.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
IMPORTANT
The file you use for the greeting must be a .wav or .wma file.
4. After you've located the file, click Open, and then click Save.
Use Exchange Online PowerShell to enable an informational
announcement
This example enables an informational announcement that uses the MyInfoAnnouncement.wav file for the UM auto
attendant named MyUMAutoAttendant.
You can use the New menu navigation entry page to create single or multiple key mappings for business or
non-business hours main menu prompts for auto attendants. You can define the action that will be performed
when a key on the telephone keypad is pressed, for example, transferring the call to an extension number or
another auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
This example sets key mappings defined in a comma-separated value (.csv) file. You must first create the .csv file
with the following headings and the correct entry: <key>,<description>,[<extension>],[<autoattendant name>],
[<promptfilenamepath>],[<asrphrase1;asrphrase2>],[<leavevoicemailfor>],[<transfertomailbox>]. The values in
brackets are optional. After creating the .csv file, import the .csv file using the Import-csv cmdlet.
This example exports key mappings from an existing UM auto attendant into a .csv file, and then imports the same
key mappings into another UM auto attendant. You could also export the key mappings to a .csv file, edit or modify
the key mappings in the .csv file, and then import those key mappings into another UM auto attendant.
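The .csv layout described above can be checked before it is imported. The following is an added example, not part of the original documentation: it reads the columns by position in the field order given above, and the function name `Test-UMKeyMappingCsv`, the column labels, the allowed key set, the five-digit extension pattern and the sample rows are all assumptions constructed for illustration.

```powershell
# Added example: check a key-mapping .csv before importing it.
# Columns are read by position, so the heading text in the file does not matter.
# Test-UMKeyMappingCsv, the column labels, the allowed key set and the
# extension pattern are assumptions; adjust them to your own numbering plan.
function Test-UMKeyMappingCsv {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string[]]$AllowedKeys = @('0','1','2','3','4','5','6','7','8','9'),
        [string]$ExtensionPattern = '^\d{5}$',
        [string[]]$KnownAutoAttendants = @()
    )
    $columns = 'Key','Description','Extension','AutoAttendantName',
               'PromptFileNamePath','AsrPhrases','LeaveVoicemailFor','TransferToMailbox'
    $lines = $CsvText -split '\r?\n' | Where-Object { $_.Trim() }
    # Skip the heading row, then map the remaining fields by position.
    $rows = @($lines | Select-Object -Skip 1 | ConvertFrom-Csv -Header $columns)

    $seen = @{}
    $lineNumber = 1                      # the heading row is line 1
    foreach ($row in $rows) {
        $lineNumber++
        [string]$key = $row.Key
        $problems = @()

        if ($AllowedKeys -notcontains $key) {
            $problems += "key '$key' is not in the allowed key set"
        }
        if ($seen.ContainsKey($key)) {
            $problems += "key '$key' is already mapped on line $($seen[$key])"
        } else {
            $seen[$key] = $lineNumber
        }
        # <key> and <description> are the two fields the format does not mark optional.
        if (-not $row.Description) {
            $problems += 'description is missing'
        }
        # A transfer target outside the approved extension range deserves a second look.
        if ($row.Extension -and $row.Extension -notmatch $ExtensionPattern) {
            $problems += "extension '$($row.Extension)' does not match $ExtensionPattern"
        }
        if ($row.AutoAttendantName -and $KnownAutoAttendants.Count -gt 0 -and
            $KnownAutoAttendants -notcontains $row.AutoAttendantName) {
            $problems += "auto attendant '$($row.AutoAttendantName)' is not in the known list"
        }
        foreach ($problem in $problems) {
            [pscustomobject]@{ Line = $lineNumber; Key = $key; Problem = $problem }
        }
    }
}

# Constructed sample file: line 4 reuses key 2 and points at a ten-digit number.
$sampleCsv = @'
key,description,extension,autoattendant name
1,Sales,,SalesAutoAttendant
2,Support,12345
2,Billing,9005550100
'@

Test-UMKeyMappingCsv -CsvText $sampleCsv -KnownAutoAttendants 'SalesAutoAttendant' |
    Format-Table -AutoSize
```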
You can enable business hours key mappings for a Unified Messaging (UM) auto attendant. After you create a UM
auto attendant, a default system prompt will be used for the business hours main menu prompt greeting that
callers hear after the business hours welcome greeting is played. The default business hours main menu prompt
says, "Welcome to the Microsoft Exchange auto attendant." Because no key mappings are defined by default, no
menu options are available to callers, and they hear only the default main menu prompt.
When you configure key mappings, you define the options and the operations that will be performed if a caller
speaks a phrase while they're using a speech-enabled auto attendant or presses a key on the telephone keypad
while they're using an auto attendant that isn't speech-enabled.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
You can enable non-business hours key mappings for a Unified Messaging (UM) auto attendant. After you create a
UM auto attendant, a default system prompt will be used for the non-business hours main menu prompt greeting
that callers hear after the non-business hours welcome greeting is played. The default non-business hours main
menu prompt says, "Welcome to the Microsoft Exchange after hours auto attendant." Because no key mappings
are defined by default, no menu options are available to callers and they hear only the default non-business hours
main menu prompt.
When you configure key mappings, you define the options and the operations that will be performed if a caller
speaks a phrase while they're using a speech-enabled auto attendant or presses a key on the telephone keypad
while they're using an auto attendant that isn't speech-enabled.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
After you create a Unified Messaging (UM) auto attendant, you can view or configure a variety of settings. For
example, you can add, remove, and edit extension numbers associated with the auto attendant. You can also enable
or disable Automatic Speech Recognition (ASR) for the auto attendant and change the greetings used for business
and non-business hours.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
NOTE
On a non-speech-enabled auto attendant, the system will tell the caller to use the key pad to input the user's name
(last name first) and then search for the user. If there are multiple people in the directory with the same name, the
caller is instructed to press the appropriate key to be transferred to the user. You could optionally create a DTMF
fallback auto attendant that uses only the key pad to enter a name or alias.
For these settings to be used, you must add the correct information to the user. For example, if you want the
auto attendant to use a title for two users with the same name, you must add this information to the user's
account. Select one of the following methods that provide more information to help the caller select the
correct user in the organization:
Inherit From dial plan: Select this option to have the auto attendant use the default setting from the dial
plan associated with the auto attendant.
Title: Select this option to have the auto attendant include each user's title when listing matches.
Department: Select this option to have the auto attendant include each user's department when listing
matches.
Location: Select this option to have the auto attendant include each user's location when listing matches.
None: Select this option to have no additional information given when listing matches.
Prompt for alias: Select this option to have the auto attendant prompt the caller for the user's alias.
8. Under Operator access, you can specify auto attendant operator settings including the following:
Operator extension: Use this box to type the extension number used to call an operator. This extension
number can connect the caller to a human operator or a UM-enabled mailbox, or can be configured to call
an external telephone number. By default, an operator extension isn't included in this box.
Allow transfer to operator during business hours: Select this check box to enable callers to be
transferred to a human operator during business hours by using the extension number that you configure
in the Operator extension box. By default, this option is disabled.
It's useful to enable this option so that when a caller is unsuccessful at using the menu prompts or directory
search to locate the required person during business hours, the caller can leave a voice message or connect
to a human operator. After you enable this option, you can configure the operator extension number on a
UM-enabled mailbox that's monitored. The caller can leave a voice message, or a human operator who has
the extension number can help the caller.
Allow transfer to operator during non-business hours: Select this check box to enable callers to be
transferred to a human operator after business hours by using the extension number that you configure in
the Operator extension box. By default, this option is disabled.
It's useful to enable this option so that when a caller is unsuccessful at using the menu prompts or directory
search to locate the required person after business hours, the caller can leave a voice message or connect to
a human operator. After you enable this option, you can configure the operator extension number on a
UM-enabled mailbox that's monitored. The caller can leave a voice message, or a human
operator who has the extension number can help the caller.
9. Use Dialing authorization to configure dialing rules for callers who call in to a UM auto attendant. You can
use these settings to control the extension numbers that can be reached from an auto attendant or control the
telephone numbers that can be dialed by callers that have dialed into the auto attendant. You can configure the
following:
Calls in the same UM dial plan: Select this check box to allow users who call in to an auto attendant to
place or transfer calls to an extension number associated with a UM-enabled user who is associated with
the same dial plan as the auto attendant. By default, this setting is enabled.
When you disable this setting, users who call in to an auto attendant can place or transfer calls to users who
aren't UM-enabled or to other extension numbers not associated with a UM-enabled user. Users can't
transfer calls to UM-enabled users who are associated with the same dial plan as the auto attendant. This is
because the Allow calls to any extension setting is enabled by default.
Allow calls to any extension: When this setting is disabled, users who call in to an auto attendant can't
place calls to users who aren't UM-enabled or to other extension numbers not associated with a
UM-enabled user. However, they can place calls or transfer calls to extension numbers associated with
UM-enabled users. This is because the Calls in the same UM dial plan setting is enabled by default. The
Allow calls to any extension setting is enabled by default.
When this setting is enabled, users who call in to an auto attendant can place calls to users who aren't
UM-enabled, to other extension numbers not associated with a UM-enabled user, and to UM-enabled users.
This is because the Calls within the same UM dial plan setting is enabled by default.
You can enable this setting in an environment where not all users have been UM-enabled. This setting is
also useful when you want to allow users who call in to a telephone number configured on an auto
attendant to call extension numbers not associated with a UM-enabled user.
Authorized in-country/region dialing rule groups: Use this section to add or remove allowed in-
country/region dialing rule groups. By default, there are no in-country/region dialing rule groups
configured on UM auto attendants.
In-country/region dialing rule groups are used to allow or restrict the telephone numbers within a country
or region that any user who has dialed in to the UM auto attendant can dial. This helps prevent unnecessary
or unauthorized telephone calls and charges.
To add in-country/region dialing rule groups, you must first create the appropriate in-country/region
dialing rule groups on the dial plan associated with the UM auto attendant, and then add the appropriate
dialing rule group.
In-country/region dialing rule groups can be used by Unified Messaging to allow or restrict access to
telephone numbers within a country or region. This is applied to any user who has called in to an auto
attendant. For more information about outdialing, see Allow users to make calls.
Authorized international dialing rule groups: Use this section to add or remove allowed international
dialing rule groups. By default, there are no international dialing rule groups configured on UM auto
attendants.
International dialing rule groups are used to allow or restrict the telephone numbers outside a country or
region that any user who has dialed in to the UM auto attendant can dial. This helps prevent unnecessary or
unauthorized telephone calls and charges.
To add international dialing rule groups, you must first create the appropriate international dialing rule
groups on the dial plan associated with the UM auto attendant. After you create the required dialing rule
groups on the dial plan, you must then add the dialing rule groups to the list of authorized dialing rule
groups on the UM auto attendant.
International dialing rule groups can be used by Unified Messaging to allow or restrict access to telephone
numbers outside a country or region. This is applied to any user who has called in to an auto attendant. For
more information about outdialing, see Allow users to make calls.
10. Click OK to create the new menu navigation.
11. On the UM Auto Attendant page, click Save to save your changes.
This example configures a UM auto attendant named MyUMAutoAttendant that has: Business hours configured as
10:45 to 13:15 (10:45 A.M. to 1:15 P.M.) on Sunday, 09:00 to 17:00 (9:00 A.M. to 5:00 P.M.) on Monday, and 09:00
to 16:30 (9:00 A.M. to 4:30 P.M.) on Saturday; holiday times and their associated greetings configured as "New
Year" on January 2, 2013; and "Building Closed for Construction" configured from April 24 through April 28,
2013.
Get-UMAutoAttendant | Format-List
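The dialing authorization and operator settings above decide what a caller can reach once the auto attendant answers. The following added example (not part of the original documentation) flags the settings worth reviewing; it assumes the input objects expose properties named after the corresponding Set-UMAutoAttendant parameters, `Test-UMAutoAttendantDialing` is a hypothetical helper name, and the two sample objects and the group name in them are constructed.

```powershell
# Added example: flag UM auto attendant settings that widen what a caller can dial.
# Assumption: input objects carry properties named like the Set-UMAutoAttendant
# parameters (AllowExtensions, AllowedInternationalGroups, ...), as in the
# output of Get-UMAutoAttendant. The function name is hypothetical.
function Test-UMAutoAttendantDialing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$AutoAttendant
    )
    process {
        $findings = New-Object 'System.Collections.Generic.List[string]'

        # "Allow calls to any extension" is enabled by default and reaches
        # extension numbers that are not tied to a UM-enabled user.
        if ($AutoAttendant.AllowExtensions) {
            $findings.Add('AllowExtensions: callers can reach extensions not associated with a UM-enabled user')
        }

        # No dialing rule groups are authorized by default, so any entry here
        # was added deliberately and permits outdialing through the attendant.
        $inCountry = @($AutoAttendant.AllowedInCountryOrRegionGroups | Where-Object { $_ })
        if ($inCountry.Count -gt 0) {
            $findings.Add('In-country/region dialing rule groups authorized: ' + ($inCountry -join ', '))
        }
        $international = @($AutoAttendant.AllowedInternationalGroups | Where-Object { $_ })
        if ($international.Count -gt 0) {
            $findings.Add('International dialing rule groups authorized: ' + ($international -join ', '))
        }

        # Operator transfer is disabled by default. When it is on, the operator
        # extension should belong to a monitored mailbox or a staffed line.
        $operatorTransfer = $AutoAttendant.BusinessHoursTransferToOperatorEnabled -or
                            $AutoAttendant.AfterHoursTransferToOperatorEnabled
        if ($operatorTransfer) {
            $extension = if ($AutoAttendant.OperatorExtension) { $AutoAttendant.OperatorExtension }
                         else { '(not set on the auto attendant)' }
            $findings.Add("Operator transfer enabled: confirm operator extension $extension is monitored")
        }

        [pscustomobject]@{
            Name        = $AutoAttendant.Name
            Status      = $AutoAttendant.Status
            NeedsReview = ($findings.Count -gt 0)
            Findings    = $findings.ToArray()
        }
    }
}

# Constructed sample objects standing in for Get-UMAutoAttendant output.
$sample = @(
    [pscustomobject]@{
        Name = 'MyUMAutoAttendant'; Status = 'Enabled'
        AllowExtensions = $true
        AllowedInCountryOrRegionGroups = @()
        AllowedInternationalGroups = @('ConstructedIntlGroup')
        BusinessHoursTransferToOperatorEnabled = $true
        AfterHoursTransferToOperatorEnabled = $false
        OperatorExtension = '12345'
    },
    [pscustomobject]@{
        Name = 'SalesAutoAttendant'; Status = 'Enabled'
        AllowExtensions = $false
        AllowedInCountryOrRegionGroups = @()
        AllowedInternationalGroups = @()
        BusinessHoursTransferToOperatorEnabled = $false
        AfterHoursTransferToOperatorEnabled = $false
        OperatorExtension = $null
    }
)

# Only MyUMAutoAttendant is listed, with three findings.
$sample | Test-UMAutoAttendantDialing | Where-Object NeedsReview | Format-List

# Against a live session: Get-UMAutoAttendant | Test-UMAutoAttendantDialing
```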
You can configure a speech-enabled Unified Messaging (UM) auto attendant that has a dual tone multi-frequency
(DTMF) fallback auto attendant. A DTMF fallback auto attendant is used when the UM speech-enabled auto
attendant can't understand or recognize the speech inputs provided by a caller. If a DTMF fallback auto attendant
has been configured, the caller has to use DTMF inputs, also known as touchtone inputs, to navigate the auto
attendant menu system, spell a user's name, or use a custom menu prompt. If no DTMF fallback auto attendant has
been configured, and the maximum number of speech inputs is exceeded because the system didn't understand
what the caller said, the system will respond with this prompt: "Sorry, I couldn't help. Please call back later."
By default, an auto attendant isn't speech-enabled when you create it. After you speech-enable the auto attendant,
callers can use only voice commands to navigate the auto attendant menu system, and touchtone inputs can't be
used. Although it isn't required, we recommend that you configure a DTMF fallback auto attendant for each
speech-enabled auto attendant so callers can use touchtone inputs if the speech-enabled auto attendant doesn't
recognize or understand the words they say. We also recommend that you don't speech-enable a DTMF fallback
auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
IMPORTANT
You must first speech-enable the auto attendant before you can browse for a DTMF fallback auto attendant you have set up.
By default, when a Unified Messaging (UM) auto attendant is created, its status is set to disabled. After you create
the UM auto attendant, you can change its status to enable it to answer incoming calls.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
By default, when a Unified Messaging (UM) auto attendant is created, its status is set to disabled. After you create
the UM auto attendant, you can change its status to control whether it can answer incoming calls. For example, you
might want to disable the UM auto attendant when you're recording or re-recording customized prompts and
messages.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
After you delete a Unified Messaging (UM) auto attendant, the incoming calls that were answered by the UM auto
attendant must be answered by a human operator. A UM auto attendant can't be deleted if it's associated with a
UM dial plan as the default UM auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
You can enable your Unified Messaging (UM) auto attendant for Automatic Speech Recognition (ASR). After you
speech-enable a UM auto attendant, callers can respond verbally to auto attendant prompts and move through the
menu system of the auto attendant. By default, an auto attendant isn't speech-enabled when you create it. After
you speech-enable the auto attendant, callers can use only voice commands to navigate the auto attendant menu
system, and touchtone inputs can't be used.
Although it isn't required, we recommend that you configure a dual tone multi-frequency (DTMF) fallback auto
attendant for each speech-enabled auto attendant so callers can use touchtone inputs if the speech-enabled auto
attendant doesn't recognize or understand the words they say. If a DTMF fallback auto attendant is configured,
callers can use DTMF inputs, also known as touchtone inputs, to navigate the auto attendant menu system, spell a
user's name, or use a custom menu prompt. We don't recommend that you speech-enable a DTMF fallback auto
attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
You can enable callers to transfer calls to users through an auto attendant, or prevent them from doing so. By
default this option is enabled, and lets callers transfer calls to UM-enabled users in the Unified Messaging (UM)
dial plan that's associated with the UM auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
NOTE
If you clear this check box and also clear the Allow callers to leave voice messages for users check box, the Options for
searching the address book are disabled.
Use Exchange Online PowerShell to enable or prevent call transfers to
users from a UM auto attendant
This example prevents call transfers on a UM auto attendant named MyUMAutoAttendant.
You can enable callers to send voice messages to users from a Unified Messaging (UM) auto attendant, or prevent
them from doing so. By default, this option is enabled and lets callers send voice messages to users in the UM dial
plan that's associated with the UM auto attendant. If you disable this option, the auto attendant won't invite callers
to send a voice message during a system prompt.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
Use the EAC to enable callers to send voice messages or prevent them
from doing so
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
manage, and then click Edit.
3. On the UM Auto Attendant page > Address book and operator access, under Options for contacting
users, select the check box next to Allow callers to leave voice messages for users to enable callers to
leave voice messages. To prevent callers from leaving voice messages, clear the check box.
4. Click Save.
NOTE
If you disable this option and also disable the Allow callers to dial users option, the Options for searching the address
book are also disabled.
Use Exchange Online PowerShell to enable callers to send voice
messages or prevent them from doing so
This example prevents callers who call in to a UM auto attendant named MyUMAutoAttendant from sending voice
messages.
This example enables callers who call in to a UM auto attendant named MyUMAutoAttendant to send voice
messages.
You can enable directory lookups so that callers who call in to a Unified Messaging (UM) auto attendant can look
up names in the directory using their telephone keypad but not be able to search the directory using voice inputs.
This setting is enabled by default. If this setting is disabled, callers won't be able to search the directory for a
specific person using touchtone or voice commands.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
NOTE
Outlook Voice Access users can't use Automatic Speech Recognition (ASR) or speech inputs to locate users in the directory;
they can only use DTMF or touchtone inputs.
You can specify the group of users that callers can contact when calling into a Unified Messaging (UM) auto
attendant. By default, callers can contact users within the same dial plan that's associated with the UM auto
attendant. However, you can change the grouping of users to allow callers to transfer calls or send voice messages
to users who are located in the organization's address book or to a specific set of users.
For additional management tasks related to UM auto attendants, see Manage a UM auto attendant.
Use the EAC to configure the group of users that callers can contact
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
configure, and then click Edit.
3. On the UM Auto Attendant page > Address book and operator access, under Options for searching
the address book, choose from the following options:
In this dial plan only: Select this option to allow callers who connect to the UM auto attendant to locate
and contact users who are in the dial plan associated with the UM auto attendant.
In the entire organization: Select this option to allow callers who connect to the UM auto attendant to
locate and contact anyone listed in the organization's address book. This includes all users who are mailbox-
enabled.
4. Click Save.
You can configure the method to use for users with similar names on an auto attendant's Address book and
operator access options, or you can leave the default setting on the auto attendant and configure this setting on
the dial plan associated with the auto attendant. By default, an auto attendant can disambiguate between two or
more users who have the same or similar names because the default setting on the auto attendant is Inherit from
dial plan.
NOTE
For the information that will be included for users with similar names to work correctly, you must provide the title,
department, and location information for the recipients in your Microsoft Exchange organization.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.
Use the EAC to configure a UM auto attendant for users with similar names
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
configure, and then click Edit.
3. On the UM Auto Attendant page, click Address book and operator access, and under Information to
include for users with the same name, select one of the following:
Title: The auto attendant will include each user's title when it lists matches.
Department: The auto attendant will include each user's department when it lists matches.
Location: The auto attendant will include each user's location when it lists matches.
None: The auto attendant won't include any additional information when it lists matches.
Prompt For alias: The auto attendant will prompt the caller for the user's alias.
Inherit from dial plan: The auto attendant will use the default setting from the dial plan associated with
the auto attendant.
4. Click Save.
This example sets the information to be included with users with similar names to the title of the users, enables
name lookups, and enables callers that dial into the auto attendant to press * to be presented with the Outlook
Voice Access welcome greeting for a UM auto attendant named MyUMAutoAttendant .
After you've connected your telephony network or integrated Microsoft Lync Server with Exchange Unified
Messaging (UM) and created and configured the required UM components, you'll need to set up voice mail for
your users.
When you're enabling users for voice mail, you'll need to link the user to a UM mailbox policy. UM mailbox policies
are used to apply common settings to a group of UM-enabled users. These settings include PIN policies, outbound
calling restrictions, text to send with messages, and other related settings. You can either use a default UM mailbox
policy or create and customize a UM mailbox policy based on the needs of your organization.
Unified Messaging (UM) mailbox policies are required when you enable users for Unified Messaging. You create
UM mailbox policies to apply a common set of policies or security settings to a collection of voice mail users'
mailboxes. UM mailbox policies are used to specify UM settings like the following:
PIN policies
Dialing restrictions
Other general UM mailbox policy properties
For example, you can create a UM mailbox policy to increase the level of PIN security by reducing the maximum
number of sign-in failures for a specific group of UM-enabled users, such as executives.
UM mailbox policies
At least one UM mailbox policy must have been created before you can enable users for Unified Messaging. You
can create additional UM mailbox policies to apply a common set of settings for groups of users.
You create UM mailbox policies by using Exchange Online PowerShell or the Exchange admin center (EAC). By
default, a single UM mailbox policy is created every time you create a UM dial plan. The new UM mailbox policy is
automatically associated with the UM dial plan, and part of the dial plan name is included in the display name of
the UM mailbox policy. You can edit this default UM mailbox policy.
Multiple UM-enabled users can be linked to a single UM mailbox policy. However, the mailbox for each
UM-enabled user must be linked to a single UM mailbox policy. This lets you control PIN security settings such as the
minimum number of digits in a PIN or the maximum number of sign-in attempts for the UM-enabled users who
are associated with the UM mailbox policy. You can also control message text settings or dialing restrictions for the
same UM-enabled mailboxes.
UM mailbox policy procedures
2/28/2019 • 2 minutes to read
You can create a Unified Messaging (UM) mailbox policy to apply a common set of UM policy settings,
such as PIN policy settings or dialing restrictions, to a collection of UM-enabled mailboxes. UM mailbox
policies link a UM-enabled user with a UM dial plan and apply a common set of policies or security
settings to a collection of UM-enabled mailboxes. UM mailbox policies are useful for applying and
standardizing UM configuration settings for UM-enabled users.
By default, when a UM dial plan is created, a UM mailbox policy is also created. You may have to create
additional UM mailbox policies or modify existing UM mailbox policies after you deploy Unified
Messaging in your organization.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
After you create a Unified Messaging (UM) mailbox policy, you can view and configure a variety of settings. For
example, you can configure UM features like Voice Mail Preview or Play on Phone and other security-related
options such as Protected Voice Mail and PIN policy settings.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
NOTE
When you're integrating Unified Messaging and Lync Server on-premises, missed call notifications aren't available to
users who have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server. A missed call notification
is generated when a user disconnects before the call is sent to Unified Messaging.
Typically, when a user misses an incoming call, the user receives two email messages: a message that
contains the voice message and a missed call notification message. By default, missed call notifications are
enabled when a UM mailbox policy is created.
Allow Play on Phone for voice mail: Select or clear this check box to enable or disable the Play on
Phone feature for users associated with the UM mailbox policy. This option is enabled by default and
allows users to play their voice messages over any phone, including an office or mobile phone.
Allow inbound faxes: Select or clear this check box to enable or disable inbound faxes for users
associated with the UM mailbox policy. By default, when you enable users for UM, their mailbox is able to
receive faxes. However, if this option is disabled on the UM dial plan, UM-enabled users associated with
the UM mailbox policy won't be able to receive faxes. The default setting on the UM mailbox policy is
disabled.
After you have enabled the Allow inbound faxes setting, you will need to specify the URI for the partner
fax server. If the UM mailbox policy is linked to a dial plan that can use TCP and TLS, you will need to enter
URIs for both TCP and TLS.
Help Microsoft improve voice mail preview: These options allow Microsoft to improve the quality of
Voice Mail Preview. You can enable the following settings:
Allow analysis of voice messages left by callers: Use this option to help improve the quality of Voice
Mail Preview in future releases of Microsoft Exchange by forwarding copies of voice messages to
Microsoft for analysis. You can't set this option if all voice messages are protected.
Tell callers that voice messages may be analyzed: Use this option to tell callers that the messages they
leave may be analyzed by Microsoft to improve the quality of Voice Mail Preview, and allow them to opt
out.
Use Message Text to configure message text settings for users who are associated with a UM mailbox
policy. For example, you can specify the email message text sent to users after they reset their UM PIN. You
can configure the following:
When a user is enabled for Unified Messaging: The text entered in this text box appears in the email
message sent to users when they are enabled for UM. When a recipient's mailbox is enabled for UM and
they are enabled for voice mail, an email message that welcomes the user to Unified Messaging is sent to
the user. This text box is limited to 512 characters and can contain simple HTML formatting. By default, no
text is defined in this text box.
This welcome message contains welcome text and the PIN information that the user will use to access the
UM or voice mail system. The text entered in this text box is included at the bottom of this welcome
message. You can use this text box to include information such as the voice mail technical support
telephone numbers or Outlook Voice Access numbers.
If text isn't entered in this text box, the default text generated by the UM or voice mail system is included in
the email message.
The text that you provide in this text box can be plain. It can also contain simple HTML formatting tags if
you want to emphasize text or add hyperlinks to other content.
Example 1: If you have any questions or suggestions about voice mail service, please call the help desk at
extension 4200.
Example 2: If you have any questions or suggestions about <b>voice mail service</b>, please call the
help desk at extension 4200 or visit our website at <a href="http://emp.contoso.com/itinfo/vmail">http://emp.contoso.com/itinfo/vmail</a>.
When a user's Outlook Voice Access PIN is reset: The text entered in this text box is included in the
email message sent to UM-enabled users when their UM PIN is reset.
A PIN is reset by the UM or voice mail system if the number of failed sign-in attempts exceeds 10 (by
default) or if users reset their PIN using the UM features included with Microsoft Outlook, Outlook Web
App, or Outlook Voice Access from a telephone. You can use this text box to include information such as
security notices or other security-related information in the email message.
If text isn't entered in this text box, the default text generated by the UM system is included in the email
message.
This text box is limited to 512 characters. By default, no text is defined in this text box.
The text that you provide in this text box can be plain. It can also contain simple HTML formatting tags if
you want to emphasize text or add hyperlinks to other content.
When a user receives a voice message: The text entered in this text box is included in the email message
sent to users when they receive a voice message from an incoming caller. For example, this text can include
disclaimers that contain information about forwarding voice messages or system security policies that
describe the correct way to handle voice messages in your organization.
If text isn't entered in this text box, the default text generated by the system is included in the email
message. This text box is limited to 512 characters. By default, no text is defined in this text box.
The text that you provide in this text box can be plain. It can also contain simple HTML formatting tags if
you want to emphasize text or add hyperlinks to other content.
When a user receives a fax message: The text entered in this text box is included in the email message
sent to users when they receive an incoming fax message in their Inbox. You can use this text box to include
disclaimers that contain information about forwarding fax messages or other system security policies
about the correct way to handle fax messages in your organization.
If text isn't entered in this text box, the default text generated by the system is included in the email
message. This text box is limited to 512 characters. By default, no text is defined in this text box.
Use PIN Policies to configure PIN settings for users who are associated with a UM mailbox policy. UM
PINs enable users to access their Inboxes by using a telephone. By configuring settings on this page, you
can specify the minimum number of digits for a UM PIN or the number of failed sign-in attempts before
users are locked out of their UM mailbox.
Make sure that you plan carefully for the UM PIN policies that you implement in your environment. If you
don't plan and implement the appropriate UM PIN policies, you may introduce security threats and
mistakenly allow unauthorized access to your network. You can configure the following:
Minimum PIN length (digits): Use this text box to specify the minimum number of digits that a UM
user's PIN can contain. The default setting is six digits. The range is from 4 through 24 numeric digits. This
setting can't be disabled.
Increasing the number of digits required for a PIN increases the level of security for your UM system.
Decreasing the number of digits required for a PIN reduces the level of security for your network. The
fewer the digits that are required in a PIN, the easier it is for a potential attacker to guess a user's PIN.
If this setting is set too high, users might have problems remembering their PINs. However, if the setting is
too low, you risk unauthorized access to the UM system.
PIN recycle count: Use this setting to set the number of unique PINs that users must use before they can
reuse an old PIN. For most organizations, this value should be set to the default of 5, the number of PINs
that the system will remember. PIN history can't be disabled.
You can set this value from 1 through 20. Setting this value too high can frustrate users because it can be
difficult to memorize many PINs. Setting it too low may introduce a security threat to your network.
Allow common PIN patterns: Use this setting to set PIN complexity requirements for UM. These
complexity requirements are enforced on PIN changes or when new PINs are created.
If this option is disabled, sequential and repeated numbers and the suffix of the mailbox extension will be
rejected. If this option is enabled, only the suffix of the mailbox extension will be rejected.
As a security best practice, we recommend that you disable this setting. If this setting is disabled, user PINs
can't contain the following:
Sequential numbers, such as 123456 or 456789.
Repeated numbers, such as 111111 or 8888888.
Suffix of the mailbox extension.
Enforce PIN lifetime (days): Use this text box to configure the number of days until the UM-enabled
user's PIN expires. After the PIN expires, the user must create a new UM PIN. For most organizations, this
value should be set to the default of 60 days.
The value of this setting can be from 0 through 999. If it's set to 0, PINs never expire. Setting this value too
low can frustrate users because they are required to create and memorize new PINs too frequently.
Number of sign-in failures before PIN reset: Use this text box to enter the number of sequential
unsuccessful or failed sign-in attempts that can occur before the UM system automatically resets a user's
PIN. For most organizations, this value should be set to the default of 5 attempts.
The value of this setting can be from 0 through 999. If it's set to 0, this setting is disabled and the system
won't automatically reset users' PINs. Setting this value too low can frustrate users; setting it too high gives
malicious users more attempts to determine the PIN.
This setting must be set to a number lower than the number configured in the Number of sign-in
failures before lockout setting. This setting is designed to help prevent a brute force attack on user PINs.
Number of sign-in failures before lockout: Use this text box to enter the maximum number of
sequential unsuccessful or failed sign-in attempts before users are locked out of their mailboxes.
For example, if a user tries to sign in to the mailbox unsuccessfully five times, based on the Number of
sign-in failures before PIN reset setting, the system will reset the user's PIN. If the user tries to use the
new PIN five more times unsuccessfully, the system will again reset the PIN. If the user tries to use this
new PIN five more times unsuccessfully, the user is then locked out of the mailbox. After a user is locked
out, an administrator must manually reset or unlock the mailbox for the user.
This value can be set from 1 through 999. Setting this value too low can frustrate users; setting it too high
gives malicious users more attempts to determine the PIN. For most organizations, this value should be set
to the default of 15 attempts.
This number must be greater than the number set in the Number of sign-in failures before PIN reset
setting. This setting is designed to help prevent a brute force attack on user PINs.
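The PIN settings described above can be checked together rather than one at a time. The following is an added example, not part of the original article or of Exchange itself: Test-UMPinPolicy and ConvertTo-UMCount are hypothetical helper names, the two sample policies are constructed, and the property names are assumed to match the Set-UMMailboxPolicy parameter names (MinPINLength, PINHistoryCount, AllowCommonPatterns, PINLifetime, LogonFailuresBeforePINReset, MaxLogonAttempts).

```powershell
# Added example: checks UM mailbox policy PIN settings against the ranges and
# defaults stated in this article. Helper names are hypothetical.

function ConvertTo-UMCount {
    # Assumption: a live policy object reports 'Unlimited' where the EAC shows 0.
    # Both are normalized to 0, meaning "disabled" or "never expires".
    param($Value)
    if ($null -eq $Value -or "$Value" -eq 'Unlimited') { return 0 }
    return [int]"$Value"
}

function Test-UMPinPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Policy
    )
    process {
        $minLen   = ConvertTo-UMCount $Policy.MinPINLength
        $history  = ConvertTo-UMCount $Policy.PINHistoryCount
        $lifetime = ConvertTo-UMCount $Policy.PINLifetime
        $reset    = ConvertTo-UMCount $Policy.LogonFailuresBeforePINReset
        $lockout  = ConvertTo-UMCount $Policy.MaxLogonAttempts
        $findings = [System.Collections.Generic.List[string]]::new()

        # Minimum PIN length: range 4 through 24, default 6.
        if ($minLen -lt 4 -or $minLen -gt 24) {
            $findings.Add("Minimum PIN length $minLen is outside the 4-24 range")
        } elseif ($minLen -lt 6) {
            $findings.Add("Minimum PIN length $minLen is shorter than the default of 6")
        }

        # PIN recycle count: range 1 through 20, default 5.
        if ($history -lt 1 -or $history -gt 20) {
            $findings.Add("PIN recycle count $history is outside the 1-20 range")
        } elseif ($history -lt 5) {
            $findings.Add("PIN recycle count $history is lower than the default of 5")
        }

        # The article recommends disabling common PIN patterns.
        if ([bool]$Policy.AllowCommonPatterns) {
            $findings.Add('Common PIN patterns (sequential and repeated digits) are allowed')
        }

        # PIN lifetime: 0 means PINs never expire, default 60 days.
        if ($lifetime -eq 0) {
            $findings.Add('PINs never expire')
        } elseif ($lifetime -gt 60) {
            $findings.Add("PIN lifetime of $lifetime days is longer than the default of 60")
        }

        # The reset threshold must be lower than the lockout threshold.
        if ($reset -eq 0) {
            $findings.Add('Automatic PIN reset after failed sign-ins is disabled')
        } elseif ($reset -ge $lockout) {
            $findings.Add("PIN reset threshold $reset is not lower than lockout threshold $lockout")
        }
        if ($lockout -lt 1 -or $lockout -gt 999) {
            $findings.Add("Lockout threshold $lockout is outside the 1-999 range")
        } elseif ($lockout -gt 15) {
            $findings.Add("Lockout threshold $lockout allows more failures than the default of 15")
        }

        # With reset=5 and lockout=15 the PIN is reset twice (after failures 5
        # and 10) before the mailbox locks at failure 15.
        $resets = 0
        if ($reset -gt 0 -and $reset -lt $lockout) {
            $resets = [int][math]::Floor(($lockout - 1) / $reset)
        }

        [pscustomobject]@{
            Policy                    = $Policy.Name
            FailedSignInsUntilLockout = $lockout
            PinResetsBeforeLockout    = $resets
            Compliant                 = ($findings.Count -eq 0)
            Findings                  = ($findings -join '; ')
        }
    }
}

# Constructed sample policies so the check runs offline.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Defaults (constructed)'; MinPINLength = 6; PINHistoryCount = 5
        AllowCommonPatterns = $false; PINLifetime = 60
        LogonFailuresBeforePINReset = 5; MaxLogonAttempts = 15 },
    [pscustomobject]@{ Name = 'Relaxed (constructed)'; MinPINLength = 4; PINHistoryCount = 1
        AllowCommonPatterns = $true; PINLifetime = 'Unlimited'
        LogonFailuresBeforePINReset = 20; MaxLogonAttempts = 20 }
)
$samplePolicies | Test-UMPinPolicy | Format-List

# In a connected Exchange Online PowerShell session:
# Get-UMMailboxPolicy | Test-UMPinPolicy | Format-List
```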
Use Dialing authorization to configure dialing rules for UM-enabled users who are associated with this
UM mailbox policy.
You can use these settings to control the extension numbers that can be reached or the telephone numbers
that can be dialed by UM-enabled users who are associated with the UM mailbox policy. You can configure
the following:
Calls in the same UM dial plan: Select this check box to allow UM-enabled users who call in to a
subscriber access number configured on a dial plan and successfully sign in to their mailbox to place calls
or transfer to UM-enabled users who have extension numbers within the same dial plan. By default, this
setting is enabled.
When you disable this setting, UM-enabled users who call in to a subscriber access number configured on
a dial plan and successfully sign in to their mailbox can place calls or transfer calls to users who aren't
UM-enabled or to other extension numbers not associated with a UM-enabled user. However, they can't
transfer to UM-enabled users who are within the same dial plan. This is because the Calls to any
extension setting is enabled by default.
Calls to any extension: When this setting is enabled, users who call in to a subscriber access number
configured on a dial plan and successfully sign in to their mailbox can place calls to users who aren't
UM-enabled, to other extension numbers not associated with a UM-enabled user, and to UM-enabled users
within the same dial plan. This is because the Calls in the same UM dial plan setting is enabled by
default.
When this setting is disabled, users who call in to an Outlook Voice Access number configured on a dial
plan and successfully sign in to their mailbox can't place calls to users who aren't UM-enabled or to other
extension numbers not associated with a UM-enabled user. However, they can place calls or transfer calls
to extension numbers associated with UM-enabled users. This is because the Calls in the same UM dial
plan setting is enabled by default. The Calls to any extension setting is enabled by default.
You can enable this setting in an environment where not all users have been UM-enabled. This setting is
also useful when you want to allow users who call in to an Outlook Voice Access number configured on a
dial plan to call extension numbers not associated with a UM-enabled user.
Authorized in-country/region dialing rule groups: Use this section to add or remove allowed in-
country/region dialing rule groups. By default, there are no in-country/region dialing rule groups
configured on UM mailbox policies.
In-country/region dialing rule groups are used to allow or restrict the telephone numbers within a country
or region that Outlook Voice Access users can dial. This helps prevent unnecessary or unauthorized
telephone calls and charges.
To add in-country/region dialing rule groups, you must first create the appropriate in-country/region
dialing rule groups on the dial plan associated with the UM mailbox policy, and then add the appropriate
dialing rule entries on the dialing rule group. After you create the required dialing rule groups on the dial
plan, you must then add the dialing rule groups to the list of dialing restrictions under Dialing
authorization on the UM mailbox policy.
In-country/region dialing rule groups can be used to enable Unified Messaging to allow or restrict access
to telephone numbers within a country or region. This is applied to Outlook Voice Access users who have
called in to an Outlook Voice Access number.
Authorized international dialing rule groups: Use this section to add or remove allowed international
dialing rule groups. By default, there are no international dialing rule groups configured on UM mailbox
policies.
To add international dialing rule groups, you must first create the appropriate international dialing rule
groups on the dial plan associated with the UM mailbox policy, and then add the appropriate dialing rule
entries on the dialing rule group. After you create the required dialing rule groups, you must add the
dialing rule groups to the dialing restrictions on the UM mailbox policy.
International dialing rule groups can be used to enable Unified Messaging to allow or restrict access to
telephone numbers outside a country or region. This is applied to Outlook Voice Access users who have
called in to an Outlook Voice Access number.
International dialing rule groups are used to allow or restrict the telephone numbers outside a country or
region that Outlook Voice Access users can dial. This helps prevent unnecessary or unauthorized telephone
calls and charges.
Use Protected Voice Mail to configure the following settings:
Protect voice messages from unauthenticated callers: Select one of the following options from the
drop-down list to determine whether an incoming call answered by Unified Messaging will protect voice
messages. This setting applies to voice messages sent to UM-enabled users when they don't answer their
phone. This setting also applies to voice messages sent directly to UM-enabled users when the caller uses a
UM auto attendant. You can configure the following:
None: Use this setting to not have protection applied to any voice messages sent to UM-enabled users.
Private: Use this setting when you want to apply protection only to voice messages that have been marked
as private by the caller.
All: Use this setting when you want to apply protection to all voice messages, including those not marked
as private.
Protect voice messages from authenticated callers: Select one of the following options from the
drop-down list to determine whether an incoming call answered by Unified Messaging will protect voice
messages. This setting applies to voice messages sent to UM-enabled users when they don't answer their
phone. This setting also applies when callers sign in to their mailbox using Outlook Voice Access, and then
create and send a voice message. You can configure the following:
None: Use this setting to not have protection applied to any voice messages sent to UM-enabled users.
Private: Use this setting when you want to apply protection only to voice messages that have been marked
as private by the caller.
All: Use this setting when you want to apply protection to all voice messages, including those not marked
as private.
Require Play on Phone for protected voice messages: Select this check box if you want to force users
who receive protected voice messages to use the Play on Phone feature. Or, if the client software doesn't
support rights management, users must use Outlook Voice Access. The Play on Phone feature only applies
to clients using a version of Outlook that supports rights management. For Outlook 2007 and earlier
versions that don't support rights management, and for Outlook Web App clients, Outlook Voice Access is
the only way that users can listen to protected voice mail.
The default setting requires all users associated with the UM mailbox policy to use the Play on Phone
feature to listen to voice messages that are protected. By doing this, it prevents other people from hearing
the voice message from a media player over computer speakers or from a media player on a mobile phone.
Even if this is enabled, a UM-enabled user can still use Outlook Voice Access to hear the protected voice
mail.
This is especially useful when UM-enabled users use public computers, laptops in public places, or their
mobile phone's media player to listen to protected voice mail that can contain private information.
Allow voice responses to email and calendar items: Use this option to allow UM-enabled users to
send voice responses to protected voice mail messages. The default is enabled. If you disable this setting and a
UM-enabled user receives a protected voice mail message, they will not be able to use Outlook Voice Access to
reply to email and calendar items.
Message to send to users who don't have Windows Rights Management support: Protected voice
mail can only be accessed by email clients that support Information Rights Management (IRM), or if a
UM-enabled user uses Outlook Voice Access to access the protected voice mail message.
If a protected voice mail message is sent to an email client that doesn't support IRM, the text that you
include in this box will be sent to the user in an email message. This information should include instructions
about what to do to be able to receive the protected voice mail message.
This example selects the in-country or region groups and international groups from those configured on the UM
dial plan associated with the UM mailbox policy. UM-enabled users associated with this UM mailbox policy will be
able to place outbound calls according to the rules defined on these groups.
This example configures the text of voice messages sent to UM-enabled users and the text included in an email
message sent to a user who has been UM-enabled.
Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -UMEnabledText "You have been enabled for Unified Messaging." `
-VoiceMailText "You have received a voice message from Microsoft Exchange Unified Messaging."
Get-UMMailboxPolicy | Format-List
This example returns the properties and values for a UM mailbox policy named MyUMMailboxPolicy .
When you delete a Unified Messaging (UM) mailbox policy, the UM mailbox policy will no longer be available to
be associated with recipients who are being enabled for UM. You can't delete a UM mailbox policy if it's referenced
by any UM-enabled mailboxes, and you can't delete a UM dial plan if a UM mailbox policy is associated with it.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
With Unified Messaging (UM), users in an Exchange organization can receive all their email and voice messages in
one mailbox. The Unified Messaging functionality and voice mail features increase user productivity and enable
more flexible messaging throughout an organization.
When you're adding a user to your organization, you're given the option of creating a mailbox or connecting the
user to an existing mailbox. After the mailbox is created for the user or the user is connected to an existing
mailbox, you can enable the mailbox for Unified Messaging so the user can use the voice mail system and the
features included with voice mail. After the user is enabled for Unified Messaging, all email, voice mail, and fax
messages will be delivered to the user's mailbox. By using Microsoft Office Outlook 2007 or later versions,
Outlook Web App, a mobile phone enabled for Microsoft Exchange ActiveSync, or a regular or mobile phone,
users can access their email, voice messages, personal contacts, and calendaring information.
The mailbox of a UM-enabled user can be associated with only one UM dial plan. The UM-enabled user can be
assigned the following:
A single primary extension number, Session Initiation Protocol (SIP) address, or E.164 address on a single
dial plan.
Multiple secondary extension numbers, SIP addresses, or E.164 addresses on a single dial plan.
Multiple primary extension numbers, SIP addresses, or E.164 addresses on two separate dial plans.
NOTE
Each extension number, SIP address, and E.164 number must be unique within a dial plan and the number of digits in the
dial plan will be used for all users that are linked with the dial plan.
For example, a UM-enabled user travels frequently from New York to Tokyo. The user's mailbox is associated with
the New York dial plan and a single extension number is configured on the user's mailbox. A second extension
number is configured on the user's mailbox for the Tokyo dial plan. When callers dial either extension number and
leave a voice message for the user, the voice message will be delivered to the same UM-enabled mailbox.
This example enables Unified Messaging and voice mail on a mailbox for tonysmith@contoso.com, assigns the
user to a UM mailbox policy named MyUMMailboxPolicy , and sets the extension number, SIP address, and manually
sets the PIN for the user.
When you enable a user for Unified Messaging (UM), a default set of properties is applied to the user, and
the user will be able to use the voice mail features included with Unified Messaging. After you enable a user
for voice mail, you have the option of adding a Session Initiation Protocol (SIP) address for the user if they're
assigned to a UM mailbox policy that's linked to a SIP URI dial plan. Or, you can add an E.164 number for the
user if they're assigned to a UM mailbox policy that's linked to an E.164 dial plan. In both cases, the user must
still have an extension number configured.
An extension number is required for each user that's associated with a telephone extension, SIP Uniform
Resource Identifier (URI), or E.164 dial plan. The extension number must be the correct number of digits, as
specified in the UM dial plan for the UM mailbox policy.
NOTE
You must add, remove, or modify extension numbers for all UM-enabled users by using the EAC or Exchange Online
PowerShell, even if they're linked to a SIP URI or E.164 dial plan. To add, remove or modify SIP address or E.164
numbers for users, you'll need to use Exchange Online PowerShell because those options aren't available in the EAC.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
When a user's mailbox is enabled for Unified Messaging (UM) voice mail, an email message is sent that welcomes
the user to Unified Messaging. This message contains the PIN information the user will use to first access the voice
mail system.
You can customize the text that's sent in the welcome email message by adding text in the When a user is
enabled for Unified Messaging box on a UM mailbox policy. You can include such information as the UM
technical support telephone numbers or additional Outlook Voice Access numbers. After you add the text, it will be
included in the email message sent when users associated with the UM mailbox policy are enabled for Unified
Messaging.
NOTE
The custom text you add to the welcome message is limited to 512 characters, and it can include simple HTML text.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
Use the EAC to customize the text sent when a mailbox is enabled for Unified Messaging
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user is enabled for
Unified Messaging, enter the text you want to include in the email message that's sent when users are
enabled for Unified Messaging voice mail.
4. Click Save.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -UMEnabledText "You've been enabled for Unified Messaging voice mail. To access your Exchange mailbox, call your internal telephone extension number. From outside your office, call 425-555-1234."
Manage voice mail settings for a user
2/28/2019 • 4 minutes to read
You can view or set the Unified Messaging (UM) and voice mail features and configuration settings for a user
that's been enabled for UM and voice mail. For example, you can do the following:
Reset their Outlook Voice Access PIN.
Add a personal operator extension number.
Add other extension numbers.
Enable or disable Automatic Speech Recognition (ASR).
Enable or disable Call Answering Rules.
Enable or disable access to their email or calendar.
NOTE
Some of the settings and features can only be configured by using Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
For on-premises and hybrid deployments, when you're integrating Unified Messaging and Lync Server, missed call
notifications aren't available to users who have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server. A
missed call notification is generated when a user disconnects before the call is sent to a Mailbox server.
This example prevents a user from accessing the calendar, but enables access to email when the user is using
Outlook Voice Access.
This example prevents a user from accessing the calendar and email when the user is using Outlook Voice Access.
Set-UMMailbox -Identity tony@contoso.com -TUIAccessToCalendarEnabled $false -TUIAccessToEmailEnabled $false
This example prevents a user from creating call answering rules, receiving incoming faxes, and using Outlook
Voice Access, but enables Automatic Speech Recognition (ASR).
Get-UMMailbox | Format-List
IMPORTANT
When you're running Exchange 2007 and Exchange 2013 and the user's mailbox is located on an Exchange 2007 Mailbox
server, running the Get-UMMailbox cmdlet won't work correctly. To resolve the issue, run the Get-UMMailbox cmdlet from
an Exchange 2007 server or a computer running the Exchange 2007 administrative tools.
Assign a UM mailbox policy
2/28/2019 • 2 minutes to read
When you enable a user for Unified Messaging (UM) and voice mail, you must select the UM mailbox policy that
will be associated with the user's mailbox. You can change the UM mailbox policy associated with the user's
mailbox after the user has been enabled for UM.
You create UM mailbox policies to apply a common set of policies or security settings to a collection of mailboxes
of UM-enabled users. You can use UM mailbox policies to apply settings such as the following:
PIN policies
Dialing restrictions
Other general UM mailbox policy properties
NOTE
A default UM mailbox policy is created every time you create a UM dial plan. You can delete the default UM mailbox policies
or create additional UM mailbox policies based on the needs of your organization.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
You may need to move a user who is enabled for Unified Messaging (UM) to a different UM dial plan or change
the dial plan that's associated with the user. For example, you might want to move a UM-enabled user from a
Telephone Extension dial plan to a SIP URI dial plan.
To change the UM dial plan, you'll have to disable the user for Unified Messaging and then enable the user for
Unified Messaging on the new UM dial plan. This is because different dial plans may have different settings and
requirements, such as different extension lengths or different URI types. For example, SIP URI dial plans require a
SIP Resource Identifier to be assigned to each UM-enabled mailbox, but Telephone Extension dial plans don't. Also,
each UM mailbox contains references to both the UM dial plan and the UM mailbox policy. The UM mailbox policy,
in turn, contains references to the UM dial plan. If you change the primary proxy address for a UM-enabled user to
point to a different dial plan, the UM mailbox is in an inconsistent state.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
Step 3: Enable the user for Unified Messaging on the new UM dial plan
IMPORTANT
If you're moving users to an environment with Office Communications Server 2007 R2 or Lync Server, you must also include
a SIP Resource Identifier for the user when you enable them for UM. You must also select the UM mailbox policy that's
associated with a SIP dial plan.
You can enable or disable calls from users who aren't enabled for Unified Messaging (UM). By default, Unified
Messaging allows incoming calls from unauthenticated callers through an auto attendant to be transferred to
UM-enabled users. With this option enabled, users from outside an organization can transfer calls to UM-enabled
users.
If this setting has been disabled for a UM-enabled user, the user's mailbox can still be located using a directory
search. However, if an external caller tries to transfer to the user, the system says, "I'm sorry, I am unable to transfer
the call to this user." The caller is then transferred to the operator, if an operator has been configured on the auto
attendant. If no operator has been configured on the auto attendant, the call is transferred to a dial plan operator, if
one has been configured. If no operator extension has been configured on the speech-enabled auto attendant, the
dual tone multi-frequency (DTMF) fallback auto attendant, or the dial plan, the system responds by saying, "Sorry.
Neither the operator or the touchtone service are available."
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
Use Exchange Online PowerShell to enable calls from users who aren't
UM-enabled
This example allows Tony Smith to receive voice calls from callers who aren't UM-enabled.
You can enable or disable calls from users who aren't enabled for Unified Messaging (UM). By default, Unified
Messaging allows incoming calls from unauthenticated callers through an auto attendant to be transferred to
UM-enabled users. With this setting enabled, users from outside an organization can transfer calls to UM-enabled
users.
If this setting has been disabled for a UM-enabled user, the user's mailbox can still be located using a directory
search. However, if an external caller tries to transfer to the user, the system says, "I'm sorry, I am unable to transfer
the call to this user." The caller is then transferred to the operator, if an operator has been configured on the auto
attendant. If no operator has been configured on the auto attendant, the call is transferred to a dial plan operator, if
one has been configured. If no operator extension has been configured on the speech-enabled auto attendant, the
dual tone multi-frequency (DTMF) fallback auto attendant, or the dial plan, the system responds by saying, "Sorry.
Neither the operator nor the touchtone service are available."
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
Use Exchange Online PowerShell to disable calls from users who aren't
UM-enabled
This example prevents Tony Smith from receiving voice calls from callers who aren't UM-enabled.
You can allow UM-enabled users to receive voice mail messages from anonymous callers or prevent them from
doing so. By default, when users are enabled for Unified Messaging (UM) and voice mail, they can receive calls that
are anonymous and don't contain caller ID information.
In most cases, calls received by Unified Messaging contain a caller ID that can be used to determine the source of
the incoming call. However, incoming calls may not include caller ID information for the following reasons:
Your organization's telephony equipment is configured not to include caller ID information.
The incoming call is from a mobile or external telephone.
The caller has disabled caller ID on their telephone.
Because the AnonymousCallersCanLeaveMessages parameter is enabled by default, a UM-enabled user can
receive a voice message even if caller ID information isn't included. If the AnonymousCallersCanLeaveMessages
option is disabled, and the UM-enabled user receives a call that doesn't include a caller ID, the call will be identified
as anonymous, and the UM-enabled user won't receive a voice message.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
You can include additional text in the email message that's sent when a voice mail message is received by a user
who is enabled for Unified Messaging (UM) voice mail. By default, the text that's included with a voice message
indicates only that the user has received a voice message. However, you can create a custom message by adding
text in the When a user receives a voice message box on a UM mailbox policy. For example, the text can include
information about system security policies and describe the correct way to handle voice messages in your
organization. After you add the text, it will be included in each email message that's sent when UM-enabled users
associated with the UM mailbox policy receive a voice message.
NOTE
The custom text that accompanies a voice message is limited to 512 characters, and can include simple HTML text.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
Use the EAC to change the text included with a voice message
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user receives a voice
message, enter the text you want to include in the email message that's sent when users receive a voice
message.
4. Click Save.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailText "Do not forward voice messages to users outside this organization."
Prevent callers without a caller ID from leaving a
voice message
2/28/2019 • 2 minutes to read
You can allow UM-enabled users to receive voice messages from anonymous callers or prevent them from doing
so. By default, when users are enabled for Unified Messaging (UM) and voice mail, they can receive calls that are
anonymous and don't contain caller ID information.
In most cases, calls received by Exchange servers contain a caller ID that can be used to determine the source of
the incoming call. However, incoming calls may not include caller ID information for the following reasons:
Your organization's telephony equipment is configured not to include caller ID information.
The incoming call is from a mobile or external telephone.
The caller has disabled caller ID on their telephone.
Because the AnonymousCallersCanLeaveMessages parameter is enabled by default, a UM-enabled user can
receive a voice message even if caller ID information isn't included. If the AnonymousCallersCanLeaveMessages
option is disabled, and the UM-enabled user receives a call that doesn't include a caller ID, the call will be identified
as anonymous, and the UM-enabled user won't receive a voice message.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
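The settings described above that let unauthenticated callers reach a mailbox, or that make mailbox content available over the phone, can be reviewed together in one pass. The following is an added example, not Microsoft's code: `Get-UMExposureFinding` is a hypothetical helper, the `AllowUMCallsFromNonUsers` property name is an assumption the page does not print, and the two records at the bottom are constructed so the script runs without a tenant.

```powershell
# Added example (not Microsoft's code): report which UM mailboxes accept
# unauthenticated callers or expose mailbox content through Outlook Voice Access.
function Get-UMExposureFinding {
    [CmdletBinding()]
    param(
        # Get-UMMailbox output, or any object with the four properties read below.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$UMMailbox
    )
    process {
        $findings = @()
        $fix      = @()

        # Assumption: AllowUMCallsFromNonUsers is the property behind the
        # "calls from users who aren't UM-enabled" setting; the page describes
        # the behaviour without printing the name. 'None' means disabled.
        $nonUser = $UMMailbox.AllowUMCallsFromNonUsers
        if ($null -ne $nonUser -and "$nonUser" -ne 'None') {
            $findings += 'Auto attendant transfers from non-UM callers allowed'
            $fix      += '-AllowUMCallsFromNonUsers None'
        }
        if ($UMMailbox.AnonymousCallersCanLeaveMessages) {
            $findings += 'Callers without caller ID can leave voice mail'
            $fix      += '-AnonymousCallersCanLeaveMessages $false'
        }
        if ($UMMailbox.TUIAccessToEmailEnabled) {
            $findings += 'Email available over Outlook Voice Access'
            $fix      += '-TUIAccessToEmailEnabled $false'
        }
        if ($UMMailbox.TUIAccessToCalendarEnabled) {
            $findings += 'Calendar available over Outlook Voice Access'
            $fix      += '-TUIAccessToCalendarEnabled $false'
        }

        [pscustomobject]@{
            Name         = "$($UMMailbox.Name)"
            FindingCount = $findings.Count
            Findings     = $findings -join '; '
            # Parameters to review, not an instruction to apply all of them.
            SetUMMailbox = $fix -join ' '
        }
    }
}

# Constructed sample records standing in for Get-UMMailbox output.
$sample = @(
    [pscustomobject]@{
        Name = 'tony.smith'; AllowUMCallsFromNonUsers = 'SearchEnabled'
        AnonymousCallersCanLeaveMessages = $true
        TUIAccessToEmailEnabled = $true; TUIAccessToCalendarEnabled = $true
    }
    [pscustomobject]@{
        Name = 'restricted.user'; AllowUMCallsFromNonUsers = 'None'
        AnonymousCallersCanLeaveMessages = $false
        TUIAccessToEmailEnabled = $true; TUIAccessToCalendarEnabled = $false
    }
)

$sample | Get-UMExposureFinding |
    Sort-Object FindingCount -Descending |
    Format-List

# Against a tenant the same function takes live objects:
# Get-UMMailbox -ResultSize Unlimited | Get-UMExposureFinding
```

The first sample record reflects the defaults the page describes (anonymous callers and non-UM callers allowed), so it reports the most findings.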
You can disable Unified Messaging (UM) for a UM-enabled user. When you do this, the user can no longer use the
voice mail features found in Unified Messaging. If you prefer, when you disable UM for a user, you can keep the
UM settings for the user.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
Use the EAC to disable Unified Messaging and voice mail for a user
1. In the EAC, click Recipients.
2. In the list view, select the user whose mailbox you want to disable for Unified Messaging.
3. In the Details pane, under Phone and Voice Features, under Unified Messaging, click Disable.
4. In the Warning box, click Yes to confirm that Unified Messaging will be disabled for the user.
When you enable a user for UM and link them to a SIP URI dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains a SIP address for the user. The extension number is
used when the user calls in to an Outlook Voice Access number.
SIP URI dial plans and SIP addresses are used when you're integrating UM and Microsoft Office Communications
Server 2007 R2 or Microsoft Lync Server. The SIP address is used by Communications Server or Lync Server to
route incoming calls and send voice mail to the user. By default, the SIP address that's used by UM will be the SIP
address that's used by Communications Server or Lync Server.
You can change the primary SIP address that was added when the user was enabled for UM or a secondary SIP
address that was added later, along with the EUM proxy addresses for the user. The primary SIP address you
added when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional
secondary SIP addresses you added will be listed as secondary EUM proxy addresses. When secondary SIP
addresses are changed, callers can leave voice mail for the user at all SIP endpoints that the user is signed in to
using the new SIP addresses. All the voice messages will be delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to change a primary or a secondary SIP address. You can use
the Email Address page on the user's mailbox in the EAC to change a primary or a secondary SIP address. You
can't use the UM Mailbox page in the EAC to change a primary or secondary SIP address.
You can view the primary and secondary SIP addresses for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you change a SIP address using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to change. To determine the position, use the $mbx.EmailAddresses command. The first EUM proxy
address is the default (primary) SIP address and it will be 0 in the list.
$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses.Item(1)="eum:tsmith@contoso.com;phone-context=MySIPDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Change an extension number
2/28/2019 • 3 minutes to read
When you enable a user for UM and link them to a telephone extension dial plan, an EUM proxy address is created
for the user that contains the user's extension number. You must define at least one extension number for UM to
use so voice mail can be sent to the user's mailbox. The extension number is also used when the user calls in to an
Outlook Voice Access number.
You can change the primary extension number that was added when the user was enabled for UM or a secondary
extension number that was added later, along with the related EUM proxy addresses for the user. The primary
extension number you added when the user was enabled for UM will be listed as the primary EUM proxy address.
Any additional secondary extension numbers you added will be listed as secondary EUM proxy addresses. When
extension numbers have been changed, callers can leave voice mail for the user at all the new extension numbers
that have been set. All the voice messages will be delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to change a primary or a secondary extension number for a
user. You can use the Email Address page on the user's mailbox in the EAC to change a primary or secondary
extension number. You can't use the UM Mailbox page in the EAC to change a primary extension number, but you
can use it to change a secondary extension number. If you want to change a secondary extension number, you
must first remove the existing secondary extension number and then add the correct secondary extension number
for the user.
You can view the primary and secondary extension numbers for a user by using the Get-UMMailbox cmdlet or
the Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you change an extension number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to change. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address is the default (primary) extension number and it will be 0 in the list.
$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses.Item(0)="eum:22222;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Add a SIP address
2/28/2019 • 3 minutes to read
When you enable a user for UM and link them to a SIP URI dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains a SIP address for the user. The extension number is
used when the user calls in to an Outlook Voice Access number.
SIP URI dial plans and SIP addresses are used when you're integrating UM and Microsoft Office Communications
Server 2007 R2 or Microsoft Lync Server. The SIP address is used by Communications Server or Lync Server to
route incoming calls and send voice mail to the user. By default, the SIP address that's used by UM will be the SIP
address that's used by Communications Server or Lync Server.
The primary SIP address you added when the user was enabled for UM will be listed as the primary EUM proxy
address. If the primary SIP address was removed, the first EUM proxy address you add that contains the user's SIP
address will be listed as the primary EUM proxy address. Any additional SIP addresses you add will be listed as
secondary EUM proxy addresses. When secondary SIP addresses are added, callers can leave voice mail for the
user at SIP endpoints that the user is signed in to using the SIP addresses. All the voice messages will be delivered
to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to add a primary or a secondary SIP address for a user. You
can use the Email Address page on the user's mailbox in the EAC to add a primary or secondary SIP address. You
can't use the UM Mailbox page in the EAC to add a primary or secondary SIP address.
You can view the primary and secondary SIP addresses for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you add a SIP address using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to add. To determine the position, use the $mbx.EmailAddresses command. The first proxy address
in the list will be 0.
$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses +="eum:tsmit@contoso.com;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Remove a SIP address
3/4/2019 • 3 minutes to read
When you enable a user for UM and link them to a SIP URI dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains a SIP address for the user. The extension number is
used when the user calls in to an Outlook Voice Access number.
SIP URI dial plans and SIP addresses are used when you're integrating UM and Microsoft Office Communications
Server 2007 R2 or Microsoft Lync Server. The SIP address is used by Communications Server or Lync Server to
route incoming calls and send voice mail to the user. By default, the SIP address that's used by UM will be the SIP
address that's used by Communications Server or Lync Server.
You can remove the primary SIP address that was added when the user was enabled for UM or a secondary SIP
address that was added later, along with the EUM proxy address for the user. The primary SIP address you added
when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional SIP addresses
you added will be listed as secondary EUM proxy addresses. When a SIP address is removed, callers can no longer
leave voice mail for the user at the SIP address that was removed even if the user is signed in with the SIP address
assigned to the user in Communications Server or Lync Server.
If you remove the primary SIP address, UM won't be able to send voice mail to the user's mailbox and call
answering rules won't be processed. After the primary SIP address has been removed, the EUM proxy address for
the user will be listed as Null on the user's mailbox in the EAC and when you run the Get-Mailbox cmdlet in
Exchange Online PowerShell. Also, when you run the Get-UMMailbox cmdlet, the Extensions, PhoneNumber,
and CallAnsweringRulesExtensions parameters will be blank or null.
You can use the EAC or Exchange Online PowerShell to remove a primary or a secondary SIP address. You can use
the Email Address page on the user's mailbox in the EAC to remove a primary or a secondary SIP address. You
can't use the UM Mailbox page in the EAC to remove a primary or secondary SIP address.
You can view the primary and secondary SIP addresses for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you remove a SIP address using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to modify. To determine the position, use the $mbx.EmailAddresses command. The first EUM proxy
address in the list will be 0.
When you enable a user for UM and link them to a telephone extension dial plan, an EUM proxy address is created
for the user that contains the user's extension number. You must define at least one extension number for UM to
use so voice mail can be sent to the user's mailbox. The extension number is also used when the user calls in to an
Outlook Voice Access number.
The primary extension number you added when the user was enabled for UM will be listed as the primary EUM
proxy address. If the primary extension number was removed, the first EUM proxy address you add that contains
the user's extension number will become the primary EUM proxy address. Any additional extension numbers you
add will be listed as secondary EUM proxy addresses. When additional secondary extension numbers are added,
callers can leave voice mail for the user at all extension numbers that have been set. All the voice messages will be
delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to add a primary or a secondary extension number for a user.
You can use the Email Address page on the user's mailbox in the EAC to add a primary or secondary extension
number. You can't use the UM Mailbox page in the EAC to add a primary extension number, but you can use that
page to add secondary extension numbers.
You can view the primary and secondary extension numbers for a user by using the Get-UMMailbox cmdlet or
the Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
Use the EAC to add a secondary extension number
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox to which you want to add an extension number.
3. In the details pane, Phone and Voice Features, under Unified Messaging, click View details.
4. On the UM Mailbox page, click Other Extensions, and then click Add.
5. On the Other extensions page, next to the UM dial plan box, click Browse and locate the dial plan for the
user.
6. On the Other extensions page, in the Extension number box, type the extension number, and then click
OK.
7. Click Save.
NOTE
Before you add an extension number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to add. To determine the position, use the $mbx.EmailAddresses command. The first proxy
address in the list will be 0.
$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses +="eum:22222;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Remove an extension number
2/28/2019 • 3 minutes to read
When you enable a user for UM and link them to a telephone extension dial plan, an EUM proxy address is created
for the user that contains the user's extension number. You must define at least one extension number for UM to
use so voice mail can be sent to the user's mailbox. The extension number is also used when the user calls in to an
Outlook Voice Access number.
You can remove the primary extension number that was added when the user was enabled for UM or a secondary
extension number that was added later, along with the related EUM proxy addresses for the user. The primary
extension number you added when the user was enabled for UM will be listed as the primary EUM proxy address.
Any additional extension numbers you added will be listed as secondary EUM proxy addresses. When an extension
number is removed, callers can no longer leave voice mail for the user at the extension number that was removed.
If you remove the primary extension number, UM won't be able to send voice mail to the user's mailbox and call
answering rules won't be processed. After the primary extension number has been removed, the EUM proxy
address for the user will be listed as Null on the user's mailbox in the EAC and when you run the Get-Mailbox
cmdlet in Exchange Online PowerShell. Also, when you run the Get-UMMailbox cmdlet, the Extensions,
PhoneNumber, and CallAnsweringRulesExtensions parameters will be blank or null.
You can use the EAC or Exchange Online PowerShell to remove a primary or a secondary extension number. You
can use the Email Address page on the user's mailbox in the EAC to remove a primary or a secondary extension
number. You can't use the UM Mailbox page in the EAC to remove a primary extension number, but you can use it
to remove a secondary extension number.
You can view the primary and secondary extension numbers for a user by using the Get-UMMailbox cmdlet or
the Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you remove an extension number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to modify. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address in the list will be 0.
When you enable a user for UM and link them to an E.164 dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains the E.164 number for the user. The extension number
is used when the user calls in to an Outlook Voice Access number.
You can change the primary E.164 number that was added when the user was enabled for UM or a secondary
E.164 number that was added later, along with the EUM proxy addresses for the user. The primary E.164 number
you added when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional
secondary E.164 numbers you added will be listed as secondary EUM proxy addresses. When E.164 numbers have
been changed, callers can leave voice mail for the user at all the new E.164 numbers that have been set. All the
voice messages will be delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to change the primary and secondary E.164 numbers for a
user. You can use the Email Address page on the user's mailbox to change a primary or secondary E.164 number.
However, you can't use the UM Mailbox page in the EAC to change a primary or secondary E.164 number.
You can view the primary and secondary E.164 numbers for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you change an E.164 number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to change. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address is the default (primary) E.164 number and it will be 0 in the list.
$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses.Item(1)="eum:+14255550123;phone-context=MyE.164DialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Add an E.164 number
2/28/2019 • 3 minutes to read
When you enable a user for UM and link them to an E.164 dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains the E.164 number for the user. The extension number
is used when the user calls in to an Outlook Voice Access number.
The primary E.164 number you added when the user was enabled for UM will be listed as the primary EUM proxy
address. If the primary E.164 number was removed, the first EUM proxy address you add that contains the user's
E.164 number will be listed as the primary EUM proxy address. Any additional E.164 numbers you add will be
listed as secondary EUM proxy addresses. When additional E.164 numbers are added, callers can leave voice mail
for the user at all E.164 numbers that have been set. All the voice messages will be delivered to the same user's
mailbox.
You can use the EAC or Exchange Online PowerShell to add a primary or a secondary E.164 number for a user. You
can use the Email Address page on the user's mailbox in the EAC to add a primary or secondary E.164 number.
You can't use the UM Mailbox page in the EAC to add a primary or secondary E.164 number.
You can view the primary and secondary E.164 numbers for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you add an E.164 number using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to add. To determine the position, use the $mbx.EmailAddresses command. The first proxy address
in the list will be 0.
$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses.Item(2)="eum:+14255550123;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Remove an E.164 number
2/28/2019 • 3 minutes to read
When you enable a user for UM and link them to an E.164 dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains the E.164 number for the user. The extension number
is used when the user calls in to an Outlook Voice Access number.
You can remove the primary E.164 number that was added when the user was enabled for UM or a secondary
E.164 number that was added later, along with the EUM proxy addresses for the user. The primary E.164 number
you added when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional
E.164 numbers you added will be listed as secondary EUM proxy addresses. When an E.164 number is removed,
callers can no longer leave voice mail for the user at the E.164 number that was removed.
If you remove the primary E.164 number, UM won't be able to send voice mail to the user's mailbox and call
answering rules won't be processed. After you remove the primary E.164 number, the EUM proxy address for the
user will be listed as Null on the user's mailbox in the EAC and when you run the Get-Mailbox cmdlet in
Exchange Online PowerShell. Also, when you run the Get-UMMailbox cmdlet, the Extensions, PhoneNumber,
and CallAnsweringRulesExtensions parameters will be blank or null.
You can use the EAC or Exchange Online PowerShell to remove a primary or a secondary E.164 number for a user.
You can use the Email Address page on the user's mailbox in the EAC to remove a primary or a secondary E.164
number. You can't use the UM Mailbox page in the EAC to remove a primary or secondary E.164 number.
You can view the primary and secondary E.164 numbers for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.
NOTE
Before you remove an E.164 number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to modify. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address in the list will be 0.
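The position lookup that the notes for changing, adding and removing an E.164 number call for can be scripted, so that an .Item(n) assignment is checked against the list before it is written and cannot overwrite an SMTP or extension entry by mistake. This is an added example, not part of the original documentation; the function names Get-EumProxyPosition and Test-EumE164Position and the sample address list are constructed for illustration.

```powershell
# Added example (not from the original documentation).
# Lists every EUM proxy address with its zero-based position in the
# EmailAddresses collection, which is the index that .Item(n) expects.
function Get-EumProxyPosition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$EmailAddresses
    )

    $eumOrder = 0
    for ($i = 0; $i -lt $EmailAddresses.Count; $i++) {
        # EUM proxy addresses have the form eum:<number>;phone-context=<dial plan>
        if ($EmailAddresses[$i] -match '^eum:(?<number>[^;]+);phone-context=(?<context>.+)$') {
            # Copy the captures before the next -match overwrites $Matches.
            $number  = $Matches['number']
            $context = $Matches['context']
            [pscustomobject]@{
                Position     = $i          # index in the whole list
                EumOrder     = $eumOrder   # index among EUM entries only
                Number       = $number
                PhoneContext = $context
                # E.164: leading +, no leading zero, at most 15 digits.
                IsE164       = [bool]($number -match '^\+[1-9][0-9]{1,14}$')
            }
            $eumOrder++
        }
    }
}

# Returns $true only when the given position holds an EUM proxy address
# that carries an E.164 number (not an extension, not an SMTP address).
function Test-EumE164Position {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$EmailAddresses,
        [Parameter(Mandatory)][int]$Position
    )
    $entry = Get-EumProxyPosition -EmailAddresses $EmailAddresses |
        Where-Object { $_.Position -eq $Position }
    return [bool]($entry -and $entry.IsE164)
}

# Constructed sample list; against a live mailbox pass $mbx.EmailAddresses
# from "$mbx = Get-Mailbox tony.smith" instead.
$sample = @(
    'SMTP:tony.smith@contoso.com',
    'eum:+14255550123;phone-context=MyE.164DialPlan.contoso.com',
    'eum:50123;phone-context=MyE.164DialPlan.contoso.com',
    'smtp:tsmith@contoso.com'
)

Get-EumProxyPosition -EmailAddresses $sample | Format-Table -AutoSize

# Guard a planned change: only proceed when the target index is an E.164 entry.
foreach ($position in 0..($sample.Count - 1)) {
    '{0}: safe to edit as E.164 entry = {1}' -f $position,
        (Test-EumE164Position -EmailAddresses $sample -Position $position)
}
```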
This topic describes the client features that give users who are enabled for Exchange Unified Messaging (UM)
access to the email and voice mail messages in their mailbox. These features let you offer your users simplified
access to voice mail and email and an improved overall user experience.
Forwarding calls
A UM-enabled user can create and configure call answering rules using Outlook or Outlook Web App. Call
answering rules let users control how their incoming calls should be handled. The rules are applied to incoming
calls similar to the way Inbox rules are applied to incoming email messages, and are stored along with other voice
settings in the user's mailbox. Up to nine call answering rules can be set up for each UM-enabled mailbox. These
rules are independent of the Inbox rules and don't take up part of the user's Inbox rules storage quota. For details,
see Allow voice mail users to forward calls.
Enable inbound faxing on the UM dial plan linked to the users by setting the Allowfax parameter to $true.
Enable inbound faxing for the users by setting the FaxEnabled parameter to $true.
Set the partner fax server URI to allow inbound faxing.
Configure authentication between the Mailbox server and the fax partner server.
Setting up Outlook Voice Access
2/28/2019 • 9 minutes to read
Microsoft Outlook Voice Access lets users who are enabled for Exchange Unified Messaging (UM) access their
mailboxes by using analog, digital, or cellular telephones.
An Outlook Voice Access user (also called a subscriber) is a user in an organization who's enabled for Unified
Messaging. Subscribers use Outlook Voice Access to access their mailboxes by telephone to retrieve email, voice
mail messages, personal contacts, and calendar information.
The following section includes scenarios that describe the VUI functionality.
NOTE
If a Mailbox server running the Microsoft Exchange Unified Messaging service encounters a corrupted calendar item
in a user's mailbox, it will fail to read the item, return the caller to the Outlook Voice Access main menu, and skip
reading any additional meetings that may be scheduled for the rest of the day.
Access voice mail: An Outlook Voice Access user places a call to an Outlook Voice Access number from a
telephone and wants to access voice mail. The voice prompt says, "Welcome. You're connected to Microsoft
Exchange. To access your mailbox, please enter your extension. To contact someone, press the pound key."
After the user enters a mailbox extension number, the voice prompt says, "Please enter your PIN and press
the pound key." After the user enters a PIN, the voice prompt says, "You have two new voice mails, 10 new
email messages, and your next meeting is at 10:00 A.M. Please say voice mail, email, calendar, personal
contacts, directory, or personal options." The user says "Voice mail," and the voice mail system reads the
message header and then the name, subject, time, and priority for the voice messages that are in the user's
mailbox.
NOTE
If speech recognition is enabled, users can access their UM-enabled mailbox using speech input. Subscribers can also
use touchtone, also known as dual tone multi-frequency (DTMF), by pressing 0. Speech recognition isn't enabled for
PIN input.
Locate a user in the directory: An Outlook Voice Access user places a call to an Outlook Voice Access
number from a telephone and wants to locate a person in the directory by spelling their email alias. The
voice prompt says, "Welcome. You're connected to Microsoft Exchange. To contact someone, press the
pound key." The user presses the pound key, and then uses touchtone inputs to spell the SMTP address of
the person.
NOTE
The directory search feature with an Outlook Voice Access number isn't speech-enabled. Users can spell the name of
the person they want to contact only by using touchtone inputs.
IMPORTANT
In some companies (especially in East Asia), office telephones may not have letters on the keys of the telephone. This
makes the spell-the-name feature that uses the touchtone interface almost impossible to use without a working
knowledge of the key mappings. By default, Unified Messaging uses the E.161 key mapping. For example, 2=ABC,
3=DEF, 4=GHI, 5=JKL, 6=MNO, 7=PQRS, 8=TUV, 9=WXYZ.
When inputting a combination of letters and numbers, for example, Mike1092, the numeric digits are
mapped to themselves. For an email alias of Mike1092 to be entered correctly, the user must press the
numbers 64531092. Also, for characters other than A-Z and 0-9, there isn't a telephone key equivalent.
Therefore, these characters shouldn't be entered. For example, the email alias jim.wilson would be entered
as 546945766. Even though there are 10 characters to be input, the user enters only 9 digits because there's
no digit equivalent for the period (.).
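The E.161 spelling rules above can be checked ahead of time for a whole alias list, which also shows which aliases produce the same digit string and will therefore be offered to the caller as a list to choose from. This is an added example, not part of the original documentation; the function names ConvertTo-E161Digits and Get-E161Collision and every alias other than Mike1092 and jim.wilson are constructed.

```powershell
# Added example (not from the original documentation).
# E.161 letter groups exactly as listed in the text above.
$E161Groups = @{
    '2' = 'ABC'; '3' = 'DEF'; '4' = 'GHI'; '5' = 'JKL'
    '6' = 'MNO'; '7' = 'PQRS'; '8' = 'TUV'; '9' = 'WXYZ'
}

# Invert the groups into a letter -> digit lookup once.
$E161Lookup = @{}
foreach ($digit in $E161Groups.Keys) {
    foreach ($letter in $E161Groups[$digit].ToCharArray()) {
        $E161Lookup[[string]$letter] = $digit
    }
}

# Converts an email alias to the key presses a caller has to enter.
function ConvertTo-E161Digits {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Alias
    )
    $digits = [System.Text.StringBuilder]::new()
    foreach ($ch in $Alias.ToUpperInvariant().ToCharArray()) {
        $key = [string]$ch
        if ($key -match '^[0-9]$') {
            [void]$digits.Append($key)                # digits map to themselves
        }
        elseif ($E161Lookup.ContainsKey($key)) {
            [void]$digits.Append($E161Lookup[$key])   # A-Z map to 2-9
        }
        # Any other character (period, hyphen, underscore) has no key
        # equivalent and is skipped, as the text describes.
    }
    $digits.ToString()
}

# Groups aliases by digit string and returns only the ambiguous ones.
function Get-E161Collision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Alias
    )
    $Alias |
        Group-Object -Property { ConvertTo-E161Digits -Alias $_ } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Digits  = $_.Name
                Aliases = $_.Group -join ', '
            }
        }
}

# Constructed alias list; the first two come from the text above.
$aliases = 'Mike1092', 'jim.wilson', 'kim.wilson', 'jimwilson', 'tony.smith'

$aliases | ForEach-Object {
    [pscustomobject]@{ Alias = $_; Digits = ConvertTo-E161Digits -Alias $_ }
} | Format-Table -AutoSize

Get-E161Collision -Alias $aliases | Format-Table -AutoSize
```

For Mike1092 and jim.wilson the function returns the digit strings given in the text; kim.wilson and jimwilson collide with jim.wilson because J and K share key 5 and the period is dropped.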
Choosing a language
Users can't change the language that Outlook Voice Access uses to speak to them and that they use when they
reply to it. The voice mail system tries to find and use the best match for the language the user chose when they
signed in to Microsoft Outlook Web App or the language they chose on the regional settings in Outlook Web App.
If the language they chose isn't supported by Outlook Voice Access, the voice mail system will use the same
language that callers hear when they're prompted to leave a voice message.
NOTE
You can use only Exchange Online PowerShell to modify the Outlook Voice Access TUI settings for UM-enabled mailboxes or
UM mailbox policies.
UM mailbox policy settings: You can disable users' access to the following Outlook Voice Access features on a
UM mailbox policy:
Automatic Speech Recognition
PIN-less access to voice mail
Voice responses to other messages
TUI access to their calendar
TUI access to the directory
TUI access to their email
TUI access to their personal Contacts
UM-enabled mailbox settings: You can disable a user's access to the following Outlook Voice Access features
on the user's mailbox:
TUI access to the calendar
TUI access to email
Automatic Speech Recognition
You can prevent users from receiving voice mail, but let them retain the ability to access their mailbox using
Outlook Voice Access. You can enable a user for UM and configure the user's mailbox with an extension number
that isn't currently being used by another user in the organization.
Outlook Voice Access commands
2/28/2019 • 7 minutes to read
Outlook Voice Access lets Unified Messaging (UM)-enabled users access their mailbox using analog, digital, or
mobile telephones. Using the menu system found in Outlook Voice Access, UM-enabled users can read email,
listen to voice messages, interact with their Outlook calendar, access their personal contacts, and manage personal
options such as configuring their Outlook Voice Access PIN or recording their voice mail messages. This topic
contains a list of the Outlook Voice Access commands and how users can use them when they access their mailbox
by calling an Outlook Voice Access number.
"Call sender" | 00 followed by 2 | Places a call to the user who sent the current email or voice mail message.
"Delete conversation" | 00 followed by 77 | Deletes all the email messages that are associated with an email conversation. Available only for email.
IMPORTANT
If you need to access an email message after you delete it using Outlook Voice Access, you can use Outlook Web App or
Outlook to move the email message back into the appropriate folder from the Deleted Items folder. You can't use Outlook
Voice Access to access the Deleted Items folder.
Outlook Voice Access is a feature in Unified Messaging (UM) that enables users to retrieve email and voice mail
messages and manage their calendar and personal contacts by using an analog, digital, or mobile telephone. They
can interact with their mailbox using their telephone keypad or voice commands, but must use the keypad on their
telephone to search for a user in the directory for your organization.
When UM-enabled users call in to an Outlook Voice Access number, they can sign in to their mailbox using a
telephone and are presented with a series of voice prompts. These voice prompts help them navigate the voice mail
system menus and enable them to access their mailbox. Outlook Voice Access lets users do the following:
Retrieve, listen to, reply to, create, and forward voice or email messages.
Listen to or change calendar information.
Change personal options, such as a PIN, or call or send a voice message to a personal contact.
An Outlook Voice Access number is assigned to a user when they're enabled for UM. The user can find an Outlook
Voice Access number to access their mailbox in the welcome message that's sent to them when they're enabled for
UM or by signing in to their mailbox using Outlook Web App, going to Options > Telephone, and locating the
Outlook Voice Access number or numbers in the Outlook Voice Access section.
After a user enters their extension number and PIN, the voice mail system will let them know how many new voice
mail and email messages they have and when their next meeting is. After the voice mail system has played this
prompt, an Outlook Voice Access main menu will be read to the user and the user can say one of the following:
Voice mail
Email
Calendar
Personal options
To listen to email messages using the telephone keypad, users must dial an Outlook Voice Access number, enter
their extension number and PIN, and then do the following:
1. Press 2 to access their email.
2. The voice mail system will read the name, subject, time, and priority of the first unread email message.
3. The user can then press one of the following options:
Pound (#) key to mark the message as Read and go to the next email message.
9 to keep the message marked as Unread and go to the next message.
33 to jump to the end of the message.
7 to delete the message.
This process is shown in the following figure.
To listen to email messages and then reply using the telephone keypad, users must do the following:
1. Press 2.
2. Press # repeatedly until they reach the email message to which they want to reply.
3. Listen to the message or press 33 to go to the end of the message.
4. Press one of the following:
8 to reply to the sender.
88 to reply to the sender and all other recipients.
6 to forward the message to another user or group.
5. Record a reply, and then press #. To accept the reply message and send it, press 1.
This process is shown in the following figure.
To listen to an email message and then go to the next unread message using the telephone keypad, users must do
the following:
1. Press 2.
2. Press ## to listen to the next unread message. Press 9 to mark the message as Unread.
This process is shown in the following figure.
To listen to email messages and flag messages for follow-up using the telephone keypad, users must do the
following:
1. Press 2.
2. Press # repeatedly until they reach the email message that they want to flag for follow-up. Press 9 to mark
the message as Unread.
3. Listen to the message or press 33 to go to the end of the message.
4. Press 0 (zero) twice to access more options.
5. Press 44 to flag the message for follow-up.
This process is shown in the following figure.
Hide a conversation
To listen to email messages and hide a conversation so that the voice mail system will not continue to read other
email messages that are in the same email conversation using their voice, users must do the following:
1. Say "Email."
2. Say "Next message" repeatedly until they reach the email message that they want. Say "Mark unread" to
mark the message as Unread.
3. Listen to the message or say "End" to go to the end of the message.
4. Say "Hide" or "Hide conversation" to hide the conversation. The next email message from a different
conversation will be read.
This process is shown in the following figure.
To listen to email messages and hide a conversation so that the voice mail system will not continue to read other
email messages that are in the same email conversation using the telephone keypad, users must do the following:
1. Press 2.
2. Press # repeatedly until they reach the email message that they want to hide. Press 9 to mark the message
as Unread.
3. Listen to the message or press 33 to go to the end of the message.
4. Press 99 to hide the conversation. The next email message from a different conversation will be read.
This process is shown in the following figure.
NOTE
When a conversation is hidden, it is hidden only for the current session. If users sign out and then sign in to their mailbox
again, the voice mail system will read email messages that are in the same conversation.
To send an I'll be late message to meeting participants using the telephone keypad, users must dial an Outlook
Voice Access number, enter their extension number and PIN, and then do the following:
1. Press 3 to access their calendar.
2. Listen to the meeting requests to locate the meeting for which to send an I'll be late message.
3. After the meeting request has been read, press 3.
4. The voice mail system asks, "How late?" Enter 10 on the telephone keypad.
Cancel a meeting
To cancel a meeting, the user must be the meeting organizer. To cancel the meeting using their voice, meeting
organizers must do the following:
1. Say "Calendar for today."
2. Listen to the meeting requests to locate the meeting to cancel.
3. After the meeting request has been read, say "Cancel meeting."
4. Confirm the meeting cancellation by saying "Yes."
5. If the meeting organizer chooses to send a voice message, they can then say "Yes," record the message, and
then say "Send it."
This process is shown in the following figure.
To cancel a meeting, the user must be the meeting organizer. To cancel the meeting using the telephone keypad,
meeting organizers must do the following:
1. Press 3.
2. Listen to the meeting requests to locate the meeting to cancel.
3. Press 7 to cancel the meeting.
4. If the meeting organizer chooses to send a voice message, they can then press one of the following options:
pound key to stop recording the message.
1 to accept the recorded message.
This process is shown in the following figure.
Clear a calendar
To clear their calendar using their voice, users must do the following:
1. Say "Calendar for today."
2. Say "Clear my calendar."
3. Enter the time or the number of days to be cleared.
4. The voice mail system asks whether they want to attach a recorded voice message. If so, say "Yes," record
the message, and then say "Send it." If not, say "No."
This process is shown in the following figure.
To clear their calendar using the telephone keypad, users must do the following:
1. Press 3.
2. Press 00 to go to the More Options menu.
3. Press 77 to clear their calendar.
4. Enter the number of hours to clear from the calendar.
5. If users choose to send a voice message, they can do one of the following:
Press # to not send a voice message.
Record the voice message when prompted, press # to stop recording the message, and then press 1 to
accept the recorded message.
This process is shown in the following figure.
To accept a meeting request using the telephone keypad, users must do the following:
1. Press 2 to access their email.
2. Listen to the email message that contains a meeting request.
3. Press 4 to accept the meeting request.
This process is shown in the following figure.
To reply to a meeting request using the telephone keypad, users must do the following:
1. Press 3.
2. Listen to the meeting requests to locate the meeting request to reply to.
3. Press 00 for more options.
4. Press 8 to reply to the meeting organizer.
5. Record a message, and then press #.
6. Press 1 to accept the recording and send the message.
This process is shown in the following figure.
NOTE
When users access the Personal Options menu, they must use the telephone keypad.
NOTE
When users change their telephone greeting, they are also given the option to turn on or off their email automatic reply
message.
To locate and send a voice message to another UM-enabled user using the telephone keypad, users must do the
following:
1. Press 4 to search for a contact.
2. Press 00 to locate the person in the directory.
3. Use the telephone keypad to spell the name of the person to locate.
4. Select the correct person from the list.
5. Press 3 to send a voice message to the person.
6. Record the voice message, and then press # to stop recording.
7. Press 1 to accept the voice message and send it.
This process is shown in the following figure.
Change a PIN
To change their PIN using their voice, users must do the following:
1. Say "Personal options."
2. Press 3 to change the PIN.
3. Enter the new PIN, and then press #.
4. Press # to confirm the new PIN.
This process is shown in the following figure.
To change their PIN using the telephone keypad, users must do the following:
1. Press 6 to access personal options.
2. Press 3 to change the PIN.
3. Enter the new PIN, and then press #.
4. Press # to confirm the new PIN.
This process is shown in the following figure.
Play on Phone
2/28/2019 • 3 minutes to read
After a voice mail message arrives, users can choose either to listen to the voice mail message through their
computer speakers or headphones or to use the Play on Phone feature. The Play on Phone feature is included with
Microsoft Outlook and Outlook Web App, and settings for Play on Phone are available in the Play on phone
section under Voice mail options. This topic discusses how a Unified Messaging (UM)-enabled user can use the
Play on Phone feature.
NOTE
Only one voice message can be played at a time. If the user tries to start a second Play on Phone call while a previous call is
still in progress, an error message will appear.
NOTE
To enable users who are using the Play on Phone feature to dial an external telephone number without using an outside line
access code, for example 425-555-1234 instead of 9-425-555-1234, configure in-country/region dialing rules on a UM dial
plan that include the following line: group1, 9xxxxxxxxxx, 91xxxxxxxxxx. After you've configured the in-country/region dialing
rules, add this list to the UM mailbox policy.
You can enable or disable access to Outlook Voice Access for UM-enabled users who are associated with a Unified
Messaging (UM) mailbox policy. Outlook Voice Access is a feature used by UM-enabled users to access their
mailbox over a phone. By default, this setting is enabled.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
This example prevents users who are associated with the UM mailbox policy MyUMMailboxPolicy from using
Outlook Voice Access.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowSubscriberAccess $false
Configure an Outlook Voice Access number
2/28/2019 • 2 minutes to read
An Outlook Voice Access number lets a user who is enabled for Unified Messaging (UM) and voice mail access
their mailbox using Outlook Voice Access. When you configure an Outlook Voice Access or subscriber access
number on a dial plan, UM-enabled users can call in to the number, sign in to their mailbox, and access their email,
voice mail, calendar, and personal contact information.
By default, when you create a UM dial plan, an Outlook Voice Access number isn't configured. To configure an
Outlook Voice Access number, you first need to create the dial plan, and then configure an Outlook Voice Access
number under the dial plan's Outlook Voice Access option. Although an Outlook Voice Access number isn't
required, you need to configure at least one Outlook Voice Access number to enable a UM-enabled user to use
Outlook Voice Access to access their mailbox. You can configure multiple Outlook Voice Access numbers for a
single dial plan.
Outlook Voice Access numbers can contain alphabetical, numeric, and special characters, separators, and spaces.
For example:
+14255551010
+1-425-555-1010
4255551010
+1 425 555 1010
1-800-555-CALL
For more information about the menu options available for Outlook Voice Access users, see the Quick Reference
Guide for Outlook Voice Access, which is available from the Microsoft Download Center.
For additional management tasks related to UM dial plans, see Dial Plan Procedures.
Outlook Voice Access contains two interfaces: the telephone user interface (TUI) and the voice user interface (VUI).
By default, when users dial in to Outlook Voice Access, they can access their calendar, email, and personal contacts,
and search the directory. You can use Exchange Online PowerShell to prevent users from accessing one or more of
these features when they use Outlook Voice Access to access their mailbox. When you modify Outlook Voice
Access features on a Unified Messaging (UM) mailbox policy, your changes affect all users who are associated with
the UM mailbox policy.
You can disable users' access to the following Outlook Voice Access features on a UM mailbox policy:
Calendar
Directory
Email
Personal contacts
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
You can also use Exchange Online PowerShell to disable Outlook Voice Access features on the mailbox of a single
UM-enabled user. When you do this, the features will be disabled only for that user. Although you can't disable all
the Outlook Voice Access features that are found on a UM mailbox policy for a single user, you can disable access
to their calendar and to their email.
For additional management tasks related to UM mailboxes, see Voice mail for users.
NOTE
You can use only Exchange Online PowerShell to modify the Outlook Voice Access features for UM-enabled users on a UM
mailbox policy or on the mailbox of a single UM-enabled user.
This example prevents users associated with the UM mailbox policy named MyUMMailboxPolicy from accessing the
directory when they dial in to Outlook Voice Access.
This example prevents users associated with the UM mailbox policy named MyUMMailboxPolicy from accessing
their email when they dial in to Outlook Voice Access.
This example prevents users associated with the UM mailbox policy named MyUMMailboxPolicy from accessing
personal contacts when they dial in to Outlook Voice Access.
This example disables access to email on a UM mailbox named tony@contoso.com when the user dials in to
Outlook Voice Access.
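Before disabling features one by one, it helps to see which Outlook Voice Access features each UM mailbox policy currently leaves enabled. The following is an added example, not Microsoft's code and not part of the original documentation: the function name Get-OvaFeatureExposure and the sample policy objects are constructed, and the parameter names other than AllowSubscriberAccess are taken from the Set-UMMailboxPolicy cmdlet reference rather than from this page.

```powershell
# Added example (not from the original documentation).
# Outlook Voice Access features named in the text, mapped to the
# Set-UMMailboxPolicy parameter that controls each one.
$OvaPolicyParameters = [ordered]@{
    'Outlook Voice Access (subscriber access)' = 'AllowSubscriberAccess'
    'Automatic Speech Recognition'             = 'AllowAutomaticSpeechRecognition'
    'PIN-less access to voice mail'            = 'AllowPinlessVoiceMailAccess'
    'Voice responses to other messages'        = 'AllowVoiceResponseToOtherMessageTypes'
    'TUI access to calendar'                   = 'AllowTUIAccessToCalendar'
    'TUI access to directory'                  = 'AllowTUIAccessToDirectory'
    'TUI access to email'                      = 'AllowTUIAccessToEmail'
    'TUI access to personal contacts'          = 'AllowTUIAccessToPersonalContacts'
    'Play on Phone'                            = 'AllowPlayOnPhone'
}

# Emits one row per policy and feature. For enabled features the row carries
# the command that would disable it; nothing is changed by this function.
function Get-OvaFeatureExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        # Escape apostrophes so the generated command stays a valid literal.
        $name = ([string]$Policy.Name).Replace("'", "''")
        foreach ($entry in $OvaPolicyParameters.GetEnumerator()) {
            $parameter = $entry.Value
            $property  = $Policy.PSObject.Properties[$parameter]

            # A missing property means the input is not a UM mailbox policy
            # (or the value was not returned): report it instead of guessing.
            $enabled = if ($null -eq $property) { $null } else { [bool]$property.Value }
            $command = if ($enabled) {
                "Set-UMMailboxPolicy -Identity '$name' -$parameter `$false"
            }

            [pscustomobject]@{
                Policy         = $Policy.Name
                Feature        = $entry.Key
                Parameter      = $parameter
                Enabled        = $enabled
                DisableCommand = $command
            }
        }
    }
}

# Constructed sample objects standing in for Get-UMMailboxPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        Name                                  = 'MyUMMailboxPolicy'
        AllowSubscriberAccess                 = $true
        AllowAutomaticSpeechRecognition       = $true
        AllowPinlessVoiceMailAccess           = $true
        AllowVoiceResponseToOtherMessageTypes = $true
        AllowTUIAccessToCalendar              = $true
        AllowTUIAccessToDirectory             = $true
        AllowTUIAccessToEmail                 = $true
        AllowTUIAccessToPersonalContacts      = $true
        AllowPlayOnPhone                      = $true
    },
    [pscustomobject]@{
        Name                                  = 'RestrictedPolicy'
        AllowSubscriberAccess                 = $true
        AllowAutomaticSpeechRecognition       = $false
        AllowPinlessVoiceMailAccess           = $false
        AllowVoiceResponseToOtherMessageTypes = $false
        AllowTUIAccessToCalendar              = $true
        AllowTUIAccessToDirectory             = $false
        AllowTUIAccessToEmail                 = $false
        AllowTUIAccessToPersonalContacts      = $false
        AllowPlayOnPhone                      = $false
    }
)

# Against a live tenant: Get-UMMailboxPolicy | Get-OvaFeatureExposure
$samplePolicies | Get-OvaFeatureExposure |
    Where-Object Enabled |
    Format-Table Policy, Feature, DisableCommand -AutoSize -Wrap
```

Review the generated commands before running any of them, because a change to a UM mailbox policy affects every user associated with that policy.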
Outlook Voice Access contains two interfaces: a telephone user interface (TUI) and a voice user interface (VUI). You
can configure a UM-enabled user's TUI settings when the user accesses a mailbox using the Unified Messaging
(UM) system in Exchange Server. When you modify a UM-enabled user's TUI settings on a UM mailbox policy, the
changes affect all users who are associated with the UM mailbox policy. You can modify the following TUI settings
on a UM mailbox policy:
PIN-less access to voice mail
Voice responses to other messages
TUI access to their calendar
TUI access to the directory
TUI access to their email
TUI access to their personal contacts
NOTE
You can use only Exchange Online PowerShell to modify the Outlook Voice Access TUI settings for UM-enabled users.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
Telephone user interface (TUI) settings are used when a user accesses the Unified Messaging (UM) system by
using Outlook Voice Access. When you modify a UM-enabled user's TUI configuration settings, you modify
properties and their values on the UM-enabled user's mailbox.
You can change the following TUI settings for a UM-enabled user:
Allow subscriber access
Allow TUI access to the calendar
Allow TUI access to email
Allow Automatic Speech Recognition
For additional management tasks related to UM users, see Set mailbox features for an Outlook Voice Access user.
You can configure Automatic Speech Recognition (ASR) for a user who's enabled for Unified Messaging (UM) and
voice mail. When ASR is enabled on the mailbox of an Outlook Voice Access user, the user can move through the
mailbox menus using voice commands. ASR is enabled by default. If ASR is disabled, the user must use dual tone
multi-frequency (DTMF), also known as touchtone, inputs to move through the menus.
NOTE
You can't use the EAC to configure this feature. You must use Exchange Online PowerShell to enable or disable ASR for a
voice mail user.
For additional management tasks related to UM or voice mail users, see Voice mail-enabled user procedures.
You can enable an informational announcement on a Unified Messaging (UM) dial plan. Informational
announcements are used for general announcements that change more frequently than the welcome greeting
does, or for announcements that are required by corporate compliance policies.
By default, callers, including Outlook Voice Access users who dial in to an Outlook Voice Access number that's
been configured, don't hear an informational announcement. If you want one to be played, you must create a .wav
or .wma file to use for the informational announcement after you create a UM dial plan, and then enable the
informational announcement on the dial plan.
When it's important that the whole informational announcement is heard, you can configure the announcement to
be uninterruptible. This prevents a caller from pressing a key or speaking a command to interrupt and stop the
announcement.
For more information about the menu options that are available for Outlook Voice Access users, see the Quick
Reference Guide for Outlook Voice Access, which is available from the Microsoft Download Center.
For additional management tasks related to UM dial plans, see Dial Plan Procedures.
5. After you've located the file, click Open, and then click Save.
By default, each Unified Messaging (UM) dial plan uses a standard .wav file for the welcome greeting that's played
to callers, including Outlook Voice Access users who dial in to an Outlook Voice Access number that's been
configured. However, you can create a .wav or .wma file for the welcome greeting, and then enable it on the UM
dial plan.
For example, you might want to change the default welcome greeting and instead provide a welcome greeting
that's specific to your company, such as "Welcome to Outlook Voice Access for Woodgrove Bank." To do this, you
record the customized welcome greeting and save it as a .wav or .wma file. Then you configure the dial plan to use
the customized welcome greeting.
For more information about the menu options available for Outlook Voice Access users, see the Quick Reference
Guide for Outlook Voice Access, which is available from the Microsoft Download Center.
For additional management tasks related to UM dial plans, see Dial Plan Procedures.
IMPORTANT
The file you use for the welcome greeting must be a .wav or .wma file.
5. After you've located the file, click Open, and then click Save.
You can enable or disable the Play on Phone feature for users associated with a Unified Messaging (UM) mailbox
policy. This option is enabled by default and allows users to play their voice mail messages over any phone. This
option isn't available to UM-enabled users who have a mailbox on a Microsoft Exchange Server 2007 server.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
This example disables the Play on Phone feature for users who are associated with the UM mailbox policy
MyUMMailboxPolicy.
You can enable Outlook Voice Access users to send voice mail messages to other UM-enabled users who are
associated with the same dial plan, or prevent them from doing so.
By default, this setting is enabled. If you disable this setting, Outlook Voice Access users that call into an Outlook
Voice Access number won't be able to send voice messages to users within the same dial plan.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.
Use the EAC to enable or prevent Outlook Voice Access users sending
voice messages to users in the same dial plan
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Transfer & search, under Allow callers to, select Leave voice messages without ringing a user's
phone to allow sending voice messages. If you want to prevent sending voice messages for users, clear this
setting.
5. Click Save.
This example prevents Outlook Voice Access users associated with the UM dial plan named MyUMDialPlan from
sending voice messages to users associated with the same dial plan.
You can enable Outlook Voice Access users to transfer calls to a user who's associated with a Unified Messaging
(UM) dial plan, or prevent them from doing so. By default, both this option and the Leave voice messages
without ringing a user's phone option are enabled, so that Outlook Voice Access users can transfer calls to users
in the same UM dial plan and leave voice messages for them. This setting only applies to Outlook Voice Access
users who have entered their PIN and are authenticated.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.
Use the EAC to enable or prevent Outlook Voice Access users from
transferring calls
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan that
you want to change, and then click Edit.
2. On the UM Dial Plan page, click Configure.
3. In transfer & search, under Allow callers to, select the check box next to transfer to users to enable
callers to transfer calls to other users within the dial plan. If you want to prevent Outlook Voice Access users
from transferring calls to users, clear this check box.
4. Click Save.
This example prevents Outlook Voice Access users from transferring calls to users in the same dial plan on a UM
dial plan named MyUMDialPlan.
You can specify which users can receive transferred calls or voice mail messages from Outlook Voice Access users.
By default, the In this dial plan only option is selected. You can change this setting to allow Outlook Voice Access
users to transfer calls or send voice messages to users located in the entire organization, to an existing UM auto
attendant, or to a specific extension number.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.
Use the EAC to configure the group of users that Outlook Voice Access
users can contact
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Transfer & search, under Allow callers to search for users by name or alias, select one of the
following options:
In this dial plan only: Use this option to allow Outlook Voice Access users who call in to an Outlook Voice
Access number to locate and contact users who are within the same dial plan.
In the entire organization: Use this option to allow Outlook Voice Access users who call in to an Outlook
Voice Access number to locate and contact anyone in the entire organization. This includes all users who are
mailbox-enabled.
Only on this auto attendant: Use this option to allow Outlook Voice Access users who call in to an
Outlook Voice Access number to connect to a specific auto attendant. You must create the auto attendant
before you specify it here. This allows Outlook Voice Access users to be transferred to another auto
attendant. The auto attendant you choose here can be a speech-enabled or non-speech-enabled auto
attendant.
Only for this extension: Use this option to allow Outlook Voice Access users to connect to an extension
number that you specify. You can use only numeric digits for the extension. The number of digits that you
define in this field must match the number of digits in the extension numbers that are configured on the UM
dial plan.
5. Click Save.
This example sets the group of users that Outlook Voice Access users can contact for a UM dial plan named
MyUMDialPlan to the DialPlan.
When you create a Unified Messaging (UM) dial plan, you can configure the primary and secondary ways that
callers can search for names to locate a user when they call an Outlook Voice Access number or a UM auto
attendant that's associated with the dial plan. Callers can use touchtone inputs to locate a UM-enabled user.
NOTE
None isn't an available option for the primary way callers can search for names. When None is selected for the secondary
way they can search for names, only the primary way will be available to callers. If you configure both the primary and
secondary ways that callers can search for names, they will be prompted for both ways.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
This example sets the primary dial by name method to LastFirst. This enables callers who call the Outlook Voice
Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by their last
and then first name.
This example sets the primary dial by name method to SMTP address. This enables callers who call the Outlook
Voice Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by
their SMTP address.
When you create a dial plan, you can configure the primary and secondary dial by name methods or ways that
callers can search for names. Callers use these dial by name methods to look up names to locate and contact a
user when they call in to an Outlook Voice Access number or when they call in to a UM auto attendant that's
associated with the dial plan. Callers can use touchtone inputs to locate a UM-enabled user.
NOTE
If None is selected as the secondary way for callers to search for names, only the primary way of searching for names will be
available to callers who want to locate users. If you configure both the primary and secondary ways that callers can search
for names, callers will be prompted for both ways.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
This example sets the secondary dial by name method to LastFirst. This enables callers who call the Outlook
Voice Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by
their last and then first name.
This example sets the secondary dial by name method to SMTP address. This enables callers who call the Outlook
Voice Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by
their SMTP address.
This example sets the secondary dial by name method to None and the primary dial by name method to
SMTP address. This enables callers who call the Outlook Voice Access number or a UM auto attendant associated
with the dial plan to search for a UM-enabled user by their SMTP address only.
You can specify the number of sequential unsuccessful sign-in attempts that are allowed before a caller is
disconnected. The value of this setting can be from 1 through 20. Setting this value too low can frustrate users. For
most organizations, this value should be set to the default of three attempts.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
Use the EAC to configure the number of sign-in failures before users
are disconnected
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Number of sign-in failures before disconnecting, enter the number of sign-in
failures.
5. Click Save.
You can configure the number of times that users who call in to an Outlook Voice Access number can enter
incorrect data before they're disconnected. This setting applies to both Outlook Voice Access users and
unauthenticated callers who use directory search.
The following are examples of types of data that are considered incorrect:
A caller requests an extension number that isn't found in the system.
The system can't locate the user's extension number to transfer the call.
A caller presses a menu option that isn't valid.
The value of this setting can be from 1 through 20. For most organizations, this value should be set to the default
of three attempts. Setting this value too low may prematurely disconnect callers.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.
The Limit on personal greetings (minutes) setting enables you to enter the maximum number of minutes that
users associated with the Unified Messaging (UM) mailbox policy can use to record their voice mail greetings. This
setting applies to both their standard voice mail and their Out of Office voice mail greetings. By default, the
maximum greeting duration is set to 5 minutes. However, you can configure the maximum greeting duration to
any setting between 1 and 10 minutes.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
Some Private Branch eXchange (PBX) and IP PBX telephony systems allow the caller to mark a voice mail message
as private, blocking the intended recipient of the message from forwarding it to others. In integrated voice mail
systems, a voice message can be accessed in multiple ways, which makes it more of a challenge to prevent voice
messages marked private from being exposed to unintended listeners. Unified Messaging (UM) can be configured
to protect voice messages for an organization. This feature is known as Protected Voice Mail.
When a voice message is protected, the recipient is not only blocked from forwarding the message, but UM also
ensures that only the intended recipient or recipients of the message can access its content. Protected voice
messages can be accessed by using Outlook Web App, or Outlook Voice Access.
EMAIL CLIENT | DESCRIPTION
Outlook Web App | Outlook Web App supports Protected Voice Mail messages.
Outlook Voice Access | Outlook Voice Access supports Protected Voice Mail.
Windows Mobile or Windows Phone | Windows Mobile doesn't support Protected Voice Mail. However, Windows Phone 7 and Windows Phone 8 support Protected Voice Mail.
NOTE
For call-answering calls, UM uses the Protected Voice Mail settings on the UM mailbox policy of the intended
recipient of the message, because the caller isn't authenticated.
NOTE
If a caller is authenticated, the Protected Voice Mail settings on the UM mailbox policy that's linked to the caller are
applied, regardless of the UM mailbox policy settings for the intended recipient of the voice message.
Create a Protected Voice Mail message using the voice user interface
Create a Protected Voice Mail message using the telephone user interface
UM mailbox policies
You can create a Unified Messaging mailbox policy to apply a common set of UM policy settings, such as PIN
policy settings, dialing restrictions, and Protected Voice Mail settings, to a collection of UM-enabled mailboxes. To
learn more about UM mailbox policies, see Manage a UM mailbox policy and Protected Voice Mail procedures.
You can use the EAC or the Set-UMMailboxPolicy cmdlet in Exchange Online PowerShell to configure Protected
Voice Mail options. The following table lists the settings that can be configured for Protected Voice Mail.
Protected Voice Mail settings
For more information about how to manage Protected Voice Mail settings, see Protected Voice Mail procedures or
Set-UMMailboxPolicy.
You can configure Unified Messaging to answer an incoming call, and then determine whether it will apply
protection to voice mail messages by using encryption. When a voice message is protected:
The message is marked as Private in Microsoft Outlook and Outlook Web App.
The voice message can be opened only by the intended recipient of the voice message.
The recipient can reply to the voice message, but can't forward it to someone who wasn't included on the
original voice message.
This setting applies to voice messages sent to UM-enabled users when they don't answer their phone. This setting
also applies when callers sign in to their mailbox using Outlook Voice Access, and then create and send a voice
message.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.
You can configure Unified Messaging to answer an incoming call, and then determine whether it will apply
protection to voice mail messages by using encryption. When a voice mail message is protected:
The message is marked as Private in Microsoft Outlook and Outlook Web App.
The voice message can be opened only by the intended recipient of the voice message.
The recipient can reply to the voice message, but can't forward it to someone who wasn't included on the
original voice message.
This setting applies to voice messages sent to UM-enabled users when they don't answer their phone. This setting
also applies to voice messages sent directly to UM-enabled users when the caller uses a UM auto attendant.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.
You can force users who receive protected voice mail messages to use the Play on Phone feature to listen to their
messages. Or, if the client software doesn't support rights management, users must use Outlook Voice Access to
listen to messages.
To listen to voice messages, Unified Messaging (UM)-enabled users can use the Play on Phone feature or use
multimedia software on a computer or mobile device. Multimedia playback allows a UM-enabled user to use a
media player over computer speakers or use a media player on a mobile device to hear the voice message.
NOTE
Protected voice mail is available only on clients that are using a version of Outlook that supports rights management. If the
client software doesn't support rights management, users must use Outlook Voice Access to listen to their calls.
By default, the value of the RequireProtectedPlayOnPhone property on a UM mailbox policy is set to false. This
means that UM-enabled users that are associated with that UM mailbox policy can listen to protected voice
messages by:
Using Outlook Voice Access.
Using the built-in media player or the Play on Phone button in Outlook 2010 or a later version.
Using the built-in media player or the Play on Phone button in Outlook Web App.
If this value is set to true, multimedia playback of protected voice mail isn't allowed. UM-enabled users associated
with a UM mailbox policy on which this value is set to true can listen to protected voice messages only by:
Using Outlook Voice Access.
Using the Play on Phone button in Outlook 2010 or a later version.
Using the Play on Phone button in Outlook Web App.
This setting is especially useful when UM-enabled users use public computers, laptops in public places, or their
mobile device's media player to listen to protected voice mail that can contain private information.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.
This example prevents users who are associated with the UM mailbox policy named MyUMMailboxPolicy from
playing back protected voice messages using a media player.
You can specify the text that will be sent to a user when they receive a protected voice message but their email
client doesn't support Information Rights Management (IRM) or Windows Rights Management.
Protected Voice Mail can be accessed only by email clients that support Windows Rights Management or when a
UM-enabled user uses Outlook Voice Access to access a protected voice message.
Protected Voice Mail is encrypted. When a voice message is protected:
The message is marked as Private in Microsoft Outlook and Outlook Web App.
The voice message can be opened only by the intended recipient of the voice message.
The recipient can reply to the voice message, but can't forward it to someone who wasn't included on the
original voice message.
If a protected voice message is sent to someone whose email client doesn't support Windows Rights Management
and isn't accessing the message using Outlook Voice Access, an email message will be sent to them that includes
the text you specify. This text should include instructions about what the called party should do to be able to
receive the protected voice message.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.
Use EAC to specify the text to display for email clients that don't
support Windows Rights Management
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Protected voice mail, under Message to send to users who don't
have Windows Rights Management support, type the message text in the text box.
4. Click Save.
Use Exchange Online PowerShell to specify the text to display for email
clients that don't support Windows Rights Management
This example specifies the text to display to users associated with the UM mailbox policy named
MyUMMailboxPolicy who have email clients that don't support Windows Rights Management.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -ProtectedVoiceMailText "Your email client software does not support Protected Voice Mail. Please contact the Help Desk."
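The sign-in failure, contact scope and Protected Voice Mail settings described above can be reviewed together. The following read-only audit is an added example, not part of the original documentation. It assumes an Exchange Online PowerShell session in which the UM cmdlets are available; the thresholds, the function names, and the property names LogonFailuresBeforeDisconnect, InputFailuresBeforeDisconnect, ContactScope, ProtectUnauthenticatedVoiceMail and ProtectAuthenticatedVoiceMail do not come from this page.

```powershell
# Added example: read-only audit of UM dial plan and UM mailbox policy settings.
# Nothing is changed; the script only reads configuration and lists findings.

# Baselines. The value 3 is the default the text above recommends for most
# organizations; treating anything higher as a finding is an assumption.
$MaxLogonFailures = 3
$MaxInputFailures = 3

function New-UMFinding {
    # Hypothetical helper: builds one row of the report.
    param(
        [string]$Scope,     # 'DialPlan' or 'MailboxPolicy'
        [string]$Name,      # name of the dial plan or mailbox policy
        [string]$Setting,   # property that was checked
        [string]$Actual,    # value found
        [string]$Note       # why it is listed
    )
    [pscustomobject]@{
        Scope = $Scope; Name = $Name; Setting = $Setting; Actual = $Actual; Note = $Note
    }
}

function Get-UMDialPlanFinding {
    foreach ($dp in Get-UMDialPlan) {
        # PIN guessing: sequential failed sign-ins allowed before disconnect (1-20).
        if ($dp.LogonFailuresBeforeDisconnect -gt $MaxLogonFailures) {
            New-UMFinding -Scope DialPlan -Name $dp.Name `
                -Setting LogonFailuresBeforeDisconnect `
                -Actual $dp.LogonFailuresBeforeDisconnect `
                -Note "Allows more than $MaxLogonFailures failed sign-ins per call"
        }
        # Directory probing: invalid inputs allowed before disconnect (1-20).
        # This also applies to unauthenticated callers who use directory search.
        if ($dp.InputFailuresBeforeDisconnect -gt $MaxInputFailures) {
            New-UMFinding -Scope DialPlan -Name $dp.Name `
                -Setting InputFailuresBeforeDisconnect `
                -Actual $dp.InputFailuresBeforeDisconnect `
                -Note "Allows more than $MaxInputFailures invalid inputs per call"
        }
        # Contact scope wider than the default "In this dial plan only".
        if ("$($dp.ContactScope)" -eq 'GlobalAddressList') {
            New-UMFinding -Scope DialPlan -Name $dp.Name -Setting ContactScope `
                -Actual $dp.ContactScope `
                -Note 'Callers can locate anyone in the entire organization'
        }
    }
}

function Get-UMMailboxPolicyFinding {
    foreach ($mp in Get-UMMailboxPolicy) {
        # Cast to string so the comparison also works on deserialized remote objects.
        $unauth = "$($mp.ProtectUnauthenticatedVoiceMail)"
        $auth   = "$($mp.ProtectAuthenticatedVoiceMail)"
        $isProtected = ($unauth -ne 'None') -or ($auth -ne 'None')

        if ($unauth -eq 'None') {
            New-UMFinding -Scope MailboxPolicy -Name $mp.Name `
                -Setting ProtectUnauthenticatedVoiceMail -Actual $unauth `
                -Note 'Call-answering voice mail is never protected'
        }
        if ($auth -eq 'None') {
            New-UMFinding -Scope MailboxPolicy -Name $mp.Name `
                -Setting ProtectAuthenticatedVoiceMail -Actual $auth `
                -Note 'Voice mail sent from Outlook Voice Access is never protected'
        }
        # With protection on, media-player playback is still allowed unless
        # RequireProtectedPlayOnPhone is true (relevant on shared or public devices).
        if ($isProtected -and -not $mp.RequireProtectedPlayOnPhone) {
            New-UMFinding -Scope MailboxPolicy -Name $mp.Name `
                -Setting RequireProtectedPlayOnPhone `
                -Actual $mp.RequireProtectedPlayOnPhone `
                -Note 'Protected voice mail can be played through a media player'
        }
        # Users on clients without rights management need instructions.
        if ($isProtected -and [string]::IsNullOrWhiteSpace($mp.ProtectedVoiceMailText)) {
            New-UMFinding -Scope MailboxPolicy -Name $mp.Name `
                -Setting ProtectedVoiceMailText -Actual '(empty)' `
                -Note 'No instructions for clients without rights management'
        }
    }
}

$findings = @(Get-UMDialPlanFinding) + @(Get-UMMailboxPolicyFinding)
$findings | Sort-Object Scope, Name, Setting | Format-Table -AutoSize -Wrap
```

An empty table means every dial plan and mailbox policy meets the baselines set at the top of the script.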
Allow voice mail users to forward calls
2/28/2019 • 6 minutes to read
The Call Answering Rules feature was first introduced in Exchange 2010. Using this feature, users who are enabled
for voice mail can control how their incoming calls should be handled. Call answering rules are applied to
incoming calls similar to the way Inbox rules are applied to incoming email messages.
Call answering rules are created and configured by a voice mail-enabled user using Outlook or Outlook Web App.
The rules are stored along with other voice settings in the user's mailbox. A total of nine call answering rules can be
set up for each UM-enabled mailbox. These rules are independent of the Inbox rules that are set up by users, and
don't take up part of the Inbox rules storage quota for the user.
By default, when a user is enabled for Unified Messaging (UM) and voice mail, no call answering rules are
configured. If an incoming call is answered by the voice mail system, the caller is prompted to leave a voice
message; even if the caller isn't prompted, the caller can still leave a voice message for the user.
If your users want to have the voice mail system just answer their incoming calls and record a voice message, you
don't have to create any call answering rules. However, if you decide that you want to set up conditions or actions,
you can set them up by using the Call Answering Rules section on the Voice Mail page in Outlook Web App.
Use the Call Answering Rules section to create, edit, and delete call answering rules.
Conditions
Conditions are rules that you can apply to call answering rules. By using a combination of conditions, you can
create multiple call answering rules that will trigger when the conditions are met. To create a default rule that will
be applied to every call, you create a rule that doesn't contain any conditions.
There are three conditions that can be used when you set up call answering rules, including:
Caller ID
Time-of-the-day
Free/busy status
Actions
Actions are used to define what you want to happen when a condition is met. The two kinds of actions are:
Find Me
Call Transfer
Adding a Find Me action
When a caller selects Find Me, the voice mail system will attempt to locate you at up to two different phone
numbers, and then connect the caller to you if you're available at one of the phone numbers.
You can specify text that will be read to the caller. For example, if you enter "Urgent Matters" to inform your
callers that they should only select this action if they have important things to discuss with you, the voice
mail system will say "For Urgent Matters, press the 1 key."
You have to associate the Find Me action with the number on the telephone keypad that the caller will press
to select this action. In the example above, the 1 telephone key is the number callers will press to reach you
at the phone number or numbers you specify.
Next, you have to specify the one or two phone numbers that the voice mail system will dial. If you specify
two telephone numbers, the second number will be dialed if you're not available at the first. Each phone
number that you specify has an associated duration. The duration is the time period during which the voice
mail system will try to dial the phone number before it moves on to the next number. Or, if you can't be
contacted, the voice mail system will go back to the options menu.
After you've entered this information, click Apply to save the Find Me settings.
Adding Call Transfer actions
By setting a Call Transfer action, you provide callers with the option to be transferred to another person's phone
number. There are several options that are available when you want to transfer an incoming call to another phone
or contact.
You can specify text that will be read to the caller. For example, you can enter "Important Matters" to inform
your callers that they should choose this option if they have an important matter to discuss and need to
speak to someone.
You have to associate the Call Transfer action with the number on the telephone keypad that the caller will
press to select this action.
When you choose the Call Transfer action, you have to specify a person or phone number for the caller to be
transferred to. You can choose a phone number or select a contact to be called when the caller presses the
correct key on the telephone keypad. If you specify a contact who's within your company directory, the voice
mail system will try to transfer the call to the extension number of that contact.
In addition to specifying a person or number for the caller to be transferred to, you also need to specify the
number on the telephone keypad that the caller will press to select the Call Transfer action.
After you've entered this information, click Apply to save the Call Transfer settings.
Dialing rules
Depending on how a call answering rule is configured, an incoming call may result in a call transfer. When this
happens, the transfer target phone number will be subject to the dialing rules and restrictions on the UM mailbox
policy that the called party is associated with. For more information about outdialing and dialing rules and
restrictions, see Allow users to make calls.
Enabling/disabling Call Answering Rules
By default, Call Answering Rules is automatically enabled for UM-enabled users. However, you can disable call
answering rules for users by disabling the feature on a UM mailbox policy or the user's mailbox. For details about
how to enable or disable Call Answering Rules, see the following topics:
Call answering rules in the same mailbox policy
Call answering rules
Forwarding calls procedures
2/28/2019 • 2 minutes to read
You can specify whether you want individual users to be able to create and manage their own call answering rules
by configuring their mailbox properties. By default, they can create call answering rules.
You can enable or disable Call Answering Rules for multiple users that are enabled for Unified Messaging (UM) by
configuring Call Answering Rules on a UM dial plan or UM mailbox policy.
NOTE
You can't use the EAC to configure this feature. You must use Exchange Online PowerShell to enable or disable Call
Answering Rules for a voice mail user.
For additional management tasks related to allowing users to forward calls, see Forwarding calls procedures.
This example disables Call Answering Rules for the user tony@contoso.com.
You can allow users who are associated with a Unified Messaging (UM) mailbox policy to configure call answering
rules, or prevent them from doing so. If the option to configure call answering rules is disabled on a UM dial plan,
the Call Answering Rules feature won't be available to UM-enabled users associated with the UM mailbox policy.
The default setting is enabled.
For additional management tasks related to allowing users to forward calls, see Forwarding calls procedures.
You can use Exchange Online PowerShell to create one or more call answering rules for a user. You can also use
the New-UMCallAnsweringRule cmdlet in a PowerShell script to create call answering rules for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.
NOTE
Users that are UM-enabled can sign in to Outlook Web App to create, manage, and remove call answering rules.
For additional management tasks related to Call Answering Rules, see Forwarding calls procedures.
This example creates the call answering rule MyCallAnsweringRule in the mailbox for Tony Smith and performs the
following actions:
Sets the call answering rule to two caller IDs.
Sets the priority of the call answering rule to 2.
Sets the call answering rule to allow callers to interrupt the greeting.
This example creates the call answering rule MyCallAnsweringRule in the mailbox for Tony Smith and performs the
following actions:
If the caller reaches the voice mail for the user and the status of the user is set to Busy, the caller can:
- Press the 2 key so the Find Me feature will be used for urgent issues, ring extension 23456 first, and then
ring extension 45671.
You can use Exchange Online PowerShell to view or configure one or more call answering rules for a user. You can
also use the Get-UMCallAnsweringRule or Set-UMCallAnsweringRule cmdlets in a PowerShell script to view
or manage call answering rules for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.
IMPORTANT
Users that are UM-enabled can sign in to Outlook Web App to create, manage, and remove call answering rules.
For additional management tasks related to Call Answering Rules, see Forwarding calls procedures.
This example performs the following actions on the call answering rule MyCallAnsweringRule in the mailbox for
Tony Smith:
Sets the call answering rule to two caller IDs.
Sets the priority of the call answering rule to 2.
Sets the call answering rule to allow callers to interrupt the greeting.
This example changes the free/busy status to Away on the call answering rule MyCallAnsweringRule in the mailbox
for Tony Smith and sets the priority to 2.
You can use Exchange Online PowerShell to enable or disable one or more call answering rules for a user. You can
also use the Enable-UMCallAnsweringRule or Disable-UMCallAnsweringRule cmdlets in a PowerShell
script to enable or disable one or more call answering rules for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.
For additional management tasks related to call answering rules, see Forwarding calls procedures.
The example uses the WhatIf switch to test whether the call answering rule MyUMCallAnsweringRule in the mailbox
for Tony Smith is ready to be enabled and if there are any errors within the command.
Enable-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith -WhatIf
This example enables the call answering rule MyUMCallAnsweringRule in the mailbox for Tony Smith and prompts
the signed-in user to confirm that the call answering rule is to be enabled.
This example uses the WhatIf switch to test whether the call answering rule MyUMCallAnsweringRule in the mailbox
for Tony Smith is ready to be disabled and if there are any errors within the command.
This example disables the call answering rule MyUMCallAnsweringRule in the mailbox for Tony Smith and prompts
the signed-in user to confirm that they're disabling the call answering rule.
You can use Exchange Online PowerShell to remove one or more call answering rules for a user. You can also use
the Remove-UMCallAnsweringRule cmdlet in a PowerShell script to remove one or more call answering rules
for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.
NOTE
Users that are UM-enabled can sign in to Outlook Web App to create, manage, and remove call answering rules.
For additional management tasks related to Call Answering Rules, see Forwarding calls procedures.
This example removes the call answering rule MyUMCallAnsweringRule from the mailbox of Tony Smith.
Remove-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith
Allow users to see a voice mail transcript
2/28/2019
Voice Mail Preview is a feature that's available to users who receive their voice mail messages from Unified
Messaging (UM). Voice Mail Preview enhances the existing UM voice mail functionality by providing a text version
of audio recordings. The voice mail text is displayed in email messages within Microsoft Outlook Web App,
Outlook 2010 and later versions, and in other supported email programs. For more information, see Microsoft
Speech Technologies.
What makes the Voice Mail Preview text more or less accurate?
The accuracy of the Voice Mail Preview text depends on many factors, and sometimes those factors can't be
controlled. However, Voice Mail Preview text is likely to be more accurate when:
The caller leaves a simple voice message that doesn't include slang terms, technical jargon, or unusual
words or phrases.
The caller uses a language that's easily recognized and translated by the voice mail system. Generally, voice
messages left by callers who don't speak too quickly or too softly and who don't have strong accents will
produce more accurate sentences and phrases.
The voice message is free of background noise and echo, and the audio doesn't drop out.
Microsoft Exchange Unified Messaging (UM) includes a feature called Voice Mail Preview, which uses automatic
speech recognition (ASR) to add a text version of the voice mail audio file to voice mail messages. ASR isn't
entirely accurate, especially when it's used to record audio over a phone that contains unknown voices and noises.
Some organizations require consistently error-free (or near-error-free) transcripts of voice messages. The Voice
Mail Preview Partner program can help such organizations meet those requirements.
Voice Mail Preview uses Microsoft speech technologies to provide a text version of audio recordings. The voice
mail text is displayed in email messages within Microsoft Outlook Web App, Outlook 2010 or later versions, and
other email programs.
By default, when you enable a user for UM in an on-premises or hybrid deployment, voice mail previews will be
sent if a supported UM language pack is installed. When you enable a user for UM in Exchange Online, all the UM
language packs are installed. However, Voice Mail Preview isn't supported in all languages that are installed.
There are Voice Mail Preview partners that offer enhanced transcription support and services for the Voice Mail
Preview feature. These partners employ people to correct voice mail transcriptions that were created using ASR.
Each Voice Mail Preview partner must meet a set of requirements to be certified to interoperate with Exchange
UM.
If you determine that the voice mail previews sent to your users aren't accurate enough, you can contact one of the
certified Voice Mail Preview partners listed at Microsoft Pinpoint and sign up with them at an additional cost.
Overview
When Unified Messaging records the audio for a voice message, it uses ASR to create voice mail preview text
from the audio file, and then submits the whole voice message for delivery to the user. For each voice message
that's created, Unified Messaging determines a confidence level for the voice mail preview included with the
message. It measures how well the sounds in the recording match the words, numbers, and phrases in the
message. If the system finds matches easily, the confidence level will be high. A higher level of confidence is
generally associated with a higher accuracy.
The accuracy of voice mail preview text depends on many factors, and sometimes those factors can't be controlled.
However, the text is likely to be more accurate when:
A simple voice message is left, and the caller doesn't use slang terms, technical jargon, or unusual words or
phrases.
The caller uses a language that's easily recognized and translated by the voice mail system. Generally, voice
messages left by callers who don't speak too quickly or too softly and who don't have strong accents will
produce more accurate sentences and phrases.
The voice message is free of background noise and echoes, and the audio doesn't drop out.
Most customers who use Unified Messaging find that the voice mail previews are accurate enough for their users.
However, when ASR is applied to recordings made over the phone by unknown voices and background noises,
the voice mail preview text usually isn't completely accurate. If the level of confidence is consistently low or the
voice mail previews that are received aren't very accurate, you can increase the accuracy of the voice mail previews
that users receive as follows:
Sign up for a voice transcription service from a Voice Mail Preview partner.
After you've signed up with a Voice Mail Preview partner, set the partner up to work with UM. For more
information about how to configure UM for a Voice Mail Preview partner, see Configure Voice Mail
Preview partner services for users.
When you've signed up with a Voice Mail Preview partner, the Exchange servers in your organization redirect
voice messages with the audio file attached to the Voice Mail Preview partner instead of generating voice mail
preview text for voice messages and submitting the voice messages to the user's mailbox. The email message with
the voice mail preview text produced by the Voice Mail Preview partner is then submitted to the Exchange servers
in your organization for delivery to the recipient's mailbox.
IMPORTANT
We recommend that all customers who plan to deploy Unified Messaging obtain the assistance of a UM specialist. A UM
specialist helps you ensure that there's a smooth transition to UM from a legacy voice mail system. Performing a new
deployment or upgrading a legacy voice mail system requires significant knowledge about VoIP gateways, IP PBXs, PBXs,
session border controllers (SBCs), and Unified Messaging. For more information about how to contact a UM specialist, see
the Microsoft Exchange Server Unified Messaging (UM) Specialists or Microsoft Pinpoint for Unified Messaging.
You can configure a Voice Mail Preview partner on a Unified Messaging (UM) mailbox policy. After you've
configured Voice Mail Preview partner settings, such as the Voice Mail Preview partner ID and Voice Mail Preview
partner address, on a UM mailbox policy, the settings you configure will apply to all UM-enabled users who are
linked with that mailbox policy.
NOTE
You must use Exchange Online PowerShell to configure a Voice Mail Preview partner.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
You can set a Voice Mail Preview partner address on a Unified Messaging (UM) mailbox policy. After you've set the
Voice Mail Preview partner address on a UM mailbox policy, the setting will apply to all UM-enabled users who are
linked with that mailbox policy.
NOTE
You must use Exchange Online PowerShell to set a Voice Mail Preview partner address.
For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to Voice Mail Preview, see Voice Mail Preview procedures.
Use Exchange Online PowerShell to set the Voice Mail Preview partner
address on a UM mailbox policy
This example sets the Voice Mail Preview partner address to exumvmp@fabrikam.com on a UM mailbox policy
named MyUMMailboxPolicy.
You can set a Voice Mail Preview partner ID on a Unified Messaging (UM) mailbox policy. After you've set the
Voice Mail Preview partner ID on a UM mailbox policy, the setting will apply to all UM-enabled users who are
linked with that mailbox policy.
NOTE
You must use Exchange Online PowerShell to set the Voice Mail Preview partner ID.
For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to voice mail preview, see Voice Mail Preview procedures.
Use Exchange Online PowerShell to set the Voice Mail Preview partner
ID on a UM mailbox policy
This example sets the Voice Mail Preview partner ID to CON123-2010 on a UM mailbox policy named
MyUMMailboxPolicy.
You can set the maximum message duration for a Voice Mail Preview partner on a Unified Messaging (UM)
mailbox policy. After you've set the maximum message duration, the setting will apply to all UM-enabled users who
are linked with that mailbox policy.
NOTE
You must use Exchange Online PowerShell to set the maximum message duration for a Voice Mail Preview partner.
For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to Voice Mail Preview, see Voice Mail Preview procedures.
You can set the maximum delivery delay for a Voice Mail Preview partner on a Unified Messaging (UM) mailbox
policy. After you've set the maximum delivery delay, the setting will apply to all UM-enabled users who are linked
with that UM mailbox policy.
NOTE
You must use Exchange Online PowerShell to set the maximum delivery delay for a Voice Mail Preview partner.
For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to voice mail preview, see Voice Mail Preview procedures.
Use Exchange Online PowerShell to set the maximum delivery delay for
a Voice Mail Preview partner
This example sets the maximum delivery delay to 600 seconds (10 minutes) on a UM mailbox policy named
MyUMMailboxPolicy.
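Because a configured partner address means voice messages are redirected, audio attached, outside the organization, it is worth reviewing which UM mailbox policies carry one. The block below is an added example, not code from the original documentation: it shows the page's partner values in one Set-UMMailboxPolicy call and then a review function. The approved-address list, the function name, the sample policies other than MyUMMailboxPolicy, and the assumption that Get-UMMailboxPolicy output exposes properties named after the VoiceMailPreviewPartner* parameters are all assumptions.

```powershell
# Added example, not part of the original documentation.
# The page's partner settings in one call. It needs an Exchange Online
# PowerShell session, so it is left commented out here:
#
#   Set-UMMailboxPolicy -Identity MyUMMailboxPolicy `
#       -VoiceMailPreviewPartnerAddress exumvmp@fabrikam.com `
#       -VoiceMailPreviewPartnerAssignedID CON123-2010 `
#       -VoiceMailPreviewPartnerMaxDeliveryDelay 600

function Get-PreviewPartnerReview {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-UMMailboxPolicy output (assumed property names).
        [Parameter(Mandatory)] [object[]] $Policy,
        # Partner addresses the organization has actually signed up with
        # (hypothetical allow-list maintained by the administrator).
        [string[]] $ApprovedPartnerAddress = @()
    )

    foreach ($p in $Policy) {
        # An unset partner address arrives as $null; the cast turns it into ''.
        $address = ([string]$p.VoiceMailPreviewPartnerAddress).Trim()

        if ($address -eq '') {
            $finding = 'NoPartner'          # UM generates the preview text itself
        }
        elseif ($ApprovedPartnerAddress -contains $address) {
            $finding = 'ApprovedPartner'    # audio goes to a partner you signed up with
        }
        else {
            $finding = 'UnapprovedPartner'  # audio is redirected to an unreviewed address
        }

        [pscustomobject]@{
            Policy           = [string]$p.Name
            PartnerAddress   = $address
            PartnerID        = [string]$p.VoiceMailPreviewPartnerAssignedID
            MaxDeliveryDelay = $p.VoiceMailPreviewPartnerMaxDeliveryDelay
            Finding          = $finding
        }
    }
}

# Constructed sample data so the function can be tried offline. The first entry
# uses the values from the page; the other two are made up for illustration.
$samplePolicies = @(
    [pscustomobject]@{
        Name                                    = 'MyUMMailboxPolicy'
        VoiceMailPreviewPartnerAddress          = 'exumvmp@fabrikam.com'
        VoiceMailPreviewPartnerAssignedID       = 'CON123-2010'
        VoiceMailPreviewPartnerMaxDeliveryDelay = 600
    }
    [pscustomobject]@{
        Name                                    = 'Sample Policy Without Partner'
        VoiceMailPreviewPartnerAddress          = $null
        VoiceMailPreviewPartnerAssignedID       = $null
        VoiceMailPreviewPartnerMaxDeliveryDelay = $null
    }
    [pscustomobject]@{
        Name                                    = 'Sample Policy With Unknown Partner'
        VoiceMailPreviewPartnerAddress          = 'transcribe@example.net'
        VoiceMailPreviewPartnerAssignedID       = 'PLACEHOLDER-ID'
        VoiceMailPreviewPartnerMaxDeliveryDelay = 1200
    }
)

Get-PreviewPartnerReview -Policy $samplePolicies -ApprovedPartnerAddress 'exumvmp@fabrikam.com' |
    Format-Table -AutoSize

# In a connected session, review the live configuration instead:
#   Get-PreviewPartnerReview -Policy (Get-UMMailboxPolicy) -ApprovedPartnerAddress 'exumvmp@fabrikam.com'
```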
You can enable the Voice Mail Preview feature for users associated with a Unified Messaging (UM) mailbox policy
if it has been disabled. Enabling this setting allows users to receive the text of a voice mail message in the message
body of an email or text message. The default setting is enabled.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
You can disable the Voice Mail Preview feature for users associated with a Unified Messaging (UM) mailbox policy.
Disabling this setting prevents users from receiving the text of a voice mail message in the message body of an
email or text message. The default setting is enabled.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
Message Waiting Indicator (MWI) is a feature that's found in most voice mail systems. It lets users know that they
have new or unheard voice mail messages. In its most common form, this feature lights a lamp on a user's phone
to indicate the presence of a new or unheard voice message.
Overview
MWI notifications can include any mechanism that indicates the existence of a new or unheard voice message. The
message can be in a new email message or one that's marked as unread. The MWI notification might take any of
the following forms:
A new voice message seen from Microsoft Outlook or Outlook Web App.
A lamp on a digital, analog, USB, or VoIP phone.
A special dial tone.
Icons or buttons on the display screen of a digital, analog, USB, or VoIP phone.
A highlighted notification within a software application such as:
Lync 2010 and 2013 desktop clients
Lync Mobile client app for Windows Phone, Microsoft Surface, and iOS devices
A text or Short Messaging Service (SMS) message sent to a mobile phone that's configured to receive text
messages.
In Exchange Online, a user's voice mail is stored in their mailbox. It can be accessed from a telephone using
Outlook Voice Access, from a desktop or portable computer using Outlook or Outlook Web App, and from mobile
phone clients. When a user receives a new voice message, the message appears in their Voice Mail search folder. If
the voice message is accessed using Outlook or Outlook Web App, an email message will be included with the
voice message.
By default, MWI is turned on for all users who are enabled for Unified Messaging (UM). It's controlled through
settings on a UM mailbox policy or on the UM IP gateways that have been created and linked to a UM dial plan.
MWI also works with protected voice messages.
MWI administration
MWI can be administered by configuring settings on two UM components: UM mailbox policies and UM IP
gateways. For both UM components, you can enable or disable MWI notifications by using the
Set-UMMailboxPolicy cmdlet or the Set-UMIPGateway cmdlet in Exchange Online PowerShell. You can also
configure the settings by using the Exchange admin center (EAC). You can view the status of MWI notifications by
using the Get-UMMailboxPolicy cmdlet and the Get-UMIPGateway cmdlet in Exchange Online PowerShell, or
by viewing the settings in the EAC.
UM mailbox policies and MWI
You can create a UM mailbox policy to apply a common set of UM policy settings to a collection of UM-enabled
mailboxes. For example, you can use a UM mailbox policy to apply PIN policy settings, dialing restrictions, and
MWI notifications settings. If you enable or disable MWI on a UM mailbox policy, it will be enabled or disabled for
all UM-enabled users who are linked with that UM mailbox policy. The MWI setting can also apply to a subset of
the users who are linked with a UM dial plan. To learn more about UM mailbox policies, including how to enable or
disable MWI for a group of UM-enabled users, see UM mailbox policy procedures.
You can use the EAC or the Set-UMMailboxPolicy cmdlet in Exchange Online PowerShell to configure the MWI
setting, as shown in the following table.
Message Waiting Indicator setting on a UM mailbox policy
For more information about how to manage MWI settings on a UM mailbox policy, see the following topics:
Manage a UM mailbox policy
Enable Message Waiting Indicator (MWI) for users
Disable Message Waiting Indicator (MWI) for users
Set-UMMailboxPolicy
UM IP gateways and MWI
If you disable MWI on a UM IP gateway, you'll disable MWI notifications for all users who connect to the VoIP
gateway or IP PBX that's represented by the UM IP gateway. Disabling MWI on a single UM IP gateway that's
linked to a UM dial plan can disable MWI notifications for all UM-enabled users associated with a single or
multiple UM dial plans or a single or multiple UM mailbox policies. To learn more about UM mailbox policies,
including how to enable or disable MWI for a group of UM-enabled users, see Manage a UM mailbox policy.
You can use the EAC or the Set-UMMailboxPolicy cmdlet in Exchange Online PowerShell to configure the MWI
setting, as shown in the following table.
Message Waiting Indicator setting on a UM IP gateway
For more information about how to manage MWI settings, see the following topics:
Manage a UM IP gateway
Allow Message Waiting Indicator (MWI) on a UM IP gateway
Prevent Message Waiting Indicator (MWI) on a UM IP gateway
Set-UMIPGateway
Text message (SMS) notifications for voice mail messages and missed
calls
As mentioned earlier, an MWI notification is any mechanism that indicates the existence of a new voice mail
message. In addition to the mechanisms already discussed, users can be notified that they have a voice message
waiting via a text message, also called an SMS (Short Message Service) message. This is a different type of MWI
notification for new voice messages than the traditional light or other mechanisms.
A text message is sent to a user's mobile phone when a caller leaves a new voice message. Users can also receive a
text message that notifies them when they miss a phone call and a voice message isn't left. The missed call
notification text message can be sent to the user along with the new voice mail notification.
NOTE
The text message that's sent to a user includes voice mail preview.
Text message notifications use different settings than the MWI settings on the UM IP gateway or the UM mailbox
policy. Text message notifications for new voice mail and missed calls are configured on UM mailbox policies and
UM mailboxes. You can enable or disable text message notifications by using the Set-UMMailboxPolicy cmdlet
and the Set-UMMailbox cmdlet in Exchange Online PowerShell. You can view the status of text message
notifications by using the Get-UMMailboxPolicy cmdlet and the Get-UMMailbox cmdlet. It's not possible to
configure text message notifications in the EAC.
The following table shows the parameter on a UM mailbox that must be configured for a user to receive text
messages for voice mail and missed call notifications:
Text message notification settings on a user's mailbox
For more information about how to manage text message notification settings on a user's mailbox, see the
following topics:
Manage voice mail settings for a user
Set-UMMailbox
The following table shows the parameter on a UM mailbox policy that must be configured for a user to receive text
messages for voice mail and missed call notifications:
Text message and missed call notification settings on a UM mailbox policy
For more information about how to manage text message notification settings, see the following topics:
Manage a UM mailbox policy
Set-UMMailboxPolicy
For text message notifications for voice mail and missed calls to work correctly, you must perform the following
tasks:
1. Use either the EAC or Exchange Online PowerShell to enable the user for UM and link them to the correct
UM mailbox policy.
2. On the UM mailbox policy that's linked to the user, verify that the AllowSMSNotification parameter is set to
$true. To set the parameter to $true, run the following command:
3. On the user's mailbox, enable text message notifications by setting the UMSMSNotificationOption
parameter to VoiceMailAndMissedCalls or VoiceMail.
4. Because the default setting is None, you must run the following command in Exchange Online PowerShell
and set the text message notification option to either VoiceMailAndMissedCalls or VoiceMail. For example:
IMPORTANT
The AllowSMSNotification parameter on the UM mailbox policy and the UMSMSNotificationOption parameter on the
user's mailbox must both be set to $true for SMS notifications to work.
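Since the text message carries the voice mail preview to a mobile phone, it helps to see which users actually receive it once the policy setting and the mailbox setting are combined. The block below is an added example, not code from the original documentation: it shows commands for steps 2 and 4 and a function that computes the effective state. The function name, the sample users and policies other than MyUMMailboxPolicy and tonysmith, and the assumption that Get-UMMailbox and Get-UMMailboxPolicy output exposes the UMMailboxPolicy, UMSMSNotificationOption, AllowSMSNotification and AllowVoiceMailPreview properties are all assumptions.

```powershell
# Added example, not part of the original documentation.
# Commands for steps 2 and 4. They need an Exchange Online PowerShell session,
# so they are left commented out here:
#
#   Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowSMSNotification $true
#   Set-UMMailbox -Identity tonysmith -UMSMSNotificationOption VoiceMailAndMissedCalls

function Get-EffectiveSmsNotification {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-UMMailboxPolicy output (assumed property names).
        [Parameter(Mandatory)] [object[]] $Policy,
        # Objects shaped like Get-UMMailbox output (assumed property names).
        [Parameter(Mandatory)] [object[]] $Mailbox
    )

    # Index the policies by name; hashtable keys are case-insensitive.
    $policyByName = @{}
    foreach ($p in $Policy) { $policyByName[[string]$p.Name] = $p }

    foreach ($m in $Mailbox) {
        $option  = [string]$m.UMSMSNotificationOption
        $pol     = $policyByName[[string]$m.UMMailboxPolicy]
        $sendSms = $false

        if ($null -eq $pol) {
            $state = 'PolicyNotFound'
        }
        elseif (-not $pol.AllowSMSNotification) {
            $state = 'BlockedByPolicy'      # the mailbox option is irrelevant
        }
        elseif ($option -eq '' -or $option -eq 'None') {
            $state = 'OffOnMailbox'         # policy allows it, mailbox is at the default
        }
        else {
            $state   = 'On'
            $sendSms = $true
        }

        [pscustomobject]@{
            Mailbox          = [string]$m.Name
            Policy           = [string]$m.UMMailboxPolicy
            MailboxOption    = $option
            State            = $state
            # Preview text reaches the phone only if Voice Mail Preview is also
            # enabled on the policy.
            PreviewTextInSms = ($sendSms -and [bool]$pol.AllowVoiceMailPreview)
        }
    }
}

# Constructed sample data so the function can be tried offline.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'MyUMMailboxPolicy';       AllowSMSNotification = $true;  AllowVoiceMailPreview = $true }
    [pscustomobject]@{ Name = 'Sample Restricted Policy'; AllowSMSNotification = $false; AllowVoiceMailPreview = $true }
)
$sampleMailboxes = @(
    [pscustomobject]@{ Name = 'tonysmith';    UMMailboxPolicy = 'MyUMMailboxPolicy';       UMSMSNotificationOption = 'VoiceMailAndMissedCalls' }
    [pscustomobject]@{ Name = 'sample-user2'; UMMailboxPolicy = 'MyUMMailboxPolicy';       UMSMSNotificationOption = 'None' }
    [pscustomobject]@{ Name = 'sample-user3'; UMMailboxPolicy = 'Sample Restricted Policy'; UMSMSNotificationOption = 'VoiceMail' }
)

Get-EffectiveSmsNotification -Policy $samplePolicies -Mailbox $sampleMailboxes |
    Format-Table -AutoSize

# In a connected session, evaluate the live configuration instead:
#   Get-EffectiveSmsNotification -Policy (Get-UMMailboxPolicy) -Mailbox (Get-UMMailbox -ResultSize Unlimited)
```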
After you configure the UM mailbox policy and the user's mailbox to enable text message notifications
for new voice mail and missed calls, the user must also enable and configure text message notifications when they sign
in to Outlook Web App. To set up and configure text message notifications, the user must:
1. Sign in to Outlook Web App and go to Options > Phone > Voice mail.
2. On the Voice Mail page, under Notifications, click Set up notifications.
3. On the Text messaging page, click the Turn on notifications button.
Caution
Don't click Voice mail notifications or it will take you back to the Voice mail page.
4. On the Text messaging page, under Locale, use the drop-down list to select the locale or location of the
text messaging mobile operator.
5. On the Text messaging page, under Mobile operator, use the drop-down list to select the text messaging
mobile operator, and then click Next.
6. On the Text messaging page, in the Enter your phone number and click Next box, enter the mobile
phone number that's used for text message notifications, and then click Next. A six-digit passcode will be
sent to the mobile phone. If you didn't receive a passcode, click I didn't receive a passcode and need it
sent again.
7. Enter the passcode in the Passcode box, and then click Finish.
8. After the user enables text message notifications, they can click Set up voice mail notifications on the
Text Messaging page. They'll be taken back to the voice mail page, where they can scroll down to the
Notifications section and set up text message notification options for missed calls and voice mail.
Allow Message Waiting Indicator procedures
2/28/2019
You can allow or prevent voice mail notifications to users for calls received by a Unified Messaging (UM) IP
gateway. If you enable this setting, the UM IP gateway can receive and send SIP NOTIFY messages for users.
Message Waiting Indicator (MWI) is enabled by default and allows message waiting notifications to be sent to
users, but you can turn it off depending on your needs.
A message waiting indicator notifies a user about a new or unheard voice message. It appears in the Inbox in
clients such as Outlook and Outlook Web App. It can also be a text (SMS) message sent to a registered mobile
phone, an outgoing call made from an Exchange server to a number that's been configured for playing new
messages, or a lighted lamp on a user's desktop phone.
TIP
MWI notifications can also be enabled and disabled on a UM mailbox policy for a group of users.
You can prevent voice mail notifications to users for calls received by a Unified Messaging (UM) IP gateway. If you
enable this setting, the UM IP gateway can receive and send SIP NOTIFY messages for users. Message Waiting
Indicator (MWI) is enabled by default and allows message waiting notifications to be sent to users, but you can
turn it off depending on your needs.
A message waiting indicator notifies a user about a new or unheard voice message. It appears in the Inbox in
clients such as Outlook and Outlook Web App. It can also be a text (SMS) message sent to a registered mobile
phone, an outgoing call made from an Exchange server to a number that's been configured for playing new
messages, or a lighted lamp on a user's desktop phone.
TIP
MWI notifications can also be enabled and disabled on a UM mailbox policy for a group of users.
You can enable or disable Message Waiting Indicator for users associated with a Unified Messaging (UM) mailbox
policy. Message Waiting Indicator is a feature found in most legacy voice mail systems. In its most common form,
it lights a lamp on a voice mail subscriber's phone to indicate the presence of a new voice mail message. Message
Waiting Indicator can also send a text message to a UM-enabled user's mobile phone. The default setting is
enabled.
If Message Waiting Indicator is disabled on the UM IP gateway, the feature isn't available to UM-enabled users
associated with the UM mailbox policy.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
You can enable or disable Message Waiting Indicator for users associated with a Unified Messaging (UM) mailbox
policy. Message Waiting Indicator is a feature found in most legacy voice mail systems. In its most common form,
it lights a lamp on a voice mail subscriber's phone to indicate the presence of a new voice mail message. Message
Waiting Indicator can also send a text message to a UM-enabled user's mobile phone. The default setting is
enabled.
If Message Waiting Indicator is disabled on the UM IP gateway, the feature isn't available to UM-enabled users
associated with the UM mailbox policy.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
You can enable or disable missed call notifications for a Unified Messaging (UM) mailbox policy by using Exchange
Online PowerShell or the EAC. A missed call notification is an email message that's sent to a user when the user
doesn't answer an incoming call and the caller doesn't leave a voice mail message. This is a different email
message than the message that contains the voice message that's left for a user.
When you disable missed call notifications on a UM mailbox policy, you prevent all users associated with the UM
mailbox policy from receiving an email message when they don't answer an incoming call and the caller doesn't
leave a voice message. By default, missed call notifications are enabled for each UM mailbox policy that's created.
Also by default, a UM mailbox policy is created every time you create a UM dial plan.
NOTE
When you're integrating Unified Messaging and Microsoft Lync Server, missed call notifications aren't available to users that
have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server when a user disconnects before the call is
sent to a Mailbox server running the Microsoft Exchange Unified Messaging service.
For additional management tasks related to UM mailbox policies, see Manage a UM mailbox policy.
Use the EAC to enable missed call notifications for a UM mailbox policy
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > General, select the check box next to Allow missed call
notifications.
4. Click Save.
You can enable or disable missed call notifications for a Unified Messaging (UM) mailbox policy by using Exchange
Online PowerShell or the EAC. A missed call notification is an email message that's sent to a user when the user
doesn't answer an incoming call and the caller doesn't leave a voice message. This is a different email message
than the one that contains the voice message that's left for a user.
When you disable missed call notifications on a UM mailbox policy, you prevent all users associated with the UM
mailbox policy from receiving an email message when they don't answer an incoming call and the caller doesn't
leave a voice message. By default, missed call notifications are enabled for each UM mailbox policy that's created.
Also by default, a UM mailbox policy is created every time you create a UM dial plan.
NOTE
When you're integrating Unified Messaging and Microsoft Lync Server, missed call notifications aren't available to users that
have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server when a user disconnects before the call is
sent to a Mailbox server running the Microsoft Exchange Unified Messaging service.
For additional management tasks related to UM mailbox policies, see Manage a UM mailbox policy.
Use the EAC to disable missed call notifications for a UM mailbox policy
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > General, clear the check box next to Allow missed call notifications.
4. Click Save.
Use Exchange Online PowerShell to disable missed call notifications for
a UM mailbox policy
This example disables missed call notifications for a UM mailbox policy named MyUMMailboxPolicy.
Outdialing is the process by which users call in to a UM dial plan using an Outlook Voice Access number and
place or transfer a call to an internal or external telephone number. Unified Messaging uses many outdialing
settings to dial calls for users. To configure outdialing, you must configure dialing rules, dialing rule groups, and
dialing authorizations on Unified Messaging (UM) dial plans and then authorize outdialing on UM dial plans, UM
mailbox policies, and auto attendants. You can also configure UM dial plans to have dialing or access codes, a
national number prefix, and in-country/region or international number formats that enable you to control
outdialing in your organization. This topic discusses dialing rules, dialing rule groups, and dialing authorizations
and how they are used to authorize and control outdialing for your organization.
Overview
Outdialing happens when:
A call is placed to an external telephone number.
A call is transferred to an auto attendant.
A call is transferred to a user in your organization.
A UM-enabled user uses the Play on Phone feature.
For outdialing to work correctly, the following settings must be configured correctly:
Dialing rules: Dialing rules define the number that is dialed by the UM-enabled user and the number that
will be dialed by the Private Branch eXchange (PBX) or IP PBX.
Dialing rule groups: Dialing rule groups determine the types of calls that users within a dialing group can
make.
Dialing authorizations: Dialing authorizations determine the restrictions that will be applied to prevent
users from incurring unnecessary telephone charges or from dialing long-distance calls.
To enable outdialing for users who call in to a dial plan or an auto attendant, you must:
Make sure the VoIP gateways represented by a UM IP gateway that is linked with a dial plan will allow
outgoing calls.
Create dialing rule groups by creating dialing rules on the UM dial plan.
Add dialing authorizations for in-country/region and international dialing rule groups on the UM dial plan,
UM mailbox policy, or auto attendant associated with the same dial plan as the UM IP gateway.
Types of users
Two types of users can use the outdialing feature in Unified Messaging: authenticated and unauthenticated. All
users who call in to a UM auto attendant are unauthenticated. When users call in to an Outlook Voice Access
number, they're considered unauthenticated because they haven't provided their extension number and PIN and
signed in to their mailbox. Users are authenticated after they provide their extension number and PIN and
successfully sign in to their mailbox.
When users call in to an Outlook Voice Access number configured on a UM dial plan and try to place or transfer a
call without signing in to their mailbox, only the UM dial plan outdialing settings are applied to the call. When
anonymous or unauthenticated users call in to a UM auto attendant, both the outdialing settings configured on
the auto attendant and the outdialing settings configured on the dial plan associated with the auto attendant are
applied to the call.
When users call in to the Outlook Voice Access number configured on a dial plan and successfully sign in to their
mailbox, they become authenticated users. When they're authenticated, the outdialing call settings use the dialing
rules and dialing authorization settings on the UM mailbox policy that's linked to those users.
Outdialing settings
You need to configure several settings to apply outdialing rules for your organization. In addition to configuring
the UM dial plans, UM auto attendants, and UM mailbox policies that you've created with the correct dialing rules
and dialing authorizations, you need to configure access codes, number prefixes, and number formats on the UM
dial plans. The following outdialing settings are configured on dial plans, auto attendants, and UM mailbox
policies:
Outside line, country/region, and international access codes
National number prefixes
In-country/region and international number formats
Configured in-country/region and international dialing rule groups
Allowed in-country/region and international dialing rule groups
Dialing rule entries
Dialing authorizations
For you to successfully configure outdialing for your organization, you first need to understand how each
component can be used with outdialing and how the component must be configured. The following table
introduces each component that needs to be configured on UM dial plans, UM auto attendants, and UM mailbox
policies before outdialing will work correctly.
Outdialing components
COMPONENT | DESCRIPTION
Dial codes, number prefixes, and number formats | UM uses dial codes, number prefixes, and number formats to determine the correct number to dial when placing an outgoing call. You can configure dial codes, number prefixes, and number formats to restrict outgoing calls for users who dial in to a UM auto attendant associated with a UM dial plan or for users who dial in to an Outlook Voice Access number configured on the dial plan.
Dialing rule groups | Dialing rule groups are created to enable telephone numbers to be modified before they're sent to the PBX for outgoing calls. Dialing rule groups remove numbers from or add numbers to telephone numbers being called by UM. For example, you can create a dialing rule group that automatically adds a 9 as a prefix to a 7-digit telephone number to provide access to an outside line. In this example, users who place outgoing calls don't have to dial the 9 before the telephone number to reach someone external to the organization. Each dialing rule group contains dialing rules that determine the types of in-country/region and international calls that users within a dialing rule group can make. Dialing rule groups apply to the users who are associated with a UM dial plan or to UM auto attendants and UM mailbox policies associated with the UM dial plan. Each dialing rule group must contain at least one dialing rule.
Dialing rule entries | A dialing rule is used to determine the types of calls that users within a dialing rule group can make. When you create a dialing rule group, you configure one or more dialing rules. When you configure each dialing rule, you must enter the dialing rule name, number pattern to transform (number mask), and dialed number. You can also enter a comment. Comments can be used to describe how the dialing rule will be used or to describe a group of users to whom the dialing rule will apply. When you add a number mask and the dialed number to a dialing rule, you can substitute the letter x for a digit in a telephone number, for example, 91425xxxxxxx. You can also use an asterisk (*) symbol as a wildcard character, for example, 91425*.
Configuring outdialing
A dialing rule group is a collection of one or more dialing rules configured on a UM dial plan. Two types of dialing
rule groups can be configured on a UM dial plan: in-country/region and international. In-country/region dialing
rule groups apply to telephone numbers dialed within the same country or region. International dialing rule
groups apply to international telephone numbers dialed from one country or region to another country or region.
Each UM dial plan can contain one or more dialing rule groups. To apply a dialing rule group to a set of users,
after you create the dialing rule group, you must add it to the list of allowed dialing rule groups on the UM dial
plan and on the UM auto attendants and UM mailbox policies associated with the UM dial plan.
Dialing rule groups enable you to specify dialing rules that you want to apply to a group of UM-enabled users
who fall into a specific category. For example, you can use dialing rule groups to specify which group of users can
place international calls and which group can make only in-state or local calls. You can create a dialing rule group
using the Exchange admin center (EAC) or the Set-UMDialPlan cmdlet in Exchange Online PowerShell. When
you create a dialing rule group, you must define at least one dialing rule for the group.
When a user dials a telephone number, UM takes the number and looks for a match in the dialing rules. If a match
is found, UM uses the dialing rule to determine the number to dial by looking at the telephone number or digits
listed in the Dialed Number section of the dialing rule. The number listed in the Dialed Number box of the
dialing rule will be dialed.
The following table shows an example of dialing rule groups and dialing rules. In this example, Local-Calls-Only
and Low-Rate are the dialing rule groups that have been created. The dialing rule group Local-Calls-Only has two
dialing rules: 91425* and 91206*, and the dialing rule group Low-Rate also has two dialing rules: 91509* and
91360*.
Dialing rule groups and dialing rules
For example, when a user dials 9-1-425-555-1234, UM dials 4255551234. UM removes any nonnumeric
characters (in this example, the hyphens) and applies the number mask from the dialing rule. In this example, UM
applies the number mask 91*. This tells UM not to dial the 9 or the 1, but to dial all the other numbers in the
telephone number that appear to the right of the number 1. This includes all the numbers represented by the
asterisk (*).
You can use the EAC or Exchange Online PowerShell to create and configure single or multiple in-country/region
and international dialing rule groups and dialing rules. However, if you're creating many or complex dialing rule
groups and dialing rules, you can use a comma-separated value (.csv) file in Exchange Online PowerShell. You can
import or export a list of dialing rule groups and dialing rules.
To import a list of dialing rule groups and dialing rules that you've defined in a .csv file, run the Set-UMDialPlan
cmdlet, as follows.
To retrieve a list of the dialing rule groups configured on a UM dial plan, run the Get-UMDialPlan cmdlet, as
follows.
The .csv file must be created and saved in the correct format. Each line in the .csv file represents one dialing rule.
However, each dialing rule is configured on the same dialing rule group. Each rule in the file will have four
sections separated by commas. These sections are name, number mask, dialed number, and comment. Each
section is required, and you must enter the correct information in each section except for the comment section.
There should be no spaces between the text entry and the comma for the next section, nor should there be any
blank lines between the rules or at the end. The following is an example of a .csv file that can be used to create in-
country/region dialing rule groups and dialing rules.
Name,NumberMask,DialedNumber,Comment
Low-rate,91425xxxxxxx,9xxxxxxx,Local call
Low-rate,9425xxxxxxx,9xxxxxxx,Local call
Low-rate,9xxxxxxx,9xxxxxxx,Local call
Any,91*,91*,Open access to in-country/region numbers
Long-distance,91408*,91408*,long distance
The following is an example of a .csv file that can be used to create international dialing rule groups and dialing
rule entries.
Name,NumberMask,DialedNumber,Comment
International, 901144*, 901144*, international call
International, 901133*, 901133*, international call
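The file rules and the matching behaviour described above, worked through as an added Python example (it is not part of the original documentation and not Microsoft's code). It loads the in-country/region file shown above, checks it against the stated format rules, and then decides what is sent to the PBX for a dialed number. Assumptions: rules are tried in file order, the digits matched by x and * in the number mask fill the same placeholders in the dialed number, and load_rules, place_call and the error strings are names made up for this example.

```python
import csv
import re

# In-country/region rule file quoted on the page, embedded so this runs offline.
PAGE_CSV = (
    "Name,NumberMask,DialedNumber,Comment\n"
    "Low-rate,91425xxxxxxx,9xxxxxxx,Local call\n"
    "Low-rate,9425xxxxxxx,9xxxxxxx,Local call\n"
    "Low-rate,9xxxxxxx,9xxxxxxx,Local call\n"
    "Any,91*,91*,Open access to in-country/region numbers\n"
    "Long-distance,91408*,91408*,long distance\n"
)

# Assumption: a pattern is digits and x placeholders with an optional trailing *.
PATTERN_RE = re.compile(r"[0-9x]*\*?")


def _placeholders(pattern):
    """Return only the x and * characters of a pattern, in order."""
    return "".join(ch for ch in pattern if ch in "x*")


def _mask_to_regex(mask):
    """x matches exactly one digit, * matches any remaining digits."""
    parts = {"x": r"(\d)", "*": r"(\d*)"}
    return re.compile("".join(parts.get(ch, re.escape(ch)) for ch in mask))


def load_rules(text):
    """Validate a dialing-rule .csv and return (rules, errors)."""
    rules, errors = [], []
    lines = text.split("\n")
    if lines[-1] == "":
        lines.pop()  # one final newline is a line terminator, not a blank line
    for lineno, line in enumerate(lines[1:], start=2):  # line 1 is the header
        if not line.strip():
            errors.append((lineno, "blank line"))
            continue
        fields = next(csv.reader([line]))
        if len(fields) != 4:
            errors.append((lineno, "expected 4 sections"))
            continue
        name, mask, dialed, _comment = fields  # the comment may be empty
        if not (name and mask and dialed):
            errors.append((lineno, "name, number mask and dialed number are required"))
        elif any(f != f.rstrip() for f in fields[:3]):
            errors.append((lineno, "space before a comma"))
        elif not (PATTERN_RE.fullmatch(mask) and PATTERN_RE.fullmatch(dialed)):
            errors.append((lineno, "pattern is not digits, x and a trailing *"))
        elif _placeholders(mask) != _placeholders(dialed):
            errors.append((lineno, "mask and dialed number placeholders differ"))
        else:
            rules.append({"group": name, "dialed": dialed,
                          "regex": _mask_to_regex(mask)})
    return rules, errors


def place_call(number, rules, allowed_groups):
    """Return the number sent to the PBX, or None when the call is rejected."""
    digits = re.sub(r"\D", "", number)  # UM drops nonnumeric characters
    for rule in rules:  # assumption: rules are tried in file order
        if rule["group"] not in allowed_groups:
            continue  # group exists on the dial plan but is not authorized here
        match = rule["regex"].fullmatch(digits)
        if match:
            captured = iter(match.groups())
            return "".join(next(captured) if ch in "x*" else ch
                           for ch in rule["dialed"])
    return None  # no authorized rule matched: the number is not dialed


if __name__ == "__main__":
    rules, errors = load_rules(PAGE_CSV)
    print("file errors:", errors)
    # The second and third numbers are constructed test values.
    for number in ("9-1-425-555-1234", "9-1-408-555-0100", "9-011-44-20-5550-0100"):
        print(number, "->", place_call(number, rules, {"Low-rate"}))
```

With only Low-rate authorized, 9-1-425-555-1234 is sent as 95551234, while the long-distance and international numbers return None and never reach the PBX.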
Single or multiple UM mailbox policies: The settings that are configured on a UM mailbox policy will
apply to all users who are linked with that UM mailbox policy. The settings configured on a UM mailbox
policy apply to users who call in to an Outlook Voice Access number and sign in to their mailbox. To apply
an in-country/region dialing rule group named MyAllowedDialRuleGroup to a single UM mailbox policy, use
the Dialing authorization page on the UM mailbox policy in the EAC or use the Set-UMMailboxPolicy
cmdlet in Exchange Online PowerShell, as follows.
Single or multiple auto attendants associated with the UM dial plan: This will apply to all users who
call in to a UM auto attendant. To apply the in-country/region dialing rule group named
MyAllowedDialRuleGroup to a single UM auto attendant, use the Dialing authorization page on the auto
attendant in the EAC or the Set-UMAutoAttendant cmdlet in Exchange Online PowerShell, as follows.
The following table summarizes the way that dialing rule groups are applied in Unified Messaging.
Applying outdialing rules
Outlook Voice Access number | User calls a dial plan Outlook Voice Access number and signs in to the mailbox | UM mailbox policy
Anonymous caller | User calls a dial plan Outlook Voice Access number | UM dial plan
Caller from inside the organization | User calls the Play on Phone number | UM mailbox policy
You can configure several dialing codes that Unified Messaging (UM) uses to dial internal and external calls for
UM-enabled users. Frequently, you want to configure a dial plan together with the dialing or access codes, a
national number prefix, or in-country/region or international number formats so that you can control outdialing for
users in your organization. This topic discusses dial codes, number prefixes, and number formats and how you can
use them to control outdialing for your organization.
Overview
Outdialing is the process in which users call in to a UM dial plan or UM auto attendant and then place a call to an
internal or external telephone number. When a user calls in to a UM dial plan or a UM auto attendant and then
places a call, Unified Messaging uses the settings configured on the dial plan, auto attendant, and UM mailbox
policies to place the call. UM places an outgoing call in the following situations:
When it places a call to an external telephone number for a caller
When it transfers a call to an auto attendant
When it transfers a call to a user (either UM-enabled or not) in your organization
When a UM-enabled user uses the Play on Phone feature
Two types of users use outdialing: authenticated users and unauthenticated users. Unauthenticated users call in to
an Outlook Voice Access number configured on a UM dial plan but don't sign in to their mailbox. Unauthenticated
users also call in to a number configured on a UM auto attendant. Authenticated users call in to an Outlook Voice
Access number and successfully sign in to their mailbox. When users call in to an Outlook Voice Access number,
they are initially considered unauthenticated because they haven't provided their extension number and PIN and
signed in to their mailbox. They are authenticated after they provide their extension number and PIN and
successfully sign in to their mailbox.
When an unauthenticated user calls in to a UM auto attendant and places a call using outdialing, the outdialing
settings configured on the UM dial plan and the auto attendant are used. When an unauthenticated user calls in to
an Outlook Voice Access number configured on a dial plan, only the settings configured on the dial plan are used.
When a user has successfully signed in to their mailbox, configuration settings from the dial plan and the UM
mailbox policy associated with the authenticated user are applied to the authenticated user.
You need to configure several settings to control outdialing for your organization. To control outdialing, you need
to configure the UM dial plans, auto attendants, and UM mailbox policies in Unified Messaging. The following
settings can be configured on UM dial plans, auto attendants, and UM mailbox policies to control outdialing:
Outside line, in-country/region, and international access codes
National number prefixes
In-country/region and international number formats
In-country/region and international dialing rule groups
Allowed in-country/region and international dialing rule groups
Dialing rule entries
You configure access codes, number prefixes, and number formats on a UM dial plan on the Dial Codes page in
the Exchange admin center (EAC). You can also configure the settings using the Set-UMDialPlan cmdlet in
Exchange Online PowerShell. You can choose to configure all the settings, none of the settings, or only some of the
settings. Each setting controls a specific part of the outdialing process.
UM uses access codes, number prefixes, and number formats to determine the correct number to dial. They can be
configured to restrict outgoing calls for users who dial in to a UM auto attendant associated with a UM dial plan or
who dial in to the Outlook Voice Access number configured on the dial plan.
For more information about outdialing in Unified Messaging, see Dial codes, number prefixes, and number
formats.
You can enable outgoing calls for a Unified Messaging (UM) IP gateway if outgoing calls have been disabled.
When you select the Allow outgoing calls through this UM IP gateway option on the properties for the UM
IP gateway, you configure the UM IP gateway to accept and send outgoing calls to a Voice over IP (VoIP) gateway,
Private Branch eXchange (PBX) enabled for Session Initiation Protocol (SIP), IP PBX, or session border controller
(SBC). Although the Allow outgoing calls through this UM IP gateway setting controls whether the UM IP
gateway is able to initiate outgoing calls for users, it doesn't affect call transfers or incoming calls from a VoIP
gateway, PBX enabled for SIP, IP PBX, or SBC.
Outdialing is the term used to describe a situation in which a user in one UM dial plan initiates a call to a
UM-enabled user in another dial plan or to an external telephone number.
To allow outdialing for UM-enabled users, you must:
Verify that the UM IP gateway allows outgoing calls.
Create dialing rule groups by creating dialing rule entries on the UM dial plan associated with the UM IP
gateway.
Add the correct dialing rule groups to the list of dialing restrictions in Dialing authorization on the UM
dial plan, auto attendant, or UM mailbox policy.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
You can enable or disable outgoing calls for a Unified Messaging (UM) IP gateway. When you clear the Allow
outgoing calls through this UM IP gateway option on the properties for the UM IP gateway, you configure the
UM IP gateway to not accept and send outgoing calls to a Voice over IP (VoIP) gateway, IP PBX, or session border
controller (SBC). Although the Allow outgoing calls through this UM IP gateway setting controls whether the
UM IP gateway is able to initiate outgoing calls for users, it doesn't affect call transfers or incoming calls from a
VoIP gateway, IP PBX, or SBC.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.
You can configure dial codes, number prefixes, and number formats that are used by Unified Messaging to dial
incoming and outgoing calls for users who are enabled for UM. In most cases, you'll configure a dial plan with the
dial codes, prefixes, and number formats currently configured on your telephony network.
Dial codes and number prefixes are used to determine the correct number to dial for an outgoing call that's placed
by a UM-enabled user. Outdialing is the term used to describe the process by which a user in a UM dial plan
initiates an outgoing call. Number formats are used for incoming calls within a country or region, international
calls, or calls that are placed within a dial plan. You can configure a dial plan to match the incoming call number
format for both in-country/region and international numbers. When you configure the in-country/region and
international number formats, you can restrict incoming calls for users linked with a dial plan.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.
Use the EAC to configure dial codes, prefixes, and number formats
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. Select the UM dial plan you want to manage, and then click Edit.
3. On the UM Dial Plan page, click Configure.
4. On the UM dial plan page > Dial codes, configure the following options:
Outside line access code
International access code
National number prefix
Country/Region code
5. Under Number formats for dialing between dial plans, configure the following:
Country/Region number format
International number format
Number formats for incoming calls within the same dial plan: To add a number format, click Add.
6. Click Save to save your changes.
Dialing rule groups consist of dialing rule entries. Dialing rules are used to modify a phone number before
sending it to an on-premises telephone system (PBX) or IP PBX for outgoing calls. Dialing rules serve two
purposes:
They specify the numbers that can be dialed for outgoing calls. When you create a dialing rule, you specify
the number formats that can be dialed. Any number that doesn't match one of the formats you specified is
rejected. If you don't set any dialing rules, callers can place calls within your organization but can't make any
outgoing calls.
They transform the numbers dialed before sending them out to your on-premises telephone system.
Dialing rules can strip numbers from or add numbers to the number dialed. For example, you can use
dialing rules to add the outside line access code for your telephone system or to add or remove the in-
country/region code for long-distance or local numbers.
To specify the types of outgoing calls you want to allow for a UM dial plan, you create a dialing rule group with
dialing rules and then use them to authorize outgoing calls for Outlook Voice Access users and callers that dial
into a UM auto attendant. You create separate dialing rule groups for in-country/region and for international calls.
NOTE
If you are integrating UM with Microsoft Lync Server, we recommend that you create at least one dialing rule group and
authorize that dialing rule group on the SIP URI dial plans, UM mailbox policies, and UM auto attendants to allow all
outgoing calls to be forwarded to Lync Servers.
For other management tasks for outdialing, see Allowing users to make calls procedures.
By default, users aren't able to place outgoing calls. To specify the kinds of calls users can make, you first create
dialing rules, then authorize groups of these dialing rules on UM dial plans, UM mailbox policies, or UM auto
attendants. Before you can authorize dialing rule groups, you have to define dialing rules on a UM dial plan. For
details, see Create dialing rules for users.
Each dialing rule that you create will contain the types of calls or number patterns that you want to give users
access to. You can allow different types of users to make different types of calls. The calls you allow can be within a
country or region, or they can be international.
To authorize or restrict dialing, the following settings must be configured correctly:
Dialing rules: Dialing rules define the number that UM-enabled users dial and the number that will be sent
from Unified Messaging and dialed by the Private Branch eXchange (PBX) or IP PBX. You create a dialing
rule group by adding a dialing rule. After you create a dialing rule group, you add it to the list of authorized
calls for an in-country/region or international dialing rule group.
Dialing rule groups: Dialing rule groups determine the types of calls that users within the dialing group
can make.
Dialing authorizations: Dialing authorizations are used to determine the restrictions that will be applied to
prevent users from incurring unnecessary telephone charges or from dialing long-distance calls.
Unauthenticated callers who call in to an Outlook Voice Access number and don't enter a PIN | UM dial plan. For details, see Authorize calls for users in a dial plan.
Authenticated callers who call in to an Outlook Voice Access number and enter a PIN | UM mailbox policy for the caller. For details, see Authorize calls for a group of users.
Unauthenticated callers who call in to a telephone number that's configured on a UM auto attendant | UM auto attendant. For details, see Authorize calls for auto attendant callers.
Depending on which users you're authorizing to make outbound calls, you'll use the Dialing authorization page
in the Exchange admin center (EAC) for the dial plan, the auto attendant, or the UM mailbox policy.
Authorize calls for auto attendant callers
2/28/2019 • 2 minutes to read
You can enable dialing authorizations on a Unified Messaging (UM) auto attendant. Dialing authorizations on an
auto attendant are used to prohibit users who call in to the auto attendant from making in-country/region or
international telephone calls, or outdialing. Outdialing happens when Unified Messaging makes an outgoing call
for a user after they've called into a phone number that is configured on a UM auto attendant.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.
You can enable dialing authorizations on a Unified Messaging (UM) dial plan. Dialing authorizations on a dial plan
are used to prohibit unauthenticated Outlook Voice Access users from making in-country/region or international
telephone calls, or outdialing. Outdialing happens when Unified Messaging places an outgoing call for a user after
they've called in to an Outlook Voice Access phone number that is configured on a UM dial plan. When you
configure a setting on a UM dial plan, that setting applies to all unauthenticated users that call in to an Outlook
Voice Access number.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.
Use the EAC to enable dialing authorizations on a UM dial plan for in-country/region dialing rule groups
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, click Configure.
3. On the UM Dial Plan page > Dialing authorization, click Add under Authorized in-country/region
dialing rule groups.
4. On the Select Dialing Rule Groups to Allow page, select the dialing rule group, click OK, and then click
Save.
You can enable dialing authorizations on a Unified Messaging (UM) mailbox policy. You can use dialing
authorizations on a mailbox policy to prohibit authenticated Outlook Voice Access users that are linked to the UM
mailbox policy from making in-country/region or international telephone calls, or outdialing. Outdialing happens
when Unified Messaging places an outgoing call for a user after they've called in to an Outlook Voice Access
phone number that is configured on a UM dial plan. When you configure a setting on a UM mailbox policy, that
setting applies to all UM-enabled users linked with the UM mailbox policy.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.
Microsoft Exchange Unified Messaging (UM) relies on certified fax partner solutions for enhanced fax features
such as outbound fax or fax routing. By default, Exchange servers aren't configured to allow incoming faxes to be
delivered to a user that's enabled for UM. Instead, an Exchange server redirects incoming fax calls to a certified fax
partner solution. The fax partner's server receives the fax data and then sends it to the user's mailbox in an email
message with the fax included as a .tif attachment.
For more information about fax partners, see Microsoft Pinpoint for Fax Partners.
IMPORTANT
Sending and receiving faxes using T.38 or G.711 isn't supported in an environment where Unified Messaging and Microsoft
Office Communications Server 2007 R2 or Microsoft Lync Server are integrated.
By default, although the UM dial plan and the user's mailbox allow incoming faxes, you must first enable inbound
faxing on the UM mailbox policy that's assigned to the UM-enabled user and then enter the fax partner server's
URI.
To enable UM-enabled users to receive faxes, you must do the following:
Verify that each UM dial plan allows the users who are associated with the dial plan to receive faxes. By
default, all users who are associated with a dial plan can receive faxes. For UM-enabled users to receive fax
messages in their mailbox, each VoIP gateway or IP PBX must be configured to accept incoming fax calls.
You must also enable fax messages to be received by users who are linked with the dial plan. For more
information about how to enable users linked with a dial plan to receive faxes or to prevent them from
doing this, see Enable a user to receive faxes.
NOTE
If you prevent fax messages from being received on a dial plan, no users who are associated with the dial plan will be
able to receive faxes, even if you configure an individual user's properties to allow them to receive faxes. Enabling or
disabling faxing on a UM dial plan takes precedence over the settings for an individual UM-enabled user.
Configure the UM mailbox policy that's associated with the UM-enabled user. The UM mailbox policy must
be configured to allow incoming faxes, including the fax partner's URI and the name of the fax partner's
server. The FaxServerURI parameter must use the following form: sip:<fax server URI>:<port>;<transport>,
where "fax server URI" is either a fully qualified domain name (FQDN) or an IP address of the fax partner
server. The "port" is the port on which the fax server listens for incoming fax calls and "transport" is the
transport protocol that's used for the incoming fax (UDP, TCP, or Transport Layer Security (TLS)). For
example, you might configure a UM mailbox policy to receive a fax as follows.
For details, see Set the partner fax server URI to allow faxing.
CAUTION
Although you can include multiple entries in the format for the FaxServerURI by separating them with a
semicolon, only one entry will be used. This parameter allows only one entry to be used, and adding
multiple entries won't enable you to load balance fax requests.
Verify that the mailbox that's UM-enabled can receive fax messages. By default, all users who are associated
with a dial plan can receive faxes. However, there may be situations when a user can't receive faxes because
the ability to receive faxes has been disabled on their mailbox. For more information about how to enable a
UM-enabled user to receive faxes, see Enable a user to receive faxes.
You can prevent an individual user who's associated with a dial plan from receiving fax messages. To do this,
configure the properties for the user by using the Set-UMMailbox cmdlet in Exchange Online PowerShell.
You can also use the Set-UMMailboxPolicy cmdlet to prevent multiple users from receiving fax messages.
For more information about how to prevent a user or users from receiving fax messages, see Prevent a user
from receiving faxes.
Step 4: Configure authentication
In addition to configuring your UM dial plans, UM mailbox policies, and UM-enabled users, you have to configure
authentication between your Exchange servers and the fax partner server. The Exchange servers must be able to
authenticate the origin of the messages that claim to be coming from the fax partner server. Any unauthenticated
messages claiming to have come from a fax partner server won't be processed by an Exchange server.
To authenticate the connection from the fax partner server to the Exchange servers, you can use:
Mutual TLS
Sender ID validation
A dedicated receive connector
A receive connector should be sufficient for authenticating the fax partner servers deployed in your organization.
The receive connector will ensure that the Exchange servers treat all traffic coming from the fax partner server as
authenticated.
The receive connector will be configured on an Exchange server that's used by the fax partner server to submit
SMTP fax messages, and must be configured with the following values:
AuthMechanism: ExternalAuthoritative
PermissionGroups: ExchangeServers, PartnersFax
RemoteIPRanges: {the fax server's IP address}
RequireTLS: False
EnableAuthGSSAPI: False
LiveCredentialEnabled: False
For details, see Connectors.
If the fax partner server sends network traffic to an Exchange server over a public network, for example, a service-
based fax partner server hosted in the cloud, it's a good idea to authenticate the fax partner server using a sender
ID check. This type of authentication ensures that the IP address that the fax message came from is authorized to
send email messages on behalf of the fax partner domain that the message claims to have come from. DNS is used
to store the sender ID records (or sender policy framework (SPF) records) and fax partners must publish their SPF
records in the DNS forward lookup zone. Exchange will validate the IP addresses by querying DNS. However, the
sender ID agent must be running on a Mailbox server to be able to perform the DNS query.
You can also use TLS to encrypt the network traffic, or mutual TLS for encryption and authentication between the
fax partner server and Exchange servers.
Fax advisor for Exchange UM
2/28/2019 • 2 minutes to read
Microsoft Unified Messaging (UM) relies on certified fax partner solutions for enhanced fax functionality such as
outbound fax or fax routing. By default, users aren't configured to allow incoming fax messages to be delivered to a
UM-enabled user. Exchange servers send the fax requests to a certified fax partner solution. The fax partner's
server receives the fax data and then sends it to the recipient's mailbox in an email message with the fax included
as a .tif attachment. For details, see Enable Voice Mail Users to Receive Faxes.
IMPORTANT
We recommend that all customers who plan to deploy Unified Messaging obtain the assistance of a Unified Messaging
specialist. A Unified Messaging specialist helps you ensure that there's a smooth transition to Unified Messaging from a
legacy voice mail system. Performing a new deployment or upgrading a legacy voice mail system requires significant
knowledge about PBXs and Unified Messaging. For more information about how to contact a Unified Messaging specialist,
see the Microsoft Exchange Server Unified Messaging (UM) Specialists or Microsoft Pinpoint for Unified Messaging.
You can enable and disable inbound faxes for users associated with a Unified Messaging (UM) mailbox policy. By
default, when you enable users for UM, users can't receive fax messages until you enable inbound faxing on the
UM mailbox policy and specify the URI for the partner fax server. If the URIs are configured on the UM mailbox
policy but the option to allow incoming faxes is disabled on the UM dial plan or for an individual user, UM-enabled
users linked to the UM mailbox policy still won't be able to receive faxes.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
NOTE
Although the box can contain more than one fax server URI, only one will be used. If you enter two URIs, only the
first will be used.
This example allows users who are linked with the UM mailbox policy UMDialPlan Default Policy to use TLS with
port 5061 for the partner fax server faxserver2.
You can include additional text in the email message that's sent when a fax message is received by a user who is
enabled for Unified Messaging (UM) voice mail and is fax-enabled, and when the UM mailbox policy has been
configured correctly to use a fax partner provider. By default, the text included when a UM-enabled user receives a
fax message indicates only that the user has received a fax message. However, you can create a custom message
by adding text in the When a user receives a fax message box on a UM mailbox policy. For example, the text can
include information about system security policies and describe the correct way to handle fax messages in your
organization. After you add the text, it will be included in each email message that's sent when UM-enabled users
who are associated with the UM mailbox policy receive a fax message.
NOTE
The custom text that accompanies a fax message is limited to 512 characters, and can include simple HTML text.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
Use the EAC to change the text included with a fax message
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user receives a fax
message, enter the text you want to include in the email message that's sent when users receive a fax
message in their mailbox.
4. Click Save.
Use Exchange Online PowerShell to change the text included with a fax message
This example enables UM-enabled users who are associated with a UM mailbox policy to receive additional
instructions on how to open a fax message that they've received in their mailbox.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -FaxMessageText "To open this fax message, double-click the file attachment."
Allow users in the same dial plan to receive faxes
2/28/2019
You can enable all users who are linked with a Unified Messaging (UM) dial plan to receive fax messages in their
mailboxes. By default, users who are enabled for Unified Messaging and are linked with a UM dial plan can receive
fax messages. To allow UM-enabled users to receive fax messages in their mailboxes, the dial plan must be
configured to accept incoming fax calls. You must also enable faxing on the UM mailbox policy and for the user. By
default, faxing is enabled on dial plans, UM mailbox policies, and for users. However, there may be times when
these default settings have changed and UM-enabled users can't receive fax messages.
If you prevent fax messages from being received on a dial plan, all users who are associated with the dial plan
won't be able to receive fax messages, even if you configure an individual user's properties to allow them to
receive fax messages. Enabling or disabling faxing on a UM dial plan takes precedence over the settings for faxing
on a UM mailbox policy or an individual UM-enabled user.
NOTE
You can use the EAC to configure fax settings on a UM mailbox policy. However, you must use Exchange Online PowerShell
to configure fax settings on dial plans or for individual users.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
Use Exchange Online PowerShell to allow users who are linked to a dial plan to receive faxes
This example enables UM-enabled users who are linked with the UM dial plan named MyUMDialPlan to receive
incoming faxes.
You can prevent UM-enabled users who are linked with a Unified Messaging (UM) dial plan from receiving fax
messages. By default, users who are enabled for Unified Messaging and are linked with a UM dial plan can receive
fax messages. However, there may be times when you want to prevent users who are associated with a specific
UM dial plan from receiving faxes.
You can prevent UM-enabled users from receiving faxes by configuring the UM dial plan, the UM mailbox policy,
or the UM-enabled user's mailbox. If you disable incoming fax message delivery on a UM dial plan, all users who
are associated with the dial plan will be prevented from receiving fax messages. Enabling or disabling faxing on a
UM dial plan takes precedence over the settings for an individual UM-enabled user.
NOTE
You can use the EAC to configure fax settings on a UM mailbox policy. However, you must use Exchange Online PowerShell
to configure fax settings on dial plans or for individual users.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
You can enable inbound faxes for users linked with a Unified Messaging (UM) mailbox policy. By default, when you
enable users for Unified Messaging, users can't receive fax messages until you specify the URI for the fax partner
server, deploy a fax partner server for your organization, and enable faxing on a UM mailbox policy. If the option
to allow incoming faxes is disabled on the UM dial plan, the users linked with the UM mailbox policy still won't be
able to receive faxes. Similarly, if the option to allow incoming faxes is disabled on an individual user, that user
won't be able to receive faxes.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
You can disable inbound faxes for users associated with a Unified Messaging (UM) mailbox policy. By default,
when you enable users for Unified Messaging, users can't receive fax messages until you specify the URI for the
fax partner server, deploy a fax partner server for your organization, and enable faxing on a UM mailbox policy. If
the option to allow incoming faxes is disabled on the UM dial plan, the users linked with the UM mailbox policy
still won't be able to receive faxes. Similarly, if the option to allow incoming faxes is disabled on an individual user,
that user won't be able to receive faxes.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
You can enable a Unified Messaging (UM) user to receive faxes. By default, when you enable a user for Unified
Messaging, they will be able to receive faxes if you enable faxing and configure a fax partner's URI on the UM
mailbox policy that is linked to the user. Faxing can be enabled or disabled on UM dial plans, UM mailbox policies,
or the UM-enabled user's mailbox.
By default, the user's mailbox and the dial plan that is linked with the user allow incoming faxes. However, for a
user to receive faxes you must first enable inbound faxing on the UM mailbox policy that's associated with the
UM-enabled user and enter the fax partner's URI.
NOTE
You can use the EAC to configure fax settings on a UM mailbox policy. However, you must use Exchange Online PowerShell
to configure fax settings on dial plans or for individual users.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
Prevent a Unified Messaging (UM) user from receiving faxes. Find out how to alter fax settings for new and
existing UM users.
By default, when you enable a user for Unified Messaging, they will be able to receive faxes if you enable faxing
and configure a fax partner's URI on the UM mailbox policy that is linked to the user. Faxing can be enabled or
disabled on UM dial plans, UM mailbox policies, or the UM-enabled user's mailbox.
By default, the user's mailbox and the dial plan that is linked with the user allow incoming faxes. However, for a
user to receive faxes you must first enable inbound faxing on the UM mailbox policy that's associated with the
UM-enabled user and enter the fax partner's URI.
NOTE
You can use the EAC to configure fax settings on a Unified Messaging mailbox policy. However, you must use Exchange
Online PowerShell to configure fax settings on dial plans or for individual users.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.
When Unified Messaging (UM) users connect to the voice mail system by telephone, they use Outlook Voice
Access to navigate the menu system. Before users can access the voice mail system, the system prompts them to
enter their PIN. As the administrator, you can configure PIN settings and requirements and perform PIN
management tasks. After a user has been enabled for voice mail and a PIN has been generated, the user's PIN is
stored encrypted in the user's mailbox.
NOTE
Outlook Voice Access users must use touchtone (also called dual tone multi-frequency (DTMF)) inputs to enter their PIN to
access their UM-enabled mailbox. Speech recognition isn't available for PIN entry.
PIN overview
A PIN is a numeric string that's used in certain systems so that a user can be authenticated and gain access to the
system. PINs are most frequently used for automatic teller machines (ATMs). They're also used instead of
alphanumeric passwords for voice mail systems. The strength of a PIN depends on its length, how well it's
protected, and how difficult it is to guess.
In Unified Messaging, Outlook Voice Access users enter their PIN on an analog, digital, or mobile telephone so that
they can access email, voice mail, contact, and calendaring information in their Exchange Server mailbox.
In UM, PIN policies are defined and configured on a UM mailbox policy. You can create multiple UM mailbox
policies depending on your requirements. When you enable a user for voice mail, you link the user to an existing
UM mailbox policy. The UM PIN policies that are configured on the UM mailbox policy should be based on the
security requirements of your organization.
PIN requirements
The following are several PIN configuration settings that you can set on a UM mailbox policy.
Minimum PIN length
The Minimum PIN length setting specifies the minimum number of digits that a mailbox PIN must contain. The
range is 4 through 24, and the default is 6. If you enter 0, users aren't required to enter a PIN.
IMPORTANT
Configuring this setting with zero isn't a recommended practice. If you configure the setting to zero, you greatly decrease the
level of security for your network.
If you change the minimum PIN length to a higher value, current Outlook Voice Access users will be prompted to
create a new PIN that contains the new minimum number of digits before they can continue.
NOTE
Increasing this number creates a more secure UM environment. However, setting it too high can result in users forgetting
their PIN.
Enforce PIN lifetime
The Enforce PIN lifetime setting controls the time interval, in days, from the date Outlook Voice Access users last
changed their PIN to the date they'll be forced to change their PIN again. The range is 0 through 999, and the
default is 60 days. If 0 is entered, the PIN won't expire.
NOTE
Unified Messaging won't notify users when their PIN is about to expire.
NOTE
To increase security for UM-enabled users, enter a number that's less than 5.
NOTE
To increase security, decrease the number of failed attempts that are allowed. But remember that decreasing it to a number
much lower than the default may result in users being locked out unnecessarily. Unified Messaging will generate warning
events that can be viewed using Event Viewer if PIN authentication fails for a UM-enabled user or the user is unsuccessful in
trying to sign in to the system.
IMPORTANT
It's a security best practice to implement strong PIN requirements for Outlook Voice Access users. This can be enforced by
creating UM mailbox policy PIN policies that require six or more digits for PINs, which increases the level of security for your
network.
After you set the Outlook Voice Access PIN requirements, you must create and configure a UM mailbox policy to
enforce your organizational PIN requirements. For details about how to create a UM mailbox policy, see Create a
UM mailbox policy. For details about how to manage UM mailbox policies, see Manage a UM mailbox policy.
NOTE
After you create the UM mailbox policy, you must link the UM-enabled user or users with the appropriate UM mailbox policy.
You can do this by using the Enable-UMMailbox cmdlet in Exchange Online PowerShell or by using the Exchange admin
center (EAC). For more information about Exchange Online PowerShell cmdlet, see Enable-UMMailbox.
There are situations in which Outlook Voice Access users forget their PIN or are locked out of voice mail access to
their mailbox. In either case, it may be necessary for you to reset a UM-enabled user's PIN. For details, see Reset a
voice mail PIN.
You can retrieve PIN information for a user who is enabled for Unified Messaging. The information returned to you
is calculated by using the encrypted PIN data stored in the user's mailbox. This lets you view PIN information for
the user and also indicates whether the user has been locked out of their mailbox. For details, see Retrieve voice
mail PIN information.
PIN security procedures
2/28/2019
You can set PIN policies on a Unified Messaging (UM) mailbox policy. UM mailbox policies can be configured to
increase the level of security for UM-enabled users that use Outlook Voice Access by requiring users to comply
with the predefined PIN policies for your organization.
To set PIN policies for Outlook Voice Access users, you can either create a new UM mailbox policy or modify an
existing UM mailbox policy. After a new UM mailbox policy is created, you can then configure the UM mailbox
policy by configuring the following PIN settings:
MinPasswordLength
PINLifetime
LogonFailuresBeforePINReset
MaxLogonAttempts
AllowCommonPatterns
PINHistoryCount
It's a security best practice to implement strong PIN requirements for UM users. This can be enforced by creating
UM PIN policies that require 6 or more digits for PINs and increase the level of security for your network.
When you change the PIN policy, the new PIN setting is applied to users who are currently associated with the UM
mailbox policy. For example, if you modify the UM mailbox policy and change the minimum PIN length from 7 to
10 digits, the next time users log on they'll be forced to change their PIN to comply with the changed PIN
requirement.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
Use the EAC to set PIN policies for Outlook Voice Access users
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, click the UM dial plan you
want to edit, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to edit,
and then click Edit.
3. Click Properties.
4. On the UM mailbox policy page, click PIN policies.
5. On the PIN Policies page, configure the PIN settings for the Outlook Voice Access users associated with
this UM mailbox policy, and then click Save.
Use Exchange Online PowerShell to set PIN policies for Outlook Voice Access users
This example sets the PIN settings for users associated with the UM mailbox policy MyUMMailboxPolicy.
When a Unified Messaging (UM)-enabled voice mail user is locked out of their mailbox using Outlook Voice
Access because they tried to sign in using an incorrect PIN multiple times or they forgot their PIN, you can use
one of the following procedures to reset the user's PIN. When you reset a user's Outlook Voice Access PIN, you
can configure UM to automatically generate a PIN or you can manually specify the PIN. The new PIN is sent to
the user in email. You can specify additional PIN options such as requiring the user to reset their PIN when they
first sign in. Users can also reset their UM PIN using Outlook or Outlook Web App.
NOTE
To access their UM-enabled mailboxes, Outlook Voice Access users need to use touchtone, also known as dual tone multi-
frequency (DTMF), inputs. Speech recognition isn't available for PIN input.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
You can retrieve PIN information for a user who is enabled for Unified Messaging (UM). After a user has been
enabled for UM and a PIN is generated or created, the PIN is encrypted and stored in the user's mailbox.
When you retrieve PIN information for a UM-enabled user, the information returned to you is calculated by using
the encrypted PIN data stored in the user's mailbox. This lets you view information from the user's mailbox and
also indicates whether the user has been locked out of the mailbox.
For additional tasks related to PIN security, see PIN security procedures.
You can include additional text in the email message that's sent to users when their Unified Messaging (UM) or
voice mail PIN is reset. You do this by entering custom text in the When a user's Outlook Voice Access PIN is
reset box on a UM mailbox policy. The customized text can include, for example, security-related information for
UM-enabled users.
By default, a PIN used for Outlook Voice Access is reset by the Unified Messaging or voice mail system if the
number of failed sign-in attempts exceeds 5. Users can also reset their PINs using the UM features included with
Outlook Web App or Outlook 2010 or later, or by using Outlook Voice Access from a telephone.
NOTE
The text you enter in this box is limited to 512 characters, and can include simple HTML text.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
Use the EAC to add text to the email message sent to users when their PIN is reset
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user's Outlook Voice
Access PIN is reset, enter the text you want to include in the email message that's sent when a user's PIN
is reset.
4. Click Save.
Use Exchange Online PowerShell to add text to the email message sent to users when their PIN is reset
This example includes the additional text, "Do not share your PIN with other users. Doing so may result in
disciplinary action", in the email message sent to users who are associated with the UM mailbox policy
MyUMMailboxPolicy when their PIN is reset.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -ResetPINText "Do not share your PIN with other users. Doing so may result in disciplinary action."
Set the minimum PIN length for voice mail
2/28/2019
You can configure the minimum PIN length for your Outlook Voice Access users who are enabled for Unified
Messaging (UM). The PIN settings that you configure on a UM mailbox policy will apply to all UM-enabled users
associated with the UM mailbox policy.
Outlook Voice Access is used by UM-enabled users to access their voice mail, email, calendar, and personal contact
information located in their mailbox. However, before they can access their mailbox, they must enter a PIN so they
can be authenticated by the voice mail system.
NOTE
If you change the minimum PIN length value, existing Outlook Voice Access users will be prompted to enter a new PIN that
contains the new minimum number of digits before they can continue. The default is 6.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
Use the EAC to configure the minimum PIN length for Outlook Voice Access
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to Minimum PIN length, enter a value between 4 and 24.
5. Click Save.
Use Exchange Online PowerShell to configure the minimum PIN length for Outlook Voice Access
This example sets the minimum PIN length to 8 digits for Outlook Voice Access users who are associated with the
UM mailbox policy named MyUMMailboxPolicy.
This example sets the minimum PIN length to 8 digits and sets the number of times a sign-in can fail before the
user's PIN is reset to 3. This applies to UM-enabled users who are associated with the UM mailbox policy named
MyUMMailboxPolicy.
You can configure the PIN lifetime for users who are enabled for Unified Messaging (UM). The PIN lifetime is the
maximum time that an Outlook Voice Access PIN will be valid for UM-enabled recipients. The PIN lifetime setting
is configured on a UM mailbox policy and applies to all UM-enabled users associated with the UM mailbox policy.
Several PIN-related settings can be configured on a UM mailbox policy. The PIN lifetime setting controls the time
interval, in days, from the date Outlook Voice Access users last changed their PIN to the date they'll be forced to
change their PIN again. The range is 0 through 999, and the default is 60 days. If you enter 0, the user's PIN won't
expire. We recommend that you don't configure this setting to 0, because by doing so you greatly reduce the
security of your network.
IMPORTANT
Unified Messaging doesn't notify users when their PIN is about to expire.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
This example configures the following PIN-related settings for Outlook Voice Access users who are associated
with a UM mailbox policy named MyUMMailboxPolicy:
Sets the number of logon failures before the user's PIN is reset to 3.
Sets the maximum number of logon attempts to 5.
Sets the minimum PIN length to 9 digits.
Sets the PIN to expire in 40 days.
When Outlook Voice Access users dial in to an Outlook Voice Access number, they're prompted to enter their PIN
so that the voice mail system can authenticate them. After they're authenticated, they can access the voice mail,
email, calendaring, and personal contact information in their mailbox from any telephone.
Several PIN-related settings can be configured on a Unified Messaging (UM) mailbox policy. The PIN recycle
count setting specifies the number of unique PINs users must use before they can reuse an old PIN. You can set
the value of this setting between 1 and 20. For most organizations, this value should be set to 5 PINs, which is the
default. Setting this value too high can frustrate users because it can be difficult for users to create and memorize
many PINs. Setting it too low may introduce a security threat to your network.
IMPORTANT
The PIN recycle count can't be disabled.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
You can enable or disable common Unified Messaging (UM) PIN patterns for Outlook Voice Access users. If you
enable or disable the common PIN patterns setting on a UM mailbox policy, the setting will apply to all
UM-enabled users associated with the UM mailbox policy. By default, UM-enabled users can't use common patterns
when they create a PIN.
You can configure several PIN-related settings on a UM mailbox policy. The Allow Common PIN Patterns
setting is used to allow or prevent the use of common number patterns when users create a PIN. By default, this
setting is disabled and prevents users from using the following number patterns:
Sequential numbers: These are PIN values that include only consecutive numbers. Examples of
consecutive numbers for a PIN are 1234 and 65432.
Repeated numbers: These are PIN values that include only repeated numbers. Examples of repeated
numbers are 11111 and 22222.
Suffix of mailbox extension: These are PIN values that include the suffix of a user's mailbox extension.
For example, if a user's mailbox extension is 36697, the user's PIN cannot be 3669712.
NOTE
If the Allow Common PIN Patterns setting is enabled, only the suffix of the mailbox extension will be rejected.
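The three pattern rules above can be approximated in a pre-check for PINs that an administrator specifies manually. This is an added example, not part of the original documentation and not Microsoft's implementation; the function name, the sample PINs, and the reading of the extension rule as "the PIN contains the extension digits" are assumptions.

```powershell
# Added example: approximates the common-pattern rules described on this page.
# Test-CommonPinPattern is a hypothetical helper, and all PIN values are constructed.
function Test-CommonPinPattern {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[0-9]+$')][string]$Pin,
        [Parameter(Mandatory)][ValidatePattern('^[0-9]+$')][string]$Extension,
        # Mirrors the Allow Common PIN Patterns setting, which is disabled by default.
        [bool]$AllowCommonPatterns = $false
    )

    # Difference between each digit and the digit before it.
    $digits = @($Pin.ToCharArray() | ForEach-Object { [int][string]$_ })
    $steps  = @(for ($i = 1; $i -lt $digits.Count; $i++) { $digits[$i] - $digits[$i - 1] })
    $unique = @($steps | Sort-Object -Unique)

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Assumption: the extension rule is read as "the PIN contains the extension",
    # which matches the page's example (extension 36697, PIN 3669712).
    # This check applies whether or not common patterns are allowed.
    if ($Pin.Contains($Extension)) {
        $reasons.Add('contains mailbox extension')
    }

    if (-not $AllowCommonPatterns) {
        # Repeated numbers: every step is 0 (11111, 22222).
        if ($unique.Count -eq 1 -and $unique[0] -eq 0) {
            $reasons.Add('repeated digits')
        }
        # Sequential numbers: every step is +1 or every step is -1 (1234, 65432).
        if ($unique.Count -eq 1 -and [math]::Abs($unique[0]) -eq 1) {
            $reasons.Add('sequential digits')
        }
    }

    [pscustomobject]@{
        Pin                 = $Pin
        AllowCommonPatterns = $AllowCommonPatterns
        Rejected            = ($reasons.Count -gt 0)
        Reasons             = ($reasons -join '; ')
    }
}

# Constructed inputs: the page's own examples plus one PIN with no common pattern.
$extension = '36697'
$results = foreach ($pin in '1234', '65432', '11111', '3669712', '407913') {
    Test-CommonPinPattern -Pin $pin -Extension $extension
}

# With common patterns allowed, only the extension rule still rejects a PIN.
$results += Test-CommonPinPattern -Pin '1234'    -Extension $extension -AllowCommonPatterns $true
$results += Test-CommonPinPattern -Pin '3669712' -Extension $extension -AllowCommonPatterns $true

$results | Format-Table -AutoSize
```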
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
You can configure the number of sign-in failures allowed before the PIN is reset for an Outlook Voice Access user
to a value from 1 through 998. The default is 5. The number of sign-in failures allowed before a PIN is reset is
configured on a Unified Messaging (UM) mailbox policy and applies to all Outlook Voice Access users associated
with the UM mailbox policy.
NOTE
You can increase security by configuring the Number of sign-in failures before PIN reset setting to a number less than 5.
You decrease security if you configure it to a number more than 5.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
Use the EAC to configure the number of sign-in failures before a PIN is reset
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to Number of sign-in failures before PIN reset, enter a value between 0
and 999.
5. Click Save.
Use Exchange Online PowerShell to configure the number of sign-in failures before a PIN is reset
This example sets the number of sign-in failures before the user's PIN is reset to 3 for UM-enabled users who are
associated with a UM mailbox policy named MyUMMailboxPolicy.
This example sets the number of sign-in failures before the user's PIN is reset to 3, the maximum number of
sign-in attempts to 5, and the minimum PIN length to 9 for UM-enabled users who are associated with a UM mailbox
policy named MyUMMailboxPolicy.
You can configure the number of sign-in failures allowed before an Outlook Voice Access user is locked out of their
mailbox. The number of sign-in failures allowed before a voice mail user is locked out is configured on a Unified
Messaging (UM) mailbox policy, and applies to all UM-enabled users associated with the UM mailbox policy. By
default it is set to 15.
To increase security, decrease the maximum number of failed attempts. However, remember that if you decrease it
to a number much lower than the default, users may be locked out unnecessarily. Unified Messaging will generate
warning events you can view using Event Viewer if PIN authentication fails for UM-enabled users or if users are
unsuccessful when they try to sign in to the system. This setting must be larger than the setting for the number of
sign-in failures before the PIN is reset.
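The PIN settings described in the preceding topics interact: a minimum length of 0 removes the PIN, a lifetime of 0 disables expiry, and the lockout threshold must be larger than the reset threshold. The following added example (not part of the original documentation) audits policy settings against the ranges and recommendations stated on this page. The function name and the sample policies are constructed, and the property names follow the PIN setting names listed on this page, which is an assumption about how your exported policy data is shaped.

```powershell
# Added example: checks UM mailbox policy PIN settings against the values documented
# on this page. Test-UMPinPolicy is a hypothetical helper; sample policies are constructed.
function Test-UMPinPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Minimum PIN length: range 4-24, 0 means no PIN is required, 6 or more recommended.
        if ($Policy.MinPasswordLength -eq 0) {
            $findings.Add('MinPasswordLength is 0: users are not required to enter a PIN')
        }
        elseif ($Policy.MinPasswordLength -lt 4 -or $Policy.MinPasswordLength -gt 24) {
            $findings.Add("MinPasswordLength $($Policy.MinPasswordLength) is outside the range 4-24")
        }
        elseif ($Policy.MinPasswordLength -lt 6) {
            $findings.Add("MinPasswordLength $($Policy.MinPasswordLength) is below the recommended 6 digits")
        }

        # PIN lifetime: range 0-999 days, 0 means the PIN never expires.
        if ($Policy.PINLifetime -eq 0) {
            $findings.Add('PINLifetime is 0: PINs never expire')
        }
        elseif ($Policy.PINLifetime -lt 0 -or $Policy.PINLifetime -gt 999) {
            $findings.Add("PINLifetime $($Policy.PINLifetime) is outside the range 0-999")
        }

        # PIN recycle count: range 1-20, cannot be disabled.
        if ($Policy.PINHistoryCount -lt 1 -or $Policy.PINHistoryCount -gt 20) {
            $findings.Add("PINHistoryCount $($Policy.PINHistoryCount) is outside the range 1-20")
        }

        # Common patterns (sequential, repeated) are blocked only when this is disabled.
        if ($Policy.AllowCommonPatterns) {
            $findings.Add('AllowCommonPatterns is enabled: sequential and repeated PINs are accepted')
        }

        # The page states that a reset threshold above 5 decreases security.
        if ($Policy.LogonFailuresBeforePINReset -gt 5) {
            $findings.Add("LogonFailuresBeforePINReset $($Policy.LogonFailuresBeforePINReset) is above the default of 5")
        }

        # The lockout threshold must be larger than the reset threshold.
        if ($Policy.MaxLogonAttempts -le $Policy.LogonFailuresBeforePINReset) {
            $findings.Add('MaxLogonAttempts must be larger than LogonFailuresBeforePINReset')
        }

        [pscustomobject]@{
            Name      = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings.ToArray()
        }
    }
}

# Constructed sample policies: page defaults, a weakened policy, and an invalid combination.
$samplePolicies = @(
    [pscustomobject]@{
        Name = 'Defaults'; MinPasswordLength = 6; PINLifetime = 60; PINHistoryCount = 5
        AllowCommonPatterns = $false; LogonFailuresBeforePINReset = 5; MaxLogonAttempts = 15
    }
    [pscustomobject]@{
        Name = 'Weakened'; MinPasswordLength = 4; PINLifetime = 0; PINHistoryCount = 1
        AllowCommonPatterns = $true; LogonFailuresBeforePINReset = 10; MaxLogonAttempts = 15
    }
    [pscustomobject]@{
        Name = 'InvalidThresholds'; MinPasswordLength = 9; PINLifetime = 40; PINHistoryCount = 5
        AllowCommonPatterns = $false; LogonFailuresBeforePINReset = 5; MaxLogonAttempts = 5
    }
)

$samplePolicies | Test-UMPinPolicy | Format-List
```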
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.
Use the EAC to configure the number of sign-in failures before a voice mail user is locked out
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to Number of sign-in failures before lockout, enter a value between 1 and
999.
5. Click Save.
Use Exchange Online PowerShell to configure the number of sign-in
failures before a voice mail user is locked out
This example sets the maximum number sign-in attempts to 10 for UM -enabled users who are associated with a
UM mailbox policy named MyUMMailboxPolicy .
This example sets the number of sign-in failures before the Outlook Voice Access user's PIN is reset to 3, the
maximum number of sign-in attempts to 5, and a minimum PIN length to 9 for UM -enabled users who are
associated with a UM mailbox policy named MyUMMailboxPolicy .
Unified Messaging (UM) call reports provide information about the calls forwarded to or placed by UM. Use these
reports to monitor, troubleshoot, and report on UM for your organization. You can access Unified Messaging call
statistic reports by using the Call Statistics tool and access call logs for UM-enabled users by using the User Call
Logs tool.
The reports provide aggregated statistical information about calls for Exchange servers and calls for UM-enabled
users in your organization. These reports:
Give on-premises, hybrid, and online administrators the ability to gather statistics about the UM services
and UM-enabled users in their organizations.
Provide summaries from the data that's gathered. This data can be stored for 90 days and archived for up to
two years to meet retention requirements.
Verify the overall audio quality for incoming calls to Exchange servers that are deployed.
Easily verify the availability of the voice mail system and UM services in the organization for a given period
of time.
Plan for Unified Messaging capacity for an on-premises or hybrid organization.
Verify how UM services in an organization are used over a given period of time.
You can use the following topics to help you gather call statistics and reports and interpret those results to monitor
and troubleshoot UM services in your organization:
Review the voice mail calls in your organization: Use the UM Call Statistics report to monitor the availability
and audio quality of UM and to track usage for capacity planning.
Review the voice mail calls for a user: Use user call logs to see details about the calls for a user for the last 90
days.
Investigate the audio quality of voice calls in your organization: If your organization is experiencing problems
with the audio quality of UM calls, use the audio quality details from the UM Call Statistics report to help
you understand what's causing the problems.
Investigate the audio quality of voice calls for a user: If a user is experiencing problems with the audio quality
of UM calls, use the audio quality details from the user call logs to help you understand what's causing the
problems.
Interpret voice mail call records: Export more detailed data to diagnose problems with audio quality or
rejected calls, and to provide information for audits or reports about your UM service.
UM reports procedures
2/28/2019 • 2 minutes to read
You can use the Call Statistics report to view information about the type and status of incoming calls handled by
the Exchange servers in your organization. The report provides statistical information about the calls forwarded to
or placed by Unified Messaging (UM) for your organization. You can use this information to track usage for
capacity planning, monitor and troubleshoot the availability and audio quality of UM, and to troubleshoot failed
calls.
For additional tasks related to UM reporting, see UM reports procedures.
NOTE
On the report page, you can download a Microsoft Excel template that you can use to import the .csv file for a
specific day.
User call logs are used to view the following information about specific Unified Messaging (UM) users:
Details about the UM calls for a user over the last 90 days.
Audio quality of each call. Audio quality metrics might not be available for all calls, because the metrics
depend on several factors, such as the type and length of the call.
For additional tasks related to UM reporting, see UM reports procedures.
If your organization is experiencing problems with the audio quality of Unified Messaging (UM) calls and voice
mail messages, use the Call Statistics report to help you understand what's causing the problems.
NOTE
The audio quality of a call can be affected by factors that aren't covered in the reports. For example, if your Exchange servers
are experiencing a heavy memory load or CPU load, users may report poor call quality, even though the reports show
excellent audio quality.
Use the EAC to get audio quality statistics for your organization
1. In the EAC, navigate to Unified messaging > More options > Call statistics.
2. Choose the call statistics to include in the report. The report automatically updates as you select any of the
following options.
Show: Choose what type of call statistics to view:
Daily (90 days): Select Daily to see details for all calls in the past 90 days.
Monthly (12 months): Select Monthly to see a summary of calls by month for the last 12 months.
All: Select All to see the combined statistics for all calls received since UM started handling calls.
UM dial plan: If you want to limit the data in the report to only calls in a specific UM dial plan, select that
dial plan.
UM IP gateway: If you want to limit the data in the report to only calls in a specific UM IP gateway, select
that UM IP gateway. If you select a UM dial plan first, only the UM IP gateways associated with the selected
UM dial plan are available in the list.
3. To get more details about the audio quality for a row in the report, select the row and click Audio Quality
Details. The following information is available:
DATE AND TIME: The UTC date and time that the call statistics were captured.
UM DIAL PLAN: The dial plan for the calls included in the statistics.
UM IP GATEWAY: The UM IP gateway that took the calls included in the statistics.
NMOS: The Network Mean Opinion Score (NMOS) for the call. The NMOS indicates how good the audio
quality was on the call as a number on a scale from 1 to 5, with 5 being excellent.
NOTE
The maximum NMOS possible for a call is dependent on the audio codec being used. The NMOS may not be
available for very short calls that are less than 10 seconds long.
NMOS DEGRADATION: The amount of audio degradation of the NMOS from the top value possible for
the audio codec being used. For example, if the NMOS degradation value for a call was 1.2 and the NMOS
reported for the call was 3.3, the maximum NMOS for that particular call would be 4.5 (1.2 + 3.3).
JITTER: The average variation in the arrival of data packets for the call.
PACKET LOSS: The average percentage of data packet loss for the selected call. Packet loss is an indication
of the reliability of the connection.
ROUND TRIP: The average round trip score, in milliseconds, for audio on the selected call. The round-trip
score measures latency on the connection.
BURST LOSS DURATION: The average duration of packet loss during bursts of losses for the selected
call.
NUMBER OF SAMPLES: The number of calls that were sampled to calculate the averages.
4. For detailed audio quality metrics for specific calls, see Investigate the audio quality of voice calls for a user.
Investigate the audio quality of voice calls for a user
2/28/2019 • 2 minutes to read
If a user reports problems with the audio quality of their Unified Messaging (UM) calls, you can use the User Call
Logs report to help you understand what's causing the problems.
NOTE
The audio quality of a call can be affected by factors that aren't covered in the reports. For example, if your Exchange servers
are experiencing a heavy memory or CPU load, users may report poor call quality, even though the reports show excellent
audio quality.
NMOS DEGRADATION: The amount of audio degradation of the NMOS from the top value possible for
the audio codec being used. For example, if the NMOS degradation value for a call was 1.2 and the NMOS
reported for the call was 3.3, the maximum NMOS for that particular call would be 4.5 (1.2 + 3.3).
JITTER: The average variation in the arrival of data packets for the call.
PACKET LOSS: The average percentage of data packet loss for the selected call. Packet loss is an indication
of the reliability of the connection.
ROUND TRIP: The average round trip score, in milliseconds, for audio on the selected call. The round-trip
score measures latency on the connection.
BURST LOSS DURATION: The average duration of packet loss during bursts of losses for the selected
call.
Interpret voice mail call records
2/28/2019 • 7 minutes to read
To view detailed information about calls handled by the Exchange servers on a specific day, export the call data for
that day from the Call Statistics report. Daily call data, which is available for the past 90 days, can help you
diagnose problems with audio quality or rejected calls, and provide information for audits or reports on Exchange
servers in your organization.
For additional tasks related to UM reporting, see UM reports procedures.
NOTE
On the report page, you can download a Microsoft Excel template that you can use to import the .csv file for a
specific day.
5. Use an application such as Excel to process the .csv file and build your own custom reports.
NOTE
In the Call Statistics report, the days are in UTC time.
CallStartTime: The date and time that UM handled the call, in UTC. The UTC time and date is represented
in the following format: YYYY-MM-DD hh:mm:ssZ, where YYYY = year, MM = month, DD = day, hh =
hour, in 24-hour time, mm = minutes, ss = seconds. Z signifies Zulu, which is a way to denote UTC (like
+hh:mm or -hh:mm, which gives the time offset from UTC). Because all call times in this report are in UTC
time, this will always be Z.
For example, for a call placed on June 23, 2013 at 2:23pm, the call start time is shown as 2013-06-23
14:23:11Z.
Call Type: The type of call:
Call Answering Voice Message: The call wasn't answered and was forwarded to the Exchange
servers, and the caller left a voice message.
Call Answering Missed Call: The call wasn't answered and was forwarded to the Exchange
servers, and the caller didn't leave a voice message.
Subscriber Access: A call was made to the subscriber access number. The caller signed in and was
authenticated to UM with their extension and password to access email messages, calendars, and
voice messages over the phone.
Auto Attendant: The call was answered by a UM auto attendant. These calls are typically calls in
which the caller dialed your organization's main phone number.
Fax: A call was received in which a fax tone was detected. If you've configured fax partners, this call
was sent to the fax partner.
PlayOnPhone: A call was placed by UM because the user clicked the Play on Phone button in a
voice message in either Microsoft Outlook Web App or Outlook.
Find Me: An outbound call was placed by UM as a result of a Find Me rule in a call answering rule.
Unauthenticated Pilot Number: A call was placed to the Outlook Voice Access number. The caller
didn't sign in and wasn't authenticated.
Greetings Recording: A call was placed by UM to record personal greetings for a user.
None: A call was placed but the type wasn't defined.
CallIdentity: The SIP call identity, as provided by the UM IP gateway.
ParentCallIdentity: The SIP Session Identity of the session that originated this call. This box is used when
using the Call Answering Rules Find Me feature or call transfer calls, including call transfers between UM
auto attendants.
UMServerName: The name of the Mailbox server handling the call, if any. This information is provided
only when you have an on-premises Mailbox server.
DialPlanName: The UM dial plan that handled the call.
Call Duration: The total duration of the call.
IPGatewayAddress: The fully qualified domain name (FQDN) of the IP gateway that handled the call.
CalledPhoneNumber: The phone number or SIP address of the intended recipient of the call (for users in
SIP dial plans with Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server).
CallerPhoneNumber: The phone number or SIP address of the caller.
OfferResult: The status of the call:
Answer: UM successfully answered or placed a call. The call was neither transferred nor redirected.
These calls include completed calls to Outlook Voice Access, Play on Phone, or UM auto attendants,
and calls that UM handled when the called extension didn't answer the phone.
Failed: UM accepted or placed a call, but the call failed. These calls include calls where the called
number or address is busy, doesn't answer, or doesn't exist; where the caller hung up before the call
was connected; where the UM dial plan or UM mailbox policy settings prevented the call; or where
the VoIP gateway or IP PBX on your telephone system couldn't be reached.
Rejected: UM rejected the call, usually because of a configuration error. These calls include calls
where the UM IP gateway isn't associated with a UM dial plan, or where there are incompatibility
issues.
Redirected: UM accepted the call, but redirected it to another Mailbox server. These calls include
calls where the caller used the UM menu to call a contact in the directory or personal contacts, or
where the caller called an Outlook Voice Access number using a phone number that isn't associated
with the user's mailbox. In these cases, UM transfers the call to the Exchange server that's associated
with that user's account.
None: The call status is unknown.
DropCallReason: The reason the call was disconnected, if UM was able to determine the reason. For
example, if the caller hung up, this shows Graceful Hangup.
ReasonForCall: How the call was connected:
Direct: The caller dialed the called number directly.
DivertForward: The caller dialed a number, and the person being called redirected the call to UM
voice mail.
DivertBusy: The caller dialed a number, and the phone was busy, so the call was redirected to UM
voice mail.
DivertNoAnswer: The caller dialed a number, and the person didn't answer, so the call was
redirected to UM voice mail.
Outbound: The call was placed by UM, for example, to play a voice message using Play on Phone.
None: No reason was reported for the call.
DialedString: The address or phone number of the person to whom this call was either referred or
transferred. This value also refers to the address or phone number called for Play on Phone calls.
CallerMailboxAlias: The mailbox alias (the portion of the email address that precedes the @ symbol) of
the caller. This value is only available if the caller signed in to Outlook Voice Access.
CalleeMailboxAlias: The mailbox alias of the intended recipient of the call, if the intended recipient is a
UM-enabled user.
Auto Attendant Name: The name of the auto attendant related to this call.
NMOS Score: The Network Mean Opinion Score (NMOS) for the call. The NMOS indicates how good the
audio quality was on the call as a number on a scale from 1 to 5, with 5 being excellent.
NOTE
The maximum NMOS possible for a call depends on the audio codec being used. The NMOS may not be
available for very short calls that are less than 10 seconds long.
NMOSDegradation: The amount of audio degradation of the NMOS from the top value possible for the
audio codec being used. For example, if the NMOS degradation value for a call was 1.2 and the NMOS
reported for the call was 3.3, the maximum NMOS for that particular call would be 4.5 (1.2 + 3.3).
NMOSDegradation Jitter: The total NMOS degradation due to jitter.
NMOSDegradation PacketLoss: The total NMOS degradation because of packet loss.
Jitter: The average variation in the arrival of data packets for the call.
PacketLoss: The average percentage of data packet loss for the selected call. Packet loss is an indication of
the reliability of the connection.
Round Trip: The average round trip, in milliseconds, for audio on the selected call. The round-trip score
measures latency on the connection.
BurstDensity: The percentage of packets lost and discarded within a burst (high loss rate) period.
Burst Gap duration: The average duration of packet loss during bursts of losses for the selected call.
Audio Codec: The audio codec used during the call.
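One way to process an exported daily call file for audit purposes, as an added example (not code from the original documentation): it parses CallStartTime as UTC, flags callers who repeatedly reached Outlook Voice Access without signing in (call type Unauthenticated Pilot Number), and counts Rejected and Failed offers per UM IP gateway. The function name Get-UMCallTriage, the threshold, the exact column header spellings and the sample rows are assumptions constructed for illustration.

```powershell
# Constructed sample rows, not real call data. The column names are assumed to
# follow the field names listed above; change them to match your export.
$sampleCsv = @'
CallStartTime,CallType,CallerPhoneNumber,CalledPhoneNumber,OfferResult,IPGatewayAddress
2013-06-23 14:23:11Z,Unauthenticated Pilot Number,+12065550100,+12065550199,Answer,gw1.contoso.example
2013-06-23 14:24:40Z,Unauthenticated Pilot Number,+12065550100,+12065550199,Answer,gw1.contoso.example
2013-06-23 14:26:02Z,Unauthenticated Pilot Number,+12065550100,+12065550199,Answer,gw1.contoso.example
2013-06-23 15:01:37Z,Subscriber Access,+12065550123,+12065550199,Answer,gw1.contoso.example
2013-06-23 15:10:05Z,Call Answering Voice Message,+12065550150,+12065550142,Answer,gw1.contoso.example
2013-06-23 16:45:19Z,None,+12065550160,+12065550199,Rejected,gw2.contoso.example
2013-06-23 16:45:58Z,None,+12065550160,+12065550199,Rejected,gw2.contoso.example
2013-06-23 17:02:44Z,PlayOnPhone,,+12065550142,Failed,gw1.contoso.example
not-a-timestamp,Auto Attendant,+12065550170,+12065550100,Answer,gw1.contoso.example
'@

function Get-UMCallTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # Hypothetical review threshold: unauthenticated calls per caller per UTC day.
        [int] $UnauthThreshold = 3
    )

    $utc     = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $culture = [Globalization.CultureInfo]::InvariantCulture

    # Normalise each record; CallStartTime is always UTC with a literal trailing Z.
    $rows = foreach ($r in $Records) {
        $start = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($r.CallStartTime, "yyyy-MM-dd HH:mm:ss'Z'",
                                        $culture, $utc, [ref]$start)
        if (-not $ok) {
            Write-Warning "Skipping row with unparseable CallStartTime '$($r.CallStartTime)'"
            continue
        }
        [pscustomobject]@{
            StartUtc = $start
            Day      = $start.ToString('yyyy-MM-dd', $culture)
            CallType = "$($r.CallType)".Trim()
            Caller   = "$($r.CallerPhoneNumber)".Trim()
            Result   = "$($r.OfferResult)".Trim()
            Gateway  = "$($r.IPGatewayAddress)".Trim()
        }
    }

    # Callers that reached Outlook Voice Access repeatedly without signing in.
    $repeated = $rows |
        Where-Object { $_.CallType -eq 'Unauthenticated Pilot Number' -and $_.Caller } |
        Group-Object -Property Caller, Day |
        Where-Object { $_.Count -ge $UnauthThreshold } |
        ForEach-Object {
            $calls  = @($_.Group | Sort-Object StartUtc)
            $caller = $calls[0].Caller
            $day    = $calls[0].Day
            # Authenticated (Subscriber Access) calls from the same number that day.
            $signedIn = @($rows | Where-Object {
                $_.CallType -eq 'Subscriber Access' -and $_.Caller -eq $caller -and $_.Day -eq $day
            }).Count
            [pscustomobject]@{
                Caller          = $caller
                Day             = $day
                Calls           = $calls.Count
                FirstUtc        = $calls[0].StartUtc
                LastUtc         = $calls[-1].StartUtc
                SignedInSameDay = $signedIn
            }
        }

    # Rejected or Failed offers per UM IP gateway, most frequent first.
    $failures = $rows |
        Where-Object { $_.Result -in 'Rejected', 'Failed' } |
        Group-Object -Property Gateway, Result |
        ForEach-Object {
            [pscustomobject]@{
                Gateway = $_.Group[0].Gateway
                Result  = $_.Group[0].Result
                Calls   = $_.Count
            }
        } |
        Sort-Object Calls -Descending

    [pscustomobject]@{
        RepeatedUnauthenticated = @($repeated)
        OfferFailures           = @($failures)
    }
}

$report = Get-UMCallTriage -Records ($sampleCsv | ConvertFrom-Csv)
$report.RepeatedUnauthenticated | Format-Table -AutoSize
$report.OfferFailures | Format-Table -AutoSize
```

For a real export, pass the output of Import-Csv for the day's file instead of the sample rows, and review flagged callers alongside the UM warning events for failed PIN authentication.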
UM and voice mail terminology
3/6/2019 • 11 minutes to read
This topic contains the terms and definitions that are used with Unified Messaging.
audio codec
A digital encoding of an analog voice signal. Most audio codecs provide compression of the data, at the cost of
some loss of fidelity when the data is recovered. Audio codecs vary in their perceived sound quality, the
bandwidth that is required to use them, and the system requirements that are needed to do the encoding.
audio notes
Text-based notes that can be added to a voice mail message that has been received in Outlook or Outlook Web
App.
auto attendant
A software system that answers calls, plays prompts or instructions, and then collects input from the caller as
touchtones or speech. Auto attendants can direct a call to telephone numbers or named users or to entities (for
example, departments) that the caller specifies, without intervention from a human operator.
A technology that enables a computer to match human speech to a predefined set of words or phrases.
call answering
The process by which a caller interacts with a voice mail system if the number they originally called isn't
answered. Typically, the system will play a greeting or other prompt, and allow the caller to record a voice
message.
A form of call answering in which the user for whom the call is being answered can specify rules to determine
the behavior callers experience. The user can specify conditions to be evaluated, greetings, and choices to be
provided to the caller, and actions (for example, transfer or leave a message) to be taken as a result of the
caller's choice.
circuit-switched network
A network in which there exists a dedicated connection. A dedicated connection is a circuit or channel set up
between two nodes so that they can communicate.
A set of conditions that are chosen by a user to be used when they receive an incoming call. The call is
redirected based on the conditions that are set.
Dial by Name
A feature that enables a caller to spell a person's name using the keys on a telephone (ABC=2, DEF=3, etc.).
dial plan
For Unified Messaging, this is a set of telephony-capable endpoints that share a common numbering plan. The
details of the plan are determined by the telephone system to which UM is connected. In the simplest case, this
can be a private branch exchange (PBX) with its extensions, each with a unique, fixed-length number.
Dialing rule groups are created to enable telephone numbers to be modified before they're sent to a traditional
or SIP-enabled PBX or IP PBX for outgoing calls. Dialing rule groups may remove digits from or add digits to
telephone numbers that are being used to place calls by a Unified Messaging server. Each dialing rule group
contains dialing rule entries that determine the types of in-country/region and international calls that users
within a dialing rule group can make. Each dialing rule group must contain at least one dialing rule entry.
fax partner
UM fax partners provide applications or services that can accept calls handed off by UM when a fax tone is
detected. The partner's product or service then receives the fax data, creates a message, and delivers it to the
UM-enabled user as an email message with a .tif attachment. These messages will appear in the Fax search
folder in Outlook and Outlook Web App.
hunt group
A set of extensions that are organized into a group, over which a traditional or SIP-enabled PBX or IP PBX
"hunts" to find an available extension. A hunt group is used to direct calls to identically capable endpoints or to
an application, such as voice mail.
The in-country/region number format specifies how a user's telephone number should be dialed by Unified
Messaging from one dial plan to a different dial plan that has the same country code. This is used by an auto
attendant and when an Outlook Voice Access user searches and tries to call the user in the directory. This entry
consists of a number prefix and a variable number of characters (for example, 020xxxxxxx).
informational announcement
An audio message that is played when a caller first dials in to a voice mail system, which may describe some
item of interest.
The prefix that is used to direct a call internationally. The international access code is 011 in the United States
and 00 in much of the rest of the world.
The string of digits that is used to define how to dial someone from outside a specific country.
Internet Protocol Private Branch eXchange (IP PBX)
A telephone switch that natively supports voice over IP (VoIP). An IP PBX uses VoIP-based protocols to
communicate with IP-based hosts such as VoIP telephones over a packet-switched network. Some IP PBXs can
also support the use of traditional analog and digital phones.
The mechanism used to help a caller differentiate between users with names that match the touchtone or
speech input.
A signal that indicates the presence of one or more unread voice messages. For voice mail systems, this is often
a lamp on the phone or a stutter dial tone.
A service that directs incoming calls for UM-enabled users to the Microsoft Exchange Unified Messaging
service.
An email message that is sent to a UM-enabled user that indicates that someone called but did not leave a
voice message.
A prefix that is used to direct a call as an in-country call. In the United States, this prefix is 1. In the United
Kingdom and most of the rest of the world, this prefix is 0.
number mask
A set of numbers and wildcard characters that is used to determine the telephone number that the Mailbox
server will dial. An "X" represents a single digit (0 to 9). An asterisk (*) represents any number of such digits.
numeric extension
A string of digits that doesn't contain a "+" or a country/region code. In dial plans, extensions are required to
have a specified length.
outdialing
A process in which Unified Messaging (UM) dials or transfers calls. UM generally receives calls, but sometimes
dials calls. For example, outdialing occurs when a UM auto attendant transfers a call to a user's extension, or
when a UM-enabled user uses Play on Phone from Outlook.
The prefix that is used by UM (or a person using an internal extension on the PBX or IP PBX) to access an
outside line. This prefix is typically 9.
packet switching
A technique that divides a data message into smaller units called packets. Packets are sent to their destination
by the best route available, and then they are reassembled at the receiving end.
pilot identifier
A telephone number that points to a hunt group and is the access number for calls that are routed to Unified
Messaging. This is also sometimes called a pilot number.
PIN
Play on Phone
A Unified Messaging feature that users can use to play their voice messages or play and record personalized
voice mail greetings over a telephone.
A private telephone network in an organization. Individual telephone numbers or extension numbers are
supported, and calls are automatically routed to them. Users can call each other using extensions, even across
distributed locations.
prompt
An audio message played over the telephone to explain valid options to users.
A UM feature that uses information rights management to encrypt the contents of voice messages and specify
the operations permitted on them. Protection can be caused by caller action (marking the message as private),
or by system policy.
PSTN is a grouping of the world's public circuit-switched telephone networks. This grouping resembles the
way that the internet is a grouping of the world's public IP-based packet-switched networks.
reset
When a PIN or a password is reset, the system randomly chooses a new, temporary PIN or password. The user
is required to change the temporary PIN the next time that they sign in to Outlook Voice Access.
A method used to try to locate the name of a person, from a directory or other information store, based on a
telephone number.
RTAudio codec
An advanced speech codec that is designed for real-time two-way VoIP applications such as gaming, audio
conferencing, and wireless applications over IP. RTAudio is the preferred Microsoft audio codec and is the
default codec for Microsoft Lync Server platforms.
A SIP-enabled PBX is a telephony device that acts as a networking switch for switching calls in a telephony or
circuit-switched network. However, the difference between a SIP-enabled PBX and a traditional PBX is that the
SIP-enabled PBX can connect to the internet and use the SIP protocol to make calls over the internet.
SIP notification
A SIP notification is a SIP message sent from one SIP peer to another to advise it of a change.
SIP peer
A SIP-enabled device that provides telephony communications between a VoIP gateway, IP PBX, SIP-enabled
PBX, Microsoft Lync servers, or VoIP phones and Unified Messaging services.
star out
An action a caller can perform when they are dialed in to a Unified Messaging auto attendant but they want to
be able to get to Outlook Voice Access to get their email and voice mail. To do this, they press the star (*) key
while the auto attendant prompts are being played.
A number that is configured in a traditional or SIP-enabled PBX or IP PBX and on a UM dial plan that allows
users to access their mailbox using Outlook Voice Access. In some cases, this may be configured to be the same
number as the subscriber access number or pilot number (also called a pilot identifier) on the traditional or
SIP-enabled PBX or IP PBX and the UM hunt group.
system prompt
A short audio recording for Unified Messaging, which is played to callers by the server. System prompts are
used to welcome callers and to inform them of their options when they use the voice mail system.
An interface that is used to navigate the menus of a voice mail system using DTMF, also known as touchtone,
inputs.
Text-to-Speech (TTS)
UM IP gateway
(See IP gateway.) A UM IP gateway is the Exchange Unified Messaging representation of any SIP peer with
which it can communicate using VoIP protocols. It may represent a device that interfaces with a traditional or
SIP-enabled PBX, an IP PBX, or Microsoft Lync Server.
UM worker process
A process that's created during the startup of the Microsoft Exchange Unified Messaging service. The UM
service, on receiving a request to handle an incoming call, immediately redirects the request to a UM worker
process, which carries out all subsequent interactions with the caller.
A component that handles the creation and monitoring of all the UM worker processes that are created.
Unified Messaging
An application that consolidates a user's voice mail and email into one mailbox, so that the user only needs to
check a single location for messages, regardless of type. The email server is used as the platform for all types of
messages, making it unnecessary to maintain separate voice mail and email infrastructures.
voice mail
A feature that provides text, transcribed from the audio recording, on a voice message when it is delivered.
voice message
An interface that is used to navigate the menus of a voice mail system using speech inputs.
VoIP gateway
1. A third-party hardware device or product that connects a legacy PBX to a LAN. A VoIP gateway translates
or converts TDM or telephony circuit-switched protocols to packet-switched protocols that can be used on a
VoIP-based network.
2. The Exchange Unified Messaging representation of any SIP peer with which it can communicate using VoIP
protocols. It may represent a device that interfaces with a legacy PBX, an IP PBX, or Microsoft Lync Server.
welcome greeting
A greeting that is played when an external caller calls in to a UM auto attendant or when an Outlook Voice
Access user or another caller calls a subscriber access number that is configured on a UM dial plan. The default
welcome greetings can be changed by a customer to make them specific to an organization or location.
Clients and mobile in Exchange Online
3/4/2019 • 2 minutes to read
Many different clients can be used to access information in an Exchange Online mailbox. These clients include
desktop programs such as Microsoft Outlook, Outlook on the web (formerly known as Outlook Web App), and
mobile clients such as phones, tablets, and other mobile devices. Each of these clients offers a variety of features.
The following table contains links to topics that will help you learn about and manage some of the clients and client
access methods that can be used to access an Office 365 mailbox.
| TOPIC | DESCRIPTION |
| --- | --- |
| Exchange ActiveSync in Exchange Online | Learn about Exchange ActiveSync, the protocol that provides connectivity to a wide variety of mobile phones and tablets. Using Exchange ActiveSync, users can access email, calendar, contact, and task information. |
| POP3 and IMAP4 | Learn about how you can use the POP3 and IMAP4 protocols to provide users access to a number of the features in their Office 365 mailbox. These client protocols can be used on desktop email applications and on many mobile phones and devices. |
| Outlook on the web in Exchange Online | Learn about Outlook on the web, which provides users access to their Exchange Online mailbox through a web browser. |
| MailTips in Exchange Online | Learn about MailTips, the informative messages displayed to users while they're composing a message. |
| Client Access Rules in Exchange Online | Learn how to use Client Access Rules to control connections to Exchange Online. |
| Disable Basic authentication in Exchange Online | Learn how to disable Basic auth connections to your Exchange Online mailboxes. |
| Enable or disable modern authentication in Exchange Online | Learn how to require Modern auth connections to your Exchange Online mailboxes. |
Exchange ActiveSync in Exchange Online
3/4/2019 • 4 minutes to read
Exchange ActiveSync is a client protocol that lets you synchronize a mobile device with your mailbox.
In Office 365, you can create mobile device mailbox policies to apply a common set of policies or security settings
to a collection of users. A default mobile device mailbox policy is created in every Office 365 organization.
| SETTING | DESCRIPTION |
| --- | --- |
| Allow Bluetooth | This setting specifies whether a mobile device allows Bluetooth connections. The available options are Disable, HandsFree Only, and Allow. The default value is Allow. |
| Allow Camera | This setting specifies whether the mobile device camera can be used. The default value is $true. |
| Allow Consumer EMail | This setting specifies whether the mobile device user can configure a personal email account (either POP3 or IMAP4) on the mobile device. The default value is $true. This setting doesn't control access to email accounts that are using third-party mobile device email programs. |
| Allow Desktop Sync | This setting specifies whether the mobile device can synchronize with a computer through a cable, Bluetooth, or IrDA connection. The default value is $true. |
| Allow External Device Management | This setting specifies whether an external device management program is allowed to manage the mobile device. |
| Allow HTML Email | This setting specifies whether email synchronized to the mobile device can be in HTML format. If this setting is set to $false, all email is converted to plain text. |
| Allow Internet Sharing | This setting specifies whether the mobile device can be used as a modem for a desktop or a portable computer. The default value is $true. |
| Allow Mobile OTA Update | This setting specifies whether the mobile device mailbox policy settings can be sent to the mobile device over a cellular data connection. The default value is true. |
| Allow non-provisionable devices | This setting specifies whether mobile devices that may not support application of all policy settings are allowed to connect to Office 365 by using Exchange ActiveSync. Allowing non-provisionable mobile devices has security implications. For example, some non-provisionable devices may not be able to implement an organization's password requirements. |
| Allow POPIMAPEmail | This setting specifies whether the user can configure a POP3 or an IMAP4 email account on the mobile device. The default value is $true. This setting doesn't control access by third-party email programs. |
| Allow Remote Desktop | This setting specifies whether the mobile device can initiate a remote desktop connection. The default value is $true. |
| Allow simple password | This setting enables or disables the ability to use a simple password such as 1111 or 1234. The default value is $true. |
| Allow S/MIME encryption algorithm negotiation | This setting specifies whether the messaging application on the mobile device can negotiate the encryption algorithm if a recipient's certificate doesn't support the specified encryption algorithm. |
| Allow S/MIME software certificates | This setting specifies whether S/MIME software certificates are allowed on the mobile device. |
| Allow storage card | This setting specifies whether the mobile device can access information that's stored on a storage card. |
| Allow text messaging | This setting specifies whether text messaging is allowed from the mobile device. The default value is $true. |
| Allow unsigned applications | This setting specifies whether unsigned applications can be installed on the mobile device. The default value is $true. |
| Allow unsigned installation packages | This setting specifies whether an unsigned installation package can be run on the mobile device. The default value is $true. |
| Alphanumeric password required | This setting requires that a password contains numeric and non-numeric characters. The default value is $true. |
| Approved Application List | This setting stores a list of approved applications that can be run on the mobile device. |
| Device encryption enabled | This setting enables encryption on the mobile device. Not all mobile devices can enforce encryption. For more information, see the device and mobile operating system documentation. |
| Device policy refresh interval | This setting specifies how often the mobile device mailbox policy is sent from the server to the mobile device. |
Max attachment size This setting controls the maximum size of attachments that
can be downloaded to the mobile device. The default value is
Unlimited.
Max calendar age filter This setting specifies the maximum range of calendar days
that can be synchronized to the mobile device. The following
values are accepted:
All
OneDay
ThreeDays
OneWeek
TwoWeeks
OneMonth
Max email age filter This setting specifies the maximum number of days of email
items to synchronize to the mobile device. The following
values are accepted:
All
OneDay
ThreeDays
OneWeek
TwoWeeks
OneMonth
Max email body truncation size This setting specifies the maximum size at which email
messages are truncated when synchronized to the mobile
device. The value is in kilobytes (KB).
SETTING DESCRIPTION
Max email HTML body truncation size This setting specifies the maximum size at which HTML email
messages are truncated when synchronized to the mobile
device. The value is in kilobytes (KB).
Max inactivity time lock This value specifies the length of time that the mobile device
can be inactive before a password is required to reactivate it.
You can enter any interval between 30 seconds and 1 hour.
The default value is 15 minutes.
Max password failed attempts This setting specifies the number of attempts a user can make
to enter the correct password for the mobile device. You can
enter any number from 4 through 16. The default value is 8.
Min password complex characters This setting specifies the minimum number of complex
characters required in the mobile device's password. A
complex character is a character that is not a letter.
Min password length This setting specifies the minimum number of characters in
the mobile device password. You can enter any number from
1 through 16. The default value is 4.
Password history This setting specifies the number of past passwords that can
be stored in a user's mailbox. A user can't reuse a stored
password.
Password recovery enabled When this setting is enabled, the mobile device generates a
recovery password that's sent to the server. If the user forgets
their mobile device password, the recovery password can be
used to unlock the mobile device and enable the user to
create a new mobile device password.
Require device encryption This setting specifies whether device encryption is required. If
set to $true , the mobile device must be able to support and
implement encryption to synchronize with the server.
Require encrypted S/MIME messages This setting specifies whether S/MIME messages must be
encrypted. The default value is $false .
Require encryption S/MIME algorithm This setting specifies what required algorithm must be used
when encrypting S/MIME messages.
Require manual synchronization while roaming This setting specifies whether the mobile device must
synchronize manually while roaming. Allowing automatic
synchronization while roaming will frequently lead to larger-
than-expected data costs for the mobile device data plan.
Require signed S/MIME algorithm This setting specifies what required algorithm must be used
when signing a message.
SETTING DESCRIPTION
Require signed S/MIME messages This setting specifies whether the mobile device must send
signed S/MIME messages.
Require storage card encryption This setting specifies whether the storage card must be
encrypted. Not all mobile device operating systems support
storage card encryption. For more information, see your
mobile device and mobile operating system documentation.
Unapproved InROM application list This setting specifies a list of applications that cannot be run
in ROM.
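The settings above can be checked against a written baseline instead of being reviewed by eye. The following is an added example, not part of the original documentation: the function names, the thresholds, and the two sample policy objects are assumptions constructed for illustration, and the property names follow the output of Get-MobileDeviceMailboxPolicy.

```powershell
# Added example: audit mobile device mailbox policies against a baseline.
# Thresholds are illustrative assumptions, not Microsoft guidance.

function ConvertTo-PolicyLimit {
    # Exchange reports some limits as the string 'Unlimited' or leaves them empty.
    # Returns $null for "no limit set", otherwise the value converted to $Type.
    param($Value, [type]$Type)
    $text = "$Value"
    if ([string]::IsNullOrWhiteSpace($text) -or $text -eq 'Unlimited') { return $null }
    return ($text -as $Type)
}

function Test-MobilePolicyBaseline {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MobileDeviceMailboxPolicy output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,
        [int]$MinLength = 6,
        [int]$MaxFailedAttempts = 8,
        [timespan]$MaxIdle = '00:15:00'
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        if (-not $Policy.PasswordEnabled)              { $findings.Add('password not required') }
        if ($Policy.AllowSimplePassword)               { $findings.Add('simple passwords such as 1111 allowed') }
        if (-not $Policy.AlphanumericPasswordRequired) { $findings.Add('alphanumeric password not required') }
        if (-not $Policy.RequireDeviceEncryption)      { $findings.Add('device encryption not required') }
        if ($Policy.AllowNonProvisionableDevices)      { $findings.Add('non-provisionable devices allowed') }

        $length   = ConvertTo-PolicyLimit $Policy.MinPasswordLength ([int])
        $attempts = ConvertTo-PolicyLimit $Policy.MaxPasswordFailedAttempts ([int])
        $idle     = ConvertTo-PolicyLimit $Policy.MaxInactivityTimeLock ([timespan])

        # A missing or 'Unlimited' value means the control is not enforced at all.
        if ($null -eq $length -or $length -lt $MinLength) {
            $findings.Add("MinPasswordLength '$($Policy.MinPasswordLength)' is below $MinLength")
        }
        if ($null -eq $attempts -or $attempts -gt $MaxFailedAttempts) {
            $findings.Add("MaxPasswordFailedAttempts '$($Policy.MaxPasswordFailedAttempts)' exceeds $MaxFailedAttempts")
        }
        if ($null -eq $idle -or $idle -gt $MaxIdle) {
            $findings.Add("MaxInactivityTimeLock '$($Policy.MaxInactivityTimeLock)' exceeds $MaxIdle")
        }

        [pscustomobject]@{
            Policy    = $Policy.Name
            IsDefault = [bool]$Policy.IsDefault
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed sample input so the audit runs without a tenant connection.
$samplePolicies = @(
    [pscustomobject]@{
        Name = 'Default-Constructed'; IsDefault = $true; PasswordEnabled = $false
        AllowSimplePassword = $true; AlphanumericPasswordRequired = $false
        MinPasswordLength = $null; MaxPasswordFailedAttempts = 'Unlimited'
        MaxInactivityTimeLock = 'Unlimited'; RequireDeviceEncryption = $false
        AllowNonProvisionableDevices = $true
    }
    [pscustomobject]@{
        Name = 'Hardened-Constructed'; IsDefault = $false; PasswordEnabled = $true
        AllowSimplePassword = $false; AlphanumericPasswordRequired = $true
        MinPasswordLength = 8; MaxPasswordFailedAttempts = 6
        MaxInactivityTimeLock = '00:05:00'; RequireDeviceEncryption = $true
        AllowNonProvisionableDevices = $false
    }
)

$samplePolicies | Test-MobilePolicyBaseline | Format-List

# Against a live tenant (requires an Exchange Online PowerShell session):
#   Get-MobileDeviceMailboxPolicy | Test-MobilePolicyBaseline | Where-Object { -not $_.Compliant }
```

The check treats an unset or Unlimited limit as a finding, because a policy that leaves lock time or failed attempts unbounded enforces nothing for that control.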
POP3 and IMAP4
3/6/2019 • 5 minutes to read
Summary: An overview of POP3 and IMAP4, and the differences between them.
By default, POP3 and IMAP4 are enabled for all users in Exchange Online.
To enable or disable POP3 and IMAP4 for individual users, see Enable or Disable POP3 or IMAP4 access
for a user.
To customize the POP3 or IMAP4 settings for a user, see Set POP3 or IMAP4 settings for a user.
Users can use any email programs that support POP3 and IMAP4 to connect to Exchange Online. These
programs include Outlook, Microsoft Outlook Express, Entourage, and many third-party programs, such as
Mozilla Thunderbird and Eudora. The features supported by each email client program vary. For information
about features offered by specific POP3 and IMAP4 client programs, see the documentation that's included with
each application.
POP3 and IMAP4 provide access to the basic email features of Exchange Online and allow for offline email access,
but don't offer rich email, calendaring, and contact management, or other features that are available when users
connect with Outlook, Exchange ActiveSync, Outlook Web App, or Outlook Voice Access.
NOTE
Each time a person accesses a POP-based or IMAP-based email program to open his or her Office 365 email, that user will
experience a delay of several seconds. The delay results from using a proxy server, which introduces an additional hop for
authentication. The proxy server first looks up the assigned pod server (client access server) and then authenticates against
that.
Send and receive options for POP3 and IMAP4 email programs
POP3 and IMAP4 email programs let users choose when they want to connect to the server to send and receive
email. This section discusses some of the most common connectivity options and provides some factors your
users should consider when they choose connection options available in their POP3 and IMAP4 email programs.
Common configuration settings
Three of the most common connection settings that can be set on the POP3 or IMAP4 client application are:
To send and receive messages every time the email application is started. When this option is used, mail is
sent and received only on starting the email application.
To send and receive messages manually. When this option is used, messages are sent and received only
when the user clicks a send-and-receive option in the client user interface.
To send and receive messages every set number of minutes. When this option is used, the client application
connects to the server every set number of minutes to send messages and download any new messages.
For information about how to configure these settings for the email application that you use, see the Help
documentation that's provided with the email application.
Considerations when selecting send and receive options
The default setting on some email programs is to not keep a copy of messages on the server after they're
retrieved. If the user wants to access messages from multiple email programs or devices, they should keep a copy
of messages on the server.
If the device or computer that's running the POP3 or IMAP4 email application is always connected to the internet,
the user might want to configure the email application to send and receive messages every set number of minutes.
Connecting to the server at frequent intervals lets the user keep the email application up-to-date with the most
current information on the server. However, if the device or computer that's running the POP3 or IMAP4 email
application isn't always connected to the internet, the user might want to configure the email application to send
and receive messages manually.
NOTE
If the user is using an IMAP4-compliant email application that supports the IMAP4 IDLE command, the user might be able
to send email to and receive email from the Exchange mailbox in nearly real time. For this connection method to work, both
the email server application and the client application must support the IMAP4 IDLE command. In most cases, users don't
have to configure any settings in their IMAP4 programs to use this connection method.
Enable or Disable POP3 or IMAP4 access for a user
4/5/2019 • 2 minutes to read
By default, POP3 and IMAP4 are enabled for all users in Exchange Online. You can disable them for individual
users. For additional information related to POP3 and IMAP4, see POP3 and IMAP4.
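Because both protocols are on by default, it helps to see which mailboxes still have them enabled before disabling them per user. The following is an added example, not part of the original documentation: the function names, the exemption list, and the sample mailbox objects are assumptions constructed for illustration; PopEnabled and ImapEnabled are the Get-CASMailbox and Set-CASMailbox settings that control access.

```powershell
# Added example: report mailboxes with POP3/IMAP4 still enabled, then disable
# them except for an explicit exemption list (hypothetical addresses).

function Get-LegacyProtocolExposure {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-CASMailbox output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$CasMailbox,
        # Mailboxes that are allowed to keep POP3/IMAP4 access.
        [string[]]$Exempt = @()
    )
    process {
        $protocols = @()
        if ($CasMailbox.PopEnabled)  { $protocols += 'POP3' }
        if ($CasMailbox.ImapEnabled) { $protocols += 'IMAP4' }
        if ($protocols.Count -eq 0)  { return }   # nothing exposed on this mailbox

        $address = "$($CasMailbox.PrimarySmtpAddress)"
        [pscustomobject]@{
            Mailbox = $address
            Enabled = ($protocols -join ',')
            Exempt  = ($Exempt -contains $address)
        }
    }
}

function Disable-LegacyProtocol {
    # Supports -WhatIf and -Confirm so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Exposure
    )
    process {
        if ($Exposure.Exempt) { return }
        if ($PSCmdlet.ShouldProcess($Exposure.Mailbox, 'Disable POP3 and IMAP4')) {
            Set-CASMailbox -Identity $Exposure.Mailbox -PopEnabled $false -ImapEnabled $false
        }
    }
}

# Constructed sample input so the report runs without a tenant connection.
$sampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'user01@contoso.example';  PopEnabled = $true;  ImapEnabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'user02@contoso.example';  PopEnabled = $false; ImapEnabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@contoso.example'; PopEnabled = $false; ImapEnabled = $true }
)

$exposure = $sampleMailboxes | Get-LegacyProtocolExposure -Exempt 'scanner@contoso.example'
$exposure | Format-Table -AutoSize

# -WhatIf only prints the intended changes; Set-CASMailbox is not called.
$exposure | Disable-LegacyProtocol -WhatIf

# Against a live tenant (requires an Exchange Online PowerShell session):
#   Get-CASMailbox -ResultSize Unlimited | Get-LegacyProtocolExposure | Disable-LegacyProtocol -WhatIf
```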
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
You use the Set-CASMailbox cmdlet to configure the POP3 and IMAP4 options for each user. The configuration
options are described in the following table.
Parameters: PopForceICalForCalendarRetrievalOption, ImapForceICalForCalendarRetrievalOption
Description: Sets the preferred format for meeting requests. By default, meeting requests appear as Outlook Web App links. You can change them to iCal format.
Values:
$true : Meeting requests are all Outlook Web App links
$false : Meeting requests are all iCal format

Parameters: PopSuppressReadReceipt, ImapSuppressReadReceipt
Description: Sets whether to send read receipts when a message is downloaded and again when it is opened or just when the message is opened. By default, if a read receipt is requested, two read receipts are sent: one when a user downloads a message and another when the user opens the message. You can change it so that only one read receipt is sent: when the user opens the message.
Values:
$false : POP3 or IMAP4 users are sent a read receipt each time a recipient downloads a message. Users are also sent a read receipt when the user opens the message. This is the default setting.
$true : POP3 or IMAP4 users that use the send read receipt for messages I send option in their email client programs receive a read receipt only when the recipient opens the message.

Parameters: PopMessagesRetrievalMimeFormat, ImapMessagesRetrievalMimeFormat
Description: Sets the preferred format for received messages. The default is to use the best format based on the message.
Values: Use a numeral or a text value.
0 or TextOnly : Text only
1 or HtmlOnly : HTML
2 or HtmlAndTextAlternative : HTML and alternative text
3 or TextEnriched : Enriched text
4 or TextEnrichedAndTextAlternative : Enriched text and alternative text
5 or BestBodyFormat : Best body format. This is the default value.
6 or Tnef : Transport-Neutral Encapsulation Format (TNEF). Also known as rich text format, Outlook rich text format, or MAPI rich text format.

Parameters: PopEnableExactRFC822Size, ImapEnableExactRFC822Size
Description: Sets whether to calculate the exact size of messages. Changing this value is not recommended unless the default value causes problems for your email client. By default, the estimated message size, rather than the exact message size, is sent to the email client.
Values:
$true : Use actual message size.
$false : Use estimated message size. This is the default.
For additional information related to POP3 and IMAP4, see POP3 and IMAP4.
Use Exchange Online PowerShell to set the meeting request format for a POP3 or IMAP4 user
The following example sets all meeting requests in incoming mail to USER01 to iCal format for a POP3 user.
The following example sets all meeting requests in incoming mail to USER01 to iCal format for an IMAP4 user.
The following example sets it up so that the IMAP4 sender receives a read receipt only when the message is
opened.
The following example sets the message retrieval format to text only for IMAP4 access for USER01 .
IMPORTANT
Set the PopEnableExactRFC822Size parameter to $true only if the POP client doesn't work for this user.
This example calculates the exact size of IMAP messages for USER01.
IMPORTANT
Set the ImapEnableExactRFC822Size parameter to $true only if the IMAP client doesn't work for this user.
The Outlook app for iOS and Android is designed to bring together email, calendar, contacts, and other files,
enabling users in your organization to do more from their mobile devices. This article provides an overview of the
architecture, so that Office 365 administrators can deploy and maintain Outlook for iOS and Android in their
organizations.
NOTE
The Outlook for iOS and Android Help Center is available for users, including help for using the app on specific devices and
troubleshooting information.
Beginning in December 2018, Microsoft will migrate customers to a native Microsoft sync technology that
removes the Stateless Protocol Translator component from the Office 365-based architecture. With the native
Microsoft sync technology, Outlook for iOS and Android connects directly to Office 365 for data connections,
ensuring the data is protected by an HTTP TLS-secured connection end-to-end.
Summary: This article covers the most common questions asked by customers and administrators about using
Outlook for iOS and Android with Exchange Online and Office 365.
The Outlook for iOS and Android app is designed to enable users in your organization to do more from their
mobile devices, by bringing together email, calendar, contacts, and other files. The following sections highlight the
most common questions we receive, across three key areas:
Outlook for iOS and Android architecture and security
Managing and maintaining Outlook for iOS and Android in your Exchange organization after it has been
deployed
Common questions from end-users who access information in your Exchange organization with the
Outlook for iOS and Android app on their mobile devices
NOTE
Apple allows its native Mail and Calendar apps to do background refreshes without any restrictions. Therefore, users may
notice a difference in the background synchronization experience between the apps. However, this also results in improved
battery life and less data consumption with Outlook for iOS.
Q: Does each user's instance of Outlook for iOS and Android have a unique device ID in the Office 365-based
architecture? How is the device ID generated and is this same device ID used in Intune?
Upon initial account login, Outlook for iOS and Android establishes a connection to the Office 365-based
architecture. A unique device ID is generated, and this device ID is what appears in Active Directory device records
(which can be retrieved with cmdlets such as Get-MobileDevice in Exchange Online PowerShell) and which appears
in HTTP request headers.
Intune uses a different device ID. The basic workflow for how Intune assigns a device ID is described in App-based
conditional access with Intune. In Intune, the device ID is assigned when the device workplace joins for all
device-conditional access scenarios. This is an AAD-generated unique ID for the device. Intune uses that unique ID when
sending compliance information, and ADAL uses that unique ID when authenticating to services.
Q: Does Outlook for iOS and Android support RMS?
Yes. Outlook for iOS and Android supports reading protected messages. Outlook for iOS and Android works
differently than desktop versions of Outlook when it comes to RMS. For desktop versions of Outlook, once a
protected message is received and access is attempted, and Outlook verifies that the user can read RM messages,
Outlook connects to Exchange to request an encryption key. The Outlook desktop client uses that encryption key to
decrypt the message in front of the user (client-side). Mobile clients operate differently. When Outlook for iOS and
Android sets up its initial relationship with Exchange, it notifies Exchange that it supports RMS. Exchange decrypts
any protected messages before passing them to the client. In other words, decryption is performed server-side.
Outlook for iOS and Android doesn't perform any decryption itself.
In cases where Outlook for iOS and Android receives protected messages and prompts end-users to use an RM
client to open the file, it means that Exchange hasn't decrypted the message, which is due to an issue on the
Exchange side.
NOTE
Outlook for iOS leverages iOS's native preview technology to quickly expose attachments to end users. iOS's preview
technology does not support rights management and will report error "The operation couldn't be completed.
(OfficeImportErrorDomain error 912)" when a user attempts to open a rights-protected attachment. Users will need to tap
the respective Word, Excel, or PowerPoint app icon to open the rights-protected attachment in the native app.
Q: What ports and end points does Outlook for iOS and Android use?
Outlook for iOS and Android communicates via TCP port 443. The app accesses various end points, depending on
the activities of the user. Complete information is available in Network Requests in Office 365 ProPlus.
Q: Does Outlook for iOS and Android support proxy configurations?
Yes, Outlook for iOS and Android supports proxy configurations when the proxy infrastructure meets the following
requirements:
Supports HTTP protocol without TLS decryption and inspection.
Does not perform authentication.
Outlook for iOS and Android will consume the proxy configuration as defined by the platform operating system.
Typically, this configuration information is deployed via a PAC file. The PAC file must be configured to use
hostnames instead of protocol; no additional custom settings are supported.
For tenants that have not been migrated to the native Microsoft sync technology, the following additional
requirement applies:
Supports and has SOCKS proxy capability enabled. The Outlook for iOS and Android client utilizes TCP
connections to our Office 365-based architecture. The IP ranges for the SOCKS connections are not restricted
to a subset of Azure IP ranges, which means that customers cannot define a whitelist range. The PAC must be
configured to use hostnames instead of protocol and return the SOCKS proxy information given the host URL;
no additional custom settings are supported.
Get-MobileDevice | where {$_.DeviceModel -eq "Outlook for iOS and Android"} | Format-List FriendlyName,DeviceID,DeviceOS,ClientType
The ClientType property indicates which data sync protocol is in use. If the value is REST, then the client is
utilizing the REST API. If the value is Outlook, then the client is using the native Microsoft sync technology.
Alternatively, a user can log in to Outlook on the web and, from within Options, select Mobile Devices to view the
details of a mobile device. Like the cmdlet, the user can see the value for the ClientType property.
Summary: How users with modern authentication-enabled accounts can quickly set up their Outlook for iOS and
Android accounts in Exchange Online.
There are two ways that users in your Exchange Online organization can set up their own Outlook for iOS and
Android accounts: AutoDetect and single sign-on. Both methods leverage modern authentication. In addition,
Outlook for iOS and Android offers IT administrators the ability to "push" account configurations to their Office
365 users, as well as control whether Outlook for iOS and Android supports personal accounts.
AutoDetect
Outlook for iOS and Android offers a solution called AutoDetect that helps end-users quickly set up their accounts.
AutoDetect will first determine which type of account a user has, based on the SMTP domain. Account types that
are covered by this service include Office 365, Outlook.com, Google, Yahoo, and iCloud. Next, AutoDetect will
make the appropriate configurations to the app on the user's device based on that account type. This saves time for
users and eliminates the need for manual input of configuration settings like hostname and port number.
For modern authentication, which is used by all Office 365 accounts and on-premises accounts leveraging hybrid
modern authentication, AutoDetect queries Exchange Online for a user's account information and then configures
Outlook for iOS and Android on the user's device so that the app can connect to Exchange Online. During this
process, the only information required from the user is their SMTP address and credentials.
The following images show an example of account configuration via AutoDetect:
In the event that AutoDetect fails for a user, the following images show an alternative account configuration path
using manual configuration:
Single sign-on
Outlook for iOS and Android supports single sign-on via authentication token re-use. If a user is already signed in
to another Microsoft app on their device, like Word or Company Portal, Outlook for iOS and Android will detect
that token and use it for its own authentication. When such a token is detected, users already enrolled in Outlook
for iOS and Android will see their account available as "Found" under Accounts on the Settings menu. New users
will see their account in the initial account setup screen.
The following images show an example of account configuration via single sign-on for a first-time user:
If a user already has Outlook for iOS and Android, such as for a personal account, but an Office 365 account is
detected because they recently enrolled, the single sign-on path will look as follows:
Account setup configuration via enterprise mobility management
Outlook for iOS and Android offers IT administrators the ability to "push" account configurations to Office 365
accounts or on-premises accounts leveraging hybrid modern authentication. This capability works with any Mobile
Device Management (MDM) provider who uses the Managed App Configuration channel for iOS or the Android
in the Enterprise channel for Android.
For users enrolled in Microsoft Intune, you can deploy the account configuration settings using Intune in the Azure
Portal.
Once account setup configuration has been set up in the MDM provider and the user enrolls their device, Outlook
for iOS and Android will detect that an account is "Found" and will then prompt the user to add the account. The
only information the user needs to enter to complete the setup process is their password. Then, the user's mailbox
content will load and the user can begin using the app.
For more information on the account setup configuration keys needed to enable this functionality, please see the
Account setup configuration section in Deploying Outlook for iOS and Android App Configuration Settings.
In order to ensure these users can only access corporate email on enrolled devices (whether it be iOS or Android
Enterprise) with Intune, you will need to leverage an Azure Active Directory conditional access policy with the grant
controls Require devices to be marked as compliant and Require approved client app. Details on creating this type
of policy can be found in Azure Active Directory app-based conditional access.
IMPORTANT
Require devices to be marked as compliant grant control requires the device to be managed by Intune.
1. The first policy allows Outlook for iOS and Android, and it blocks OAuth capable Exchange ActiveSync
clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy
for Exchange Online", but for the fifth step select "Require device to be marked as compliant", "Require
approved client app", and "Require all the selected controls".
2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to
Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with
Active Sync (EAS)."
Managing Outlook for iOS and Android in Exchange Online
3/29/2019 • 7 minutes to read
Summary: This article describes best practices for managing mobile devices with Outlook for iOS and Android in
Exchange Online.
Outlook for iOS and Android provides users the fast, intuitive email and calendar experience users expect from a
modern mobile app, while being the only app to provide support for the best features of Office 365. In addition,
Microsoft provides a number of utilities for managing and protecting company data on mobile devices in your
Exchange Online organization.
NOTE
For implementation details on each of these three options, see Securing Outlook for iOS and Android in Exchange Online.
Microsoft recommends Office 365 customers use the features of the Enterprise Mobility + Security suite to protect
corporate data on mobile devices, due to the advanced capabilities provided by these services. The core capabilities
of the built-in MDM for Office 365 are included with an Office 365 subscription, while the broader capabilities of
the Enterprise Mobility + Security require an additional subscription purchase.
IMPORTANT
Mobile device access rules (allow, block, or quarantine) in Exchange Online are skipped when access is managed by a
conditional access policy that includes either Require device to be marked as compliant or Require approved client app.
A complete side-by-side comparison of MDM and Intune is available in Choose between MDM for Office 365 and
Microsoft Intune.
NOTE
When using mobile device cmdlets such as Get-MobileDevice to check the status of a device, the timestamp for Outlook
for iOS and Android synchronization, indicated by the LastSyncTime property, may be up to 15 minutes behind the actual
time of synchronization. While device synchronization does occur in real time, the returned time stamp may lag behind.
NOTE
While the Enterprise Mobility + Security suite subscription includes licenses for both Microsoft Intune and Azure Active
Directory, customers can purchase Microsoft Intune licenses and Azure Active Directory Premium licenses separately. All users
must be licensed to leverage the conditional access and Intune app protection policies discussed in this article.
Intune provides mobile application management (MAM) capabilities, as well as other conditional access and device
management capabilities. With Intune app protection policies, you can restrict actions such as cut, copy, paste, and
"save as" of corporate data between Intune-managed apps and apps that are not managed by Intune. More
information is available in How to create and assign app protection policies. Additionally, the Intune-managed
Outlook apps include a new multi-identity management feature that enables users to access both their personal
and work email accounts in the same Outlook app while only applying the Intune app protection policies to the
user's work account. This provides a much more seamless user experience.
Conditional access is a capability of Azure Active Directory that enables you to enforce controls on the access to
apps in your environment based on specific conditions from a central location. By using conditional access policies,
you can apply the right access controls under the required conditions. Azure Active Directory conditional access
provides you with added security when such security is needed, and it stays out of your users' way when it isn't.
Key features of the Enterprise Mobility + Security suite with Outlook for iOS and Android:
Conditional access. Azure Active Directory ensures that Exchange Online email can be accessed only when
the conditional access requirements are met. For more information on device enrollment, see Conditional
access in Azure Active Directory.
Intune app protection. Outlook for iOS and Android allows you to protect your corporate data with
Intune app protection policies. This is a great option for "bring your own device" (BYOD) scenarios where
you want to keep corporate data safe without managing a user's devices. For more information on Intune
app protection policies, see Protect app data using mobile app management policies with Microsoft Intune.
Device enrollment. Intune lets you manage your workforce's devices and apps, and how they access your
company data. In this model, Outlook for iOS and Android ensures that Exchange Online email can be
accessed only on phones and tablets that are managed by your company and are compliant with your
organization's policy. When users log on to the Outlook app on an unmanaged mobile device, Outlook
prompts users to enroll the device in Intune by leveraging the Azure conditional access policy, and then
validates that the device meets organizational standards of device compliance.
Device management and reporting. The enrollment process allows organizations to set and manage
security policies that, for example, enforce device-level PIN lock, require data encryption, and block
compromised devices in order to prevent untrusted devices from accessing corporate email and data. Each
enrolled device appears in the Office 365 admin center, and reporting is available to provide details on the
devices that access your corporate data.
Selective wipe. Microsoft Intune can remove Office 365 email data from Outlook for iOS and Android,
while leaving any personal email accounts intact (whether the device is enrolled or not). This is an
increasingly important requirement as more businesses adopt a "bring your own device" approach to
phones and tablets.
For more about Microsoft Intune see Documentation for Microsoft Intune.
Using built-in Mobile Device Management (MDM) for Office 365
MDM for Office 365 provides device management capabilities at no additional cost. Microsoft Intune powers these
basic capabilities, providing a core set of controls in the Office 365 admin center for organizations that need the
basics.
Because this is a device management solution, there is no native capability to control which apps can be used, even
after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you will need to obtain Azure
Active Directory Premium licenses and leverage conditional access policies.
Outlook for iOS and Android fully supports the capabilities provided by MDM for Office 365.
For detailed information on MDM, see the following resources:
Overview built-in Mobile Device Management for Office 365.
Manage settings and features on your devices with Microsoft Intune policies
Instructions for your end-users to enroll a device in Office 365 MDM: Enroll your mobile device in Office
365
Using Third-Party Mobile Device Management Solutions
Third-party MDM providers can deploy Outlook for iOS and Android the same way they would deploy any
iOS or Android app, using their existing tools. They can also apply device management controls like device PIN,
device encryption, device wipe, and more, all of which are important for a secure email experience, but are also
completely independent of Outlook for iOS and Android.
Third-party MDM providers can also deploy certain app configuration settings, like account setup, organization
allowed accounts mode, and general app configuration settings, to Outlook for iOS and Android; for more
information, please see Deploying Outlook for iOS and Android app configuration settings.
In order to manage and protect corporate data within the app (such as restricting actions with corporate data like
cut, copy, paste, and "save as"), customers will need to use Microsoft's Enterprise Mobility + Security suite.
Using Mobile Device Access and Mobile Device Mailbox Policies
Microsoft recommends Office 365 customers use either the Enterprise Mobility + Security suite or the built-in
MDM for Office 365 to manage company data on mobile devices, due to the advanced capabilities provided by
those services. Outlook for iOS and Android does support mobile device access and mobile device mailbox policies
(formerly known as Exchange Active Sync policies), which are available through the Exchange admin center.
Outlook for iOS and Android supports the following Exchange mobile device mailbox policy settings:
Device encryption enabled
Min password length
Password enabled
See Mobile device mailbox policies in Exchange Online for more information.
Exchange administrators can initiate a remote device wipe against Outlook for iOS and Android. Upon receiving
the remote wipe request, the app will remove the profile and all data associated with it.
NOTE
Outlook for iOS and Android only supports the "Wipe Data" remote wipe command and does not support "Account Only
Remote Wipe Device."
Securing Outlook for iOS and Android in Exchange Online
3/18/2019 • 16 minutes to read
Outlook for iOS and Android provides users the fast, intuitive email and calendar experience that users expect
from a modern mobile app, while being the only app to provide support for the best features of Office 365.
Protecting company or organizational data on users' mobile devices is extremely important. Begin by reviewing
Setting up Outlook for iOS and Android, to ensure your users have all the required apps installed. After that,
choose one of the following options to secure your devices and your organization's data:
1. Recommended: If your organization has an Enterprise Mobility + Security subscription, or has separately
obtained licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in "Leveraging
Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android."
2. If your organization doesn't have an Enterprise Mobility + Security subscription or licensing for Microsoft
Intune and Azure Active Directory Premium, follow the steps in Leveraging Mobile Device Management for
Office 365, and use the Mobile Device Management (MDM) for Office 365 capabilities that are included in
your Office 365 subscription.
3. Follow the steps in Leveraging Exchange Online mobile device policies to implement basic Exchange
mobile device mailbox and device access policies.
If, on the other hand, you don't want to use Outlook for iOS and Android in your organization, see Blocking
Outlook for iOS and Android.
NOTE
See Exchange Web Services (EWS) application policies later in this article if you'd rather implement an EWS application policy
to manage mobile device access in your organization.
The richest and broadest protection capabilities for Office 365 data are available when you subscribe to the
Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium
features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that only
allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that
ensures the corporate data is protected.
NOTE
While the Enterprise Mobility + Security suite subscription includes both Microsoft Intune and Azure Active Directory
Premium, customers can purchase Microsoft Intune licenses and Azure Active Directory Premium licenses separately. All
users must be licensed in order to leverage the conditional access and Intune app protection policies that are discussed in
this article.
Block all email apps except Outlook for iOS and Android using conditional access
When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android
as the only email app for end users, they can configure a conditional access policy that blocks other mobile access
methods. To do this, you will need two conditional access policies, with each policy targeting all potential users.
Details on creating these policies can be found in Azure Active Directory app-based conditional access.
1. The first policy allows Outlook for iOS and Android, and it blocks OAuth-capable Exchange ActiveSync
clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy
for Exchange Online."
2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to
Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with
Active Sync (EAS)."
The policies leverage the grant control Require approved client app, which ensures only Microsoft apps that have
integrated the Intune SDK are granted access.
NOTE
After the conditional access policies are enabled, it may take up to 6 hours for any previously connected mobile device to
become blocked. Mobile device access rules (allow, block, or quarantine) in Exchange Online are skipped when access is
managed by a conditional access policy that includes either Require device to be marked as compliant or Require approved
client app. To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS
devices. For Android devices, the Intune Company Portal app is leveraged. For more information, see App-based Conditional
Access with Intune.
Protect corporate data in Outlook for iOS and Android using Intune app protection policies
Regardless of whether the device is enrolled in an MDM solution, an Intune app protection policy needs to be
created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These
policies, at a minimum, must meet the following conditions:
1. They include all Microsoft mobile applications, such as Word, Excel, or PowerPoint, as this will ensure that
users can access and manipulate corporate data within any Microsoft app in a secure fashion.
2. They mimic the security features that Exchange provides for mobile devices, including:
Requiring a PIN for access (which includes Select Type, PIN length, Allow Simple PIN, Allow fingerprint)
Encrypting app data
Blocking managed apps from running on "jailbroken" and rooted devices
3. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Outlook
for iOS and Android.
In addition to the above minimum policy requirements, you should consider deploying advanced protection policy
settings like Restrict cut, copy and paste with other apps to further prevent corporate data leakage. For more
information on the available settings, see Android app protection policy settings in Microsoft Intune and iOS app
protection policy settings.
IMPORTANT
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also
install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app
protection policies.
NOTE
Policies and access rules created in MDM for Office 365 will override both Exchange mobile device mailbox policies and
device access rules created in the Exchange admin center. After a device is enrolled in MDM for Office 365, any Exchange
mobile device mailbox policy or device access rule that is applied to that device will be ignored.
NOTE
Outlook for iOS and Android only supports the "Wipe Data" remote wipe command and does not support "Account Only
Remote Wipe Device."
3. Optional: Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WP
refers to Windows Phone, WP8 refers to Windows Phone 8 and later, and WindowsMail refers to the Mail app
included in Windows 10):
Option 2: Block native Exchange ActiveSync apps on Android and iOS devices
Alternatively, you can block native Exchange ActiveSync apps on specific Android and iOS devices or other types
of devices.
1. Confirm that there are no Exchange ActiveSync device access rules in place that block Outlook for iOS and
Android:
If any device access rules that block Outlook for iOS and Android are found, type the following to remove
them:
2. You can block most Android and iOS devices with the following commands:
3. Not all Android device manufacturers specify "Android" as the DeviceType. Manufacturers may specify a
unique value with each release. In order to find other Android devices that are accessing your environment,
execute the following command to generate a report of all devices that have an active Exchange ActiveSync
partnership:
4. Create additional block rules, depending on your results from Step 3. For example, if you find your
environment has a high usage of HTCOne Android devices, you can create an Exchange ActiveSync device
access rule that blocks that particular device, forcing the users to use Outlook for iOS and Android. In this
example, you would type:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "HTCOne" -AccessLevel Block
NOTE
The QueryString parameter does not accept wildcards or partial matches.
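Steps 3 and 4 above, as an added PowerShell example that is not from the original documentation: it inventories the DeviceType values reported by Get-MobileDevice, sets aside Outlook for iOS and Android (identified by its DeviceModel string) and the Windows types named earlier, and previews one exact-match block rule per remaining value. The function name, the threshold and the exclusion list are assumptions made for illustration, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the original documentation).
# Assumes a connected Exchange Online PowerShell session.
# Get-NativeEasBlockCandidates, $MinDevices and $AlwaysAllow are hypothetical
# names and values chosen for this illustration.

function Get-NativeEasBlockCandidates {
    param(
        # DeviceModel string reported by Outlook for iOS and Android.
        [string]   $OutlookModel = 'Outlook for iOS and Android',
        # DeviceType values to leave alone, for example the Windows clients
        # (WP, WP8, WindowsMail) named for the optional allow rules.
        [string[]] $AlwaysAllow  = @('WP', 'WP8', 'WindowsMail'),
        # Ignore DeviceType values seen on fewer devices than this.
        [int]      $MinDevices   = 1
    )

    # Step 3: every device with an Exchange ActiveSync partnership.
    $devices = Get-MobileDevice -ResultSize Unlimited |
        Select-Object DeviceType, DeviceModel, DeviceOS

    # DeviceType values that Outlook itself reports must never be blocked.
    $outlookTypes = @($devices |
        Where-Object { $_.DeviceModel -eq $OutlookModel } |
        Select-Object -ExpandProperty DeviceType -Unique)

    # DeviceType values that already have a device access rule.
    $ruled = @(Get-ActiveSyncDeviceAccessRule |
        Where-Object { "$($_.Characteristic)" -eq 'DeviceType' } |
        Select-Object -ExpandProperty QueryString)

    # Count the remaining native clients per DeviceType, most common first.
    $devices |
        Where-Object { $_.DeviceModel -ne $OutlookModel -and $_.DeviceType } |
        Group-Object -Property DeviceType |
        Where-Object {
            $_.Count -ge $MinDevices -and
            $outlookTypes -notcontains $_.Name -and
            $AlwaysAllow  -notcontains $_.Name -and
            $ruled        -notcontains $_.Name
        } |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'DeviceType'; e = { $_.Name } }, Count
}

$candidates = Get-NativeEasBlockCandidates
$candidates | Format-Table -AutoSize

# Step 4: QueryString takes no wildcards, so each value needs its own rule.
# -WhatIf only previews the rule; remove it after reviewing the list.
foreach ($c in $candidates) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
        -QueryString $c.DeviceType -AccessLevel Block -WhatIf
}
```

DeviceType values that already have a device access rule are skipped, so rerunning this after step 2 only proposes values that are not yet covered.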
Additional resources:
New-ActiveSyncDeviceAccessRule
Get-MobileDevice
Set-ActiveSyncOrganizationSettings
DeviceModel Outlook for iOS and Android Outlook for iOS and Android
Option A: Block Outlook for iOS and Android on both the iOS and Android platforms
With the New-ActiveSyncDeviceAccessRule cmdlet, you can define a device access rule, using either the DeviceModel
or DeviceType characteristic. In both cases, the access rule blocks Outlook for iOS and Android across all
platforms, and will prevent any device, on both the iOS platform and Android platform, from accessing an
Exchange mailbox via the app.
The following are two examples of a device access rule. The first example uses the DeviceModel characteristic; the
second example uses the DeviceType characteristic.
Option B: Block Outlook for iOS and Android on a specific mobile device platform
With the UserAgent characteristic, you can define a device access rule that blocks Outlook for iOS and Android
across a specific platform. This rule will prevent a device from using Outlook for iOS and Android to connect on
the platform you specify. The following examples show how to use the device-specific value for the UserAgent
characteristic.
To block Android and allow iOS:
Summary: How to customize the behavior of Outlook for iOS and Android in your Exchange organization.
Outlook for iOS and Android supports app settings that allow administrators of Office 365 and of mobile device
management (MDM) solutions, like Intune, to customize the behavior of the app.
Outlook for iOS and Android supports the following configuration scenarios:
Account setup configuration
Organization allowed accounts mode
General app configuration settings
Data protection settings
Each configuration scenario will highlight its specific requirements; for example, whether the configuration scenario
requires device enrollment, and thus works with any MDM provider, or requires Intune App Protection Policies.
IMPORTANT
For configuration settings that require device enrollment, with Android the devices must be enrolled via an Android
Enterprise work profile and Outlook for Android must be deployed via the managed Google Play store. For more information,
please see Set up enrollment of Android work profile devices and Add app configuration policies for managed Android
devices.
Focused Inbox (app default: On)
Require Biometrics to access the app (app default: Off). This setting is only available for Outlook for iOS. If using
App Protection Policies, Microsoft recommends disabling this setting to prevent dual access prompts.
Settings that are security-related in nature have an additional option, Allow user to change setting. For these
settings (Save Contacts, External recipients MailTip, Block external images, and Require Biometrics to access the
app), administrators can prevent the user from changing the app’s configuration. The administrator’s configuration
cannot be overridden.
Allow user to change setting does not change the app’s behavior. For example, if the admin enables Block
external images and prevents user change, then by default external images will not be downloaded in messages;
however, the user can manually download the images for that message body.
NOTE
The Allow user to change setting for Require Biometrics to access the app is currently only available as a configuration key.
This will be addressed in a future Intune portal update. For more information regarding the configuration key, see
Configuration keys.
The following conditions describe Outlook’s behavior when implementing various app configurations:
If the admin configures a setting with its default value, and the app is configured with the default, then the
admin’s configuration doesn't have any effect. For example, if the admin sets External recipients MailTip=on,
the default value is also on, so Outlook’s configuration doesn't change.
If the admin configures a setting with the non-default value and the app is configured with the default, then
the admin’s configuration is applied. For example, the admin sets Focused Inbox=off, but app default is on,
so Outlook’s configuration for Focused Inbox is off.
If the user has configured a non-default value, but the admin has configured a default value and allows user
choice, then Outlook retains the user’s configured value. For example, the user has enabled contact
synchronization, but the admin sets Save Contacts=off and allows user choice, so Outlook keeps contact
synchronization on and does not break caller-ID for the user.
If the admin disables user choice, Outlook always enforces the admin-defined configuration, regardless of
the user's configuration or default app configuration. For example, the user has enabled contact
synchronization, but the admin sets Save Contacts=off and disables user choice, so contact synchronization
gets disabled and the user is prevented from enabling it.
If, after the MDM configuration is applied, the user changes the setting value so that it no longer matches the
admin's desired value (and user choice is allowed), then the user’s configuration is retained. For example, block
external images is off by default and the admin sets Block external images=on, but afterwards the user changes
block external images back to off; in this scenario, block external images remains off the next time the policy is
applied.
Users are alerted to configuration changes via a notification toast in the app:
This notification toast will automatically dismiss after ten seconds. There are two scenarios where this notification
toast will not appear:
If the app has previously shown the notification in the last hour.
If the app was installed less than 24 hours ago.
Save Contacts
The Save Contacts setting is a special case scenario because unlike the other settings, this setting requires user
interaction: the user needs to grant Outlook permissions to access the native Contacts app and the data stored
within. If the user does not grant access, then contact synchronization cannot be enabled.
NOTE
With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the
policy, you can define that Outlook for Android is granted READ_CONTACTS and WRITE_CONTACTS within the work profile;
for more information on how to assign permissions, please see Add app configuration policies for managed Android devices.
When assigning default permissions it is important to understand which Android Enterprise deployment models are in use, as
the permissions may grant access to personal data.
The workflow for enabling Save Contacts is the same for new accounts and existing accounts.
1. The user is notified that the administrator has enabled contact synchronization. In Outlook for iOS, the
notification occurs within the app, whereas in Outlook for Android, a persistent notification is delivered via
the Android notification center.
2. If the user taps on the notification, the user is prompted to grant access:
3. If the user allows Outlook to access the native Contacts app, access is granted and contact synchronization
will be enabled. If the user denies Outlook access to the native Contacts app, then the user is prompted to go
into the OS settings and enable contact synchronization:
4. In the event the user denies Outlook access to the native Contacts app and dismisses the previous prompt,
the user may later enable access by navigating to the account configuration within Outlook and tapping
Open Settings:
Deploying app configuration settings with Intune
The Intune portal enables administrators to easily deploy these settings to Outlook for iOS and Android via App
Configuration Policies.
The following steps will allow you to create an app configuration policy. After the configuration policy is created,
you can assign its settings to groups of users.
IMPORTANT
When deploying app configuration policies to managed devices, issues can occur when multiple policies have different values
for the same configuration key and are targeted for the same app and user. This is due to the lack of a conflict resolution
mechanism for resolving the differing values. You can prevent this by ensuring that only a single app configuration policy for
managed devices is defined and targeted for the same app and user.
Create an app configuration policy for Outlook for iOS and Android
1. Sign into the Azure portal.
2. Select More Services > Monitoring + Management > Intune.
3. On the Client apps blade of the Manage list, select App configuration policies.
4. On the App Configuration policies blade, choose Add.
5. On the Add app configuration blade, enter a Name, and optional Description for the app configuration
settings.
6. For Device enrollment type, choose Managed devices.
7. For Platform, choose either iOS or Android.
8. For Associated app, choose Select the required app, and then, on the Targeted apps blade, choose
Outlook.
NOTE
If Outlook is not listed as an available app, then you must add it by following the instructions in Assign apps to Android work
profile devices with Intune and Add iOS store apps to Microsoft Intune.
IMPORTANT
If the account will be protected by an Intune App Protection Policy that requires a PIN to access the protected
account, then the Require Biometrics to access the app setting should be disabled, otherwise the user will be
prompted with multiple authentication prompts when accessing the app.
For Save Contacts, choose from the available options: Not configured (default), On, Off (app default).
When selecting On or Off, administrators can choose to allow the user to change the app setting’s value.
Select Yes (app default) to allow the user to change the setting or choose No if you want to prevent the
user from changing the setting’s value.
For External recipients MailTip, choose from the available options: Not configured (default), On (app
default), Off. When selecting On or Off, administrators can choose to allow the user to change the app
setting’s value. Select Yes (app default) to allow the user to change the setting or choose No if you want
to prevent the user from changing the setting’s value.
For Block external images, choose from the available options: Not configured (default), On, Off (app
default). When selecting On or Off, administrators can choose to allow the user to change the app
setting’s value. Select Yes (app default) to allow the user to change the setting or choose No if you want
to prevent the user from changing the setting’s value.
13. When you are done, choose OK.
14. On the Add app configuration blade, choose Add.
The newly created configuration policy will be displayed on the App configuration blade.
NOTE
For Managed devices you will need to create a separate app configuration policy for each platform. Also, Outlook will need
to be installed from the Company Portal for the configuration settings to take effect.
Key: com.microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed
Device enrollment type: Managed apps
This key specifies if the user can adjust the mail notification setting within the app. Setting the value to false
prevents the user from adjusting the mail notification setting.
Accepted values: true, false
Default if not specified: true
Example: false
Key: com.microsoft.outlook.Calendar.NotificationsEnabled.UserChangeAllowed
Device enrollment type: Managed apps
This key specifies if the user can adjust the calendar reminder notification setting within the app. Setting the value
to false prevents the user from adjusting the calendar reminder notification setting.
Accepted values: true, false
Default if not specified: true
Example: false
Configure Contact Field Sync to native Contacts for Outlook for iOS and Android
The settings in the following table allow you to control the contact fields that will synchronize between Outlook on
iOS and Android and the native Contacts applications.
NOTE
Outlook for Android supports bi-directional contact synchronization. However, if a user edits a field in the native contacts app
that is restricted (such as the Notes field), then that data will not synchronize back into Outlook for Android.
Key: com.microsoft.outlook.ContactSync.JobTitleAllowed
Device enrollment type: Managed apps
This key specifies if the contact's job title should be synchronized to native contacts.
Accepted values: true, false
Default if not specified: true
Example: true
NOTE
Intune managed apps will check in at an interval of 30 minutes for Intune App Configuration Policy status, when deployed
in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user, then the
Intune App Configuration Policy check-in interval is set to 720 minutes.
Create an app configuration policy for Outlook for iOS and Android
1. Sign in to the Azure portal.
2. Select More Services > Monitoring + Management > Intune.
3. On the Client apps blade of the Manage list, select App configuration policies.
4. On the App Configuration policies blade, choose Add.
5. On the Add app configuration blade, enter a Name, and optional Description for the app configuration
settings.
6. For Device enrollment type, choose Managed apps.
7. For Associated app, choose Select the required app, and then, on the Targeted apps blade, choose
Outlook by selecting both the iOS and Android platform Outlook apps.
8. Click OK to return to the Add app configuration blade.
9. Choose Configuration Settings. On the Configuration blade, define the key and value pairs that will
supply configurations for Outlook for iOS and Android. The key and value pairs you can define are covered
in Data protection scenarios.
10. When you are done, choose OK.
11. On the Add app configuration blade, choose Add.
The newly created configuration policy will be displayed on the App configuration blade.
Assign the configuration settings that you created
You assign the settings to groups of users in Azure Active Directory. When a user has the Microsoft Outlook app
installed, the app will be managed by the settings you have specified. To do this:
1. From the Intune blade, on the Mobile apps blade of the Manage list, select App configuration policies.
2. From the list of app configuration policies, select the one you want to assign.
3. On the next blade, choose Assignments.
4. On the Assignments blade, select the Azure AD group to which you want to assign the app configuration,
and then choose OK.
Configuration keys
Account setup configuration
Outlook for iOS and Android offers administrators the ability to “push” account configurations to their Office 365
users. For more information on account setup configuration, see Account setup with modern authentication in
Exchange Online.
Summary: How organizations in the Office 365 U.S. Government Community Cloud (GCC) can enable Outlook
for iOS and Android for their Exchange Online users.
Outlook for iOS and Android is fully architected in the Microsoft Cloud and meets the security and compliance
requirements of all United States Government customers when the mailboxes reside in Exchange Online.
For customers with Exchange Online mailboxes operating in the Government Community Cloud (GCC Moderate,
GCC High or Department of Defense), Outlook for iOS and Android leverages the native Microsoft sync
technology. This architecture is FedRAMP-compliant (defined by NIST Special Publication 800-145) and approved,
and meets GCC High and DoD requirements: DISA SRG Level 4 (GCC-High) and Level 5 (DoD), Defense Federal
Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR), which have
been approved by a third-party assessment organization and are FISMA compliant based on the NIST 800-53 rev
4.
For more information, please see the Office 365 FedRAMP System Security plan located in the FedRAMP Audit
Reports section of the Microsoft Service Trust Portal.
IMPORTANT
Customers operating in the Government Community Cloud may have user mailboxes that also reside on-premises via an
Exchange hybrid topology. Accessing on-premises mailboxes with Outlook for iOS and Android does not utilize an
architecture that is FedRAMP-compliant. For more information on this architecture, see Using Basic authentication with
Outlook for iOS and Android.
Enabling Outlook for iOS and Android for Office 365 GCC customers
GCC (Moderate, High and Department of Defense) customers can leverage Outlook for iOS and Android without
any special configuration.
For Office 365 GCC customers who are not currently using Outlook for iOS and Android, enabling the app
requires unblocking Outlook for iOS and Android in the organization, downloading the app on users' devices, and
having end-users add their account on their devices.
1. Unblock Outlook for iOS and Android
Remove any restrictions placed within your Exchange environment that may be blocking Outlook for iOS and
Android. This means you'll need to update your Exchange Web Services application policies, your Exchange mobile
device access rules, or any relevant Azure Active Directory Conditional Access policies so that the app is no longer
blocked. See Securing Outlook for iOS and Android in Exchange Online for information about enabling Outlook as
the only mobile messaging client in an organization.
2. Download and install Outlook for iOS and Android
End users need to install the app on their devices. How the installation happens depends on whether or not the
devices are enrolled in a mobile device management (MDM) solution, such as Microsoft Intune. Users with
enrolled devices can install the app through their MDM solution, like the Intune Company Portal. Users with
devices that are not enrolled in an MDM solution can search for "Microsoft Outlook" in the Apple App Store or
Google Play Store and download it from one of those locations.
NOTE
To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For
Android devices, the Intune Company Portal app is leveraged. For more information, see App-based conditional access with
Intune.
At any time, access can be revoked by resetting the parameter back to the default value:
Changing this setting typically takes effect within an hour. As this is a tenant-based change, all Outlook for iOS
and Android users in the GCC organization will be affected.
For more information on the cmdlet, please see Set-OrganizationConfig.
Mobile access in Exchange Online
3/4/2019 • 2 minutes to read
Your users can access their Office 365 mailbox from a wide variety of devices: mobile phones, tablets, laptops, and
even devices such as e-readers. These devices can use Exchange ActiveSync, POP3, or IMAP4 to access Office 365
mailbox data.
Exchange ActiveSync
Exchange ActiveSync is a synchronization protocol that's optimized to work together with high-latency and
low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization's
information on a server that's running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to
access their email, calendar, contacts, and tasks, and to continue to access this information while they're working
offline.
Exchange ActiveSync provides the following:
Support for HTML messages
Support for follow-up flags
Conversation grouping of email messages
Ability to synchronize or not synchronize an entire conversation
Support for viewing message reply status
Support for fast message retrieval
Meeting attendee information
Enhanced Exchange Search
PIN reset
Enhanced device security through password policies
Autodiscover for over-the-air provisioning
Support for setting automatic replies when users are away, on vacation, or out of the office
Support for task synchronization
Direct Push
Support for availability information for contacts
POP3
POP3 was designed to support offline mail processing. With POP3, email messages are removed from the server
and stored on the local POP3 client unless the client has been set to leave mail on the server. This puts the data
management and security responsibility in the hands of the user. POP3 doesn't offer advanced collaboration
features such as calendaring, contacts, and tasks.
IMAP4
IMAP4 offers offline and online access but, like POP3, IMAP4 doesn't offer advanced collaboration features such
as calendaring, contacts, and tasks.
Configure mobile phones to access email
3/4/2019 • 2 minutes to read
You can configure a mobile phone, such as a Windows Phone, to use Microsoft Exchange ActiveSync. You should
perform this procedure on each mobile phone in your organization.
Prerequisites
You've reviewed the manufacturer's documentation for the mobile phone you want to configure.
Exchange ActiveSync is enabled in your organization.
NOTE
For device-specific information about setting up Microsoft Exchange-based email on a phone or tablet, see Set up a mobile
device using Office 365 for business.
Your users carry sensitive corporate information in their pockets every day. If one of them loses their mobile
phone, your data can end up in the hands of another person. If one of your users loses their mobile phone, you can
use the Exchange admin center (EAC) or Exchange Online PowerShell to wipe their phone clean of all corporate
and user information.
NOTE
This topic also provides instructions for how to use Microsoft Outlook Web App to perform a remote wipe on a phone. The
user must be signed in to Outlook Web App to perform a remote wipe.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
By default, Outlook on the web (formerly known as Outlook Web App) is enabled in Exchange Online, and lets
users access their mailbox from almost any web browser.
For information about client access mailbox methods in Exchange Online, see Clients and mobile in Exchange
Online.
In Exchange Online, Outlook on the web mailbox policies control the availability of settings and features in
Outlook on the web (formerly known as Outlook Web App). A mailbox can only have one Outlook on the web
mailbox policy applied to it. You can create different policies for different types of users in your Exchange Online
organization.
Every Exchange Online organization has a default Outlook on the web mailbox policy named OwaMailboxPolicy-
Default that's applied to all user mailboxes. You can use this policy or create additional policies as necessary to
meet the needs of your organization.
For the procedures that you can do on Outlook on the web mailbox policies, see Outlook on the web mailbox
policy procedures in Exchange Online.
Outlook on the web mailbox policy procedures in Exchange Online
3/4/2019 • 2 minutes to read
You can create Outlook on the web mailbox policies to apply settings to users in Outlook on the web (formerly
known as Outlook Web App). Outlook on the web mailbox policies are useful for applying and standardizing
settings, for example, attachment settings, for specific groups of users.
For more information about Outlook on the web mailbox policies, see Outlook Web App mailbox policies.
This example creates an Outlook on the web mailbox policy named Executives.
In Exchange Online PowerShell, replace <Policy Name> with the name of the policy, and run the following
command to verify the settings:
Next steps
To modify an existing Outlook on the web mailbox policy, see View or configure Outlook on the web mailbox
policy properties in Exchange Online.
Apply or remove an Outlook on the web mailbox policy on a mailbox in Exchange Online
3/4/2019 • 5 minutes to read
Assigning an Outlook on the web mailbox policy to a mailbox controls the Outlook on the web (formerly known as
Outlook Web App) experience for the user. You can apply Outlook on the web mailbox policies to one or more
mailboxes or remove the policy assignments in the Exchange admin center (EAC) or Exchange Online PowerShell.
This example applies the Outlook on the web mailbox policy named Sales Associates to tony@contoso.com.
Filter mailboxes by attributes: This method requires that the mailboxes all share a unique filterable
attribute. For example:
Title, Department, or address information for user accounts as seen by the Get-User cmdlet.
CustomAttribute1 through CustomAttribute15 for mailboxes as seen by the Get-Mailbox cmdlet.
The syntax uses the following two commands (one to identify the mailboxes, and the other to apply the
policy to the mailboxes):
This example assigns the policy named Managers and Executives to all mailboxes whose Title attribute
contains "Manager" or "Executive".
$Mgmt = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Manager*' -or Title -like '*Executive*')}
Use a list of specific mailboxes: This method requires a text file to identify the mailboxes. Values that
don't contain spaces (for example, the user account) work best. The text file must contain one user account
on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
policy to those users):
In Exchange Online PowerShell, run the following command to verify the value of the OwaMailboxPolicy
property for all mailboxes:
This example removes the Outlook on the web mailbox policy from the mailbox of the user tony@contoso.com.
Set-CASMailbox -Identity tony@contoso.com -OwaMailboxPolicy $null
In Exchange Online PowerShell, run the following command to verify the value of the OwaMailboxPolicy
property:
You can remove a Microsoft Outlook on the web mailbox policy from an Exchange organization by using either the
Exchange admin center (EAC) or Exchange Online PowerShell.
Note: Don't remove the built-in mailbox policy named OwaMailboxPolicy-Default.
For additional management tasks related to Outlook on the web mailbox policies, see Outlook on the web mailbox
policies.
This example removes the Outlook on the web mailbox policy named Sales Associates.
Get-OwaMailboxPolicy
View or configure Outlook on the web mailbox policy properties in Exchange Online
3/4/2019 • 3 minutes to read
After you create an Outlook on the web mailbox policy, you can configure a variety of options to control the
features available to users in Outlook on the web (formerly known as Outlook Web App). For example, you can
enable or disable Inbox rules or create a list of allowed file types for attachments.
For more information about Outlook on the web mailbox policies, see Outlook Web App mailbox policies.
Use the EAC to view or configure Outlook on the web mailbox policies
1. In the EAC, go to Permissions > Outlook Web App policies and select the policy that you want to view
or configure.
2. The Details pane shows the enabled features in the policy. To see more information, click Edit. In the
properties window that opens you can view and configure the following settings:
On the General tab, you can view and edit the name of the policy.
On the Features tab, use the check boxes to enable or disable features. By default, the most common
features are displayed. To see all features that can be enabled or disabled, click More options.
Note: You can configure settings for individual users by using the Set-CASMailbox cmdlet in Exchange
Online PowerShell.
On the File Access tab, use the Direct file access check boxes to configure the file access and viewing
options for users. File access lets a user open or view the contents of files attached to an email message.
File access can be controlled based on whether a user has signed in on a public or private computer. The
option for users to select private computer access or public computer access is available only when you're
using forms-based authentication. All other forms of authentication default to private computer access.
On the Offline access tab, use the option buttons to configure offline access availability.
3. When you're finished, click Save to update the policy.
This example retrieves detailed information for the policy named Executives.
As an admin, you can set up both private and public attachment handling in Outlook on the web (formerly known
as Outlook Web App) depending on how you configure your Outlook on the web mailbox policies. The settings for
private (internal) and public (external) networks define how users can open, view, send, or receive attachments
depending on whether a user is signed in to Outlook on the web on a computer that is part of a private or of a
public network.
PARAMETER*: WacViewingOnPublicComputersEnabled
DESCRIPTION: Specifies whether a user who has signed into Outlook on the web from a computer outside of the
corporate network can view supported Office files using Outlook on the web.
Note: Setting this parameter to $true won't affect the settings for the following parameters:
ForceWacViewingFirstOnPublicComputers
WSSAccessOnPublicComputersEnabled
UNCAccessOnPublicComputersEnabled
8. Click Finish.
9. In the Edit Claim Rules dialog box, click OK to save the rule.
Inbox rules in Outlook on the web (formerly known as Outlook Web App) and Outlook are limited to 256 KB total
for all rules. Each rule you create will take up space in your mailbox. The actual amount of space a rule uses
depends on several factors, such as how long the name is and how many conditions you've applied. When you
reach the 256 KB limit, you'll be warned that you can't create any more rules or that you can't update a rule. You
can't increase the amount of space that's allocated to store Inbox rules in Exchange Online, but you can decrease it
to suit your business needs.
Notes:
The valid range for the Inbox rules quota is 32 KB to 256 KB.
There isn't a maximum number of rules that users can create.
The quota for Inbox rules applies only to enabled rules. There's no restriction on the number of disabled
rules that a mailbox can have. However, the total size of rules that are enabled or active in the mailbox can't
exceed the quota value.
Use Exchange Online PowerShell to increase the limit for Inbox rules
There are three basic methods you can use to modify the rules quota for a mailbox:
Individual mailboxes: Use the following syntax:
This example decreases the rules quota to 200 KB for the user douglas@contoso.com.
Filter mailboxes by attributes: This method requires that the mailboxes all share a unique filterable
attribute. For example:
Title, Department, or address information for user accounts as seen by the Get-User cmdlet.
CustomAttribute1 through CustomAttribute15 for mailboxes as seen by the Get-Mailbox cmdlet.
The syntax uses the following two commands (one to identify the mailboxes, and the other to apply the rules
quota to the mailboxes):
This example decreases the rules quota to 32 KB for all mailboxes whose Title attribute contains "Vendor" or
"Contractor".
$V = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Vendor*' -or Title -like '*Contractor*')}
Use a list of specific mailboxes: This method requires a text file to identify the mailboxes. Values that
don't contain spaces (for example, the user account) work best. The text file must contain one user account
on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
rules quota to those users):
This example decreases the rules quota to 150 KB for the mailboxes specified in the file
C:\My Documents\Junior Managers.txt.
Run the following command to verify the value of the RulesQuota property for all mailboxes:
MailTips are informative messages displayed to users while they're composing a message. Microsoft Exchange
Server analyzes the message, including the list of recipients to which it's addressed, and if it detects a potential
problem, it notifies the user with MailTips prior to sending the message. With the help of the information provided
by MailTips, senders can adjust the message they're composing to avoid undesirable situations or non-delivery
reports (NDRs).
MailTips in Exchange
The following table lists the available MailTips in Exchange Server.
MailTip restrictions
MailTips are subject to the following restrictions:
MailTips aren't supported when working in offline mode in Outlook.
When a message is addressed to a distribution group, the MailTips for individual recipients that are
members of that distribution group aren't evaluated. However, if any of the members is an external
recipient, the External Recipients MailTip is displayed, which shows the sender the number of external
recipients in the distribution group.
If the message is addressed to more than 200 recipients, individual mailbox MailTips aren't evaluated due to
performance reasons.
Custom MailTips are limited to 175 characters.
While older versions of Exchange Server would populate MailTips in their entirety, Exchange Online will
only display up to 1000 characters.
If the sender starts composing a message and leaves it open for an extended period of time, the Automatic
Replies and Mailbox Full MailTips are evaluated every two hours.
Configure the large audience size for your organization
3/4/2019 • 2 minutes to read
You can use Exchange Online PowerShell to configure various settings that define how you use MailTips in your
organization.
Set-OrganizationConfig -MailTipsLargeAudienceThreshold 50
MailTips are informative messages displayed to users in the InfoBar in Outlook Web App and Microsoft Outlook
2010 or later when a user does any of the following while composing an e-mail message:
Add a recipient
Add an attachment
Reply or Reply all
Open a message from the Drafts folder that's already addressed to recipients
In addition to the built-in MailTips that are available, you can create custom MailTips for all types of recipients. For
more information about the built-in MailTips, see MailTips.
<RecipientType> can be any type of recipient. For example, Mailbox, MailUser, MailContact, DistributionGroup,
or DynamicDistributionGroup.
For example, suppose you have a mailbox named "Help Desk" for users to submit support requests, and the
promised response time is two hours. To configure a custom MailTip that explains this, run the following
command:
Set-Mailbox "Help Desk" -MailTip "A Help Desk representative will contact you within 2 hours."
<culture> is a valid ISO 639 two-letter culture code associated with the language.
For example, suppose the mailbox named Notifications currently has the MailTip: "This mailbox is not monitored."
To add the Spanish translation, run the following command:
Microsoft Exchange Server allows you to configure organization relationships with Microsoft Exchange Online or
other Exchange organizations. Establishing an organization relationship allows you to enhance the user experience
when dealing with the other organization. For example, you can share free or busy data, configure secure message
flow, and enable message tracking across both organizations.
MAILTIP | IS THE MAILTIP AVAILABLE WHEN THE ACCESS LEVEL IS SET TO ALL? | IS THE MAILTIP AVAILABLE WHEN THE ACCESS LEVEL IS SET TO LIMITED?
For detailed steps about how to configure MailTips access levels, see Manage MailTips for organization
relationships.
You can use Exchange Online PowerShell to configure custom settings for MailTips between various
organizations.
By establishing an organizational relationship, you can enhance the user experience for both organizations by
sharing free/busy data, configuring secure message flow, and enabling message tracking. For more information
about organizational relationships, see MailTips over organization relationships.
You can use various settings to control how MailTips are used between two organizations that have established an
organizational relationship. The procedures in this section illustrate these various controls. In all examples, the
on-premises organization is contoso.com, the remote organization is online.contoso.com, and the organizational
relationship is named Contoso Online.
You use the Set-OrganizationRelationship cmdlet to configure these settings.
This example configures the organizational relationship to prevent MailTips from being returned to senders in the
remote organization when composing messages to recipients in your organization.
This example configures the organizational relationship so that only the Automatic Replies, Oversize Message,
Restricted Recipient, and Mailbox Full MailTips are returned.
This example configures the organizational relationship so that no MailTips are returned.
NOTE
Don't use this method to disable MailTips for this relationship. To disable MailTips, set the MailTipsAccessEnabled parameter
to $false.
Add-ins for Outlook are applications that extend the usefulness of Outlook clients by adding information or tools
that your users can use without having to leave Outlook. Add-ins are built by third-party developers and can be
installed either from a file or URL or from the Office Store. By default, all users can install add-ins. Exchange
Online admins can control whether users can install add-ins for Office.
TIP
For information about add-ins for Outlook from an end-user perspective, check out the Help topic Installed add-ins at
Office.com. That topic provides an overview of the add-ins and also shows you some of the add-ins for Outlook that might
be installed by default.
The Microsoft Exchange Remote Connectivity Analyzer (ExRCA) helps you make sure that connectivity for your
Exchange servers is set up correctly. If you're having problems, it can also help you find and fix these problems. The
ExRCA website can run tests to check for Microsoft Exchange ActiveSync, Exchange Web Services, Microsoft
Outlook, and internet email connectivity.
Summary: Learn how administrators can use Client Access Rules to allow or block different types of client
connections to Exchange Online.
Client Access Rules help you control access to your Exchange Online organization based on client properties or
client access requests. Client Access Rules are like mail flow rules (also known as transport rules) for client
connections to your Exchange Online organization. You can prevent clients from connecting to Exchange Online
based on their IP address, authentication type, and user property values, and the protocol, application, service, or
resource that they're using to connect. For example:
Allow access to Exchange ActiveSync clients from specific IP addresses, and block all other ActiveSync
clients.
Block access to Exchange Web Services (EWS) for users in specific departments, cities, or countries.
Block access to an offline address book (OAB) for specific users based on their usernames.
Prevent client access using federated authentication.
Prevent client access using Exchange Online PowerShell.
Block access to the Exchange admin center (EAC) for users in a specific country or region.
For Client Access Rule procedures, see Procedures for Client Access Rules in Exchange Online.
Multiple rules that contain the same condition: The first rule is applied, and subsequent rules are ignored.
For example, if your highest priority rule blocks Outlook on the web connections, and you create another rule
that allows Outlook on the web connections for a specific IP address range, all Outlook on the web connections
are still blocked by the first rule. Instead of creating another rule for Outlook on the web, you need to add an
exception to the existing Outlook on the web rule to allow connections from the specified IP address range.
Multiple conditions in one rule: AND. A client connection must match all conditions in the rule. For example,
EWS connections from users in the Accounting department.
One condition with multiple values in a rule: OR. For conditions that allow more than one value, the connection
must match any one (not all) of the specified conditions. For example, EWS or IMAP4 connections.
You can test how a specific client connection would be affected by Client Access Rules (which rules would match
and therefore affect the connection). For more information, see Use Exchange Online PowerShell to test Client
Access Rules.
Important notes
Client connections from your internal network
Connections from your local network aren't automatically allowed to bypass Client Access Rules. Therefore, when
you create Client Access Rules that block client connections to Exchange Online, you need to consider how
connections from your internal network might be affected. The preferred method to allow internal client
connections to bypass Client Access Rules is to create a highest priority rule that allows client connections from
your internal network (all or specific IP addresses). That way, the client connections are always allowed, regardless
of any other blocking rules that you create in the future.
Client Access Rules and middle-tier applications
Many applications that access Exchange Online use a middle-tier architecture (clients talk to the middle-tier
application, and the middle-tier application talks to Exchange Online). A Client Access Rule that only allows access
from your local network might block middle-tier applications. So, your rules need to allow the IP addresses of
middle-tier applications.
Middle-tier applications owned by Microsoft (for example, Outlook for iOS and Android) will bypass blocking by
Client Access Rules, and will always be allowed. To provide additional control over these applications, you need to
use the control capabilities that are available in the applications.
Timing for rule changes
To improve overall performance, Client Access Rules use a cache, which means changes to rules don't immediately
take effect. The first rule that you create in your organization can take up to 24 hours to take effect. After that,
modifying, adding, or removing rules can take up to one hour to take effect.
Administration
You can only use remote PowerShell to manage Client Access Rules, so you need to be careful about rules that
block your access to remote PowerShell. If you create a rule that blocks your access to remote PowerShell, or if
you create a rule that blocks all protocols for everyone, you'll lose the ability to fix the rules yourself. You'll need to
call Microsoft Customer Service and Support, and they will create a rule that gives you remote PowerShell access
from anywhere so you can fix your own rules. Note that it can take up to one hour for this new rule to take effect.
As a best practice, create a Client Access Rule with the highest priority to preserve your access to remote
PowerShell. For example:
New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action Allow -AnyOfProtocols RemotePowerShell -Priority 1
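The evaluation order described earlier (first matching rule wins, AND across conditions, OR within a condition, exceptions cancel a match) and the lockout risk described under Administration can be checked offline before any rule is created. The following is an added example, not code from the original documentation: it is a simplified local model, the function names, the rule names other than "Always Allow Remote PowerShell", and the sample address are hypothetical, and it assumes that a connection matching no rule is allowed.

```powershell
# Simplified local model of Client Access Rule evaluation (added illustration).
# Rule objects are constructed here with a subset of the properties that
# Get-ClientAccessRule returns; nothing below connects to Exchange Online.

function ConvertTo-IPv4Number ([string]$Address) {
    $o = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [double]$o[0] * 16777216 + $o[1] * 65536 + $o[2] * 256 + $o[3]
}

function Test-InRange ([string]$Address, [string]$Range) {
    # Accepts a single address or CIDR notation such as 192.168.10.1/24.
    $network, $bits = $Range -split '/'
    if (-not $bits) { $bits = 32 }
    $blockSize = [math]::Pow(2, 32 - [int]$bits)
    $a = [math]::Floor((ConvertTo-IPv4Number $Address) / $blockSize)
    $n = [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
    return $a -eq $n
}

function Test-AnyRange ([string]$Address, $Ranges) {
    foreach ($r in @($Ranges)) {
        if ($r -and (Test-InRange $Address $r)) { return $true }
    }
    return $false
}

function Get-FirstMatchingRule {
    param($Rules, [string]$Protocol, [string]$RemoteAddress)
    foreach ($rule in ($Rules | Where-Object Enabled | Sort-Object Priority)) {
        # Conditions: every condition that is set must match (AND);
        # within one condition, any listed value is enough (OR).
        if ($rule.AnyOfProtocols -and ($rule.AnyOfProtocols -notcontains $Protocol)) { continue }
        if ($rule.AnyOfClientIPAddressesOrRanges -and
            -not (Test-AnyRange $RemoteAddress $rule.AnyOfClientIPAddressesOrRanges)) { continue }
        # Exceptions: a matching exception means the rule does not apply.
        if (Test-AnyRange $RemoteAddress $rule.ExceptAnyOfClientIPAddressesOrRanges) { continue }
        return $rule   # first match wins; later rules are never consulted
    }
}

function Get-Verdict {
    param($Rules, [string]$Protocol, [string]$RemoteAddress)
    $hit = Get-FirstMatchingRule -Rules $Rules -Protocol $Protocol -RemoteAddress $RemoteAddress
    if ($hit) { '{0} (rule "{1}")' -f $hit.Action, $hit.Name }
    else      { 'AllowAccess (no rule matched; model assumption)' }
}

function New-ModelRule ($Name, $Priority, $Action, $Protocols, $Ranges, $ExceptRanges) {
    [pscustomobject]@{
        Name     = $Name
        Priority = $Priority
        Enabled  = $true
        Action   = $Action
        AnyOfProtocols                       = $Protocols
        AnyOfClientIPAddressesOrRanges       = $Ranges
        ExceptAnyOfClientIPAddressesOrRanges = $ExceptRanges
    }
}

# Case 1: a second "allow" rule cannot override an earlier block.
$twoRules = @(
    (New-ModelRule 'Block OWA' 1 'DenyAccess' @('OutlookWebApp') $null $null),
    (New-ModelRule 'Allow OWA from office' 2 'AllowAccess' @('OutlookWebApp') @('192.168.10.1/24') $null)
)
# Case 2: the same intent expressed as an exception on the blocking rule.
$withException = @(
    (New-ModelRule 'Block OWA' 1 'DenyAccess' @('OutlookWebApp') $null @('192.168.10.1/24'))
)
# Case 3: a block-everything rule, without and with the protective priority 1 rule.
$lockout = @(
    (New-ModelRule 'Block all' 1 'DenyAccess' $null $null $null)
)
$safe = @(
    (New-ModelRule 'Always Allow Remote PowerShell' 1 'AllowAccess' @('RemotePowerShell') $null $null),
    (New-ModelRule 'Block all' 2 'DenyAccess' $null $null $null)
)

$officeIp = '192.168.10.50'   # constructed sample address inside 192.168.10.1/24

'OWA, two separate rules       : ' + (Get-Verdict $twoRules      'OutlookWebApp'    $officeIp)
'OWA, block rule with exception: ' + (Get-Verdict $withException 'OutlookWebApp'    $officeIp)
'PowerShell, block-all only    : ' + (Get-Verdict $lockout       'RemotePowerShell' $officeIp)
'PowerShell, protective rule   : ' + (Get-Verdict $safe          'RemotePowerShell' $officeIp)
```

Running a planned rule set through a model like this before creating it shows whether the administrator's own remote PowerShell connection would still be allowed, which matters because rule changes can take up to an hour to take effect.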
Summary: Learn how to view, create, modify, delete, and test Client Access Rules in Exchange Online.
Client Access Rules allow or block client connections to your Exchange Online organization based on the
properties of the connection. For more information about Client Access Rules, see Client Access Rules in Exchange
Online.
TIP
Verify that your rules work the way you expect. Be sure to thoroughly test each rule and the interactions between rules. For
more information, see the Use Exchange Online PowerShell to test Client Access Rules section later in this topic.
Get-ClientAccessRule
This example returns all the property values for the rule named "Block Client Connections from 192.168.1.0/24".
This example returns only the specified properties for the same rule.
Get-ClientAccessRule -Identity "Block Client Connections from 192.168.1.0/24" | Format-List Name,Priority,Enabled,Scope,Action
This example creates a new Client Access Rule named Block ActiveSync that blocks access for Exchange
ActiveSync clients, except for clients in the IP address range 192.168.10.1/24.
Notes:
As a best practice, create a Client Access Rule with the highest priority to preserve your administrator
access to remote PowerShell. For example:
New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action Allow -AnyOfProtocols RemotePowerShell -Priority 1
The rule has the default priority value, because we didn't use the Priority parameter. For more information,
see the Use Exchange Online PowerShell to set the priority of Client Access Rules section later in this topic.
The rule is enabled, because we didn't use the Enabled parameter, and the default value is $true.
This example creates a new Client Access Rule named Restrict EAC Access that blocks access for the Exchange
admin center, except if the client is coming from an IP address in the 192.168.10.1/24 range or if the user account
name contains "tanyas".
Get-ClientAccessRule
Replace <RuleName> with the name of the rule, and run this command to see the details of the rule:
See which Client Access Rules would affect a specific client connection to Exchange Online by using the
Test-ClientAccessRule cmdlet. For more information, see the Use Exchange Online PowerShell to test
Client Access Rules section later in this topic.
This example disables the existing Client Access Rule named Allow IMAP4.
An important consideration when you modify Client Access Rules is modifying conditions or exceptions that
accept multiple values:
The values that you specify will replace any existing values.
To add or remove values without affecting other existing values, use this syntax:
@{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}
This example adds the IP address range 172.17.17.27/16 to the existing Client Access Rule named Allow IMAP4
without affecting the existing IP address values.
See which Client Access Rules would affect a specific client connection to Exchange Online by using the
Test-ClientAccessRule cmdlet. For more information, see the Use Exchange Online PowerShell to test
Client Access Rules section later in this topic.
This example sets the priority of the rule named Disable IMAP4 to 2. All existing rules that have a priority less than
or equal to 2 are decreased by 1 (their priority numbers are increased by 1).
Note: To set the priority of a new rule when you create it, use the Priority parameter on the
New-ClientAccessRule cmdlet.
How do you know this worked?
To verify that you've successfully set the priority of a Client Access Rule, use either of these procedures:
Run this command in Exchange Online PowerShell to see the list of rules and their Priority values:
Get-ClientAccessRule
Replace <RuleName> with the name of the rule, and run this command:
This example removes the Client Access Rule named Block POP3.
Note: To disable a Client Access Rule without deleting it, use the Enabled parameter with the value $false on the
Set-ClientAccessRule cmdlet.
For detailed syntax and parameter information, see Remove-ClientAccessRule.
How do you know this worked?
To verify that you've successfully removed a Client Access Rule, run this command in Exchange Online PowerShell
to verify that the rule is no longer listed:
Get-ClientAccessRule
This example returns the Client Access Rules that would match a client connection to Exchange Online that has
these properties:
Authentication type: Basic
Protocol: OutlookWebApp
Basic authentication in Exchange Online uses a username and a password for client access requests. Blocking Basic
authentication can help protect your Exchange Online organization from brute force or password spray attacks.
When you disable Basic authentication for users in Exchange Online, their email clients and apps must support
modern authentication. Those clients are:
Outlook 2013 or later (Outlook 2013 requires a registry key change)
Outlook 2016 for Mac or later
Outlook for iOS and Android
Mail for iOS 11.3.1 or later
If your organization has no legacy email clients, you can use authentication policies in Exchange Online to disable
Basic authentication requests, which forces all client access requests to use modern authentication. For more
information about modern authentication, see Using Office 365 modern authentication with Office clients.
This topic explains how Basic authentication is used and blocked in Exchange Online, and the corresponding
procedures for authentication policies.
1. The email client sends the username and password to Exchange Online.
Note: When Basic authentication is blocked, it's blocked at this step.
2. Exchange Online sends the username and password to Azure Active Directory.
3. Azure Active Directory returns a user ticket to Exchange Online and the user is authenticated.
Federated authentication
The steps in federated authentication are described in the following diagram:
1. The email client sends the username and password to Exchange Online.
Note: When Basic authentication is blocked, it's blocked at this step.
2. Exchange Online sends the username and password to the on-premises IdP.
3. Exchange Online receives a Security Assertion Markup Language (SAML) token from the on-premises IdP.
4. Exchange Online sends the SAML token to Azure Active Directory.
5. Azure Active Directory returns a user ticket to Exchange Online and the user is authenticated.
Exchange Active Sync (EAS): Used by some email clients on mobile devices. Parameter: AllowBasicAuthActiveSync
MAPI over HTTP (MAPI/HTTP): Used by Outlook 2013 and later. Parameter: AllowBasicAuthMapi
Offline Address Book (OAB): A copy of address list collections that are downloaded and used by Outlook. Parameter: AllowBasicAuthOfflineAddressBook
Outlook Service: Used by the Mail and Calendar app for Windows 10. Parameter: AllowBasicAuthOutlookService
Outlook Anywhere (RPC over HTTP): Used by Outlook 2016 and earlier. Parameter: AllowBasicAuthRpc
Typically, when you block Basic authentication for a user, we recommend that you block Basic authentication for all
protocols. However, you can use the AllowBasicAuth* parameters (switches) on the New-AuthenticationPolicy
and Set-AuthenticationPolicy cmdlets to selectively allow or block Basic authentication for specific protocols.
For email clients and apps that don't support modern authentication, you need to allow Basic authentication for the
protocols and services that they require. These protocols and services are described in the following table:
NOTE
Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see
Create an app password for Office 365.
This example assigns the policy named Block Basic Auth to the user account laura@contoso.com.
Filter user accounts by attributes: This method requires that the user accounts all share a unique
filterable attribute (for example, Title or Department) that you can use to identify the users. The syntax uses
the following commands (two to identify the user accounts, and the other to apply the policy to those users):
This example assigns the policy named Block Basic Auth to all user accounts whose Title attribute contains
the value "Sales Associate".
$SalesUsers = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')}
$Sales = $SalesUsers.MicrosoftOnlineServicesID
$Sales | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}
Use a list of specific user accounts: This method requires a text file to identify the user accounts. Values
that don't contain spaces (for example, the Office 365 work or school account) work best. The text file must
contain one user account on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
policy to those users):
Filter on-premises Active Directory user accounts that are synchronized to Exchange Online: For
details, see the Filter on-premises Active Directory user accounts that are synchronized to Exchange Online
section in this topic.
NOTE
To remove the policy assignment from users, use the value $null for the AuthenticationPolicy parameter on the Set-User
cmdlet.
This example immediately applies the authentication policy to the user laura@contoso.com.
This example immediately applies the authentication policy to multiple users that were previously identified by
filterable attributes or a text file. This example works if you're still in the same PowerShell session and you haven't
changed the variables you used to identify the users (you didn't use the same variable name afterwards for some
other purpose). For example:
or
To view detailed information about a specific authentication policy, use this syntax:
This example returns detailed information about the policy named Block Basic Auth.
Get-AuthenticationPolicy -Identity "Block Basic Auth"
You can use the Get-AuthenticationPolicy cmdlet to see the current status of the AllowBasicAuth* switches in
the policy.
This example enables basic authentication for the POP3 protocol and disables basic authentication for the IMAP4
protocol in the existing authentication policy named Block Basic Auth.
This example configures the authentication policy named Block Basic Auth as the default policy.
NOTE
To remove the default authentication policy designation, use the value $null for the DefaultAuthenticationPolicy
parameter.
For example:
When an authentication policy blocks Basic authentication requests from a specific user for a specific protocol in
Exchange Online, the response is 401 Unauthorized . No additional information is returned to the client to avoid
leaking any additional information about the blocked user. An example of the response looks like this:
After you get the list of groups, you can query which users belong to those groups and create a list based on any of
their attributes. We recommend using the objectGuid attribute because the value is unique for each user.
This example returns the objectGuid attribute value for the members of the group named Developers.
This example sets the Department attribute to the value "Developer" for users that belong to the group named
"Developers".
Use the following syntax in Active Directory PowerShell to verify the attribute was applied to the user accounts
(now or in the past):
This example returns all user accounts with the value "Developer" for the Department attribute.
NOTE
The attribute values for on-premises users are synchronized to Exchange Online only for users that have a valid Exchange
Online license. For more information, see Assign licenses to users in Office 365 for business.
The Exchange Online PowerShell syntax uses the following commands (two to identify the user accounts, and the
other to apply the policy to those users):
$<VariableName1> = Get-User -ResultSize unlimited -Filter <Filter>
$<VariableName2> = $<VariableName1>.MicrosoftOnlineServicesID
$<VariableName2> | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}
This example assigns the policy named Block Basic Auth to all synchronized user accounts whose Department
attribute contains the value "Developer".
$developerUsers = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (department -like '*developer*')}
$developers = $developerUsers.MicrosoftOnlineServicesID
$developers | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}
If you connect to Exchange Online PowerShell in an Active Directory PowerShell session, you can use the
following syntax to apply the policy to all members of an Active Directory group.
This example creates a new authentication policy named Marketing Policy that disables Basic authentication for
members of the Active Directory group named Marketing Department for ActiveSync, POP3, authenticated SMTP,
and IMAP4 clients.
NOTE
A known limitation in Active Directory PowerShell prevents the Get-AdGroupMember cmdlet from returning more than
5000 results. Therefore, the following example only works for Active Directory groups that have less than 5000 members.
Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA)
using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern
authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
When you enable modern authentication in Exchange Online, Outlook 2013 or later clients use modern
authentication to log in to Exchange Online mailboxes. For more information, see How modern authentication
works for Office client apps.
When you disable modern authentication in Exchange Online, Outlook 2013 or later uses basic authentication to
log in to Exchange Online mailboxes. They don't use modern authentication.
Notes:
Modern authentication is enabled by default in Exchange Online, Skype for Business Online and SharePoint
Online.
Enabling or disabling modern authentication in Exchange Online as described in this topic only affects
modern authentication connections by Outlook 2013 or later clients.
Other email clients that support modern authentication (for example, Outlook Mobile, Outlook for Mac
2016, and Exchange ActiveSync in iOS 11 or later) always use modern authentication to log in to Exchange
Online mailboxes, regardless of whether you enable or disable modern authentication for Outlook 2013 or
later clients as described in this topic.
You should synchronize the state of modern authentication in Exchange Online with Skype for Business
Online to prevent multiple log in prompts in Skype for Business clients. For instructions, see Skype for
Business Online: Enable your tenant for modern authentication.
Note that the previous command does not block Outlook 2013 or later clients from using basic
authentication connections.
Run the following command to prevent modern authentication connections (force the use of basic
authentication connections) to Exchange Online by Outlook 2013 or later clients:
3. To verify that the change was successful, run the following command:
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
See also
Using Office 365 modern authentication with Office clients
Monitoring, reporting, and message tracing in
Exchange Online
3/29/2019 • 5 minutes to read
Exchange Online offers many different reports that can help you determine the overall status and health of your
organization. There are also tools to help you troubleshoot specific events (such as a message not arriving to its
intended recipients), and auditing reports to aid with compliance requirements. The following table describes the
reports and troubleshooting tools that are available to Exchange Online administrators.
NOTE
For a mapping of reports from the old Office 365 admin center, see Where did my Office 365 report go?
FEATURE: Usage reports in the Office 365 admin center
DESCRIPTION:
Office 365 groups activity: View information about the number of Office 365 groups that are created and used.
Email activity: View information about the number of messages sent, received and read in your whole organization, and by specific users.
Email app usage: View information about the email apps that are connecting to Exchange Online. This includes the total number of connections for each app, and the versions of Outlook that are connecting.
Mailbox usage: View information about storage used, quota consumption, item count, and last activity (send or read activity) for mailboxes.
WHERE YOU CAN FIND IT: In the Office 365 admin center at https://portal.office.com/adminportal/home, click Reports > Usage. At the top of the dashboard, click Select a report. In the drop-down list that appears, make one of these selections:
Office 365 section: Office 365 groups activity
Exchange section: Email activity, Email app usage, Mailbox usage
FOR MORE INFORMATION:
Office 365 Reports in the admin center - Office 365 groups
Office 365 Reports in the Admin Center - Email activity
Office 365 Reports in the Admin Center - Email apps usage
Office 365 Reports in the Admin Center - Mailbox usage

FEATURE: Security & compliance reports in the Office 365 admin center
DESCRIPTION: These enhanced reports provide an interactive reporting experience for Exchange Online admins, which includes summary information, and the ability to drill down for more details.
Data loss prevention (DLP): View information about DLP policies and rules that affect messages containing sensitive data as they enter and leave your organization.
Note: DLP is only available in certain Exchange Online subscription plans. For information, see the Data Loss Prevention entries in the Exchange Online Service Description.
Advanced Threat Protection (ATP): View information about safe links and safe attachments that are part of ATP.
Note: ATP is available in Office 365 Enterprise E5, but you can also purchase ATP as an add-on to other subscription plans. For more information, see Office 365 Advanced Threat Protection Service Description.
Exchange Online Protection (EOP): View information about malware detections, spoofed mail, spam detections, and mail flow to and from your organization.
WHERE YOU CAN FIND IT: In the Office 365 Security & Compliance Center at https://protection.office.com, click Reports > Dashboard. Select one of the reports that are available on the page:
DLP reports: DLP policy matches and DLP false positives and overrides.
ATP reports: ATP file types, ATP message disposition, and Threat protection status.
EOP reports: Malware detections, Top malware, Top senders and recipients, Spoof mail, Spam detections, and Sent and received mail.
FOR MORE INFORMATION:
View the reports for data loss prevention
View reports for Advanced Threat Protection and Exchange Online Protection

FEATURE: Custom reports using Microsoft Graph
DESCRIPTION: Programmatically create the reports that are available in the Office 365 admin center by using Microsoft Graph
WHERE YOU CAN FIND IT: n/a
FOR MORE INFORMATION: The subtopics of Working with Office 365 usage reports in Microsoft Graph

FEATURE: Custom reports using reporting web services
DESCRIPTION: Programmatically create reports from the available Exchange Online PowerShell reporting cmdlets by using REST/ODATA2 query filtering.
Note: Many of the original Exchange Online PowerShell reporting cmdlets have been deprecated and replaced by similar reports in Microsoft Graph. For more information, see Reporting cmdlets in Exchange Online.
WHERE YOU CAN FIND IT: https://reports.office365.com/ecp/reportingwebservice/reporting.svc
FOR MORE INFORMATION: Office 365 Reporting Web Services

FEATURE: Message trace
DESCRIPTION: Follows email messages as they travel through your Exchange Online organization. You can determine if an email message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
You can use this information to efficiently answer your user's questions, troubleshoot mail flow issues, validate policy changes, and alleviate the need to contact technical support for assistance.
WHERE YOU CAN FIND IT: In the Office 365 admin center at https://portal.office.com/adminportal/home, click Admin centers > Exchange. In the new Exchange admin center page that opens, go to Mail flow > Message trace.
FOR MORE INFORMATION:
Trace an email message
To learn how to use message trace and other tools for troubleshooting, watch the video at Find and fix email delivery issues as an Office 365 for business admin.

FEATURE: Audit logging
DESCRIPTION: Tracks specific changes made by admins to your Exchange Online organization. These reports help you meet regulatory, compliance, and litigation requirements.
WHERE YOU CAN FIND IT: In the Office 365 admin center at https://portal.office.com/adminportal/home, click Admin centers > Exchange Online Protection. In the new Exchange admin center page that opens, go to Compliance management > Auditing.
FOR MORE INFORMATION: Exchange auditing reports
Mail protection detail reports: 90 days. For detail data that's less than 7 days old, data should appear within 24 hours but may not be complete until 48 hours. Some minor incremental changes may occur for up to 5 days. To view detail reports for messages that are greater than 7 days old, results may take up to a few hours.
Message trace data: 90 days. When you run a message trace for messages that are less than 7 days old, the messages should appear within 5-30 minutes. When you run a message trace for messages that are greater than 7 days old, results may take up to a few hours.
NOTE
Data availability and latency is the same whether requested via the Office 365 admin center or remote PowerShell.
Use mail protection reports in Office 365 to view data
about malware, spam, and rule detections
3/4/2019 • 2 minutes to read
If you're an Exchange Online or Exchange Online Protection (EOP) admin, there's a good chance you'd like to
monitor how much spam and malware is being detected, or how often your mail flow rules (also known as
transport rules) are being matched. With the interactive mail protection reports in the Office 365 Security &
Compliance Center, you can quickly get a visual report of summary data, and drill-down into details about
individual messages, for as far back as 90 days.
NOTE
You must be an Office 365 global administrator or have appropriate permissions assigned in order to use the Security &
Compliance Center. For more details, see Permissions in the Office 365 Security & Compliance Center.
Reporting overview
The following table describes the types of reports that are available, how to find them, and where to go to learn
more.
Threat management dashboard (this is also referred to as the Security dashboard and the Threat Intelligence dashboard): Threat detections, malware trends, top targeted users, details about sent and received email messages, and more.
How to find it: In the Security & Compliance Center, go to Threat management > Dashboard.
Learn more: Security dashboard overview

Advanced Threat Protection and email security reports: Email security and threat protection reports (including malware, spam, phishing, and spoofing reports).
How to find it: In the Security & Compliance Center, go to Reports > Dashboard.
Learn more: View reports for Office 365 Advanced Threat Protection; View email security reports in the Security & Compliance Center

Mail flow: Information about sent and received email messages, recent alerts, top senders and recipients, email forwarding reports, and more.
How to find it: In the Security & Compliance Center, go to Mail flow > Dashboard.
Learn more: Mail flow insights in the Office 365 Security & Compliance Center
Related topics
Reports and insights in the Office 365 Security & Compliance Center
Customize and schedule mail protection reports in
Office 365 to be automatically sent to your inbox
3/4/2019 • 2 minutes to read
As an Exchange Online or Exchange Online Protection (EOP) admin, you probably want to keep an eye on your
organization's mail flow, how much spam and malware is being detected, or how often your rules and policies are
being matched. By using mail protection reports, you'll get a quick summary of the messages that Office 365 has
delivered or rejected based on spam or malware characteristics, rules, or data loss prevention (DLP) policies.
You can choose to either schedule mail protection reports to be sent to your inbox automatically, or you can view
them any time in the Office 365 Security & Compliance Center.
To get started customizing and downloading reports, see the following resources:
Set up and download a custom report in the Security & Compliance Center
Download existing reports in the Security & Compliance Center
Manage schedules for multiple reports in the Security & Compliance Center
Related topics
Smart reports and insights in the Security & Compliance Center
View email security reports in the Security & Compliance Center
Mail flow insights in the Office 365 Security & Compliance Center
What happened to delivery reports in Office 365?
3/4/2019 • 2 minutes to read
Delivery reports was a feature in Office 365 that allowed users and administrators to discover and view delivery
information about messages.
In Office 365, delivery reports for administrators has been replaced by message trace. For more information, see
these topics:
Using Message Trace
Trace an email message
Currently, there's no direct replacement for delivery reports for users, so the delivery report links in Outlook and
Outlook on the web don't go anywhere.
Notes
Delivery reports for users and administrators are still available in on-premises Exchange environments. For
more information, see Track messages with delivery reports.
Read receipts and delivery notifications aren't related to delivery reports, and are still available in Office 365.
For more information, see Add and request read receipts and delivery notifications.
Trace an email message
3/4/2019 • 2 minutes to read
Sometimes an email message gets lost in transit, or it can take a lot longer than expected for delivery, and your
users can wonder what happened. As an administrator, you can use the message trace feature to follow messages
as they pass through your Exchange Online or Exchange Online Protection service. With message tracing, you can
determine whether a targeted email message was received, rejected, deferred, or delivered by the service. It also
shows what events have occurred to the message before reaching its final status. Getting detailed information
about a specific message lets you efficiently answer your user's questions, troubleshoot mail flow issues, validate
policy changes, and alleviate the need to contact technical support for assistance.
TIP
For troubleshooting general issues and trends, use the reports in the Office 365 admin center or the Excel reporting
workbook. For single point specifics where details are needed about a message, use the message trace tool.
Run a Message Trace and View Results describes how to run a message trace to narrow down your search criteria.
It also describes how to view message trace results, and how to view details about a specific message.
The Message Trace FAQ topic presents common messaging questions that arise and how to best answer these
questions using the message trace tool.
Run a message trace and view the results in the Exchange admin center
3/4/2019 • 18 minutes to read
NOTE
Message trace is available in the Office 365 Security & Compliance Center. For more information, see Message trace in the Office 365 Security & Compliance Center.
As an administrator, you can find out what happened to an email message by running a message trace in the Exchange admin center (EAC). After running the
message trace, you can view the results in a list, and then view the details about a specific message. Message trace data is available for the past 90 days. If a message
is more than 7 days old, you can only view the results in a downloadable .CSV file.
For a video walkthrough of message trace and other mail flow troubleshooting tools, see Find and fix email delivery issues as an Office 365 for business admin.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection. If you're an Office 365 for business admin, you can contact
Office 365 for business support.
2. Depending on what you're searching for, you can enter values in the following fields. None of these fields are required for messages that are less than 7 days
old. You can simply click Search to retrieve all message trace data over the default time period, which is the past 48 hours.
3. Date range: Using the drop-down list, select to search for messages sent or received within the past 24 hours, 48 hours, or 7 days. You can also select a
custom time frame that includes any range within the past 90 days. For custom searches you can also change the time zone, in Coordinated Universal Time
(UTC).
4. Delivery status: Using the drop-down list, select the status of the message you want to view information about. Leave the default value of All to cover all
statuses. Other possible values are:
Delivered: The message was successfully delivered to the intended destination.
Failed: The message was not delivered. Either it was attempted and failed or it was not delivered as a result of actions taken by the filtering service. For
example, if the message was determined to contain malware.
Pending*: Delivery of the message is being attempted or re-attempted.
Expanded: The message was sent to a distribution list and was expanded so the members of the list can be viewed individually.
Unknown*: The message delivery status is unknown at this time. When the results of the query are listed, the delivery details fields will not contain any
information.
*If you're searching for messages that are older than 7 days, you can't select Pending or Unknown.
3. Message ID: This is the Internet message ID (also known as the Client ID) found in the message header in the Message-ID: header field. Users can provide you
with this information in order to investigate specific messages.
The form of this ID varies depending on the sending mail system. The following is an example: `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>`.
This ID should be unique; however, not all sending mail systems behave the same way. As a result, there's a possibility that you may get results for multiple
messages when querying upon a single Message ID.
Note: Be sure to include the full Message ID string. This may include angle brackets (<>).
4. Sender: You can narrow the search for specific senders by clicking the Add sender button next to the Sender field. In the subsequent dialog box, select one or
more senders from your company from the user picker list and then click Add. To add senders who aren't on the list, type their email addresses and click
Check names. In this box, wildcards are supported for email addresses in the format: *@contoso.com. When specifying a wildcard, other addresses can't be
used. When you're done with your selections, click OK.
5. Recipient: You can narrow the search for specific recipients by clicking the Add recipient button next to the Recipient field. In the subsequent dialog box,
select one or more recipients from your company from the user picker list and then click Add. To add recipients who aren't on the list, type their email
addresses and click Check names. In this box, wildcards are supported for email addresses in the format: *@contoso.com. When specifying a wildcard, other
addresses can't be used. When you're done with your selections, click OK.
6. If you're searching for messages that are older than 7 days, configure the following settings (otherwise you can skip this step):
7. Include message events and routing details with report: We recommend selecting this check box only if you're looking for a small number of messages.
Otherwise, the results will take longer to return.
8. Direction: Leave the default All or select Inbound for messages sent to your organization or Outbound for messages sent from your organization.
9. Original client IP address: Specify the IP address of the sender's client.
10. Report title: Specify the unique identifier for this report. This will also be used as the subject line text for the email notification. The default is "Message trace
report <day of the week>, <current date> <current time>". For example, "Message trace report Thursday, October 17, 2018 7:21:09 AM".
11. Notification email address: Specify the email address that you want to receive the notification when the message trace completes. This address must reside
within your list of accepted domains.
12. Click Search to run the message trace. You'll be warned if you're nearing the threshold of the number of traces you're allowed to run over a 24 hour period.
After running your message trace, proceed to one of the next sections to read about how to view your results.
Note: To search for a different message, you can click the Clear button and then specify new search criteria.
View message trace results for messages less than 7 days old
After you run a message trace in the EAC, the results will be listed, sorted by date, with the most recent message appearing first. You can sort on any of the listed
fields by clicking their headers. Clicking a column header a second time will reverse the sort order. When viewing message trace results, the following information is
provided about each message:
Date: The date and time at which the message was received by the service, using the configured UTC time zone.
Sender: The email address of the sender in the form alias@domain .
Recipient: The email address of the recipient or recipients. For messages sent to more than one recipient, there is one line per recipient. If the recipient is a
distribution list, the distribution list will be the first recipient, and then each member of the distribution list will be included on a separate line so that you can
check the status for all recipients.
Subject: The subject line text of the message. If necessary, this is truncated to the first 256 characters.
Status: This field specifies whether the message was Delivered to the recipient or the intended destination, Failed to be delivered to the recipient (either
because it failed to reach its destination or because it was filtered), is Pending delivery (it is either in the process of being delivered or the delivery was
deferred but is being re-attempted), was Expanded (there was no delivery because the message was sent to a distribution list (DL) that was expanded to the
recipients of the DL), or has a status of None (there is no status of delivery for the message to the recipient because the message was either rejected or
redirected to a different recipient).
NOTE
The message trace can display a maximum of 500 entries. By default, the user interface displays 50 entries per page, and you can navigate through the pages. You can also change the
entry size of each page up to 500.
TIP
Additional events may appear; for more information about these, see the "Event types in the message tracking log" section in Message Tracking.
Action: This field shows the action that was performed if the message was filtered due to a malware or spam detection or a rule match. For example, it will let
you know if the message was deleted or if it was sent to the quarantine.
Detail: This field provides detailed information that elaborates on what happened. For example, it may inform you which specific mail flow rule (also known as
a transport rule) was matched, and what happened to the message as a result of that match. It can also inform you which specific malware was detected in
which specific attachment, or why a message was detected as spam. If the message was successfully delivered, it can tell you the IP address to which it was
delivered.
View message trace results for messages more than 7 days old
If you run a message trace for items that are older than 7 days, when you click Search a message should appear letting you know that the message was successfully
submitted, and that an email notification will be sent to the supplied email address when the trace has completed. (If the message trace is processed and data that
matches your search criteria is successfully retrieved, this notification message will include information about the trace and a link to the downloadable .CSV file. If no
data was found that matched the search criteria you specified, you'll be asked to submit a new request with changed criteria in order to obtain valid results.)
In the EAC, you can click View pending or completed traces in order to view a list of traces that were run for items that are older than 7 days. In the resulting UI, the
list of traces is sorted based on the date and time that they were submitted, with the most recent submissions appearing first. In addition to the report title, the date
and time the trace was submitted, and the number of messages in the report, the following status values are listed:
Not started: The trace was submitted but is not yet running. At this point, you have the option to cancel the trace.
Cancelled: The trace was submitted but was cancelled.
In progress: The trace is running and you can't cancel the trace or download the results.
Completed: The trace has completed and you can click Download this report to retrieve the results in a .CSV file. Note that if your message trace results
exceed 5000 messages for a summary report, it will be truncated to the first 5000 messages. If your message trace results exceed 3000 messages for a
detailed report, it will be truncated to the first 3000 messages. If you do not see all the results that you need, we recommend that you break your search out into
multiple queries.
When you select a specific message trace, additional information appears in the right pane. Depending on what search criteria you specified, this may include details
such as the date range for which the trace was run, and the sender and intended recipients of the message.
NOTE
Message traces containing data that is more than 7 days old are automatically deleted in the EAC after 10 days. They can't be manually deleted.
View report details about a specific message more than 7 days old
When you download and view a message trace report, either from View pending or completed traces in the EAC or from a notification email, its contents depend
on whether you have selected the Include message events and routing details with report option.
IMPORTANT
In order to view the downloaded message trace report, you must have the "View-Only Recipients" RBAC role assigned to your role group. By default, the following role groups have
this role assigned: Compliance Management, Help Desk, Hygiene Management, Organization Management, View-Only Organization Management.
LOG INFORMATION    DESCRIPTION
SCL=<number>: For more information about the different SCL values and what they mean, see Spam Confidence Levels.
DI=SJ: The message was sent to the recipient's Junk Email folder.
DI=SN: The message was routed through the higher risk delivery pool. For more information, see Higher risk delivery pool for Outbound Messages.
IPV=CAL: The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.
When a message is filtered for spam, a sample custom_data entry would look similar to the following:
S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;
AMA=SUM|v=1| or AMA=EV|v=1|: The message was determined to contain malware. SUM denotes that the malware could've been detected by any number of engines. EV denotes that the malware was detected by a specific engine. When malware is detected by an engine this triggers the subsequent actions.
When a message contains malware, a sample custom_data entry would look similar to the following:
S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201307282038|name=Test_File|file=filename
St=[datetime]: The date and time (in UTC) when the rule match occurred.
Action=[ActionDefinition]: The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online.
When a message matches a mail flow rule, a sample custom_data entry would look similar to the following:
S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2013 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce
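The custom_data format shown in the three samples above can be split into objects for triage once the report .CSV is downloaded. This is an added example, not code from the original documentation: the function names `ConvertFrom-TraceCustomData` and `Get-TraceFinding` are hypothetical, the input strings are the page's own samples, and only the fields the page describes are interpreted.

```powershell
# Added example: parse message trace custom_data strings into objects.
# Fields that this page does not describe are kept as raw name/value pairs.

function ConvertFrom-TraceCustomData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string] $CustomData
    )
    process {
        # Entries are separated by ';' and each one starts with 'S:'.
        foreach ($entry in ($CustomData -split ';')) {
            $entry = $entry.Trim()
            if ($entry.Length -eq 0) { continue }
            if (-not $entry.StartsWith('S:')) {
                Write-Warning "Skipping entry without 'S:' prefix: $entry"
                continue
            }
            # [ordered]@{} keeps field order and matches names case-insensitively.
            $fields = [ordered]@{}
            foreach ($pair in ($entry.Substring(2) -split '\|')) {
                if ($pair.Length -eq 0) { continue }      # empty segment from a trailing '|'
                $name, $value = $pair -split '=', 2       # split on the first '=' only
                if (-not $fields.Contains($name)) {
                    $fields[$name] = [System.Collections.Generic.List[string]]::new()
                }
                $fields[$name].Add([string] $value)       # names such as SFS and LAT repeat
            }
            if ($fields.Count -eq 0) { continue }
            $agent = @($fields.Keys)[0]                   # first pair identifies the entry, e.g. SFA=SUM
            [pscustomobject]@{
                Agent  = $agent
                Type   = $fields[$agent][0]
                Fields = $fields
            }
        }
    }
}

function Get-TraceFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Entry)
    process {
        $f = $Entry.Fields
        # First value of a field, or '' when the field is absent.
        $first = { param($n) if ($f.Contains($n)) { $f[$n][0] } else { '' } }
        $notes = [System.Collections.Generic.List[string]]::new()

        switch ($Entry.Agent) {
            'SFA' {   # spam filtering entry
                if ($f.Contains('SCL')) { $notes.Add("SCL=$(& $first 'SCL')") }
                if ($f.Contains('IPV') -and $f['IPV'] -contains 'CAL') {
                    $notes.Add('allowed through the spam filters by an IP Allow list (IPV=CAL)')
                }
                switch (& $first 'DI') {
                    'SJ' { $notes.Add('sent to the Junk Email folder (DI=SJ)') }
                    'SN' { $notes.Add('routed through the higher risk delivery pool (DI=SN)') }
                }
            }
            'AMA' {   # malware entry: SUM is the summary, EV is one engine's detection
                if ($Entry.Type -eq 'EV') {
                    $notes.Add("engine '$(& $first 'engine')' detected '$(& $first 'name')' in file '$(& $first 'file')'")
                } else {
                    $notes.Add('message was determined to contain malware (summary entry)')
                }
            }
            'TRA' {   # mail flow rule entry
                $notes.Add("rule $(& $first 'ruleId') matched at $(& $first 'st') (UTC), action=$(& $first 'action'), mode=$(& $first 'mode')")
            }
            default { $notes.Add('not interpreted by this example') }
        }
        [pscustomobject]@{
            Agent   = $Entry.Agent
            Type    = $Entry.Type
            Finding = $notes -join '; '
        }
    }
}

# The three sample custom_data strings from this page.
$samples = @(
    'S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;'
    'S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201307282038|name=Test_File|file=filename'
    'S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2013 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce'
)
$samples | ConvertFrom-TraceCustomData | Get-TraceFinding | Format-List
```

Entries that report IPV=CAL are worth reviewing against the connection filter's IP Allow list, because those messages were allowed through the spam filters.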
For more information
Message Trace FAQ presents messaging questions that a user may have, along with possible answers. It also describes how to use the message trace tool in order to
get those answers and troubleshoot specific mail delivery issues.
Can I run a message trace via Exchange Online PowerShell or Exchange Online Protection PowerShell? What are the cmdlets to use? gives information about the
PowerShell cmdlets that you can use to run a message trace.
Message Trace FAQ
3/29/2019 • 12 minutes to read
This topic presents messaging questions that a user may have, along with possible answers. It also describes how
to use the message trace tool in order to get those answers and troubleshoot specific mail delivery issues.
How long does it take to see results when running a message trace?
In the Exchange admin center (EAC), the search results appear immediately for messages that are less than
7 days old.
In the Office 365 Security & Compliance Center, the search results appear immediately for messages that
are less than 10 days old.
When you run a message trace for older messages, the results are returned within a few hours as a downloadable
CSV file.
Why didn't someone receive my message or why did I get this non-delivery report (also known as an NDR or bounce message)?
Possible reasons include the following:
The message was detected as spam.
The message was sent to quarantine due to a rule match.
The message was re-routed because a connector sent it to another destination.
The message was rejected
  By the malware filter
    Because a file attached to the message contained malware
    Because the message body contained malware
  By a rule
    Because the action was Reject
    Because the action was Force TLS and TLS failed to be established
  By a connector because TLS was required and failed to be established
The message was sent for moderation and is awaiting approval or was rejected by the moderator.
The message was never sent.
The message is still being processed because there was a previous failure and the service is re-attempting delivery.
The message failed to be delivered to the destination
  Because the destination is not reachable
  Because the destination rejected the message
  Because the message timed out during the delivery attempt
The message was delivered to the destination but it was deleted before it was accessed (perhaps because it matched a rule).
To find out what happened:
Run a message trace. Use as many search criteria as possible to narrow down the results. For example, you should
know the sender and the intended recipient or recipients of the message, and the general time period when the
message was sent.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old).
Look for a delivery status of Failed or Pending to explain why the message was not delivered. Confirm that the
message was sent, that it was successfully received by the service, that it was not filtered, redirected, or sent for
moderation, and that it did not experience any delivery failures or delays. If the destination is not reachable, you
can use the To IP to help troubleshoot connectivity issues.
Which mail flow rule (also known as a transport rule) or DLP policy was
applied to a message?
To find out which mail flow rule (custom policy rule) or data loss prevention (DLP) policy (Exchange Online
customers only) was applied to a message, run a message trace. Use as many search criteria as possible to narrow
down the results. Set the delivery status to Failed.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old).
If the message was not delivered because its contents matched a rule, the events section will let you know the
name of the mail flow rule that was matched. You will also be informed of the action that occurred as a result of
the mail flow rule match, for example if the message was quarantined, rejected, redirected, sent for moderation,
decrypted, or any number of other possible options. For information about how to create Exchange mail flow rules
and set actions for them, see Mail flow rules (transport rules) in Exchange Online.
When I run a message trace it returns rule ID -1. What does this mean?
Rule ID -1 is returned when the message trace encounters a mail flow rule that no longer exists. (The mail flow rule
could have been modified or deleted after the original message was sent.)
One of the questions we often hear is "How does Exchange Online back up my data?" You may be asking this
because you're concerned about how to recover your data if there is a failure. Or, you may be wondering how to
recover your data if it gets accidentally deleted. This topic answers these questions.
NOTE
You can get the latest information related to a service interrupting event by logging into the Service Health Dashboard. For
more information, see View the status of your services.
If you're using Outlook to access your Office 365 email account or another Exchange-based email account, and
you're having problems, we want to get you back to sending and receiving email as quickly as possible.
NOTE
If you're looking for help with Outlook.com, check out Help for Outlook.com. If you're looking for help with Outlook for
Mac, check out Outlook 2016 for Mac Help.
The Support and Recovery Assistant app can help you identify and fix several issues for the following apps and
services:
Office setup
Outlook
Outlook for Mac 2016 or Outlook for Mac 2011
Mobile devices
Outlook on the web for business
Microsoft Dynamics CRM Online
Exchange Online
OneDrive for Business
The following video shows how to use Support and Recovery Assistant to run diagnostic tests:
By default, Support and Recovery Assistant for Office 365 collects diagnostic logs to help troubleshoot problems in
the following scenarios:
Support and Recovery Assistant sometimes collects diagnostic logs when the tool fails to solve a user's
problem.
Support and Recovery Assistant collects diagnostic logs when a user chooses to run advanced diagnostics.
Typically this happens at the request of an admin or Microsoft support engineer.
Office 365 uses diagnostic logs to improve the tool to provide better troubleshooting in the future. Microsoft
support engineers can also use these logs to analyze your user's specific issue more thoroughly. As an admin, you
can make a registry edit to prevent users from collecting diagnostic logs if your organization wants to limit data
sharing.
Caution
Registry Editor is a tool intended for advanced users. Follow the steps in this article carefully to make sure you only
make changes to data collection for Support and Recovery Assistant. Before making changes to the registry, create
a backup in case something goes wrong. For more information about creating a backup, see How to back up and
restore the registry in Windows.
Related articles
Fix Outlook and Office 365 issues with Microsoft Support and Recovery Assistant for Office 365
Microsoft Support and Recovery Assistant
Find and fix email delivery issues as an Office 365 for
business admin
3/4/2019 • 7 minutes to read
When users report that they aren't getting email, it can be hard to find what's wrong. You might run through
several troubleshooting scenarios in your mind. Is something wrong with Outlook? Is the Office 365 service
down? Is there a problem with mail flow or spam filter settings? Or is the problem due to something that's outside
your control, like the sender is on a global block list? Fortunately, Office 365 provides powerful automated tools
that can help you find and fix a variety of problems.
Watch the following video for more information about how to use Support and Recovery Assistant app.
If Support and Recovery Assistant app doesn't fix the email delivery
issue, try these admin tools
As an Office 365 for business admin, you have access to several tools that can help you investigate why users can't
get email. The following video gives a brief overview of the tools available to you.
The following tools are listed from the quickest to the most in-depth option.
Check Office 365 service health for Exchange Online issues - 5 minutes
The service health page lists the status of Office 365 services and indicates if there have been any recent service
incidents. Use the following steps to check the service health.
1. Sign in to Office 365 for business with your work or school account.
2. Select the app launcher icon in the upper-left and choose Admin.
TIP
Admin appears only to Office 365 administrators.
Can't find the app you're looking for? From the app launcher, select All apps to see an alphabetical list of
the Office 365 apps available to you. From there, you can search for a specific app.
3. Under Service health, go to View the service health.
If there is an indication that the Exchange Online service is degraded, email delivery might be delayed for your
organization, and Microsoft service engineers are already working to restore service. Check the service
health page for progress updates. In this case, you don't need to open a service request because Microsoft is
already working to resolve the issue.
Use message trace for in-depth email delivery troubleshooting - 15 minutes
Sometimes an email message gets lost in transit, or it can take a lot longer than expected for delivery, and your
users can wonder what happened. The message trace feature lets you follow messages as they pass through your
Exchange Online service. Getting detailed information about a specific message lets you efficiently answer your
user's questions, troubleshoot mail flow issues, validate policy changes, and can prevent you from needing to
contact technical support for assistance.
Open the message trace tool
If you're an Office 365 Midsize Business, Office 365 Business, or Office 365 Enterprise admin, you access and run
the message trace tool through the Exchange admin center. To get there, do the following:
1. Sign in to Office 365 for business with your work or school account.
2. Select the app launcher icon in the upper-left and choose Admin.
TIP
Admin appears only to Office 365 administrators.
Can't find the app you're looking for? From the app launcher, select All apps to see an alphabetical list of
the Office 365 apps available to you. From there, you can search for a specific app.
3. Go to Exchange.
To search for a different message, you can click the Clear button on the message trace page, and then specify new
search criteria.
View the results of a message trace that is greater than 7 days old
Message traces for items more than 7 days old are only available as a downloadable .CSV file. Because data about
older messages is stored in a different database, message traces for older messages can take up to an hour. To
download the .CSV file, do one of the following.
Click the link inside the email notification that is sent when the trace is completed.
To view a list of traces that were run for items that are more than 7 days old, click View pending or
completed traces in the message trace tool.
In the resulting UI, the list of traces is sorted based on the date and time that they were submitted, with the
most recent submissions appearing first.
When you select a specific message trace, additional information appears in the right pane. Depending on
what search criteria you specified, this may include details such as the date range for which the trace was
run, and the sender and intended recipients of the message.
NOTE
Message traces containing data that is greater than 7 days old are automatically deleted. They cannot be manually deleted.
You're reading a collection of conceptual and procedural topics organized by subject or by technologies used by
Microsoft Exchange. You can access each topic directly from the table of contents in the left pane, from a link in
another Help topic, from the results of a search, or from your own custom list of favorite topics.
Other information related to Exchange documentation is in Third-Party Copyright Notices.
Additional resources
Looking for more than just documentation? Check out these other Exchange resources:
Exchange Server Downloads Use this page to download service packs, add-ins, tools, and trial software to
help you optimize your Exchange organization.
Exchange Server Forums The forum provides a place to discuss Exchange with users and Exchange Team
members.
Exchange Server for Developers You'll find Exchange developer documentation here.
Support for Microsoft Exchange Server Check out this page for support resources for multiple versions of
Exchange.
Accessibility for People with Disabilities_E15 This topic provides important information about features,
products, and services that help make Microsoft Exchange more accessible for people with disabilities.
Accessibility in Exchange Online
3/4/2019 • 2 minutes to read
Microsoft wants to provide the best possible experience for all customers, including customers with disabilities.
This article contains links to articles written for people who use the screen reader JAWS from Freedom Scientific or
who use Narrator, the screen reader built-in to Windows 10.
These articles provide help that depends only on specified keyboard shortcuts and a screen reader.
The Exchange admin center (EAC) in Exchange Online includes accessibility features that make it easy for users
with limited dexterity, low vision, or other disabilities to work with files. This means you can use keyboard
shortcuts, a screen reader, or a speech recognition tool to work with the EAC.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office
365 subscription and admin role to work in the EAC. Then, open the EAC and get started. For more information
about the EAC, see Exchange admin center in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn
more about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up
windows for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
Use a screen reader to open the Exchange admin center
and check that your Office 365 global administrator has assigned you to any admin role group, for example,
Organization Management. You know you are assigned to at least one admin role group if you can open the
EAC. Learn how to Use a screen reader to identify your admin role in the Exchange admin center.
You can use a screen reader with the Exchange admin center (EAC) in Exchange Online to carry out administrative
tasks. The EAC works with Narrator, the built-in screen reader in Windows, or JAWS, a third-party screen reader.
These screen readers convert text to speech to read the contents of the EAC window.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started. For more information about
the EAC, see Exchange admin center in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
Use a screen reader to open the Exchange admin center
and check that your Office 365 global administrator has assigned you to any admin role group, for example,
Organization Management. You know you are assigned to at least one admin role group if you can open the EAC.
Learn how to Use a screen reader to identify your admin role in the Exchange admin center.
TO DO THIS: Move within lists from one item to another
PRESS: The Up Arrow key, the Down Arrow key, Home, End, Page Up, or Page Down
Note: You can also use the Up Arrow key, the Down Arrow key, the Left Arrow key, or the Right Arrow key to move between option buttons or within a group of check boxes.
Create mailboxes in the Exchange admin center (EAC) for any printer, projector, or other device that's attached to
your corporate network by using your keyboard and any screen reader.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans; however, capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new equipment mailbox, Use a screen reader to open the Exchange admin center and check that your
Office 365 global administrator has assigned you to the Organization Management admin role group. Learn how
to Use a screen reader to identify your admin role in the Exchange admin center.
8. Type in the name of the device and, to move to the Email Address box, press the Tab key. You hear "Email
address."
TIP
This name will appear in users' Outlook Address Book. To make rooms easier for users to find, use a consistent
naming convention within your organization.
9. The email address is also required. Type in the first portion of the email address (before the at sign) and, to
get to the domain drop-down list, press the Tab key. You hear the selected domain option.
10. If the default selection in the domain drop-down menu is not the domain you want to choose, to access
other available domains, press the Down Arrow key. As you move through the available options, you hear
the domain name and suffix. When you find the domain you want to use, to select it, press Enter.
TIP
You cannot type any values into the domain box. It is a prepopulated drop-down list. To add domains to that drop-down list,
contact your Office admin.
11. To go to the Save button, press the Tab key. You hear "Save."
12. Press Enter. This saves the mailbox you created with the values you assigned, and the pop-up window
closes, returning you to the Resources list on the Resources tab. The focus is on the New Mailbox button.
You hear "New mailbox."
TIP
It may take a few minutes to save the new mailbox and close the pop-up window. You do not hear any additional feedback
during this wait time.
If you want to add additional information to your new room mailbox, learn about all the options available in Use a
screen reader to use mailbox properties and options in EAC on Exchange Online.
Using a screen reader with Exchange Online, you can use the Exchange admin center (EAC) to set up a mail
contact, a mail-enabled directory service object containing information about a person or entity that exists
outside of your Exchange Online organization. Each mail contact has an external email address. For more
information about mail contacts, refer to the Recipients TechNet article.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new mail contact, use a screen reader to open the EAC and check that your Office 365 global
administrator has assigned you to the Organization Management and Recipient Management admin group. Learn
how to Use a screen reader to identify your admin role in the Exchange admin center.
Add a mailbox for conference rooms in the Exchange admin center (EAC), by using keyboard shortcuts and your
screen reader.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans; however, capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new room mailbox, Use a screen reader to open the Exchange admin center and check that your Office
365 global administrator has assigned you to the Organization Management admin role group. Learn how to
Use a screen reader to identify your admin role in the Exchange admin center.
TIP
This name will appear in users' Outlook Address Books. To make rooms easier for users to find, use a consistent
naming convention within your organization.
9. The email address is also required. Type in the first portion of the email address (before the at sign) and, to
get to the domain drop-down list, press the Tab key. You hear the selected domain option.
10. If the default selection in the domain drop-down menu is not the domain you want to choose, to access
other available domains, press the Down Arrow key. As you move through the available options, you hear
the domain name and suffix. When you find the domain you want to use, to select it, press Enter.
TIP
You cannot type any values into the domain box. It is a prepopulated drop-down list. To add domains to that drop-down list,
contact your Office admin.
11. To go to the Save button, press the Tab key. You hear "Save."
12. Press Enter. This saves the mailbox you created with the values you assigned, and the pop-up window
closes, returning you to the Resources list on the Resources tab. The focus is on the New Mailbox button.
You hear "New mailbox."
TIP
It may take a few minutes to save the new mailbox and close the pop-up window. You do not hear any additional feedback
during this wait time.
If you want to add additional information to your new room mailbox, learn about all the options available in Use a
screen reader to use mailbox properties and options in EAC on Exchange Online.
You can use your screen reader to create a shared mailbox in the Exchange admin center (EAC) in Exchange
Online. Shared mailboxes make it easy for a group of people in your organization to monitor and send email from
a common account, such as info@contoso.com or support@contoso.com. When a person in the group replies to a
message sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not from the individual
user. Learn more about shared mailboxes.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this topic, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new shared mailbox, Use a screen reader to open the Exchange admin center and check that your Office
365 global administrator has assigned you to the Organization Management and Recipient Management admin
role groups. Learn how to Use a screen reader to identify your admin role in the Exchange admin center.
Using a screen reader with the Exchange admin center (EAC) in Exchange Online, you can add and remove
members of a distribution group.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Use a screen reader to identify your admin role in the Exchange admin center.
You can use your screen reader in the Exchange admin center (EAC) to enable or disable archiving of items in an
Exchange Online mailbox. You can also use your screen reader in the EAC to apply retention policies to mailboxes.
Learn more about the archive mailboxes in Exchange Online.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
For more information about creating distribution groups, refer to Use a screen reader to create a new distribution
group in the Exchange admin center.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ by
plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Use a screen reader to identify your admin role in the Exchange admin center.
Tip: If you want to enable archiving for additional users, move the focus back to the list of mailboxes by
pressing Ctrl+Shift+F6. Select the name you want by pressing the Down Arrow key or the Up Arrow
key, and repeat steps 7 through 9.
Note: For more information, go to Enable or disable an archive mailbox in Exchange Online.
Accessibility information
The Microsoft Accessibility website provides more information about assistive technology. A free monthly
electronic newsletter is available to help you stay current with accessibility topics about Microsoft products. To
subscribe, visit the Microsoft Accessibility Update Newsletter Subscription page.
Technical support for customers with disabilities
Microsoft wants to provide the best possible experience for all our customers. If you have a disability or have
questions related to accessibility, please contact the Microsoft Disability Answer Desk for technical assistance.
The Disability Answer Desk support team is trained in using many popular assistive technologies and can offer
assistance in English, Spanish, French, and American Sign Language. Please visit the Microsoft Disability Answer
Desk site to find the contact details for your region.
Use a screen reader to configure collaboration in the
Exchange admin center in Exchange Online
3/4/2019 • 8 minutes to read
You can use your screen reader in the Exchange admin center (EAC) in Exchange Online to configure different
methods of collaboration. These methods might include public folders, distribution groups, shared mailboxes, or—
in conjunction with SharePoint—site mailboxes.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange admin center.
TIP
Public folder mailboxes contain the hierarchy information plus the content for public folders. The first public folder
mailbox you create becomes the primary mailbox, which contains the one writable copy of the public folder hierarchy.
Any additional public folder mailboxes you create will be secondary mailboxes, which contain a read-only copy of the
hierarchy.
7. Tab to the Save button and press Enter. It might take up to a minute for the public folder mailbox to be
created, after which you hear an alert that says the mailbox will be available in approximately 15 minutes.
8. With the focus on the OK button, press Enter. The new public folder mailbox is added to the public folder
mailboxes list view.
Learn more about creating public folders.
Create a public folder
After you create a public folder mailbox, you can add a public folder.
1. With the focus in the public folder mailboxes list view, to move to the menu bar, press Ctrl+Shift+F6 twice.
You hear "Public folders, Secondary navigation link." Press Enter.
2. To move to the toolbar, press Ctrl+F6. You hear "New public folder button." Press Enter. This creates a
public folder at the root level in the public folder's hierarchy.
TIP
You can create a subfolder within an existing public folder. First, with the focus in the public folders list view, to select
the parent folder, press the Down Arrow key or the Up Arrow key, and then press the Tab key. To open the folder,
press Enter. Then, to move to the toolbar, press Ctrl+Shift+F6. Select the New public folder button, which has the
focus, press Enter, and then go on to Step 3. (If you want to move back to the parent folder, on the toolbar, tab to
the Go to the parent folder button and press Enter.)
3. In the Public Folder dialog box which opens, the Name text box has the focus. Type the name for your
public folder.
4. To move to the Path text box, press the Tab key. In this read-only text box, you hear the path for the public
folder. For example, if you're creating a public folder at the root level, you hear "Backslash."
5. Tab to the Save button and press Enter. The name of the new public folder is added to the public folders list
view.
Add users of a public folder
After you create a public folder, specify the users who can access it. Also specify these users' roles in the public
folder, including their read-write permissions.
1. With the focus in the public folders list view, to select the public folder you want to add users to, press the
Up Arrow key or the Down Arrow key.
2. To move to the details pane, press Ctrl+F6. The mail settings Enable link has the focus.
3. To move to the folder permissions Manage link, press the Tab key and then press Enter.
4. In the Public Folder Permissions dialog box which opens, the Add button has the focus. Press Enter.
5. In the dialog box which opens, the Browse button has the focus. Press Enter.
6. In the Select Recipient dialog box which opens, the Search text box has the focus. You hear "Filter or
search edit." Type all or part of the name of the first user you want to add to the shared mailbox and then, to
search for the name, press Enter.
7. Press the Tab key about six times until you hear the name of the user in the search results list. Press Enter.
TIP
If the search results list includes multiple names, press the Up Arrow key or the Down Arrow key until you hear the
name you want. Press Enter.
8. Tab to the Permission level combo box. The default permission level is Publishing Editor, which allows
selected users to create items and subfolders, read items, and edit or delete all items. Other permission
levels include Reviewer, Contributor, Non Editing Author, Author, Editor, Publishing Author, and
Owner. You can also create a custom permission level.
9. To select the permission level for the selected user, press the Up Arrow key or the Down Arrow key.
TIP
To review the rights allowed for a permission level, press the Tab key through the 10 check boxes that specify the
rights for the selected permission level. If you change a check box setting, the permission level changes to Custom. If
you select the Custom permission level, all check boxes are cleared for you to select what you want.
10. Tab to the Save button and press Enter. The user and associated permission level are saved and added to
the table of users in the Public Folder Permissions dialog box.
11. To add another user, activate the Add button, which has the focus, by pressing Enter. Repeat steps 5
through 10. Do this for all users you want to add to the new public folder.
12. When you finish adding users, in the Public Folder Permissions dialog box, tab to the Save button and
press Enter. Wait several seconds for the information to be saved. An alert specifies that the save operation
is complete, and you hear "Close button." To close the alert, press Enter. The public folders main page view
has the focus again.
NOTE
Public folders have size limits, and subfolders inherit permission settings from parent folders in specific ways. In addition, you
can enable mail settings for a public folder. Learn more about creating public folders.
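The permission assignment above can also be made and reviewed from Exchange Online PowerShell. The following is an added example, not part of the original article: it grants a narrower level than the default Publishing Editor and then lists every public folder entry whose level allows deleting all items. It assumes an already connected Exchange Online PowerShell session; the folder path and user are placeholders.

```powershell
# Added example, not from the original article.
# Assumes an already connected Exchange Online PowerShell session.
# '\Example Folder' and 'user@example.com' are placeholders.
$folder = '\Example Folder'
$user   = 'user@example.com'

# Grant Author (create and read items, edit and delete own items) instead of
# accepting the default Publishing Editor, which can edit or delete all items.
Add-PublicFolderClientPermission -Identity $folder -User $user -AccessRights Author

# Show the resulting entries for this folder, including Default and Anonymous.
Get-PublicFolderClientPermission -Identity $folder |
    Format-Table User, AccessRights -AutoSize

# Review the whole hierarchy: report every entry whose permission level
# includes the right to delete all items in the folder.
$broadLevels = 'Owner', 'PublishingEditor', 'Editor'

Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited |
    ForEach-Object {
        $path = $_.Identity
        Get-PublicFolderClientPermission -Identity $path |
            Where-Object {
                # AccessRights is a collection; match any broad level in it.
                $_.AccessRights | Where-Object { $broadLevels -contains "$_" }
            } |
            Select-Object @{ Name = 'Folder'; Expression = { "$path" } }, User, AccessRights
    } |
    Sort-Object Folder, User |
    Format-Table -AutoSize
```

Because subfolders inherit permission settings from parent folders, a broad entry near the root is worth checking first.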
Use a screen reader to create a new distribution
group in the Exchange admin center
3/4/2019 • 7 minutes to read
Using a screen reader and keyboard shortcuts, you can create a new distribution group in the Exchange admin
center (EAC) in Exchange Online. This topic explains how to create a new distribution group in your Exchange
organization and how to mail-enable an existing group in Active Directory.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Notes:
The different types of groups that are covered in this topic are:
Distribution groups: Can be used only to deliver messages.
Mail-enabled security groups: Can be used to deliver messages as well as grant permissions (a
security group is a security principal that can have permissions assigned to it).
For more information, see Create and manage distribution groups in Exchange Online.
If your organization has a group naming policy, it's applied only to groups created by users (not admins).
For more information, see Create a distribution group naming policy in Exchange Online and Override the
distribution group naming policy in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange admin center.
TIP
The new distribution group window includes two buttons named Add and two named Remove. The first set of
Add and Remove buttons affects the Select Owners box. The second set applies to the Select Members box.
TIP
Required boxes are designated with an asterisk. In screen readers, you hear "Star" or "Asterisk" before the label. For
example, for the required Display name box, you hear "Star display name" or "Asterisk display name." You also hear
the text of a tool tip that appears when you move the focus to an option.
*Display name. Type the name you want to appear in your organization's address book. This name
appears on the To: line when email is sent to this group and in the Groups list in the EAC. The
display name is required. Make it recognizable for users and unique in the forest.
*Alias. Type a name of 64 characters or less for the group's alias. Make it unique in the forest. When
a user types the alias in the To: line of an email message, it resolves to the group's display name.
*Email address. If you want to change the default name used for this group's email address, type
the name you want. The default is the alias you specified.
Notes. If you want to add a description for this distribution group, type a note. The text you type
appears on the group's contact card and in the address book.
Add. To open the Select Owners window, where you can add owners to the distribution group,
select Add. By default, the person who creates a group is the owner and is listed in the Owners box.
All groups must have at least one owner. For help using the Select Owners window, refer to Use a
screen reader in the Select Owners window later in this topic.
Remove. To remove a selected name from the Owners box, use this option.
*Owners. This option lists the names of the distribution group's owners. Screen readers read the
selected name, not the label. For example, you hear "Sara Davis, Button."
Add group owners as member. By default, this check box is selected.
Add. To add members to the distribution group, select this option. By default, the group owners are
members and are listed in the Members box. When you select the Add button, the Select
Members window opens and you can search for or select the names you want. To return to the new
distribution group window, select the OK button. For detailed steps, refer to Use a screen reader to
add a member to a distribution group.
Remove. Use to remove the selected name from the Members box.
Members. This option lists the names of the distribution group's members. In Narrator, you may
hear "Please wait" or nothing, when this list is empty.
Choose whether owner approval is required to join the group. Screen readers read the
selected option. The default is Open. To require approval for people to join the group, use an arrow
key to select one of the other two options: Closed or Owner Approval.
Choose whether the group is open to leave. Screen readers read the selected option. The
default is Open. To require approval for people to leave the group, use an arrow key to select
Closed.
9. When you've finished, tab to the Save button and press Enter.
NOTE
By default, new distribution groups require that all senders be authenticated. This prevents external senders from
sending messages to distribution groups. To configure a distribution group to accept messages from all senders, you
must modify the message delivery restriction settings for that distribution group.
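The options described above map to parameters of the distribution group cmdlets in Exchange Online PowerShell. The following is an added example, not part of the original article: it creates a group with owner approval required to join, confirms the sender authentication default, and inventories groups that have been opened to unauthenticated senders. It assumes an already connected Exchange Online PowerShell session; the group name, alias and addresses are placeholders.

```powershell
# Added example, not from the original article.
# Assumes an already connected Exchange Online PowerShell session.
# Group name, alias, owner and member addresses are placeholders.
$group = @{
    Name                    = 'Example Team'
    Alias                   = 'exampleteam'          # 64 characters or less
    ManagedBy               = 'owner@example.com'    # at least one owner is required
    Members                 = 'member1@example.com', 'member2@example.com'
    MemberJoinRestriction   = 'ApprovalRequired'     # "Owner Approval" in the EAC
    MemberDepartRestriction = 'Open'                 # members may leave freely
    Notes                   = 'Created as an illustration'
    # Add  Type = 'Security'  here to create a mail-enabled security group,
    # which can be granted permissions as well as receive mail.
}
New-DistributionGroup @group

# Confirm the settings, including the default that senders must be authenticated.
Get-DistributionGroup -Identity $group.Alias |
    Format-List DisplayName, Alias, PrimarySmtpAddress, GroupType, ManagedBy,
        MemberJoinRestriction, MemberDepartRestriction,
        RequireSenderAuthenticationEnabled

# Inventory: groups whose delivery restriction has been changed so that
# unauthenticated (external) senders can mail the whole membership.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Sort-Object DisplayName |
    Format-Table DisplayName, PrimarySmtpAddress, GroupType,
        MemberJoinRestriction, ManagedBy -AutoSize

# Restore the default on a group that should not accept external mail.
Set-DistributionGroup -Identity $group.Alias -RequireSenderAuthenticationEnabled $true
```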
Using a screen reader and keyboard shortcuts, you can create mail flow rules (also known as transport rules) in
Exchange Online in the Exchange admin center (EAC) to look for specific conditions in messages that pass through
your organization and take action on them. The main difference between mail flow rules and Inbox rules you
would set up in an email client application (such as Outlook) is that mail flow rules take action on messages while
they're in transit as opposed to after the message is delivered. Mail flow rules also contain a richer set of
conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging
policies.
Note: To learn more about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange
admin center.
TIP
To move the focus to each setting that's listed in a pop-up window, press the Tab key. As you select each setting, you
hear information about it. To open drop-down box lists, press Spacebar. To move between and select options in
drop-down box lists, press the Down Arrow and Up Arrow keys. To choose an option, press Enter. You can also use
the Spacebar to select or clear the selection for check boxes.
7. After you've accepted your condition settings in the appropriate pop-up window, move to the next option in
the new rule pop-up window by pressing the Tab key.
8. As the focus moves to the Do the following drop-down box, you hear "Do the following, Combo box."
Press the Down Arrow or Up Arrow key until you hear the action you want to select. Press Enter. As the
focus moves to the first UI element in the pop-up window that opens for the selected action, you hear the
name of the pop-up window followed by the name of the first UI element in the window. The following
table gives you an overview of the UI elements in each action's pop-up window.
Forward the message for approval to, Redirect the message to, and Bcc the message to:
• Search, Refresh, and More buttons.
• Display Name and Email Address column headers.
• List of names and email addresses.
• Add button and text box that includes the selected names.
• Check names button and text box in which you type the name you want to check.
• OK and Cancel buttons.
Reject the message with the explanation:
• Text box in which you type the explanation.
• OK and Cancel buttons.
Append the disclaimer: No pop-up window opens, but an Enter text link and a Select one link are inserted in the
window after the drop-down box.
• If you select the Enter text link, a pop-up window opens that includes a text box in which you type the disclaimer,
and the OK and Cancel buttons.
• If you select the Select one link, a pop-up window opens that includes a drop-down box that opens a list of
fallback actions in case the disclaimer can't be inserted, and the OK and Cancel buttons.
9. After you've accepted your action settings in the appropriate pop-up window, move to the next option in the
new rule pop-up window by pressing the Tab key.
10. As the focus moves to the Audit this rule with severity level check box, you hear "Checked" or
"Unchecked" depending on whether the box is selected or not, followed by "Audit this rule with severity
level, Check box." To select or clear the selection for the check box, press Spacebar. You hear "Checked" or
"Unchecked." Do either of the following two actions.
If you selected the Audit this rule with severity level check box, when you press the Tab key, the focus
moves to a drop-down box that lists severity levels (Low, Medium, or High). To move between severity
levels in the list, press the Up Arrow or Down Arrow key. You hear the name of each severity level. To select
a severity level, press Enter. To move to the next option in the window, press the Tab key.
If you didn't select the Audit this rule with severity level check box, to move to the next available option
in the window, press the Tab key.
11. As the focus moves to the first of three available modes for the rule, you hear the name of the first mode
(Enforce) followed by "Radio button." Do any of the following three actions.
The Enforce mode is selected by default. To move to and select the next mode, press the Down Arrow key.
After you've selected the mode you want, to move to the next area of options in the window, press the Tab
key.
To select the Test with Policy Tips mode, press the Down Arrow key. You hear "Test with Policy Tips"
followed by "Radio button." To move to and select the next mode, press the Down Arrow key. After you've
selected the mode you want, to move to the next area of options in the window, press the Tab key.
To select the Test without Policy Tips mode, press the Down Arrow key. You hear "Test without Policy
Tips" followed by "Radio button." To move to and select the next mode, press the Down Arrow key. After
you've selected the mode you want, to move to the next area of options in the window, press the Tab key.
12. As the focus moves to the More options link, you hear "More options link." If you want to add more options
for the rule, press Enter. The following nine UI elements are added to the window.
After the Apply this rule if drop-down box, an add condition button is added.
After the Do the following drop-down box, an add action button is added.
After the add action button, an add exception button is added.
After the options for the modes for the rule, the following UI elements are added:
Activate this rule on the following date check box, followed by a date drop-down box and a time drop-down box.
Deactivate this rule on the following date check box, followed by a date drop-down box and a time drop-down box.
Stop processing more rules check box.
Defer the message if rule processing doesn't complete check box.
Match sender address in message drop-down box that includes Header, Envelope, and Header or
Envelope options.
Comment text box.
13. To save the new rule, move the focus to the Save button by pressing the Tab key until you hear "Save
button." Press Enter.
14. As the focus moves back to the New button on the rules content area of the page, you hear "Rules, New
button." The new rule is turned on by default.
TIP
To turn off a new rule, press the Tab key to tab through the elements of the rules content area of the page, use the
Up Arrow and Down Arrow keys to select a rule, and then press Spacebar. To hear the settings for a selected rule,
press the Tab key until the focus moves to the details pane for the selected rule, and you hear the details for the rule.
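The rule settings walked through above correspond to parameters of New-TransportRule in Exchange Online PowerShell. The following is an added example, not part of the original article: it creates a disclaimer rule in test mode with auditing, reviews it, and then switches it to Enforce. It assumes an already connected Exchange Online PowerShell session; the rule name, disclaimer text, dates and the choice of condition are placeholders.

```powershell
# Added example, not from the original article.
# Assumes an already connected Exchange Online PowerShell session.
# Rule name, disclaimer text and dates are placeholders.
$ruleName = 'Example - disclaimer on mail from outside'

$rule = @{
    Name                              = $ruleName
    # "Apply this rule if": the sender is located outside the organization.
    FromScope                         = 'NotInOrganization'
    # "Do the following": Append the disclaimer, plus the fallback action
    # used when the disclaimer can't be inserted (Wrap, Ignore or Reject).
    ApplyHtmlDisclaimerLocation       = 'Append'
    ApplyHtmlDisclaimerText           = '<p>Example disclaimer text.</p>'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    # "Audit this rule with severity level": Low, Medium or High.
    SetAuditSeverity                  = 'Medium'
    # Mode: Audit = "Test without Policy Tips",
    #       AuditAndNotify = "Test with Policy Tips", Enforce = "Enforce".
    Mode                              = 'Audit'
    # "Activate / Deactivate this rule on the following date".
    ActivationDate                    = (Get-Date).AddDays(1)
    ExpiryDate                        = (Get-Date).AddDays(30)
    # "Stop processing more rules".
    StopRuleProcessing                = $false
    # "Defer the message if rule processing doesn't complete".
    RuleErrorAction                   = 'Defer'
    # "Match sender address in message": Header, Envelope or HeaderOrEnvelope.
    SenderAddressLocation             = 'HeaderOrEnvelope'
    Comments                          = 'Illustration only; start in test mode.'
}

# Step 1: create the rule. It is turned on by default, but in test mode.
New-TransportRule @rule

# Step 2: read the settings back, as the details pane does in the EAC.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, SetAuditSeverity,
        ActivationDate, ExpiryDate, StopRuleProcessing,
        RuleErrorAction, SenderAddressLocation, Comments

# Step 3 (run later, after reviewing what the rule matched in test mode):
# switch the rule to Enforce so the action is applied.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Step 4 (only when needed): turn the rule off without deleting it.
Disable-TransportRule -Identity $ruleName -Confirm:$false
```

Starting in a test mode and enforcing only after review limits the effect of a condition that matches more mail than intended.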
Use a screen reader to define rules that encrypt or
decrypt email messages in the Exchange admin
center in Exchange Online
3/4/2019 • 8 minutes to read
In the Exchange admin center (EAC) in Exchange Online, you can create mail flow rules (also known as transport
rules) to enable or disable Office 365 Message Encryption. This lets you encrypt outgoing email messages and
remove encryption from encrypted messages coming from inside your organization or from replies to encrypted
messages sent from your organization.
Note: To learn more about message encryption, go to Encryption in Office 365. Your organization must have
Windows Azure Rights Management set up for Office 365 Message Encryption to complete the tasks in this topic.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange admin center.
TIP
When you select the More options link, more user interface (UI) elements are added to the page and more options
are added to the combo boxes. To have access to the Modify the message security option that you need to select
in the next step, you must select the More options link.
9. To move the focus back to the Do the following drop-down box in the new rule pop-up window, press
Shift+Tab until you hear "Do the following, Combo box." Perform the following two steps.
a. In the Do the following drop-down box, to select the Modify the message security option, press
the Down Arrow key until you hear "Modify the message security." Press Enter.
b. As the focus moves to a list of message security options, you hear the first option in the list, "Apply
rights protection." To select the Apply Office 365 Message Encryption option, press the Down
Arrow key until you hear "Apply Office 365 Message Encryption." Press Enter.
10. To save the new rule, move the focus to the Save button by pressing the Tab key until you hear "Save
button." Press Enter.
11. As the focus moves back to the New button on the rules content area of the page, you hear "Rules, New
button." The new rule is turned on by default.
TIP
To turn off a new rule, press the Tab key to tab through the elements of the rules content area of the page, use the Up
Arrow and Down Arrow keys to select a rule, and then press Spacebar. To hear the settings for a selected rule, press the Tab
key until the focus moves to the details pane for the selected rule, and you hear the details for the rule.
TIP
When you select the More options link, more user interface (UI) elements are added to the page and more options
are added to the combo boxes. To have access to the Modify the message security option that you need to select
in the next step, you must select the More options link.
9. To move the focus back to the Do the following drop-down box in the new rule pop-up window, press
Shift+Tab until you hear "Do the following, Combo box." Perform the following two steps.
a. In the Do the following drop-down box, to select the Modify the message security option, press
the Down Arrow key until you hear "Modify the message security." Press Enter.
b. As the focus moves to a list of message security options, you hear the first option in the list, "Apply
rights protection." To select the Remove Office 365 Message Encryption option, press the Down
Arrow key until you hear "Remove Office 365 Message Encryption." Press Enter.
10. To save the new rule, move the focus to the Save button by pressing the Tab key until you hear "Save
button." Press Enter.
11. As the focus moves back to the New button on the rules content area of the page, you hear "Rules, New
button." The new rule is turned on by default.
TIP
To turn off a new rule, press the Tab key to tab through the elements of the rules content area of the page, use the Up
Arrow and Down Arrow keys to select a rule, and then press Spacebar. To hear the settings for a selected rule, press the Tab
key until the focus moves to the details pane for the selected rule, and you hear the details for the rule.
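The two "Modify the message security" options selected in the procedures above have PowerShell counterparts, -ApplyOME and -RemoveOME. The following is an added example, not part of the original article: it creates one rule of each kind and then lists every rule that changes message encryption so that their scope can be compared. It assumes an already connected Exchange Online PowerShell session; the rule names, the recipient address and the conditions chosen are placeholders.

```powershell
# Added example, not from the original article.
# Assumes an already connected Exchange Online PowerShell session.
# Rule names, the recipient address and the conditions are placeholders.

# Review the tenant's rights management configuration first; the article
# states that rights management must be set up before these rules work.
Get-IRMConfiguration | Format-List

# Rule 1: encrypt mail sent to a specific recipient outside the organization.
$encrypt = @{
    Name        = 'Example - encrypt mail to external partner'
    SentTo      = 'partner@example.com'
    SentToScope = 'NotInOrganization'
    ApplyOME    = $true      # "Apply Office 365 Message Encryption"
    Comments    = 'Illustration only.'
}
New-TransportRule @encrypt

# Rule 2: remove encryption when the recipient is inside the organization,
# so that encrypted replies arrive readable in internal mailboxes.
$decrypt = @{
    Name        = 'Example - remove encryption for internal recipients'
    SentToScope = 'InOrganization'
    RemoveOME   = $true      # "Remove Office 365 Message Encryption"
    Comments    = 'Illustration only.'
}
New-TransportRule @decrypt

# List every rule that applies or removes encryption, in processing order.
# A removal rule with a wider scope than intended shows up here next to
# the encryption rules it interacts with.
Get-TransportRule |
    Where-Object { $_.ApplyOME -or $_.RemoveOME } |
    Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, ApplyOME, RemoveOME,
        SentTo, SentToScope -AutoSize
```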
Use a screen reader to edit the mailbox display name
in the Exchange admin center in Exchange Online
3/4/2019 • 2 minutes to read
Use keyboard shortcuts and your screen reader to add or edit a mailbox's display name in the Exchange admin
center (EAC) in Exchange Online.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016.
For best results, when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans; however, capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information on the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
You can export and review mailbox audit logs by using your screen reader in the Exchange admin center (EAC) in
Exchange Online. When enabled, Exchange mailbox auditing logs information in the mailbox audit log whenever a
user other than the owner accesses the mailbox. Each log entry includes information about who accessed the
mailbox and the actions performed.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To export and review mailbox audit logs, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange
admin center.
Configure mailbox audit logging
Before you can export and review audit logs, you or another admin must enable mailbox audit logging and
configure Outlook to allow XML attachments. These tasks are done in Exchange Online PowerShell. For more
information, go to Export mailbox audit logs.
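The PowerShell prerequisites mentioned above can look like the following. This is an added example, not part of the original article: it enables mailbox audit logging, finds mailboxes that are still not audited, allows XML attachments in Outlook on the web, and requests the same kind of non-owner access export from the command line. It assumes an already connected Exchange Online PowerShell session; the mailbox and recipient addresses are placeholders.

```powershell
# Added example, not from the original article.
# Assumes an already connected Exchange Online PowerShell session.
# Mailbox identities and the report recipient are placeholders.
$mailboxes = 'user1@example.com', 'user2@example.com'
$recipient = 'auditor@example.com'

# 1. Enable mailbox audit logging on the selected mailboxes.
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx -AuditEnabled $true
}

# 2. Coverage check: list mailboxes where auditing is still off, with the
#    age limit that controls how long entries are kept (typically 90 days).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Sort-Object PrimarySmtpAddress |
    Format-Table PrimarySmtpAddress, AuditEnabled, AuditLogAgeLimit -AutoSize

# 3. Allow .xml attachments in Outlook on the web, so the exported audit log
#    (delivered as an XML attachment) can be opened.
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -AllowedFileTypes @{ Add = '.xml' }
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BlockedFileTypes @{ Remove = '.xml' }

# 4. Quick interactive review of non-owner access to one mailbox.
Search-MailboxAuditLog -Identity $mailboxes[0] -LogonTypes Admin, Delegate `
        -StartDate (Get-Date).AddDays(-15) -EndDate (Get-Date) -ShowDetails |
    Sort-Object LastAccessed |
    Format-Table LastAccessed, LogonUserDisplayName, LogonType,
        Operation, OperationResult, FolderPathName -AutoSize

# 5. Request an export for the same period; the result is mailed to the
#    recipient as an XML attachment. Omit -Mailboxes to search all mailboxes.
$search = @{
    Name                 = 'Example non-owner access export'
    Mailboxes            = $mailboxes
    LogonTypes           = 'Admin', 'Delegate'
    StartDate            = (Get-Date).AddDays(-15)
    EndDate              = (Get-Date)
    StatusMailRecipients = $recipient
}
New-MailboxAuditLogSearch @search
```

Entries older than the mailbox's audit log age limit are no longer available, so the start date should fall inside that window.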
TIP
By default, the start date is set to two weeks before yesterday's date. When enabled, the mailbox audit log typically
stores entries for 90 days.
a. If necessary, type the start date year for the audit logs. You can also select the start date year by
pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."
TIP
The default end date is today's date.
a. If necessary, type the end date year for the audit logs. You can also select the end date year by
pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. To access the select users button, press the Tab key twice. You hear "Search these mailboxes or leave blank
to find all mailboxes accessed by non-owners."
TIP
If you want to export audit logs for all mailboxes, don't select any users, and go on to step 10. When the Search
these users box is blank, the search includes all mailboxes.
a. To open the Select Mailbox dialog box, with the focus on the select users button, press Enter. The
Search box has the focus, and you hear "Filter or search edit." Type all or part of the name of the
first mailbox whose audit logs you want to export and then, to search for the name, press Enter.
b. To select a mailbox, press the Tab key four times until you hear the name of the mailbox owner in the
search results list. If there are multiple mailboxes in the search results list, press the Down Arrow or
Up Arrow key until you hear the name of the mailbox owner.
TIP
You can select multiple consecutive mailboxes. To work with all mailboxes, leave the Search box blank, or enter all or
part of the mailbox names you want to add. Tab to the search results. Press the Down Arrow key to hear each name.
To add them all, press Ctrl+A. To add several mailboxes listed consecutively, press the Down Arrow key or the Up
Arrow key until you hear the first mailbox name you want to add, hold down the Shift key, press the Down Arrow
key or the Up Arrow key until you hear the last mailbox name you want to add, and then release the Shift key. All
mailboxes between the first and last mailbox names are selected.
c. To add the selected mailbox(es) to the list to be included in the audit log export, press Enter. The list of
mailboxes retains the focus, so you can continue to add more mailboxes by selecting them and pressing
Enter.
TIP
To check the mailboxes you've added, tab to the Add button. To hear the list of mailboxes, press the Tab key again.
You hear the first mailbox name in the list. To hear the second mailbox name in the list, press the Tab key one more
time. Continue pressing the Tab key until you hear the names of all the mailboxes you've added. To delete a mailbox
from the list, activate the Remove link by pressing Enter when you hear the mailbox name.
d. To search for another mailbox or set of mailboxes, tab several times until you hear "Filter or search
edit." Type all or part of the name of the next mailboxes you want to add, and press Enter. Repeat
steps b and c. Do this for all mailboxes you want to add.
e. To add an external mailbox, press the Tab key until you hear "Check names edit, Type in text." (In
Narrator, you hear "Editing.") Type the email address of the external recipient, press Shift+Tab to
select the Check names button, and then press Enter. This verifies the email address and adds it to
the list of mailboxes.
TIP
Be aware that if you type an external email address and press Enter, this adds the address to the list and then closes
the dialog box. If you're not finished, use the Check names button to add it instead.
f. When you finish adding mailboxes, tab to the OK button and press Enter. The Export Mailbox Audit
Logs dialog box has the focus again, and the Search these mailboxes text box lists the selected
mailboxes.
10. Tab to the Search for access by combo box. This specifies which types of mailbox non-owners you want
the audit logs to show.
To have the audit logs show all non-owners, you don't need to do anything, as this is the default.
To specify a certain group of non-owners, like External users (Microsoft datacenter administrators),
Administrators and delegated users, or Administrators, press the Down Arrow key to move to the user
type you want, and then press Enter.
11. Press the Tab key twice to access the next select users button. You hear "Send the audit report to picker
button." To open the Select Members dialog box, press Enter. The Search button has the focus.
12. To search for a user within your organization, press Enter, type all or part of the name of the first audit log
recipient, and then press Enter.
13. Press the Tab key several times until you hear the name of the user in the search results list.
14. To add the user to the list of audit log recipients, press the Down Arrow key until you hear the user's name,
and then press Enter. The list of users retains the focus, so you can continue to add more recipients by
selecting their mailboxes and pressing Enter.
TIP
To check the recipients you've added, tab to the Add button. To hear the list of recipients, press the Tab key again. The first
name is read. To hear the second name in the list, press the Tab key one more time. Continue pressing the Tab key until you
hear the names of all the recipients you've added. To delete a recipient from the list, activate the Remove link by pressing
Enter when you hear the username.
4. To search for another name or set of names from within your organization, tab several times until you hear
"Filter or search edit." Type all or part of the name of the next user you want to add, and press Enter. Repeat
steps b and c. Do this for all audit report recipients in your organization.
5. To add an external recipient, press the Tab key until you hear "Check names edit, Type in text." (In Narrator,
you hear "Editing.") Type the email address of the external recipient, press Shift+Tab to select the Check
names button, and then press Enter. This verifies the email address and adds it to the list of recipients.
TIP
Be aware that if you type an external email address and press Enter, this adds the recipient to the list and then closes the
dialog box. If you're not finished, use the Check names button to add it instead.
6. When you finish adding users, tab to the OK button and press Enter. The Export Mailbox Audit Logs
dialog box has the focus again, and the Send the audit report to text box lists the audit log recipients.
7. Tab to the export button and press Enter. Exchange retrieves entries in the mailbox audit log that meet
your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an
email message sent within 24 hours to your selected audit log recipients.
TIP
If you hear an error message that says the items you're trying to open couldn't be found, check that audit logging is enabled
for the selected mailboxes. Also check that the selected dates are within range. The dates need to be after the date audit
logging was enabled, and, by default, within the past 90 days.
TIP
If Outlook is not configured to allow XML attachments, you might receive the email message but not be able to
open the XML attachment. Also, if you can't find the message, you might need to wait longer. Recipients typically
receive the exported audit log within 24 hours, but in some cases it might take a few days.
3. Select the message attachment and specify that you want to download the XML file.
4. Open the SearchResult.xml file in Excel. Each log entry includes information about non-owners of the
mailbox who accessed the mailbox and the actions performed. The following fields are included, among
others, in the audit log:
LastAccessed The date and time of the most recent mailbox access
To complete administrative tasks in the Exchange admin center (EAC) in Exchange Online, you need the
appropriate administrative permissions, which are grouped and assigned by role. By using a screen reader and
keyboard shortcuts, you can identify your admin role, in addition to the role you must be assigned to complete
particular tasks.
NOTE
To learn how to open the EAC, refer to Use a screen reader to open the Exchange admin center. To learn more about
admin role groups, go to Understanding management role groups.
1. In the EAC, to move the focus to Dashboard, which is the first link in the navigation pane, press
Ctrl+F6 twice. You hear "Dashboard, Primary navigation link."
2. In the navigation pane, to move the focus to the Permissions link, press the Tab key until you hear
"Permissions, Primary navigation link." Press Enter.
3. To move the focus to the admin roles link on the content area of the page, press Ctrl+F6. You hear
"Admin roles, Secondary navigation link."
4. To move the focus to each of the following three elements of the user interface, press the Tab key for
each element:
a. The main content for admin roles. You hear "Role groups."
b. The Name column. You hear "Name, Column header."
c. The list of admin role groups in the Name column. You hear the name of the first role group,
which is Compliance Management, followed by "Row."
5. In the list of admin role groups, to move between and select the name of a group, use the Up Arrow
and Down Arrow keys. As you select each group, you hear its name, followed by "Row."
6. Select the admin role group that includes the role you need to complete a task.
TIP
If you don't know the role required for a particular task, select the admin role group that you think might
include roles related to your task, perform step 6, and pay particular attention to the assigned roles.
7. To move the focus to the details pane for the admin role group, press Ctrl+F6.
If you're using Narrator, you hear all the details for the admin role group, including a description
of the group, assigned roles, members, managed by, and write scope.
If you're using JAWS, to hear the description of the admin role group, press the Down Arrow key,
and then, to hear the rest of the text in the details pane, press Alt+Down Arrow.
8. If you do not hear your name among the members, you have not been assigned the appropriate role to
complete your task. Contact your Office 365 administrator.
Use a screen reader to manage anti-malware
protection in the Exchange admin center in Exchange
Online
3/4/2019 • 7 minutes to read
Exchange Online offers multilayered protection that's designed to catch all known malware. All messages are
scanned for malware (viruses and spyware), and if malware is detected, the message is deleted. Administrators do
not need to set up or maintain these filtering technologies, which are enabled by default. However, administrators
can make company-specific filtering customizations in the Exchange admin center (EAC)—all using a screen reader
and keyboard shortcuts.
NOTE
To learn more about protecting your organization's email messages from malware in Exchange Online, go to Anti-Spam and
Anti-Malware Protection.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Hygiene
Management admin role groups. Learn how to Use a screen reader to identify your admin role in the Exchange
admin center.
TIP
This page doesn't contain a navigation pane. To move the focus to each setting that's listed on the page, press the
Tab key. As you select each setting, you hear information about the setting. To open menus, press Spacebar. To move
between and select menu options, press the arrow keys. To choose an option, press Enter. You can also press the
Spacebar to select or clear a check box selection.
5. After you've pressed the Tab key to tab through all the settings on the page, the last two elements on the
page are the Save button and the Cancel button. To activate either button, press Enter.
6. As the Anti-malware policy pop-up window closes and the focus moves back to the New button in the
malware filter content area, you hear "Malware filter, New button."
6. After you've pressed the Tab key to tab through all the settings on the page, the last two elements on the
page are the Save button and the Cancel button. To activate either button, press Enter.
7. As the Anti-malware policy pop-up window closes and the focus moves back to the malware filter
content area, you hear "Malware filter."
TIP
You must disable a malware filter before you can delete it. To learn how to disable a filter go to the Enable or disable
a malware filter section in this topic.
4. Press Delete. You hear "Warning, Are you sure you want to delete the policy" followed by the name of the
policy. To select the Yes button, press Enter. To select the No button, press the Tab key, and then press Enter.
Exchange Online includes spam filtering capabilities that help protect your network from spam transferred
through email. Administrators do not need to set up or maintain these filtering technologies, which are enabled by
default. However, administrators can make company-specific filtering customizations in the Exchange admin
center (EAC)—all using a screen reader and keyboard shortcuts.
NOTE
To learn more about protecting your organization from spam in Exchange Online, go to Anti-Spam and Anti-Malware
Protection.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started. For more information about
the EAC, see Exchange admin center in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Hygiene
Management admin role groups. Learn how to Use a screen reader to identify your admin role in the Exchange
admin center.
TIP
This page doesn't contain a navigation pane. To move the focus to each setting that's listed on the page, press the
Tab key. As you select each setting, you hear information about the setting. To open menus, press Spacebar. To move
between and select menu options, press the arrow keys. To choose an option, press Enter. You can also press the
Spacebar to select or clear a check box selection.
5. After you've pressed the Tab key to tab through all the settings on the page, the last two elements on the
page are the Save button and the Cancel button. To activate either button, press Enter.
6. As the Spam filter policy pop-up window closes and the focus moves back to the New button in the
spam filter content area, you hear "Spam filter, New button."
Edit an existing spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed by "Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down Arrow key until you hear the
name of the filter you want to edit. Press Enter.
4. As the focus moves to the general link in the navigation pane in the Edit Spam Filter Policy pop-up
window that opens for the filter, you hear "Edit Spam Filter Policy, Selected, General."
5. In the navigation pane in the Edit Spam Filter Policy pop-up window, press the arrow keys to move
between and select the links in the navigation pane on the page, which correspond to the settings you can
edit: general, spam and bulk actions, block lists, allow lists, international spam, and advanced
options.
TIP
When a link is selected in the navigation pane, press the Tab key to move the focus to the content area of the page.
To move through and select the elements in the content area, press the Tab key. As you select each setting, you hear
information about the setting. To open menus, press Spacebar. To move between and select menu options, press the
arrow keys. To choose an option, press Enter. You can also press the Spacebar to select or clear a check box selection.
6. After you've customized the settings for the filter and pressed the Tab key to tab through all the links in the
Edit Spam Filter Policy pop-up window, the last two elements on the page are the Save button and the
Cancel button. To activate either button, press Enter.
7. As the pop-up window closes and the focus moves back to the spam filter content area, you hear "Spam
filter."
Delete a spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed by
"Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down Arrow key until you hear the
name of the filter you want to delete.
TIP
You must disable a spam filter before you can delete it. To learn how to disable a filter, go to the Enable or disable a
spam filter section in this topic.
4. Press Delete. You hear "Warning, Are you sure you want to delete the policy" followed by the name of the
policy. To select the Yes button, press Enter. To select the No button, press the Tab key, and then press Enter.
Enable or disable a spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed
by "Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down Arrow key until you hear the
name of the filter you want to enable or disable.
4. To toggle between enabling and disabling the filter, press Spacebar.
Hear the details for a spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed by
"Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down Arrow key until you hear the
name of the filter whose details you want to hear.
4. To move the focus to the details pane for the spam filter, press the Tab key. You hear the details for the filter.
6. After you've customized the options for the outbound spam setting and pressed the Tab key to tab through
all the links in the window, the last two elements on the page are the Save button and the Cancel button.
To activate either button, press Enter.
7. As the Edit Spam Filter Policy pop-up window closes and the focus moves back to the spam filter content
area, you hear "Spam filter."
Hear the details for an outbound spam setting
1. Move the focus to your outbound spam settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of outbound spam filters in the Name column. You hear the name of the first outbound
spam filter followed by "Button."
The first outbound spam filter in the list. You hear the name of the first outbound spam filter
followed by "Row."
3. To move the focus to one of your outbound spam filters, press the Up Arrow or Down Arrow key until you
hear the name of the filter whose details you want to hear.
4. To move the focus to the details pane for the outbound spam filter, press the Tab key. You hear the details
for the filter.
Use a screen reader to open the Exchange admin
center in Exchange Online
3/4/2019 • 2 minutes to read
The Exchange admin center (EAC) is a web-based app that lets you manage your Exchange Online
organization in a web browser. Using a screen reader and keyboard shortcuts, you can open the EAC and
perform administrative tasks (based on your permissions).
NOTE
When you work in the EAC, we recommend that you use Internet Explorer as your web browser. For more information
about the keyboard shortcuts you can use to navigate the EAC and about other accessibility features that are available
for Exchange Online, see Learn more about Internet Explorer keyboard shortcuts and Accessibility in Exchange Online.
1. Sign in to your organization's Office 365 account. In the App launcher, move the focus to the Admin
app. You hear "Go to the Office 365 admin center, Link." Press Enter.
TIP
If you use the My apps page to open your apps, to quickly move to the Admin app (sometimes one of the last
apps on the list), move the focus to the Search apps box (one of the first elements on the page). In JAWS, you
hear "Leaving menus, My apps, Edit, Type text." In Narrator, you hear "Search apps, Editing." Type admin, and
then move the focus to the only search result on the page: Admin app. You hear "Admin link." Press Enter.
2. As the Office 365 admin center opens, in JAWS, you hear "Office 365, Office admin center, Home." In
Narrator, you hear "Office 365, Editing."
3. To move the focus to the Expand link in the navigation pane, press the Tab key until you hear one of
the following two options.
"Expand navigation menu button." To expand the navigation pane, press Spacebar.
"Collapse navigation menu button." The navigation pane is already expanded, so no action is
required.
4. To move the focus to Admin centers (the last item in the navigation pane), press the Tab key until you
hear "Admin centers."
5. To ensure that the Admin centers list is expanded so that you can access the items in it, press the Tab
key. Then, based on the audible feedback you hear, perform one of the following two actions.
If you hear "Exchange link, Open Exchange admin center in a new tab," the list is already
expanded and you've selected Exchange.
If you hear something other than "Exchange link, Open Exchange admin center in a new tab,"
the list is collapsed. To move the focus back to the Admin centers list, press Shift+Tab. To
expand the list, press Enter. In the expanded Admin centers list, to select Exchange, press the
Tab key until you hear "Exchange link, Open Exchange admin center in a new tab."
6. To open the Exchange admin center, press Enter. As the Exchange admin center opens in a new
tab in your web browser, in JAWS, you hear "Exchange admin center." In Narrator, you hear "Microsoft
Exchange."
7. To move the focus to Dashboard (the first link), in the navigation pane of the Exchange admin
center, press Ctrl+F6 twice. In Narrator, you hear "Dashboard, Primary navigation link."
TIP
To move to the rest of the items in the navigation pane, press the Tab key. To open an item, press Enter. After
you've opened an item, to move directly to one of its elements in the content area on a page, press Ctrl+F6. To
identify the admin role groups to which you've been assigned, which determine the tasks you can perform in
the EAC, refer to Use a screen reader to identify your admin role in the Exchange admin center.
Use a screen reader to run an audit report in the
Exchange admin center in Exchange Online
3/4/2019 • 22 minutes to read
You can run audit reports and search for audit information by using your screen reader in the Exchange admin
center (EAC) in Exchange Online. Certain audit reports can help you troubleshoot configuration issues by tracking
specific changes made by administrators. Other audit reports can help you monitor regulatory, compliance, and
litigation requirements.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To run audit reports, Use a screen reader to open the Exchange admin center and check that your Office 365
global administrator has assigned you to the Organization Management and Records Management admin role
groups. To run In-Place eDiscovery or In-Place Hold reports, check that you are assigned to the Discovery
Management role group. Learn how to Use a screen reader to identify your admin role in the Exchange admin
center.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about three times until you hear "Run a non-owner mailbox access report." Press Enter.
7. In the Search for Mailboxes Accessed by Non-Owners dialog box which opens, the Start date year
combo box has the focus, and you hear "Year of Start date combo box."
TIP
By default, the start date is set to two weeks before yesterday's date. When enabled, the mailbox audit log typically
stores entries for 90 days.
a. If necessary, type the start date year for your administrator configuration change search. You can
also select the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."
TIP
The default end date is today's date.
a. If necessary, type the end date year for your administrator configuration change search. You can also
select the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. Press the Tab key to access the search button, and press Enter.
TIP
If you want to search all mailboxes for non-owner access, don't select any specific mailboxes, and go on to step 10.
When the Search these mailboxes box is blank, the search includes all mailboxes.
a. To open the Select Mailbox dialog box, with the focus on the select mailboxes button, press Enter.
The Search box has the focus, and you hear "Filter or search edit." Type all or part of the name of the
first mailbox you want to include in the non-owner mailbox access search and then, to search for the
name, press Enter.
b. To select a mailbox, press the Tab key about four times until you hear the name of the mailbox owner
in the search results list. If there are multiple mailboxes in the search results list, press the Down
Arrow key or Up Arrow key until you hear the name of the mailbox owner.
TIP
You can select multiple consecutive mailboxes. To work with all mailboxes, leave the Search box blank, or enter all or
part of the mailbox names you want to add. Tab to the search results. Press the Down Arrow key to hear each name.
To add them all, press Ctrl+A. To add several mailboxes listed consecutively, press the Down Arrow key or the Up
Arrow key until you hear the first mailbox name you want to add, hold down the Shift key, press the Down Arrow key
or the Up Arrow key until you hear the last mailbox name you want to add, and then release the Shift key. All
mailboxes between the first and last mailbox names are selected.
c. To add the selected mailbox(es) to the list to be included in the non-owner mailbox access search, press
Enter. The list of mailboxes retains the focus, so you can continue to add more mailboxes by selecting
them and pressing Enter.
TIP
To check the mailboxes you've added, tab to the Add button. To hear the list of mailboxes, press the Tab key again.
You hear the first mailbox name in the list. To hear the second mailbox name in the list, press the Tab key once more.
Continue pressing the Tab key until you hear the names of all the mailboxes you've added. To delete a mailbox from
the list, activate the Remove link by pressing Enter when you hear the mailbox name.
d. To search for another mailbox or set of mailboxes, tab several times until you hear "Filter or search
edit." Type all or part of the name of the next mailboxes you want to add, and press Enter. Repeat
steps b and c. Do this for all mailboxes you want to add.
e. To add an external mailbox, press the Tab key until you hear "Check names edit, Type in text." (In
Narrator, you hear "Editing.") Type the email address of the external recipient, press Shift+Tab to
select the Check names button, and then press Enter. This verifies the email address and adds it to
the list of mailboxes.
TIP
Be aware that if you type an external email address and press Enter, this adds the address to the list and then closes
the dialog box. If you're not finished, use the Check names button to add it instead.
f. When you finish adding mailboxes, tab to the OK button and press Enter. The Search for Mailboxes
Accessed by Non-Owners dialog box has the focus again, and the Search these mailboxes text box
lists the selected mailboxes.
10. Tab to the Search for access by combo box. This specifies which types of mailbox non-owners you want
the non-owner mailbox report to show.
To search the audit logs for administrator access, you don't need to do anything, as this is the default.
To search the audit logs for another group of non-owners, like All non-owners, External users (Microsoft
datacenter administrators), or Administrators and delegated users, press the Up Arrow key to move to
the user type you want.
11. Press the Tab key to access the Search button, and press Enter.
12. Press the Tab key about four times to access the search results. If any mailboxes were accessed by a non-
owner of the type you specified in the time period you selected, you hear the name of the mailbox owner
and the date the mailbox was accessed by a non-owner. If none of the mailboxes were accessed by a non-
owner, you hear "There are no items to show in this view." (In Narrator, you hear "Contains 0 items.")
13. For more details about a non-owner mailbox access, with the item selected in the search results list, press
the Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear the
contents of the details pane, press Tab again.
14. To close the dialog box, tab to the Close button and press Enter.
TIP
You can also export the log of non-owner access of mailboxes and review it in an XML file. Learn more in Use a screen reader
to export and review audit logs in the Exchange admin center.
TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.
a. If necessary, type the start date year for your administrator configuration change search. You can
also select the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."
TIP
The default end date is today's date.
a. If necessary, type the end date year for your administrator configuration change search. You can
also select the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. Press the Tab key to access the search button, and press Enter.
10. Press the Tab key about five times to access the search results. Press the Down Arrow key or the Up Arrow
key to hear the list of configuration changes made in the time period you specified. For each item, you hear
the date of the change, the type of configuration change made, and the name of the Administrator who
made the change. If there were no configuration changes, you hear "There are no items to show in this
view." (In Narrator, you hear "Contains 0 items.")
11. For more details about a configuration change, with the change selected in the search results list, press the
Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear the
contents of the details pane, press Tab again.
12. To close the dialog box, tab to the Close button and press Enter.
TIP
You can also export the admin audit log to an XML file and email it to specified recipients. On the auditing page, press the
Tab key until you hear "Export the admin audit log." Press Enter and work through the Export the Administrator Audit
Log dialog box which appears. For more information, go to Use a screen reader to export and review audit logs in the
Exchange admin center.
TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.
a. If necessary, type the start date year for your administrator role group change search. You can also
select the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."
TIP
The default end date is today's date.
a. If necessary, type the end date year for your administrator role group change search. You can also
select the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. To access the select role groups button, press the Tab key twice. You hear "Search these role groups or
leave this box blank to find all changed role groups."
TIP
If you want to search all role groups for changes, don't select any specific role groups, and go on to step 10. When
the Search these role groups box is blank, the search includes all role groups.
a. To open the Select a Role dialog box, with the focus on the select role groups button, press Enter.
The Search box has the focus, and you hear "Filter or search edit." Type all or part of the name of the
first role group you want to include in the search and then, to search for the role group, press Enter.
b. To select a role group, press the Tab key about three times until you hear the name of the role group
in the search results list. If there are multiple role groups in the search results list, press the Down Arrow key
or Up Arrow key until you hear the name of the role group.
TIP
You can select multiple consecutive role groups. To work with all role groups, leave the Search box blank, or enter all
or part of the role group names you want to add. Tab to the search results. Press the Down Arrow key to hear each
name. To add them all, press Ctrl+A. To add several role groups listed consecutively, press the Down Arrow key or
the Up Arrow key until you hear the first role group name you want to add, hold down the Shift key, press the Down
Arrow key or the Up Arrow key until you hear the last role group name you want to add, and then release the Shift
key. All role groups between the first and last names are selected.
c. To add the selected role group(s) to the list to be included in the role group change search, press Enter.
The list of role groups retains the focus, so you can continue to add more role groups by selecting them
and pressing Enter.
TIP
To check the role groups you've added, tab to the Add button. To hear the list of role groups, press the Tab key
again. You hear the first role group name in the list. To hear the second role group name in the list, press the Tab key
once more. Continue pressing the Tab key until you hear the names of all the role groups you've added. To delete a
role group from the list, activate the Remove link by pressing Enter when you hear the role group name.
d. When you finish adding role groups, tab to the OK button and press Enter. The Search for Changes to
Administrator Role Groups dialog box has the focus again, and the Search these role groups text
box lists your selected role groups.
10. Press the Tab key to access the Search button, and press Enter.
11. Press the Tab key about four times to access the search results. If any of your selected role groups were
changed in the time period you selected, you hear the name of the role group and the date of the change. If
none of the role groups were changed, you hear "There are no items to show in this view." (In Narrator, you
hear "Contains 0 items.")
12. For more details about a role group change, with the change selected in the search results list, press the Tab
key to move to the details pane. To print the contents of the details pane, press Enter. To hear the contents
of the details pane, press Tab again.
13. To close the dialog box, tab to the Close button and press Enter.
TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.
a. If necessary, type the start date year for the eDiscovery and Hold change search. You can also select
the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."
TIP
The default end date is today's date.
a. If necessary, type the end date year for your eDiscovery and Hold change search. You can also select
the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. Press the Tab key to access the Search button, and press Enter.
10. Press the Tab key about three times to access the search results. If any eDiscovery or Holds were changed in
the time period you selected, you hear their names. If none have been changed, you hear "There are no
items to show in this view." (In Narrator, you hear "Contains 0 items.")
11. For more details about an eDiscovery or Hold change, with the change selected in the search results list,
press the Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear
the contents of the details pane, press Tab again.
12. To close the dialog box, tab to the Close button and press Enter.
Search for mailboxes that are enabled or disabled for litigation holds
If your organization is involved in a legal action, you may have to take steps to preserve email messages that
might be used as evidence. You can use the litigation hold feature to retain all email sent and received by specific
people or retain all email sent and received in your organization for a specific time period. Search the
administrator audit log to monitor the mailboxes that have had a change to their litigation hold status (enabled or
disabled) during a specified time period. Learn more about running a per-mailbox litigation hold report.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about 21 times until you hear "Run a per-mailbox Litigation Hold report." Press Enter.
7. In the Search for Changes to Per-Mailbox Litigation Hold dialog box which opens, the Start date year
combo box has the focus, and you hear "Year of Start date combo box."
TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.
a. If necessary, type the start date year for your litigation hold change search. You can also select the
start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."
TIP
The default end date is today's date.
a. If necessary, type the end date year for your litigation hold change search. You can also select the end
date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. To access the select users button, press the Tab key twice. You hear "Search these mailboxes or leave blank
to find all mailboxes with litigation hold changes."
TIP
If you want to search all mailboxes for litigation hold changes, don't select any specific mailboxes, and go on to step
10. When the Search these mailboxes box is blank, the search includes all mailboxes.
a. To open the Select Members dialog box, with the focus on the select users button, press Enter. The
Search button has the focus. To search for a user within your organization, press the Spacebar, type
all or part of the name of the user, and then press Enter.
b. Press the Tab key about seven times until you hear the name of the user in the search results list.
c. To add the user to the list of mailboxes in the litigation hold search, press the Down Arrow key until
you hear the user's name, and then press Enter. The list of users retains the focus, so you can
continue to add more users by selecting their mailboxes and pressing Enter.
TIP
To check the users you've added, tab to the Add button. To hear the list of users, press the Tab key again. The first
name is read. To hear the second name in the list, press the Tab key once more. Continue pressing the Tab key until
you hear the names of all the users you've added. To delete a user from the list, activate the Remove link by
pressing Enter when you hear the username.
d. To add an external user, press the Tab key until you hear "Check names edit, Type in text." (In Narrator,
you hear "Editing.") Type the email address of the external user, press Shift+Tab to select the Check
names button, and then press Enter. This verifies the email address and adds it to the list of users.
TIP
Be aware that if you type an external email address and press Enter, this adds the user to the list and then closes the
dialog box. If you're not finished, use the Check names button to add it instead.
e. When you finish adding users, tab to the OK button and press Enter. The Search for Changes to Per-
Mailbox Litigation Hold dialog box has the focus again, and the Search these mailboxes text box
lists the mailboxes to be searched for litigation hold changes.
10. Press the Tab key to access the Search button, and press Enter.
11. Press the Tab key about three times to access the search results. If any mailboxes had a change to their
litigation hold status in the time period you selected, you hear the name of the mailbox owner. If none of the
mailboxes were accessed by a non-owner, you hear "There are no items to show in this view." (In Narrator,
you hear "Contains 0 items.")
12. For more details about a litigation hold change, with the change selected in the search results list, press the
Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear the
contents of the details pane, press Tab again.
13. To close the dialog box, tab to the Close button and press Enter.
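The same litigation hold check in script form, as an added example that is not part of the original documentation: a PowerShell function that filters administrator audit log entries for hold changes in a date window and flags holds that were turned off. It assumes entries shaped like Search-AdminAuditLog output and that a hold change is logged as Set-Mailbox with the LitigationHoldEnabled parameter; the function name and the sample entries are constructed.

```powershell
# Added example (not from the original documentation).
# Assumption: a litigation hold change is recorded as a Set-Mailbox call that
# carries the LitigationHoldEnabled parameter. Entry properties (RunDate, Caller,
# ObjectModified, CmdletName, CmdletParameters) follow Search-AdminAuditLog output.

function Get-LitigationHoldChange {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $AuditEntry,
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Mailbox   # empty = all mailboxes, like leaving the search box blank
    )
    foreach ($entry in $AuditEntry) {
        if ($entry.CmdletName -ne 'Set-Mailbox') { continue }
        if ($entry.RunDate -lt $StartDate -or $entry.RunDate -gt $EndDate) { continue }
        if ($Mailbox -and ($Mailbox -notcontains $entry.ObjectModified)) { continue }

        $holdParam = $entry.CmdletParameters |
            Where-Object { $_.Name -eq 'LitigationHoldEnabled' } |
            Select-Object -First 1
        if (-not $holdParam) { continue }   # Set-Mailbox call that did not touch the hold

        [pscustomobject]@{
            When        = $entry.RunDate
            Mailbox     = $entry.ObjectModified
            ChangedBy   = $entry.Caller
            HoldEnabled = ("$($holdParam.Value)" -eq 'True')
        }
    }
}

# Constructed sample entries (not real audit data).
$sample = @(
    [pscustomobject]@{
        RunDate = [datetime]'2019-02-20T09:15:00'; Caller = 'admin1@contoso.com'
        ObjectModified = 'user1@contoso.com'; CmdletName = 'Set-Mailbox'
        CmdletParameters = @([pscustomobject]@{ Name = 'LitigationHoldEnabled'; Value = 'True' })
    }
    [pscustomobject]@{
        RunDate = [datetime]'2019-02-27T17:40:00'; Caller = 'admin2@contoso.com'
        ObjectModified = 'user1@contoso.com'; CmdletName = 'Set-Mailbox'
        CmdletParameters = @([pscustomobject]@{ Name = 'LitigationHoldEnabled'; Value = 'False' })
    }
    [pscustomobject]@{
        RunDate = [datetime]'2019-02-28T08:05:00'; Caller = 'admin1@contoso.com'
        ObjectModified = 'user2@contoso.com'; CmdletName = 'Set-Mailbox'
        CmdletParameters = @([pscustomobject]@{ Name = 'DisplayName'; Value = 'User Two' })
    }
)

$changes = Get-LitigationHoldChange -AuditEntry $sample `
    -StartDate '2019-02-17' -EndDate '2019-03-04' | Sort-Object When
$changes | Format-Table -AutoSize

# A hold that was switched off inside the window is the change to review first.
foreach ($c in ($changes | Where-Object { -not $_.HoldEnabled })) {
    Write-Warning "Litigation hold disabled on $($c.Mailbox) by $($c.ChangedBy) at $($c.When)"
}

# Live use in an Exchange Online PowerShell session, with $start and $end set by you:
# $entries = Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters LitigationHoldEnabled `
#     -StartDate $start -EndDate $end
# Get-LitigationHoldChange -AuditEntry $entries -StartDate $start -EndDate $end
```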
Use a screen reader to trace an email message in the
Exchange admin center in Exchange Online
3/4/2019 • 6 minutes to read
You can trace email messages by using your screen reader in the Exchange admin center (EAC) in Exchange
Online. This is helpful if users are wondering whether their messages are delayed or possibly lost in delivery. With
message tracing, you can follow messages as they pass through Exchange Online and determine whether a
targeted email message was received, rejected, deferred, or delivered.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To trace a message, use a screen reader to open the Exchange admin center and check that your Office 365 global
administrator has assigned you to the Organization Management, Compliance Management, and Help Desk
admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange admin center.
TIP
If you select Custom, you can tab to and enter the time zone, start date and time, and end date and time. These
fields are not available unless you select Custom in the Date range combo box. Note that there might not be any
data for messages that are less than four hours old. You cannot run a message trace on a message more than 90
days old.
7. Tab to the Delivery status combo box. Choices are All (the default setting), Delivered, Failed, Pending,
Expanded, Quarantined, Filtered as spam, and Unknown. Press the Down Arrow or Up Arrow key until
the delivery status you want is selected.
8. Tab to the Message ID text box. This is an optional field, but it can help narrow the search results. The
Message ID or Client ID is generated by the sending system and can be found in the header of the message
with the Message-ID: token. The Message ID might include angle brackets (< >).
9. To specify senders (one or more) in the message trace, tab to the add sender button and press Enter. In the
Select Members dialog box, the Search button has the focus.
a. To search for a user within your organization, press Enter, type all or part of the name of the user, and
then press Enter.
b. Press the Tab key about seven times until you hear the name of the user in the search results list.
c. To add the user to the list of senders for the message trace, press the Down Arrow key until you hear
the user's name and then press Enter. The list of users retains the focus, so you can continue to add
more users by selecting their mailboxes and pressing Enter.
TIP
To check the users you've added, tab to the Add button. To hear the list of users, press the Tab key again. The first
name is read. To hear the second name in the list, press the Tab key one more time. Continue pressing the Tab key
until you hear the names of all the users you've added. To delete a user from the list, activate the Remove link by
pressing Enter when you hear the username.
d. To specify an external user or an email address with a wildcard (for example, *@contoso.com), press the
Tab key until you hear "Check names edit, Type in text." (In Narrator, you hear "Editing.") Type the email
address of the external user or the address with a wildcard. To select the Check names button, press
Shift+Tab and then press Enter. This verifies the email address and adds it to the list of users.
TIP
When you specify a wildcard, you cannot also add full email addresses to the message trace. Be aware that if you
type an external email address and press Enter, this adds the user to the list and then closes the dialog box. If you're
not finished, use the Check names button to add it instead.
e. When you finish adding users, tab to the OK button and press Enter. The message trace page has the
focus again, and the Sender text box lists the senders you specified for the message trace.
10. To add a recipient to the message trace instead of or in addition to the senders, tab to the add recipient
button and press Enter. In the Select Members dialog box, the Search button has the focus. To add one or
more recipients to the message trace, repeat step 9.
11. On the message trace page, tab to the search button and press Enter. The Message Trace Results page
opens and shows the date, sender, recipient, subject, and status of the message(s) that are a result of the
message trace.
TIP
When you run a trace for messages that are less than seven days old, the messages should appear within 5-30 minutes.
When you run a message trace for messages that are more than seven days old, results may take up to a few hours. So if
the Message Trace Results page appears empty at first, check again later. An easy way to do this is to keep this page open,
and, on the toolbar, periodically tab to the Refresh button and then press Enter.
12. To close the Message Trace Results page, tab to the Close button and press Enter.
NOTE
For more information, refer to Run a Message Trace and View Results.
Use a screen reader to work with mobile clients in the
Exchange admin center in Exchange Online
3/4/2019 • 5 minutes to read
You can use your screen reader in the Exchange admin center (EAC) to enable the use of mobile devices for users
of Exchange Online, who can then access information in their Office 365 mailboxes through mobile phones and
tablets. Learn more about clients and mobile in Exchange Online.
Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange admin center.
TIP
If the user is already enabled for Exchange ActiveSync, you hear "Disable Exchange ActiveSync."
9. Press Enter. You hear "Are you sure you want to enable Exchange ActiveSync?" With the focus on the Yes
button, press Enter.
10. Press the Tab key. You hear "Mobile devices link, Enable OWA for Devices."
TIP
If the user is already enabled for Outlook Web App for Devices, you hear "Disable OWA for Devices."
11. Press Enter. You hear "Are you sure you want to enable OWA for Devices?" With the focus on the Yes button,
press Enter.
TIP
If you want to enable Exchange ActiveSync and Outlook Web App for additional users, press Ctrl+Shift+F6 to move the
focus back to the list of users. Press the Down Arrow key or the Up Arrow key until you hear the name you want, and repeat
steps 7 through 11.
Enable Exchange ActiveSync and Outlook Web App for multiple users at once
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to recipients and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary navigation link." To select the
mailboxes link, press Enter.
4. Press Ctrl+F6 twice to move to the list of users. Press the Down Arrow key or the Up Arrow key to move to
the first adjacent user. Hold down the Shift key and press the Down Arrow key or the Up Arrow key to
select more adjacent users.
TIP
To select all users, press Ctrl+A.
5. Repeatedly press the Tab key until the Bulk Edit details pane has the focus and you hear "Bulk Edit."
6. Press the Tab key until you hear "Enable link." Press Enter.
7. An alert asks "Are you sure you want to enable Outlook on the web for all the selected recipients?" With the
focus on the OK button, press Enter.
8. Press the Tab key about 10 times until you hear "Show link." Press the Tab key once more. You hear "Enable
link." Press Enter.
9. An alert asks "Are you sure you want to enable Exchange ActiveSync for all the selected recipients?" With
the focus on the OK button, press Enter.