
Microsoft Ignite 2017: BRK3155 – Thrive in as an enterprise organization in Microsoft Exchange Online

Large enterprise customers often have unique and specialized requirements for adopting Exchange Online. This session showcases the lifecycle of an enterprise customer leveraging features designed just for them. Demos of several new features are covered, such as Mailbox Plans, Client Access Rules, the OnSend event API, and a first look at technology for mergers and divestitures.

The full recorded session can be found here: https://www.youtube.com/watch?v=pN6lsxKRrJQ&t=1503s

This blog post covers a summary of the session.

  • Exchange Online

* Mailbox Plans have been around for a long while. They let you set the default provisioning settings, such as quota, for all of your users. The most common request was to disable POP and IMAP for all users. Microsoft extended the Set-MailboxPlan cmdlet and added Set-CASMailboxPlan so that the new features and provisioning options can be applied to your users.
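An added example (not code from the session or this post) of the "disable POP and IMAP by default" request: it turns both protocols off in every CAS mailbox plan and then lists the existing mailboxes the plan change does not touch. It assumes an already connected Exchange Online PowerShell session.

```powershell
# Added example: disable POP and IMAP in every CAS mailbox plan so that newly
# provisioned mailboxes get them switched off. Assumes a connected Exchange Online
# PowerShell session.
foreach ($plan in Get-CASMailboxPlan) {
    Set-CASMailboxPlan -Identity $plan.Identity -PopEnabled $false -ImapEnabled $false
}

# Caveat: a plan only governs mailboxes created after the change. Mailboxes that
# already exist keep their current settings, so list the ones still exposed...
$stillOpen = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled
$stillOpen | Format-Table -AutoSize

# ...and remediate them explicitly.
$stillOpen | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}
```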

* Client Access Rules will be available in Q4/2017 as a first release. This feature is built into Exchange and empowers customers to control how end users access the service. Some financial services and government customers had one very specific challenge with existing features such as conditional access: they are not a hundred percent foolproof, because they work only at the time of authentication. Assume a user authenticates from the company network: he or she gets an authentication token based on the location or an allowed IP address, and the user is authenticated. The user can then take the notebook to a public location with public Wi-Fi and keep working within the same session, because the authentication token is still valid even though the user is now in an unapproved location.

The Client Access Rules engine intercepts, as a kind of live check, every single end-user session that comes to Exchange. In the above example, the user's session matches a deny rule and the engine rejects the session.

You can mix and match different rules for different protocols, like disable OWA or EAS for only specific users. A tenant will allow up to 20 Client Access Rules.

It is really important to get the ordering of your rules correct and to use the priority parameter for the rules. This matters because there is no backdoor into this feature for you. For example, if you create a rule that blocks every protocol, including PowerShell, from every location and every IP address, you have effectively locked every user out of your tenant. If you do that, you have to call support, and they will create a rule that allows only PowerShell so that you can log in via PowerShell and unblock your users yourself. You should create, as the first rule with priority 1, a rule that allows every user to log in via PowerShell, and only then create and test further rules, because that way you will always be able to change them again. Note that Client Access Rules can currently only be administered via PowerShell.

An allow EAS rule looks like the following:
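The rollout described above as an added example (not the session's own code): a priority-1 safety rule for Remote PowerShell, an allow EAS rule for the corporate range, a deny EAS rule for everything else, and a simulated session to verify the result before relying on it. It assumes a connected Exchange Online PowerShell session; the IP addresses and user are placeholders.

```powershell
# Added example of a Client Access Rule rollout in the order the session recommends.
# Assumes a connected Exchange Online PowerShell session. 203.0.113.0/24 stands in
# for the corporate egress range and 198.51.100.10 for a public Wi-Fi address.
$corpRange = '203.0.113.0/24'

# 1. Safety net first. Priority 1 always allows Remote PowerShell, so an admin can
#    still connect and correct the rules if a later rule turns out to be too broad.
New-ClientAccessRule -Name 'P1 always allow admin PowerShell' `
    -Priority 1 -Action AllowAccess -AnyOfProtocols RemotePowerShell

# 2. The allow EAS rule: Exchange ActiveSync is permitted from the corporate range.
New-ClientAccessRule -Name 'P2 allow EAS from corporate network' `
    -Priority 2 -Action AllowAccess -AnyOfProtocols ExchangeActiveSync `
    -AnyOfClientIPAddressesOrRanges $corpRange

# 3. Rules are evaluated in priority order and the first match wins, so the deny
#    rule goes last and only catches EAS sessions that rule 2 did not allow.
New-ClientAccessRule -Name 'P3 deny EAS from everywhere else' `
    -Priority 3 -Action DenyAccess -AnyOfProtocols ExchangeActiveSync

# 4. Verify before trusting it: simulate an EAS session from a public address and
#    from the corporate range. The cmdlet reports which rule (if any) would apply.
foreach ($addr in '198.51.100.10', '203.0.113.25') {
    Test-ClientAccessRule -User 'user@contoso.example' `
        -AuthenticationType BasicAuthentication -Protocol ExchangeActiveSync `
        -RemoteAddress $addr -RemotePort 443
}

# Review the final ordering; a tenant can hold at most 20 rules.
Get-ClientAccessRule | Sort-Object Priority |
    Format-Table Priority, Name, Action, AnyOfProtocols, Enabled -AutoSize
```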

* The classification problem describes how to prevent emails from being sent out because of classification issues, which is mostly an ask from financial and government organizations. There is no option to use DLP for this, because DLP filters messages in the transport pipeline; the check has to happen immediately, at the moment the user pushes the send button. You can now use your own developed apps and/or scripts to meet your organization's requirements. This was previously done by third-party apps that modified the Exchange DLL and config files in your on-premises environment.

There is a new parameter available for the OWA Mailbox Policy: you can enable OnSendAddInsEnabled for individual users or for the entire organization.
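An added example (not from the session or this post) of enabling the OnSend event for a pilot group through a dedicated OWA mailbox policy, with the organization-wide variant shown as a comment. It assumes a connected Exchange Online PowerShell session; the policy and group names are placeholders.

```powershell
# Added example: enable OnSend add-ins for a pilot group first, then (optionally)
# for everyone. Assumes a connected Exchange Online PowerShell session; the policy
# name and the distribution group are placeholders.
New-OwaMailboxPolicy -Name 'OnSendPilot' | Out-Null
Set-OwaMailboxPolicy -Identity 'OnSendPilot' -OnSendAddinsEnabled $true

# Assign the policy to the pilot users (members of a distribution group).
Get-DistributionGroupMember -Identity 'onsend-pilot@contoso.example' -ResultSize Unlimited |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress -OwaMailboxPolicy 'OnSendPilot'
    }

# For the entire organization, enable it on the default policy instead:
# Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -OnSendAddinsEnabled $true

# Verify which policies have the event enabled and who is on the pilot policy.
Get-OwaMailboxPolicy | Select-Object Name, OnSendAddinsEnabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OwaMailboxPolicy -eq 'OnSendPilot' } |
    Select-Object Identity, OwaMailboxPolicy
```

The OnSend event is only honored by the OWA client, so users of the pilot policy still send without the check from desktop Outlook until it reaches that client.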

Note that you cannot publish an app that uses the OnSend event to the Office Store; it will be rejected by the store validation.

Microsoft delivered this feature in OWA first, where it has been available for a couple of months now. Outlook is on a longer-term roadmap. The feature is also available in Exchange 2016 on-premises.

  • Exchange Hybrid

* The issues with Hybrid Delegation (cross-premises delegate permissions) are now solved.

* FullAccess redirection in OWA is now solved and is currently being rolled out to every tenant. Previously you were redirected to the on-premises OWA URL and then back to the EXO OWA URL, and nothing happened; the workaround was to type the mailbox's email address into the URL to open it. Running the latest version of the HCW now also updates the cloud-side TargetOwaURL, which gives you the redirection and an explicit logon.

* FullAccess with Automap relies on the attribute msExchDelegateListLink and its associated back links. This change was made in Azure AD Connect and is now solved. It is currently in a private preview and is being tested by Microsoft and some customers.

* Send on Behalf relies on the attribute msExchPublicDelegates and its associated back links, and MEUs must be ACLable. This is now solved as well and will be available in Q4/2017.

* Send-As permissions that were set prior to migration generally continue to function. A workaround is to set the Send-As permissions on both the mailbox and the MEU object. The long-term solution for this is called Hybrid Recipient Management.

* Organization Configuration Transfer allows you to match the on-premises policies with EXO, and vice versa. It covers the initial configuration, an admin-configurable set of settings, and dual write, so that cloud and on-premises object changes are made together or synced on a recurring basis. New updates will be available within the next 12-18 months.

* Mailbox Configuration Transfer allows you to migrate mailbox settings to EXO. It extends the list of properties that MRS configures at move completion, with a customizable list per migration batch.

* Hybrid Publishing and Security

* Hybrid Complexity

Solution: Hybrid Publishing. The only thing that must change on-premises is that the server running the Hybrid Connector must be able to use port 443 for outbound communication to Microsoft.

* Hybrid Recipient Management allows you to remove the last on-premises Exchange server. About 70% of hybrid customers have moved all mailboxes to the cloud and want to remove all on-premises Exchange server(s) as well. Microsoft is working on unified recipient management, where everything can be changed in Exchange Online and/or on-premises, which means no more dual administration. Microsoft is currently working on this, but there is no exact timeline for when the feature will be available.

* Hybrid Solution Backbone is the core of Hybrid Recipient Management and of cross-premises Send-As permissions; the preview will be available around Q1/2018.

  • Mergers, Acquisitions, and Divestitures

* Dual key authorization allows mailboxes to be moved between tenants. An Organization Relationship is used for this authorization. All of these features will be updated and made available within the next 6, 12, and 18 months.

* The Road Ahead
