hybrid
1784 Topics

Exchange health set unhealthy
Hello everyone! Some health probes on our Exchange 2016 Server have been reporting an unhealthy state since the middle of February. OAB.Proxy, EWS.Proxy, Outlook.proxy and OutlookMapiHttp.Proxy. We have no mailboxes on the server, so it's not critical, but I would still like to figure out what is going on. They all fail with "The remote server returned an error: (401) Unauthorized" and if I try to invoke the probe I see this in the response: It looks like the SSL validation is not happening. Is it normal for the probe to use localhost for this? When I run "Get-WebServicesVirtualDirectory" both internal and external virtual directory are set to our external URL. Any insight is greatly appreciated!
79 Views, 0 likes, 2 Comments

Outlook Search Folder for External Senders
I'm using the Outlook M365 desktop app on the current channel and Exchange 2019 in Hybrid mode with Exchange Online. We route all mail inbound and outbound via Exchange Server. I'd like to create a search folder in Outlook to show only mails from external senders. The issue is the only criteria I can seem to create would rely on the From field and this seems to map to the SenderName on the MailItem object in Outlook. This is not the actual sender's mail address that would include the @domain etc. but rather seems to be the sender's name, which is arbitrary from what I can see, e.g. SomeSender. How to create a search folder based on the sender's actual address?
49 Views, 0 likes, 1 Comment

Force users to "entra register" their devices
Hi, is it possible to force users to register their devices when they log in with their company account to any other device than company owned? I tested on my private smartphone. Logged in as normal user with company account and my device did not show up in Entra as "Microsoft Entra registered". Any ideas? Thanks
30 Views, 0 likes, 1 Comment

Exchange Hybrid Wizard Error (413)
Hello, we are running into issues with the Hybrid Wizard. On the last point, validation, we are always getting the same error and don't know what to do, because it says the external server is responding with.... See log attached.

2025.03.05 08:43:02.035 *ERROR* 10349 [Client=UX, Page=HybridConnectorInstall, Thread=8] The connection to the server '6499703f-91f1-4369-a729-b40098fdd276.resource.mailboxmigration.his.msappproxy.net' could not be completed., The call to 'https://6499703f-91f1-4369-a729-b40098fdd276.resource.mailboxmigration.his.msappproxy.net/EWS/mrsproxy.svc' failed. Error details: The remote server returned an unexpected response: (413) RequestEntityTooLarge.., The remote server returned an unexpected response: (413) RequestEntityTooLarge.
OriginalFailureType: ProtocolException, WellKnownException: MRSRemote None MRSRemote
Remote stack trace: Remote trace:
at System.ServiceModel.Channels.HttpResponseMessageHelper.ValidateResponseStatusCode()
at System.ServiceModel.Channels.HttpResponseMessageHelper.ParseIncomingResponse(TimeoutHelper timeoutHelper)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpClientRequestChannel.HttpClientChannelAsyncRequest.ReceiveReplyAsync(TimeoutHelper timeoutHelper)
at System.ServiceModel.Channels.RequestChannel.RequestAsync(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ClientReliableChannelBinder`1.RequestAsync(Message message, TimeSpan timeout, MaskingMode maskingMode)
at System.ServiceModel.Channels.RequestReliableRequestor.OnRequestAsync(Message request, TimeSpan timeout, Boolean last)
at System.ServiceModel.Channels.ReliableRequestor.RequestAsync(TimeSpan timeout)
at System.ServiceModel.Channels.ClientReliableSession.OpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableRequestSessionChannel.OnOpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableRequestSessionChannel.OnOpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.OnOpenAsyncInternal(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.System.ServiceModel.IAsyncCommunicationObject.OpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.OnOpenAsyncInternal(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.System.ServiceModel.IAsyncCommunicationObject.OpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(MethodInfo targetMethod, Object[] args)
at generatedProxy_3.ExchangeVersionInformation(VersionInformation, VersionInformation&)
at Microsoft.Exchange.Connections.Common.WcfClientWithFaultHandling`2.<>c__DisplayClass4_0.<CallService>b__0() in \_\sources\dev\common\src\Connections\Common\WcfClientWithFaultHandling.cs:line 76
at Microsoft.Exchange.Net.WcfClientBase`1.CallService(Action serviceCall, String context)

51 Views, 0 likes, 3 Comments

Arc Jumpstart Newsletter: February 2025 Edition
We’re thrilled to bring you the latest updates from the Arc Jumpstart team in this month’s newsletter. Whether you are new to the community or a regular Jumpstart contributor, this newsletter will keep you informed about new releases, key events, and opportunities to get involved within the Azure Adaptive Cloud ecosystem. Check back each month for new ways to connect, share your experiences, and learn from others in the Adaptive Cloud community.
175 Views, 0 likes, 0 Comments

Arc Jumpstart Newsletter: January 2025 Edition
We’re thrilled to bring you the latest updates from the Arc Jumpstart team in this month’s newsletter. Whether you are new to the community or a regular Jumpstart contributor, this newsletter will keep you informed about new releases, key events, and opportunities to get involved within the Azure Adaptive Cloud ecosystem. Check back each month for new ways to connect, share your experiences, and learn from others in the Adaptive Cloud community.
422 Views, 0 likes, 0 Comments

Announcing Jumpstart ArcBox 25Q1 general availability
We are thrilled to announce the first major update to ArcBox following our release of ArcBox 3.0 in August 2024. ArcBox has been an invaluable resource for IT professionals, DataOps teams, and DevOps practitioners, providing comprehensive solutions to evaluate how to deploy, manage, and operate Arc-enabled environments. With this release, we have introduced Windows Server 2025 on both the ArcBox-Client as well as in a nested VM, making it possible for you to evaluate a range of new features and enhancements that elevate the functionality, performance, and user experience.

WinGet and Windows Terminal Integration

One of the standout enhancements in Windows Server 2025 is the inclusion of WinGet and Windows Terminal. These tools are now built-in components of Windows Server 2025 and no longer require bootstrapping in our automation processes.

Advanced Management Capabilities for Arc-enabled servers

Windows Server 2025 introduces new management capabilities specifically designed for Arc-enabled servers. These capabilities enhance the control and oversight of server environments, providing more robust tools for monitoring, configuration, and maintenance. The enhancements are now available in ArcBox to be evaluated.

SSH Included and Enabled

Another significant update in Windows Server 2025 is the inclusion of SSH as a native component. This addition is a major step forward, as it eliminates the need for external SSH installations. However, it is important to note that while SSH is included, it needs to be enabled manually. This feature enhances secure access to servers, facilitating more efficient remote management and operations. In ArcBox, SSH is enabled by the automated setup and ready to start evaluating.

SSH for Arc-enabled servers enables SSH based connections to Arc-enabled servers without requiring a public IP address or additional open ports.
This functionality can be used interactively, automated, or with existing SSH based tooling, allowing existing management tools to have a greater impact on Azure Arc-enabled servers. You can use Azure CLI or Azure PowerShell to connect to one of the Azure Arc-enabled servers using SSH. In addition to SSH, you can also connect to the Azure Arc-enabled servers, Windows Server virtual machines using Remote Desktop tunneled via SSH. Also, Remote PowerShell over SSH is available for Windows and Linux machines. SSH for Arc-enabled servers also enables SSH-based PowerShell Remoting connections to Arc-enabled servers without requiring a public IP address or additional open ports. After setting up the configuration, we can use native PowerShell Remoting commands.

Configurable SQL Server Edition to support Performance Dashboards

ArcBox now provides the flexibility to deploy SQL Server Standard or Enterprise editions on the ArcBox-SQL guest VM, replacing the previously default Developer edition. This enhancement empowers users to experience advanced Arc-enabled SQL Server monitoring through Performance Dashboard reports. Available in both the ITPro and DataOps configurations, this feature ensures tailored performance monitoring capabilities for diverse use cases.

To configure the SQL Server edition during deployment:
- Portal Deployment: Specify the desired SQL Server edition during setup.
- Bicep Deployment: Use the sqlServerEdition parameter to define the edition.
- ARM Template Deployment: Set the edition via the sqlServerEdition parameter.

Below is an example Performance Dashboard report from an Arc-enabled SQL Server using the Standard or Enterprise editions, highlighting comprehensive insights and monitoring capabilities.

Cost Optimizations

We optimized the storage costs significantly by changing the ArcBox Client VM data disk from Premium SSD to Premium SSD v2.
This change allows for better performance at a lower cost, making ArcBox even more economical for various use cases. With this optimization, users can enjoy faster data access speeds and increased storage efficiency.

We also introduced support for enabling Azure VM Spot pricing for the ArcBox Client VM, allowing users to take advantage of cost savings on unused Azure capacity. This feature is ideal for workloads that can tolerate interruptions, providing an economical option for testing and development environments. By leveraging Spot pricing, users can significantly reduce their operational costs while maintaining the flexibility and scalability offered by Azure. You may leverage the advisor on the Azure Spot Virtual Machine pricing page to estimate costs for your selected region. Here is an example for running the ArcBox Client Virtual Machine in the East US region:

Visit the ArcBox FAQ to see the updated price estimates for running ArcBox in your environment. The new deployment parameter enableAzureSpotPricing is disabled by default, so users who want to take advantage of this capability will need to opt in. Along with the option to opt in for Azure Spot pricing, we also added new parameters for enabling Auto Shutdown:

Auto Shutdown is enabled by default, and will configure the built-in Auto-shutdown feature for Azure VMs:

Summary

The latest update to ArcBox not only focuses on new features but also on enhancing overall cost and performance. The integration of new operating system versions and management capabilities ensures a smoother, more efficient workflow for IT professionals, DataOps teams, and DevOps practitioners to evaluate Azure Arc services. We invite our community to explore these new features and take full advantage of the enhanced capabilities of ArcBox with Windows Server 2025 support. Your feedback is invaluable to us, and we look forward to hearing about your experiences and insights as you navigate these new enhancements.
Watch our release announcement episode of Jumpstart Lightning and get started today by visiting aka.ms/JumpstartArcBox!
886 Views, 3 likes, 3 Comments

MTO and access to on premises file system
Let me preface this by saying I'm still fairly new to 365 Admin (it's been a steep learning curve) and haven't even got my feet wet with on premises stuff as yet. Also, I think some of the admin decisions made previously by others may have been based on just repeating what was found to work the first time rather than necessarily a deep understanding of the best solution.

The situation when I arrived on the scene was this (actually it was a bit more complex and messy than this, but this simplified description covers the salient points at this stage):
- One tenant, with two domains, call them old-domain and new-domain.
- Two types of user, who I will refer to as operations and corporate.
- An on premises Active Directory system running a file server. Well, to be more precise, on three premises with mirroring of data and a DFS, but from the user perspective when you're at one of the office locations and connect to the network the same folders are available to you.
- Everyone was using Azure Joined Company Laptops to do this, so their laptop logins were also their network logins.
- Outside of the offices people connected to the DFS using a VPN (with three gateways in different countries).
- Operations Users had one account, @old-domain, this was licensed for 365 and had a mailbox associated with it. It was also synched to their on premises AD account.
- Corporate Users had two accounts, one @old-domain with no license, synched to an on premises AD account. The second was new-domain with a 365 license and mailbox.

If you're scratching your head wondering why two accounts rather than assigning the new-domain email address to the same account, I can't give you a definitive answer as I've never been given one, but for whatever reason when new domains were brought into play on corporate name changes the admins gave them new mailboxes rather than simply aliasing email addresses to the same mailbox (some people had three accounts as a result).
What I did note was that when a new Corporate user was added the admins gave them both of the above accounts. I was told that the unlicensed old-domain one was required for the access to the DFS.

Now for reasons not worth getting into here, a decision was made to move the Corporate users to a new tenant, along with new-domain and then to link the two tenants in a multi-tenant organization. It was also decided to leverage BYOD for Corporate users, so their devices will only be Azure registered. This has been done, there was some pain thanks to the reluctance of Microsoft applications to switch to the new account locations rather than redirecting back to the old tenant, but that's been sorted.

So right now Corporate users still have two accounts, but on two tenants.
- On the Old Tenant they have their @old-domain account, no license, no mailbox, synched to the on premises AD (as before).
- On the New Tenant they have their new-domain account. This is where they actually do their work, and is the only account anyone should be communicating with internally or externally.

Access to the DFS is being done using the VPN with the on premises credentials associated with the old-domain account. In terms of functionality, this works perfectly well, people across the two tenants appear in each other's address lists, they can chat and share information etc. Everybody also has access to the folders they should have access to on the DFS.

However there are two issues. The first, and most detrimental in terms of just getting work done, is that users in one of the overseas offices have found their access to the DFS has slowed considerably, despite being in physically the same location as the data. I believe the problem is that although the data is on-premises, the VPN gateway is not, therefore data does a round trip from the server, through that gateway IP address at the ISP and back to the user. Since they are in a remote location with poor internet this slows things considerably.
So the first question is, how do we take that loop out of the equation so that when they are in the office they connect more directly to the servers on site? Ideally without having to revert to needing an Azure AD joined device.

The second issue is that those remaining old-domain accounts (the ones for the Corporate users who are now working on the new tenant) on the old tenant are messy, in two ways:
1) From an admin perspective, because every one of those corporate users still has two accounts, their local one that is synched to On Premises AD, and the external account shared from the new tenant as part of the MTO.
2) From a user's perspective. For reasons that I cannot fathom (but this is coming direct from Microsoft after many attempts on my part to find a way) it seems that while you can control which licensed accounts appear on Teams search by controlling whether they are in the GAL and setting the appropriate switch in Teams Admin, all the unlicensed users appear whether you like it or not. The net result is that when someone on the old tenant starts typing in a name of someone in Corporate, they get two suggestions coming up.

So the second question is, are those accounts actually necessary?
28 Views, 0 likes, 1 Comment

Dynamic Distribution Group with no Disabled Accounts
Hi

I'm trying to build a few Dynamic Distribution Lists in Exchange Online and want to only include Active Users (i.e., users that are marked "Active" in Azure AD). I've tried using the UserAccountControl attribute (-eq 514 or -ne 514 - both are returning the same results, which is strange), but it still includes user accounts that are disabled. This is how my recipient filter looks like:

RecipientType -eq 'UserMailbox' -and UserAccountControl -ne 514

What's the best way to achieve this in Exchange Online?

Thanks
Taranjeet Singh
2.1K Views, 0 likes, 6 Comments